Curly COMrades: Evading Detection with Stealthy Hyper-V Virtual Machines

This article examines a recent investigation into the Curly COMrades threat actor who has been actively evading detection using advanced stealth techniques. Conducted with assistance from the Georgian National CERT, this research highlights the innovative exploitation of Hyper-V virtual machines to maintain covert access to compromised Windows environments.

Curly COMrades: Stealthy Hyper-V Virtual Machines

Initially discovered in August 2025, the Curly COMrades group operates to further Russian geopolitical interests. Recent forensic analysis has revealed their unique approach in utilizing virtualization features of Windows. By enabling Hyper-V on compromised systems, they created minimalistic virtual machines that serve as concealed operational environments.

Key Findings from the Investigation

• The attackers established long-term access by deploying Alpine Linux-based VMs that host custom malware.
• Two primary malware components, CurlyShell and CurlCat, enable remote access and traffic tunneling.
• The Hyper-V feature was exploited to create isolated operational bases, making detection via traditional security solutions more challenging.

Malware Configuration and Deployment

The deployed VMs were lightweight, occupying only 120MB of disk space and utilizing a mere 256MB of memory. This minimal footprint reduces the likelihood of detection while providing necessary tools for maintaining remote access.

The operation typically began with remote commands that enabled Hyper-V, followed by downloading and importing the VM containing the Curly COMrades malware. The configuration effectively masks malicious activities within the legitimate network traffic of the infected host.

PowerShell and Kerberos Abuse

Among the techniques employed, attackers utilized PowerShell scripts to gain further control. Notably, a customized script injected Kerberos tickets into LSASS, facilitating lateral movements across networks. Additionally, the group deployed other scripts for creating local accounts, setting up persistence mechanisms that ensure continued access even after remediation efforts.

International Collaboration and Impact

The investigation benefitted from collaboration with the Georgian CERT. Their efforts included identifying and analyzing compromised infrastructures used by the attackers. The insights garnered led to a comprehensive understanding of how the Curly COMrades maintained operational security and communication capabilities through customized server configurations and traffic management.

Recommendations for Security Defense

Organizations must enhance their security measures to counteract advanced evasion tactics employed by threat actors like Curly COMrades. Recommended strategies include:

• Implementing Proactive Hardening and Attack Surface Reduction solutions.
• Utilizing Network Attack Defense systems for detecting anomalies and malicious communication patterns.
• Adopting Managed Detection and Response services for organizations with limited security resources.

As EDR solutions become more common, the onus falls on organizations to adopt a defense-in-depth approach, safeguarding their environments against evolving threats.

Conclusion

The Curly COMrades case sheds light on the innovative methodologies utilized in modern cyber threats. By leveraging technologies such as Hyper-V virtualization, these threat actors have demonstrated a sophisticated understanding of operational security. Continuous updates and robust security measures will be crucial in mitigating risks associated with such advanced tactics.