Russia-Linked ‘Curly COMrades’ Use Malicious Virtual Machines for Espionage

Recent research has unveiled a sophisticated cyber-espionage operation utilizing virtual machines to conduct covert attacks. This campaign, attributed to a group named Curly COMrades, has been active since July 2023 and is believed to align with Russian geopolitical interests, according to Romania-based cybersecurity firm Bitdefender.

Overview of the Curly COMrades Campaign

The Curly COMrades group has previously been linked to espionage activities targeting government institutions in Georgia and a key energy company in Moldova. Bitdefender’s report did not disclose specific victims but indicated that the investigation was supported by Georgia’s national computer emergency response team, CERT-GE.

Attack Methodology

The hackers maintained covert access to targeted networks by abusing Hyper-V, the built-in Windows feature for running virtual machines. They deployed a lightweight Alpine Linux virtual machine that occupied only 120 megabytes of disk space. The VM contained two custom malware tools, CurlyShell and CurlCat, designed respectively to control compromised systems and to exfiltrate sensitive information.

  • CurlyShell: Used for system control.
  • CurlCat: Employed for data theft.

Bitdefender noted that this method effectively evaded conventional threat detection systems, which predominantly monitor the primary operating system rather than its virtual counterparts.
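The detection gap described above (host-focused tooling not looking inside guest VMs) is something a defender can partly close by inventorying the Hyper-V layer itself. The following PowerShell hunting script is an added example, not code from the article or from Bitdefender's report: it checks whether the Hyper-V feature is enabled, lists every registered VM with its virtual disk size, creation time and network attachment, flags VMs whose disk is unusually small (the 512 MB threshold is an assumption chosen to catch a 120 MB Alpine image), and finally looks for VHD/VHDX files on disk that are not registered with any VM. It assumes an elevated session on a Windows host with the Hyper-V PowerShell module available.

```powershell
# Added hunting example (not from the Bitdefender report or the article).
# Assumes: elevated PowerShell on a Windows host with the Hyper-V module installed.

$SmallDiskThresholdBytes = 512MB   # assumption: small enough to catch a ~120 MB Alpine VM

function Get-HyperVFeatureState {
    # Hyper-V enabled on a workstation that has no business running VMs is itself a signal.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction SilentlyContinue
    [pscustomobject]@{
        HyperVEnabled = [bool]($feature -and $feature.State -eq 'Enabled')
    }
}

function Find-SuspiciousVMs {
    param([long]$Threshold = $SmallDiskThresholdBytes)

    $findings = @()
    foreach ($vm in Get-VM -ErrorAction SilentlyContinue) {
        $nics = Get-VMNetworkAdapter -VMName $vm.Name -ErrorAction SilentlyContinue
        foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name -ErrorAction SilentlyContinue) {
            $vhd = Get-VHD -Path $disk.Path -ErrorAction SilentlyContinue
            if (-not $vhd) { continue }
            $findings += [pscustomobject]@{
                VM         = $vm.Name
                State      = $vm.State
                Created    = $vm.CreationTime
                ConfigPath = $vm.Path
                VhdPath    = $vhd.Path
                VhdBytes   = $vhd.FileSize
                SmallDisk  = ($vhd.FileSize -lt $Threshold)      # flag tiny guests
                Switches   = (($nics | ForEach-Object { $_.SwitchName }) -join ',')
                IPs        = (($nics | ForEach-Object { $_.IPAddresses }) -join ',')
            }
        }
    }
    $findings
}

function Find-UnregisteredVhdFiles {
    # Get-VM only shows registered guests; a disk image left on the filesystem after the
    # VM registration was removed would be missed, so walk the drive for VHD/VHDX files.
    param([string]$Root = 'C:\', [long]$Threshold = $SmallDiskThresholdBytes)

    $registered = @(Get-VM -ErrorAction SilentlyContinue |
        ForEach-Object { Get-VMHardDiskDrive -VMName $_.Name -ErrorAction SilentlyContinue } |
        ForEach-Object { $_.Path.ToLowerInvariant() })

    Get-ChildItem -Path $Root -Recurse -Include *.vhd, *.vhdx -File -ErrorAction SilentlyContinue |
        Where-Object { $registered -notcontains $_.FullName.ToLowerInvariant() } |
        Select-Object FullName, Length, CreationTime, LastWriteTime,
            @{ Name = 'SmallDisk'; Expression = { $_.Length -lt $Threshold } }
}

# Usage: run all three and review anything flagged SmallDisk or unexpected.
Get-HyperVFeatureState
Find-SuspiciousVMs | Sort-Object SmallDisk -Descending | Format-Table -AutoSize
Find-UnregisteredVhdFiles | Format-Table -AutoSize
```

The disk-size flag is only a starting point: the more durable signals are a VM on a host that should not have Hyper-V enabled at all, a guest attached to an external virtual switch with an address the host's own controls never inspect, and a VHDX whose creation time lines up with other suspicious activity on the host. Feeding these inventories into a SIEM and alerting on newly appearing VMs or VHDX files gives coverage that host-only agents lack.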

Targeting and Geopolitical Implications

Active since at least 2024, Curly COMrades typically focuses on critical organizations in countries experiencing significant geopolitical changes. Their operations appear to dovetail with the strategic goals of the Russian government.

The hackers exhibit a preference for leveraging publicly available and open-source tools. This approach emphasizes discretion, adaptability, and a minimized chance of detection, steering away from exploiting new vulnerabilities.

The Context of Threats in Georgia and Moldova

Both Georgia and Moldova, former Soviet republics, are seen as prime targets for Russian cyber operations. Moldova recently accused Russia of attempting to disrupt its parliamentary elections, in which a pro-European party gained majority control, through coordinated cyberattacks and disinformation strategies.

Georgia has faced similar threats, with Moscow employing hybrid tactics that combine military pressure, economic sanctions, and propaganda to undermine its democratic processes and institutional integrity.

As the geopolitical landscape evolves, the activities of groups like Curly COMrades underscore the persistent threat posed by cyber-espionage, particularly in regions with complex political dynamics.