A Russia-aligned cyber group known as “Curly COMrades” has been observed using Linux-based virtual machines (VMs) to conceal malicious activity within Windows environments, effectively bypassing endpoint detection systems, according to new research from Bitdefender.
The cybersecurity firm’s latest report—produced in collaboration with CERT Georgia under the Operative-Technical Agency of Georgia—reveals that the threat actors deploy lightweight Alpine Linux VMs inside compromised Windows systems to establish long-term persistence and conduct espionage operations.
“Their primary objective appears to be long-term covert access rather than financial gain or disruption,” said Martin Zugec, Technical Solutions Director at Bitdefender.

The attackers enable Hyper-V on victim systems and import a minimal 120MB Alpine Linux VM configured to run two custom tools:
CurlyShell – a persistent reverse shell for command-and-control (C2) communication.
CurlCat – a reverse proxy used to tunnel and obfuscate network traffic.
Because both tools run inside the guest, a Windows-based endpoint detection and response (EDR) agent on the host sees only the Hyper-V worker process, not the processes, files or memory inside the VM, so most host EDR tools have no visibility into the malware's activity. The VM's network traffic leaves through the compromised host, so all malicious connections appear to originate from the legitimate host system, complicating both detection and attribution.
Bitdefender researcher Victor Vrabie noted that EDR solutions must be complemented by host-based network inspection and system-hardening tools to detect such activity.
Advanced Persistence Tactics
In addition to virtualization-based evasion, investigators discovered two PowerShell scripts used for credential theft and persistence:
Injecting Kerberos tickets into the Local Security Authority Subsystem Service (LSASS) for remote authentication and command execution.
Creating local user accounts across domain-joined systems to maintain access.
Zugec added that while virtualization in attacks isn’t new, the combination of lightweight VMs, custom malware, and long-term stealth marks “a significant evolution” in adversarial tradecraft.
“Deploying a dedicated Linux VM for isolated C2 operations lets malware run completely outside the host OS, bypassing behavioral and memory-based scans,” Zugec explained.
Mitigation and Defense
Bitdefender warns that as EDR and XDR tools become more common, attackers are adapting with techniques that sidestep their detection scope. To defend against Curly COMrades’ tactics, the company recommends:
Implementing defense-in-depth with multiple overlapping security layers.
Monitoring for abnormal LSASS activity and unauthorized Kerberos ticket creation.
Using network-based threat detection to identify unusual outbound traffic from VMs.
Smaller organizations should consider Managed Detection and Response (MDR) services for proactive monitoring.
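The following PowerShell hunt is an added example, not code from Bitdefender's report or from CERT Georgia, that turns the Hyper-V tradecraft described above (an enabled Hyper-V role, a tiny imported Linux VM with a network adapter) and the recommendations in this list (monitoring for local-account creation and LSASS access, inspecting VM network attachment) into host-side checks a responder can run elevated on a suspect Windows endpoint. The function name, the 30-day lookback, the 512 MB "small disk" threshold and the message regexes are assumptions chosen for illustration; the event IDs used are Windows Security 4720 (a user account was created) and Sysmon 10 (ProcessAccess).

```powershell
#Requires -RunAsAdministrator
# Added hunting script, not Bitdefender's or CERT Georgia's code. Function name,
# lookback, disk threshold and regexes are illustration assumptions; tune for your estate.

function Invoke-HyperVVmHunt {
    param(
        [datetime]$Since = (Get-Date).AddDays(-30),  # assumed hunting window
        [int]$SmallDiskMB = 512                       # assumed: a VM disk this small is rare outside a lab
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Category, $Detail) {
        $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
    }

    # 1. Hyper-V role and its management service (vmms). A workstation that has both,
    #    with no virtualisation use case, is the first thing to explain.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction SilentlyContinue
    $vmms    = Get-Service -Name vmms -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') { Add-Finding 'HyperV' 'Microsoft-Hyper-V optional feature is enabled' }
    if ($vmms -and $vmms.Status -eq 'Running')      { Add-Finding 'HyperV' 'vmms (Hyper-V Virtual Machine Management) service is running' }

    # 2. Inventory every VM: creation time, state, config path, disk size and network attachment.
    #    A minimal Linux image shows up as an unusually small VHD; a NIC on an Internal switch
    #    (such as the Hyper-V Default Switch) means the guest's traffic egresses via the host.
    if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
        foreach ($vm in Get-VM) {
            Add-Finding 'VM' ("{0}: state={1} created={2} path={3}" -f $vm.Name, $vm.State, $vm.CreationTime, $vm.Path)
            foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name) {
                $vhd = Get-VHD -Path $disk.Path -ErrorAction SilentlyContinue
                if ($vhd -and ($vhd.FileSize / 1MB) -lt $SmallDiskMB) {
                    Add-Finding 'VM-SmallDisk' ("{0}: {1} is only {2} MB on disk" -f $vm.Name, $disk.Path, [math]::Round($vhd.FileSize / 1MB))
                }
            }
            foreach ($nic in Get-VMNetworkAdapter -VMName $vm.Name) {
                $switch = if ($nic.SwitchName) { Get-VMSwitch -Name $nic.SwitchName -ErrorAction SilentlyContinue }
                Add-Finding 'VM-Network' ("{0}: switch={1} type={2} mac={3} ip={4}" -f $vm.Name, $nic.SwitchName, $switch.SwitchType, $nic.MacAddress, ($nic.IPAddresses -join ','))
            }
        }
    }

    # 3. Hyper-V management log: VM import/creation activity in the window. The regex is an
    #    assumption about message wording; review the raw entries if it matches nothing.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Hyper-V-VMMS-Admin'; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'import|created|new virtual machine' } |
        ForEach-Object { Add-Finding 'HyperV-Log' ("{0} id={1}: {2}" -f $_.TimeCreated, $_.Id, ($_.Message -split "`n")[0]) }

    # 4. Security 4720 "A user account was created": the local-account persistence the report
    #    describes. Fields are read by name from the event XML rather than by position.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            Add-Finding 'LocalAccount' ("{0}: {1}\{2} created by {3}" -f $_.TimeCreated, $data['TargetDomainName'], $data['TargetUserName'], $data['SubjectUserName'])
        }

    # 5. Sysmon 10 (ProcessAccess) with lsass.exe as target, if Sysmon is deployed. This catches
    #    handle opens on LSASS (credential dumping); ticket submission through the LSA
    #    authentication-package interface does not open a process handle and needs other telemetry.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'TargetImage:.*\\lsass\.exe' } |
        ForEach-Object { Add-Finding 'LSASS-Access' (($_.Message -split "`n" | Where-Object { $_ -match '^(SourceImage|GrantedAccess|CallTrace):' }) -join ' ') }

    return $findings
}

Invoke-HyperVVmHunt | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session on the endpoint under investigation; on a host that never had Hyper-V the Hyper-V cmdlets and log are absent and the script simply reports nothing for those sections. The output is a triage list, not a verdict: a legitimately provisioned lab VM will trigger the same entries, which is why the page's recommendation to pair host telemetry with network-based detection of outbound traffic from VMs matters. Kerberos ticket activity itself is best confirmed from domain controller logs rather than from the endpoint.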
“Enterprises must begin designing environments that are inherently hostile to attackers,” Vrabie emphasized.