Security Research | Curly COMrades: Evasion and Persistence via Hidden Hyper-V Virtual Machines
Ctrl-Alt-DECODE is a newsletter for security practitioners and anyone interested in learning about the latest developments in the field. Our goal is to provide a dedicated resource for relevant, technical, and actionable threat intelligence, focused on our own original research rather than rehashing existing news.
TL;DR This investigation, conducted with support from the Georgian CERT functioning under the Operative-Technical Agency of Georgia, uncovered new tools and techniques used by the Curly COMrades threat actor. They established covert, long-term access to victim networks by abusing virtualization features (Hyper-V) on compromised Windows 10 machines to create a hidden remote operating environment.
We first documented the Curly COMrades threat actor's core toolkit and methodology in August 2025. Subsequent research revealed additional details and tooling. The most notable finding is the abuse of legitimate virtualization technologies, demonstrating how threat actors are innovating to bypass standard EDR solutions now that those solutions have become commodity tools.
The attackers enabled the Hyper-V role on selected systems to deploy a minimal, Alpine Linux-based virtual machine. This hidden environment hosted their custom reverse shell, CurlyShell, and a reverse proxy, CurlCat. By isolating the malware and its execution environment inside a VM, the attackers effectively bypassed the behavioral and static components of many traditional host-based security tools, which only see the host's own processes and files.
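A defender-side check for the setup described above, as an added example that is not part of the original research or its IOC list: a hunting script for a Windows 10 endpoint where the organization's baseline does not expect the Hyper-V role. It reports the feature state, the VMMS service, any registered VMs, and recent Hyper-V management log entries so an analyst can spot a VM that nobody provisioned. Only built-in Windows cmdlets are used; the thresholds and the assumption that Hyper-V is not sanctioned on workstations are ours.

```powershell
# hunt-hiddenvm.ps1 - surface unexpected Hyper-V usage on a Windows 10 workstation.
# Assumption (ours): Hyper-V is not part of the workstation baseline, so any
# enabled feature, running VMMS service, or registered VM is worth triage.
$findings = @()

# 1. Is the Hyper-V optional feature enabled at all?
$feat = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    $findings += "Hyper-V feature is ENABLED on $env:COMPUTERNAME"
}

# 2. Is the Virtual Machine Management Service present/running?
$vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
if ($vmms) {
    $findings += "vmms service present, status: $($vmms.Status)"
}

# 3. Enumerate registered VMs (requires the Hyper-V PowerShell module).
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in Get-VM -ErrorAction SilentlyContinue) {
        $disks = (Get-VMHardDiskDrive -VMName $vm.Name -ErrorAction SilentlyContinue).Path -join ';'
        $nics  = (Get-VMNetworkAdapter -VMName $vm.Name -ErrorAction SilentlyContinue).SwitchName -join ';'
        $findings += "VM '$($vm.Name)' state=$($vm.State) gen=$($vm.Generation) disks=[$disks] switches=[$nics]"
    }
}

# 4. Pull recent Hyper-V management events; VM creation/start activity lands here.
$log = 'Microsoft-Windows-Hyper-V-VMMS-Admin'
$events = Get-WinEvent -LogName $log -MaxEvents 25 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $findings += "[$($e.TimeCreated)] id=$($e.Id) $($e.Message -split "`n" | Select-Object -First 1)"
}

if ($findings.Count -eq 0) {
    Write-Output "No Hyper-V artifacts found on $env:COMPUTERNAME"
} else {
    Write-Output "Hyper-V artifacts on $env:COMPUTERNAME (review against baseline):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it elevated; correlate any VM or feature enablement with change records, and treat an unexplained Linux guest on a user workstation as a priority for disk and memory acquisition.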
For a full breakdown of the threat, including enriched data and comprehensive analysis, you can read our complete research report and check our Threat Intelligence Platform.
Read the full research here: https://bitdefend.me/4nEnEQv
Explore enriched data on our IntelliZone Platform: https://bitdefend.me/4qIxeVb
Access list of Indicators of Compromise (IOCs) on GitHub: https://bitdefend.me/3JFF8Ot
📅 On November 13, we invite you to join our LinkedIn Live discussion, where our experts will provide a full breakdown of the Curly COMrades research and answer your questions. We're excited to welcome the Bitdefender Labs researcher who led the forensic analysis, who will join us in the chat, giving you a rare opportunity to ask technical questions about the research, or even about what it's really like to work in cybersecurity forensics.
Join the conversation here: Ctrl-Alt-DECODE | Ep. 3 | Curly COMrades: Hyper-V Isolation for EDR Evasion
Thank you for reading our newsletter, designed to provide you with exclusive threat intelligence, original research, and actionable advisories directly from Bitdefender Labs and MDR. We want to be clear that this is not a sales or marketing publication; it is a resource dedicated to providing only relevant, technical, and actionable threat intelligence. We invite you to subscribe, share this newsletter with your network, and tell us how we're doing at ✉️ decode@bitdefender.com.