A Hacker's Matryoshka Doll: Windows inside a PC, Linux inside Windows, a Virus inside Linux — The Antivirus Gave Up

ExcalibuR

The Curly COMrades group has been attacking the infrastructure of Georgia and Moldova since the end of 2023.

Malicious actors from the Curly COMrades group have found a way to hide malicious activity from detection systems by using Windows virtualization capabilities. As discovered by the Bitdefender team, the attackers manually activate the Hyper-V role on compromised devices and deploy a lightweight Alpine Linux-based virtual machine to execute malicious code in an isolated environment.

The virtual machine created in this way takes up only 120 megabytes of disk space and uses only 256 megabytes of RAM. Inside it, a CurlyShell reverse shell and the CurlCat proxy tool are deployed, allowing the attackers to connect to the system and execute commands without directly interacting with the victim's main operating system. This approach hinders the work of traditional detection tools focused on processes within Windows.
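One way a defender can check a Windows 10 workstation for the pattern described above (the Hyper-V role switched on where it has no business being, plus a VM with a very small memory and disk footprint). This is an added audit script, not from the article or from Bitdefender; it assumes an elevated PowerShell session on the host, and the size thresholds it uses are assumptions chosen around the 256 MB / 120 MB figures in the text.

```powershell
# Added example (not part of the original post): audit a Windows host for an
# unexpectedly enabled Hyper-V role and for small-footprint virtual machines.
# Run from an elevated PowerShell session. Thresholds below are assumptions.

$findings    = @()
$maxMemoryMB = 512    # the article's VM used 256 MB of RAM
$maxDiskMB   = 1024   # the article's VM used about 120 MB of disk

# 1. Is the Hyper-V role enabled at all? On a workstation that is not supposed
#    to run VMs, an 'Enabled' state is itself worth a ticket.
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-All'
if ($feature.State -ne 'Enabled') {
    Write-Output "Hyper-V role is not enabled on $env:COMPUTERNAME; nothing further to inspect."
    return
}
$findings += "Hyper-V role is ENABLED on $env:COMPUTERNAME"

# 2. The Hyper-V worker process (vmwp.exe) exists once per running VM.
$workers = Get-Process -Name vmwp -ErrorAction SilentlyContinue
if ($workers) {
    $findings += "Hyper-V worker processes running: $($workers.Count)"
}

# 3. Enumerate registered VMs and flag the ones with a tiny footprint.
#    The Hyper-V module only exists once the role is enabled, so guard the call.
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in Get-VM) {
        $memMB = [math]::Round($vm.MemoryStartup / 1MB)
        $disks = @(Get-VMHardDiskDrive -VMName $vm.Name)

        # Network-attached VMs are the interesting ones for a reverse shell / proxy.
        $nics = @(Get-VMNetworkAdapter -VMName $vm.Name)
        $switches = ($nics | ForEach-Object { $_.SwitchName }) -join ','

        if ($disks.Count -eq 0) {
            $findings += "VM '$($vm.Name)' state=$($vm.State) memMB=$memMB has no disk attached (switch='$switches')"
            continue
        }

        foreach ($d in $disks) {
            $sizeMB = -1
            if (Test-Path -LiteralPath $d.Path) {
                $sizeMB = [math]::Round((Get-Item -LiteralPath $d.Path).Length / 1MB)
            }
            $small = ($memMB -le $maxMemoryMB) -or ($sizeMB -ge 0 -and $sizeMB -le $maxDiskMB)
            if ($small) {
                $findings += ("Small VM '{0}' state={1} created={2} memMB={3} diskMB={4} disk='{5}' switch='{6}'" -f `
                    $vm.Name, $vm.State, $vm.CreationTime, $memMB, $sizeMB, $d.Path, $switches)
            }
        }
    }
}

# 4. Report. Each line is something an analyst should be able to explain.
if ($findings.Count -le 1) {
    Write-Output "Hyper-V is enabled but no small or diskless VMs were found."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

The script deliberately stops at reporting: whether an enabled Hyper-V role is legitimate depends on the host's role in the estate, and the memory and disk thresholds are only a heuristic for the Alpine-sized guest the article describes, so treat a hit as a lead for triage rather than a verdict.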

Curly COMrades has been active since the end of 2023 and was previously linked to cyberattacks on the infrastructure of Georgia and Moldova. In August 2025, Bitdefender first published research describing this group's methods and tools. At that time, the toolkit included CurlCat for bidirectional data transfer, RuRat for remote access, Mimikatz for credential theft, and the modular .NET implant MucorAgent.

A new investigation, conducted in collaboration with the Georgian CERT, revealed the attackers' updated toolkit. On infected Windows 10 systems, the researchers recorded attempts to create isolated virtual environments inside which malicious activity continues. This approach allows the attackers to maintain access to targets even if components of the host system are updated or removed.

Among the tools used is a PowerShell script for remote command execution, as well as a previously unknown Linux executable named CurlyShell. This compact C++ application runs as a background daemon and establishes an encrypted connection with the command-and-control (C2) server, receiving commands via HTTP GET requests and sending results via POST requests.

According to Bitdefender, CurlyShell and CurlCat share a common codebase but differ in how they process received information. The former executes commands directly, while the latter routes traffic through SSH, ensuring flexibility and resilience of communication channels. Additionally, the threat actors use proxies and tunneling through tools like Resocks, Ligolo-ng, CCProxy, Stunnel, and others, striving to conceal their actions as much as possible.