The threat actor known as Curly COMrades has been observed exploiting virtualization technologies as a way to bypass security solutions and execute custom malware.

According to a new report from Bitdefender, the adversary is said to have enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based virtual machine.

"This hidden environment, with its lightweight footprint (only 120MB disk space and 256MB memory), hosted their custom reverse shell, CurlyShell, and a reverse proxy, CurlCat," security researcher Victor Vrabie, along with Adrian Schipor and Martin Zugec, said in a technical report.

Curly COMrades was first documented by the Romanian cybersecurity vendor in August 2025 in connection with a series of attacks targeting Georgia and Moldov

See Full Page