攻击活动核心特征
- 组织背景
- 首次于2025年8月由Bitdefender披露
- 主要攻击目标:格鲁吉亚和摩尔多瓦
- 活动时间线:自2023年底持续活跃
- 地缘政治关联:评估显示与俄罗斯利益保持一致
- 技术突破
- 创新性地利用Hyper-V虚拟化技术
- 部署极简Alpine Linux虚拟机(120MB磁盘/256MB内存)
- 成功绕过传统主机EDR检测机制
- 建立隐蔽的持久化操作环境
- 工具链组成
- 核心工具:
- CurlyShell:未文档化的ELF反向shell
- CurlCat:定制反向代理工具
- 支持工具:
- RuRat:持久化访问
- Mimikatz:凭据窃取
- MucorAgent:模块化.NET植入程序
- 隧道工具:
- Resocks/Rsockstun/Ligolo-ng等多种代理方案
- 核心工具:
技术实现细节
- 恶意软件特性
- 采用C++编写
- 以后台守护进程模式运行
- 基于HTTP协议进行C2通信(GET/POST)
- 支持加密命令执行
- 攻击架构优势
- 虚拟机隔离有效规避安全检测
- 双工具协同确保操作灵活性
- 模块化设计增强适应性
- 轻量化部署降低被发现概率
防御建议
- 检测重点
- 监控异常Hyper-V活动
- 关注小型Linux虚拟机部署
- 检测异常HTTP双向通信流量
- 防护策略
- 加强虚拟化环境安全监控
- 实施网络层行为分析
- 建立针对性的IoCs检测机制
该攻击活动展示了现代APT组织如何通过创新性的技术手段突破传统防御体系,其虚拟化逃逸技术值得网络安全团队重点关注和防范。
The threat actor known as Curly COMrades has been observed exploiting virtualization technologies as a way to bypass security solutions and execute custom malware.
According to a new report from Bitdefender, the adversary is said to have enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based virtual machine.
“This hidden environment, with its lightweight footprint (only 120MB disk space and 256MB memory), hosted their custom reverse shell, CurlyShell, and a reverse proxy, CurlCat,” security researcher Victor Vrabie, along with Adrian Schipor and Martin Zugec, said in a technical report.
Curly COMrades was first documented by the Romanian cybersecurity vendor in August 2025 in connection with a series of attacks targeting Georgia and Moldova. The activity cluster is assessed to be active since late 2023, operating with interests that are aligned with Russia.
These attacks were found to deploy tools like CurlCat for bidirectional data transfer, RuRat for persistent remote access, Mimikatz for credential harvesting, and a modular .NET implant dubbed MucorAgent, with early iterations dating back all the way to November 2023.
In a follow-up analysis conducted in collaboration with Georgia CERT, additional tooling associated with the threat actor has been identified, alongside attempts to establish long-term access by weaponizing Hyper-V on compromised Windows 10 hosts to set up a hidden remote operating environment.
“By isolating the malware and its execution environment within a VM, the attackers effectively bypassed many traditional host-based EDR detections,” the researchers said. “The threat actor demonstrated a clear determination to maintain a reverse proxy capability, repeatedly introducing new tooling into the environment.”
Besides using Resocks, Rsockstun, Ligolo-ng, CCProxy, Stunnel, and SSH-based methods for proxy and tunneling, Curly COMrades has employed various other tools, including a PowerShell script designed for remote command execution and CurlyShell, a previously undocumented ELF binary deployed in the virtual machine that provides a persistent reverse shell.
Written in C++, the malware is executed as a headless background daemon to connect to a command-and-control (C2) server and launch a reverse shell, allowing the threat actors to run encrypted commands. Communication is achieved via HTTP GET requests to poll the server for new commands and using HTTP POST requests to transmit the results of the command execution back to the server.
“Two custom malware families – CurlyShell and CurlCat – were at the center of this activity, sharing a largely identical code base but diverging in how they handled received data: CurlyShell executed commands directly, while CurlCat funneled traffic through SSH,” Bitdefender said. “These tools were deployed and operated to ensure flexible control and adaptability.”