Russian hackers are bypassing antivirus software to carry out cyber-espionage in Georgia and Moldova

Cybersecurity researchers have uncovered a new espionage campaign linked to a Russian hacker group known as Curly COMrades. According to Romanian firm Bitdefender, the attackers found a way to bypass antivirus software by hiding their malware inside virtual machines — special programs that allow a computer to emulate multiple systems at once, as reported by The Record.

The hackers use a built-in Windows feature, Hyper-V, to create a small virtual machine running Alpine Linux. It occupies only about 120 megabytes and houses two malicious tools — CurlyShell and CurlCat. These programs give the attackers control of infected computers and let them steal data quietly.

Bitdefender experts explained that this technique helps the attackers remain undetected because antivirus and security systems most often inspect only the host operating system and do not see what is happening inside the virtual machines.
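As an added example (not from the article or from Bitdefender's report), the script below is a triage check a defender can run on a Windows workstation where no Hyper-V virtual machines are expected: it reports the Hyper-V feature state and the VM management service, lists every registered VM with its virtual disks, and flags disks that are unusually small, since the VM described above is only about 120 MB. It assumes an elevated PowerShell session on a Windows host; the 512 MB threshold is an assumption to tune per fleet.

```powershell
# Added triage example, not code from the article or Bitdefender's report.
# Assumption: run elevated on Windows; the threshold below is arbitrary.
$SmallDiskThresholdBytes = 512MB

# 1. Is the Hyper-V optional feature enabled at all on this endpoint?
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V
Write-Output ("Hyper-V feature state: {0}" -f $feature.State)

# 2. Is the Virtual Machine Management service present and running?
$vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
if ($vmms) { Write-Output ("vmms service: {0}" -f $vmms.Status) }
else       { Write-Output "vmms service: not installed" }

# Nothing more to enumerate if the feature is off.
if ($feature.State -ne 'Enabled') { return }

# 3. Enumerate registered VMs and their virtual disks; on a workstation that
#    should have none, any entry here deserves a look.
Import-Module Hyper-V -ErrorAction Stop
foreach ($vm in Get-VM) {
    Write-Output ("VM '{0}': state={1} created={2} path={3}" -f `
        $vm.Name, $vm.State, $vm.CreationTime, $vm.Path)

    foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name) {
        $size = (Get-Item -LiteralPath $disk.Path -ErrorAction SilentlyContinue).Length
        $flag = ''
        if ($size -and $size -lt $SmallDiskThresholdBytes) {
            $flag = '  <-- unusually small disk, review'
        }
        Write-Output ("    disk {0} ({1:N0} bytes){2}" -f $disk.Path, $size, $flag)
    }
}
```

Feeding the output into endpoint inventory lets you alert when Hyper-V turns up enabled, or a VM appears, on machines that have no business running one.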

According to the researchers, the campaign has been active since July 2025. Curly COMrades previously attacked government and judicial institutions in Georgia and an energy company in Moldova. Although victim names are not disclosed in the new report, the investigation involved Georgia’s computer emergency response team, CERT-GE.

Later, Georgian authorities seized one of the servers used by the hackers, which allowed investigators to trace their entire infrastructure. Bitdefender notes the group has been active at least since 2024 and targets key organizations in countries experiencing geopolitical shifts. Its actions align with the interests of the Russian government.

Experts say the hackers prefer not to hunt for zero-day vulnerabilities but instead rely on available open tools, betting on stealth, flexibility, and a low risk of detection.
