Security researchers from Bitdefender and the Georgian CERT have exposed a new malware operation by CurlyCOMrades. They discovered that the hacker group deployed reverse-shell malware within Alpine Linux VMs on Windows hosts, targeting institutions in Georgia and Moldova since July 2025.
Exploitation Details
The attackers enabled the host's built-in Hyper-V role while leaving its management interface disabled, so the hypervisor ran without the tooling an administrator would normally use to see it. Inside it they installed an Alpine Linux VM carrying the CurlyShell and CurlCat implants, driven by PowerShell scripts on the host, to provide persistent remote access and command execution.
The VM's network adapter was attached to Hyper-V's Default Switch, so every packet the guest sent was NATed through the host's own network stack and reached the network as ordinary traffic from the host. Because the implants executed inside the guest rather than as host processes, endpoint detection and response (EDR) agents on the Windows host had no process to attribute the connections to, and the command-and-control traffic blended in with the host's legitimate activity.
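The following hunting script is added here as an illustration and is not code from Bitdefender, CERT-GE or the article. It checks a Windows host for the combination described above: the Hyper-V platform enabled with its management features disabled, a guest VM present, a host adapter bound to the Default Switch, and virtual disk files on the system drive. The feature, service, WMI class, adapter and event-log names are the standard Hyper-V ones; the function name, the decision to scan the whole system drive and the output format are my own assumptions, and the exact DISM commands the attackers ran are not given on this page.

```powershell
# Added hunting script (not from the article or the researchers it cites).
# Run from an elevated PowerShell session on the Windows host being examined.

function Invoke-HiddenHyperVHunt {
    [CmdletBinding()]
    param(
        # The article does not name the VM's storage path, so the whole system
        # drive is scanned for virtual disks (assumption; slow on large disks).
        [string]$DiskSearchRoot = ($env:SystemDrive + '\')
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Optional-feature state. The suspicious combination is the platform
    #    enabled while every Microsoft-Hyper-V-Management-* feature is disabled.
    $features = Get-WindowsOptionalFeature -Online |
        Where-Object FeatureName -like 'Microsoft-Hyper-V*'
    $platformOn = @($features | Where-Object {
        $_.FeatureName -eq 'Microsoft-Hyper-V' -and $_.State -eq 'Enabled' }).Count -gt 0
    $mgmtOn = @($features | Where-Object {
        $_.FeatureName -like 'Microsoft-Hyper-V-Management*' -and $_.State -eq 'Enabled' }).Count -gt 0
    if ($platformOn -and -not $mgmtOn) {
        $findings.Add('Hyper-V platform enabled but all management features disabled')
    }

    # 2. Hypervisor services running even though no admin tooling is installed.
    foreach ($svc in 'vmms', 'vmcompute') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($s -and $s.Status -eq 'Running') {
            $findings.Add("Service $svc is running")
        }
    }

    # 3. Enumerate guests over WMI rather than Get-VM, because the Hyper-V
    #    PowerShell module is one of the management features an attacker leaves off.
    $guests = Get-CimInstance -Namespace root\virtualization\v2 `
        -ClassName Msvm_ComputerSystem -ErrorAction SilentlyContinue |
        Where-Object Caption -eq 'Virtual Machine'
    foreach ($g in $guests) {
        $findings.Add("Guest VM '$($g.ElementName)' present (EnabledState=$($g.EnabledState))")
    }

    # 4. Host-side vEthernet adapter for the Default Switch, the NAT path the
    #    article says the guest's traffic took.
    $defaultSwitch = Get-NetAdapter -Name 'vEthernet (Default Switch)' -ErrorAction SilentlyContinue
    if ($defaultSwitch) {
        $findings.Add("Default Switch adapter is $($defaultSwitch.Status); guest traffic is NATed through this host")
    }

    # 5. Virtual disk files. Hyper-V's default store is
    #    C:\Users\Public\Documents\Hyper-V\Virtual hard disks; anything elsewhere deserves a look.
    $vhds = Get-ChildItem -Path $DiskSearchRoot -Recurse -Force -Include *.vhd, *.vhdx `
        -ErrorAction SilentlyContinue
    foreach ($v in $vhds) {
        $findings.Add("Virtual disk: $($v.FullName) ($([math]::Round($v.Length / 1MB)) MB)")
    }

    # 6. Recent VMMS admin events, which record VM creation and start even when
    #    the GUI and Get-VM are unavailable on the host.
    $events = Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents 50 `
        -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $firstLine = ($e.Message -split "`n" | Select-Object -First 1)
        $findings.Add("VMMS event $($e.Id) at $($e.TimeCreated): $firstLine")
    }

    return $findings
}

# Usage: print one finding per line.
Invoke-HiddenHyperVHunt | ForEach-Object { Write-Output $_ }
```

On a clean workstation the first check should not fire and steps 3 to 6 should return nothing; a host where the platform is on, the management features are off, a guest shows up through WMI and a .vhdx sits somewhere unusual matches the pattern this campaign relied on, and the VMMS log then gives the creation time to pivot from.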
Implications and Findings
The malware affected governmental and judicial bodies in Georgia and energy firms in Moldova. Though the exact victims are not named, Bitdefender assesses that the campaign's targeting is consistent with Russian state interests, while noting that there is no direct evidence tying the group to the Russian government.
CurlyCOMrades, first identified in 2024, continue to pose a significant threat; their use of virtualization and network-level tradecraft complicates detection and raises the need for closer monitoring in the targeted regions.