Curly COMrades: Hidden Hyper-V VM Operation

Tags: Curly COMrades, Hyper-V, Virtual Machine, Evasion, Kerberos, Cyber Espionage
Curly COMrades is a cyber-espionage campaign that hides its malware inside a minimal Alpine Linux virtual machine running on Hyper-V. The actor enables the Hyper-V role on a compromised Windows host, creates a small VM that passes for the Windows Subsystem for Linux (WSL), and runs two ELF implants inside it, CurlyShell and CurlCat, so that command-and-control and tunneling traffic originates from the guest rather than from a process on the host. PowerShell scripts provide persistence, and Kerberos authentication and local accounts support lateral movement.
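The chain described above (enable Hyper-V, stand up a small guest that passes for WSL, run the implants inside it) leaves a short sequence of command lines on the host. The following is an added example, not code from the report or from the actor's tooling, that hunts for that chain in process-creation telemetry. The record shape (Windows Security 4688 / Sysmon Event 1 style), the 24-hour correlation window, the cmdlet patterns and the "wsl" name check are assumptions, and every record is constructed.

```python
"""Hunt for the hidden-Hyper-V-VM pattern in endpoint command-line telemetry.

Added example, not code from the report or the actor's tooling. It assumes
process-creation records in the shape of Windows Security 4688 / Sysmon
Event 1 (timestamp, host, user, command line). The rules are generic: any
Hyper-V feature enablement, any Hyper-V VM lifecycle cmdlet, and a VM name
that passes for WSL. All records below are constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hyper-V being switched on from the command line (PowerShell, DISM or
# Server Manager cmdlets).
HYPERV_ENABLE = re.compile(
    r"Enable-WindowsOptionalFeature.*Microsoft-Hyper-V"
    r"|dism(\.exe)?\b.*/enable-feature.*Microsoft-Hyper-V"
    r"|Install-WindowsFeature\b.*Hyper-V",
    re.I,
)
# Cmdlets that create, import or start a guest.
VM_LIFECYCLE = re.compile(r"\b(New-VM|Import-VM|Start-VM|New-VHD)\b", re.I)
VM_NAME = re.compile(r"-Name\s+['\"]?([\w.-]+)", re.I)
# Assumption: the report only says the VM "looks like WSL"; the exact name
# is not on this page, so match any name beginning with "wsl".
WSL_LOOKALIKE = re.compile(r"^wsl", re.I)

# Constructed telemetry: a developer enabling Hyper-V for a lab VM (benign)
# and a file server where Hyper-V is enabled and a "WSL" guest is started
# minutes later from a SYSTEM context.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T08:01:00", "host": "dev01", "user": r"CORP\alice",
     "cmd": "powershell.exe Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All"},
    {"ts": "2025-01-12T14:00:00", "host": "dev01", "user": r"CORP\alice",
     "cmd": "powershell.exe New-VM -Name ubuntu-lab -MemoryStartupBytes 4GB -Generation 2"},
    {"ts": "2025-01-15T02:13:04", "host": "fs02", "user": r"NT AUTHORITY\SYSTEM",
     "cmd": "dism.exe /online /enable-feature /featurename:Microsoft-Hyper-V /all /norestart /quiet"},
    {"ts": "2025-01-15T02:20:41", "host": "fs02", "user": r"NT AUTHORITY\SYSTEM",
     "cmd": r"powershell.exe -w hidden Import-VM -Path C:\ProgramData\WSL\WSL.vmcx; Start-VM -Name WSL"},
]


@dataclass
class Finding:
    host: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # One indicator alone (e.g. a developer enabling Hyper-V) is noise;
        # two or more on the same host within the window is worth a look.
        return "high" if len(self.reasons) >= 2 else "low"


def hunt(events, window=timedelta(hours=24)):
    """Return one Finding per host that shows the enable-then-run-a-VM chain."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)

    findings = []
    for host, evs in by_host.items():
        reasons = []

        def add(reason):
            if reason not in reasons:
                reasons.append(reason)

        enabled_at = None
        for ev in evs:
            ts = datetime.fromisoformat(ev["ts"])
            if HYPERV_ENABLE.search(ev["cmd"]):
                enabled_at = ts
                continue
            if not VM_LIFECYCLE.search(ev["cmd"]):
                continue
            if enabled_at is not None and ts - enabled_at <= window:
                add(f"Hyper-V enabled then VM cmdlet within {window}: {ev['cmd']}")
            name = VM_NAME.search(ev["cmd"])
            if name and WSL_LOOKALIKE.match(name.group(1)):
                add(f"VM name impersonates WSL: {name.group(1)}")
            if ev["user"].upper().endswith("\\SYSTEM"):
                add("VM managed from a SYSTEM context, not an interactive user")
        if reasons:
            findings.append(Finding(host, reasons))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host}: {f.severity}")
        for r in f.reasons:
            print("  -", r)
```

The developer host produces no finding because its VM creation falls outside the window and carries neither a WSL-style name nor a SYSTEM context; the file server collects all three indicators. In production the same rules would be fed from the SIEM rather than the inline list, and a VM named exactly "WSL" on a host that has never run WSL is the detail worth confirming by hand.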

Indicators of Compromise

No domains found for this campaign

APT Groups (1)

Curly COMrades (Russia)

Overview: Curly COMrades is a Russian-speaking threat actor group with links to disinformation campaigns and coordinated cyber operations across Eastern Europe. The group is suspected of running influence operations in parallel with traditional espionage.

Key Characteristics:
- Focuses on psychological operations, information warfare, and cyber influence
- Uses custom implants and credential-harvesting tools
- Operates under personas aligned with hacktivist or pro-Russian themes

Indicators of Attack (IoA):
- Use of phishing pages mimicking NATO and EU entities
- Deployment of backdoors and web shell scripts
- Hosting of fake news content on compromised media sites

Recent Activities and Trends:
- Disinformation around the Ukraine conflict
- Credential phishing targeting government officials
- Telegram-based coordination with other aligned actors

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

T1543.003 - Create or Modify System Process: Windows Service

ID: DET0552
Name: Detection of Windows Service Creation or Modification
Analytic ID: AN1527
Analytic Description: Detects creation or modification of Windows Services through command-line tools (e.g., sc.exe, powershell.exe), Registry key changes under HKLM\System\CurrentControlSet\Services, and service execution under SYSTEM with unsigned or anomalous binary paths. Detects privilege escalation via driver installation or CreateServiceW usage. Correlates parent-child lineage, startup behavior, and rare service names.
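A scorer for the AN1527 indicators, as an added example (not MITRE's or any vendor's detection code): each service-installation record is assumed to be a System log 7045 event enriched with the process that registered the service (from 4688/Sysmon lineage) and an Authenticode verdict on the service binary; the weights, the trusted roots, the rarity threshold and the sample fleet are assumptions constructed here.

```python
r"""Score Windows service-installation events against the AN1527 analytic.

Added example, not MITRE's or any vendor's detection code. It assumes each
record is a System log 7045 "A service was installed" event enriched with
the process that registered the service (from 4688/Sysmon lineage) and an
Authenticode verdict on the service binary; a registry write under
HKLM\SYSTEM\CurrentControlSet\Services would feed the same scorer. All
sample records are constructed.
"""
from collections import defaultdict
import ntpath

TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
CLI_INSTALLERS = {"sc.exe", "powershell.exe", "pwsh.exe", "reg.exe", "cmd.exe"}
SYSTEM_ACCOUNTS = {"localsystem", "nt authority\\system"}
ALERT_THRESHOLD = 3

# Constructed fleet of five events: a packaged agent rolled out by MSI on
# three hosts, the Hyper-V management service on fs02, and an unsigned
# "WSLUpdate" service registered by PowerShell on the same host.
SAMPLE_EVENTS = [
    {"host": h, "service_name": "CorpAgent", "account": "LocalSystem", "signed": True,
     "image_path": r'"C:\Program Files\CorpAgent\agent.exe" -service',
     "creator_image": r"C:\Windows\System32\msiexec.exe"}
    for h in ("ws01", "ws02", "ws03")
] + [
    {"host": "fs02", "service_name": "vmms", "account": "LocalSystem", "signed": True,
     "image_path": r"C:\Windows\System32\vmms.exe",
     "creator_image": r"C:\Windows\servicing\TrustedInstaller.exe"},
    {"host": "fs02", "service_name": "WSLUpdate", "account": "LocalSystem", "signed": False,
     "image_path": r"C:\ProgramData\WSL\wslsvc.exe -k netsvcs",
     "creator_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def binary_path(image_path: str) -> str:
    """Strip arguments from an ImagePath, honouring a quoted path with spaces."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def score_event(ev, hosts_per_service, rare_threshold=2):
    """Weighted indicators from the analytic; returns (score, reasons)."""
    path = binary_path(ev["image_path"]).lower()
    creator = ntpath.basename(ev["creator_image"]).lower()
    checks = [
        (creator in CLI_INSTALLERS, 2, f"registered by command-line tool {creator}"),
        (not path.startswith(TRUSTED_ROOTS), 1, f"binary outside trusted roots: {path}"),
        (not ev["signed"], 2, "service binary is unsigned"),
        (ev["account"].lower() in SYSTEM_ACCOUNTS, 1, "runs as SYSTEM"),
        (hosts_per_service[ev["service_name"].lower()] < rare_threshold, 1,
         "service name is rare across the fleet"),
    ]
    hits = [(w, why) for hit, w, why in checks if hit]
    return sum(w for w, _ in hits), [why for _, why in hits]


def evaluate(events, threshold=ALERT_THRESHOLD):
    """Baseline service-name prevalence over the fleet, then score each event."""
    hosts = defaultdict(set)
    for ev in events:
        hosts[ev["service_name"].lower()].add(ev["host"])
    prevalence = defaultdict(int, {name: len(h) for name, h in hosts.items()})
    alerts = []
    for ev in events:
        score, reasons = score_event(ev, prevalence)
        if score >= threshold:
            alerts.append({"host": ev["host"], "service": ev["service_name"],
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a['host']} {a['service']} score={a['score']}")
        for r in a["reasons"]:
            print("  -", r)
```

Prevalence is computed over the whole batch first, so the rare-name indicator only means something when the batch covers a representative slice of the fleet; on a single host every name is rare, which is why rarity plus SYSTEM alone stays below the alert threshold (the vmms entry on fs02 scores 2) while the PowerShell-registered, unsigned binary under ProgramData scores 7.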


T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions

ID: DET0450
Name: Detection Strategy for Kernel Modules and Extensions Autostart Execution
Analytic ID: AN1243 (Linux)
Analytic Description: Monitor kernel module load/unload activity via modprobe, insmod, rmmod, or direct manipulation of /lib/modules. Correlate with installation of kernel headers, compilation commands, or downloads of .ko files. Detect anomalies in unsigned module loading or repeated module load attempts under non-root users.
Analytic ID: AN1244 (macOS)
Analytic Description: Detect user-initiated kextload commands or modifications to /Library/Extensions. Correlate with changes to the KextPolicy database or unauthorized developer signing identities. Alert on attempts to disable SIP or load legacy extensions from unsigned sources.





Observed Countries (2)

GE - Georgia (788)
MD - Moldova (512)