How Do Pro-Russian Hackers Hide in Windows with Linux VMs?

Today, we’re sitting down with Dominic Jainy, a seasoned IT professional with deep expertise in artificial intelligence, machine learning, and blockchain, who has been closely following emerging cybersecurity threats. With a keen interest in how cutting-edge technologies intersect with security challenges, Dominic offers a unique perspective on the evolving tactics of threat actors. In this interview, we dive into the sophisticated methods of a pro-Russian hacker group known as the “Curly COMrades,” exploring their use of Linux virtual machines on Windows systems for espionage, the custom tools they deploy, and the broader implications for endpoint security. We’ll unpack the innovative ways they evade detection and discuss what organizations can do to protect themselves against such advanced threats.

Can you give us an overview of who the “Curly COMrades” are and what drives their operations?

Sure, the “Curly COMrades” are a threat actor group aligned with Russian geopolitical interests, primarily focused on espionage and maintaining long-term, covert access to targeted networks. Unlike many cybercriminals who aim for quick financial gain or disruption, this group prioritizes staying under the radar for extended periods. Their activities suggest a strategic intent to gather intelligence or influence outcomes in geopolitical hotbeds. They’ve been on the radar of security researchers for a while, with initial reports surfacing a few months ago, and their tactics have evolved to include some really sophisticated persistence mechanisms.

How are these hackers leveraging Linux-based virtual machines on Windows devices to carry out their attacks?

What they’re doing is pretty clever. They compromise Windows systems and then enable Hyper-V, a legitimate virtualization feature, to set up lightweight Linux virtual machines—specifically, a minimal Alpine Linux setup. This VM takes up just 120MB of disk space and 256MB of memory, making it barely noticeable. Inside this hidden environment, they run custom tools for command-and-control and traffic tunneling. By operating from within a VM, they create a layer of separation from the host system, which makes their activities much harder to detect by standard security tools.

Can you tell us more about the custom tools they use, like CurlyShell and CurlCat, and how they contribute to their stealth?

Absolutely. CurlyShell is a reverse shell they’ve built for persistent communication with their command-and-control servers. It allows them to execute commands remotely while keeping a low profile, since it’s running inside the VM rather than directly on the Windows host. Then there’s CurlCat, which acts as a reverse proxy to tunnel and mask their traffic. By routing malicious communications through this tool, they make it look like normal activity coming from the host’s legitimate IP address. This combo is a big deal because it helps them blend in and avoid raising red flags with network monitoring tools.

Why is running a Linux VM such an effective strategy for evading traditional endpoint detection and response tools?

It’s effective because most endpoint detection and response, or EDR, solutions are designed to monitor the host operating system directly. When malicious activity runs inside a virtual machine, it’s often outside the visibility of these tools. The VM acts like a black box—EDR might not even know it’s there, let alone inspect what’s happening inside. Plus, any outbound traffic looks like it’s coming from the host itself, which is usually trusted. This setup bypasses behavioral analysis, signature-based detection, and even memory scanning that EDRs rely on, making it a real challenge to catch.

The group also uses PowerShell scripts in their attacks. Can you explain what these scripts do and how they help with persistence?

They’ve got a couple of notable PowerShell scripts in their toolkit. One injects a Kerberos ticket into the Local Security Authority Subsystem Service, or LSASS, which is a critical Windows process for authentication. This lets them authenticate remotely and execute commands across the network without needing to steal credentials each time. The other script creates a local account on domain-joined machines, which ensures they have a backdoor for access even if other entry points are closed off. Both of these help them maintain a foothold in the network over long periods, which is core to their espionage goals.

How does the approach of Curly COMrades compare to other threat actors you’ve encountered or studied?

While the individual pieces of their strategy aren’t entirely new—virtualization has been used before, like in ransomware attacks to run encryptors—the way Curly COMrades combine these tactics is pretty unique. Deploying a dedicated, minimal Linux VM specifically for long-term command-and-control is a step beyond what we’ve typically seen. It’s not just about evasion; it’s about complete isolation from the host’s security mechanisms. This level of sophistication and focus on covert persistence sets them apart and signals a worrying trend toward more advanced, hard-to-detect operations.

What can organizations do to protect themselves against threats like those posed by Curly COMrades?

Organizations need to move beyond relying on a single layer of security and adopt a defense-in-depth approach. That means combining endpoint protection with network security tools that can spot unusual traffic patterns, even if they’re coming from a seemingly legitimate source. Monitoring for abnormal access to processes like LSASS or unexpected Kerberos ticket creation is also key, since these happen outside the VM and are detectable. For smaller organizations, managed detection and response services can provide the expertise and resources they might lack in-house. Ultimately, it’s about designing your entire environment to be hostile to attackers—hardening systems, restricting access, and staying proactive.

What is your forecast for the future of endpoint security in light of evolving tactics like these?

I think we’re going to see endpoint security become much more dynamic and integrated with other layers of defense. As threat actors like Curly COMrades get better at evading traditional tools, we’ll need solutions that can peer into virtualized environments and analyze behavior at both the host and network levels. AI and machine learning will play a bigger role in identifying anomalies that humans or static rules might miss. But it’s also a cat-and-mouse game—attackers will keep innovating, so the focus has to be on resilience and rapid response, not just prevention. I expect we’ll see a push toward zero-trust architectures and more emphasis on continuous monitoring to stay ahead of these sophisticated threats.
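The defensive advice above (inventory Hyper-V on the host, treat unusually small VMs as suspicious, and watch for LSASS access and unexpected local account creation outside the VM) condensed into a single host-side check. This is an added example, not code from the interview or from the researchers who reported the group. It assumes it runs elevated on a Windows host, that the Hyper-V PowerShell module is available when the role is enabled, that Sysmon is installed for the LSASS-access check, and the memory and disk thresholds are illustrative, taken from the 256MB/120MB figures quoted in the interview.

```powershell
# Added example (not from the interview): surface indicators a hidden Linux VM
# and its follow-on activity leave on the Windows HOST, where EDR can still see them.
# Assumes: elevated session; Hyper-V module present if the role is enabled;
# Sysmon present for the LSASS check. Thresholds are illustrative.
[CmdletBinding()]
param(
    [int64]$MaxMemoryBytes = 256MB,   # interview: VM uses ~256MB RAM
    [int64]$MaxDiskBytes   = 200MB,   # interview: VM uses ~120MB disk; allow headroom
    [int]$LookbackHours    = 24
)

$findings = @()
$since    = (Get-Date).AddHours(-$LookbackHours)

# 1. Is the Hyper-V optional feature enabled at all? On an ordinary workstation
#    that alone is worth a ticket, since the actors enable it themselves.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings += [pscustomobject]@{ Check = 'HyperVEnabled'; Detail = 'Microsoft-Hyper-V-All is enabled' }
}

# 2. Enumerate VMs and flag tiny ones (small RAM and small backing disk).
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in Get-VM) {
        $diskBytes = 0
        foreach ($drive in Get-VMHardDiskDrive -VMName $vm.Name) {
            if ($drive.Path -and (Test-Path $drive.Path)) {
                $diskBytes += (Get-Item $drive.Path).Length
            }
        }
        if ($vm.MemoryStartup -le $MaxMemoryBytes -and $diskBytes -le $MaxDiskBytes) {
            $findings += [pscustomobject]@{
                Check  = 'SmallVM'
                Detail = "VM '$($vm.Name)' state=$($vm.State) " +
                         "mem=$([math]::Round($vm.MemoryStartup / 1MB))MB " +
                         "disk=$([math]::Round($diskBytes / 1MB))MB"
            }
        }
    }
}

# 3. Security log on the host: local account creation (4720) and logons with
#    explicit/new credentials (4624 with LogonType 9), both visible outside the VM.
try {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4624; StartTime = $since } -ErrorAction Stop
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($e.Id -eq 4720) {
            $findings += [pscustomobject]@{ Check = 'LocalAccountCreated'; Detail = "$($e.TimeCreated.ToString('s')) target=$($data['TargetUserName']) by=$($data['SubjectUserName'])" }
        }
        elseif ($e.Id -eq 4624 -and $data['LogonType'] -eq '9') {
            $findings += [pscustomobject]@{ Check = 'NewCredentialsLogon'; Detail = "$($e.TimeCreated.ToString('s')) user=$($data['TargetUserName']) process=$($data['ProcessName'])" }
        }
    }
} catch { }

# 4. Sysmon Event ID 10 (ProcessAccess) with lsass.exe as the target: the
#    interview's Kerberos ticket injection has to touch LSASS on the host.
try {
    $sysmon = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = $since } -ErrorAction Stop
    foreach ($e in $sysmon) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetImage'] -like '*\lsass.exe') {
            $findings += [pscustomobject]@{ Check = 'LsassAccess'; Detail = "$($e.TimeCreated.ToString('s')) $($data['SourceImage']) -> lsass.exe GrantedAccess=$($data['GrantedAccess'])" }
        }
    }
} catch { }

if ($findings.Count -eq 0) { Write-Output "No indicators found in the last $LookbackHours hours." }
else { $findings | Format-Table -AutoSize }
```

Run it on a workstation fleet as a scheduled collection job rather than once; the useful signal is a machine that newly enables Hyper-V or acquires a sub-300MB VM, so compare each run against the previous baseline. The Kerberos side is only partly visible here: ticket requests themselves (4768/4769) are logged on the domain controllers, so pair this host check with DC-side monitoring for ticket requests that do not line up with interactive logons.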
