Georgian government organizations: Russian hackers hit Windows machines via Linux VMs with new custom malware

Russian Hackers Use Linux VMs on Windows to Evade Detection in Cyber Espionage Campaign

Security researchers from Bitdefender, in collaboration with Georgia’s Computer Emergency Response Team (CERT), have uncovered a sophisticated cyber espionage campaign by the Russian hacking group Curly COMrades, targeting institutions in Georgia and Moldova since July 2025.

The attackers exploited Microsoft Hyper-V virtualization on Windows hosts to deploy Alpine Linux-based virtual machines (VMs) containing reverse-shell malware, including CurlyShell and CurlCat. By configuring the VMs to route traffic through the host’s Default Switch network adapter, the hackers masked malicious outbound communications, making them appear as legitimate host activity. This technique effectively bypassed host-based EDR (Endpoint Detection and Response) defenses.
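The masking works because Hyper-V's Default Switch is a NAT switch: guest traffic leaves through the host's own IP address, so a host-only view of network connections attributes it to the host. A practical first check for defenders is therefore an inventory of which Hyper-V VMs exist on a Windows endpoint and which of them sit on the Default Switch. The script below is an added example written for this page; it is not code from Bitdefender, Georgia's CERT or the article. It assumes the Hyper-V PowerShell module is installed, that it runs elevated, and that the `$expectedVMs` list is a placeholder the reader replaces with their own VM baseline.

```powershell
# Added defensive hunt (not from the article or Bitdefender): list Hyper-V VMs
# on this host and flag unexpected VMs attached to the 'Default Switch' NAT
# network, the attachment described in the campaign summary. Run elevated;
# requires the Hyper-V PowerShell module (Hyper-V management tools).

$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
if ($feature.State -ne 'Enabled') {
    Write-Output "Hyper-V is not enabled on $env:COMPUTERNAME; nothing to inspect."
    return
}

# Baseline of VM names expected on this host. Placeholder value; replace with
# the organisation's own inventory so that only unknown VMs are flagged.
$expectedVMs = @('KNOWN-VM-PLACEHOLDER')

$findings = foreach ($vm in Get-VM) {
    $adapters = Get-VMNetworkAdapter -VMName $vm.Name
    $disks    = Get-VMHardDiskDrive -VMName $vm.Name
    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        VMName          = $vm.Name
        State           = $vm.State
        Generation      = $vm.Generation
        CreationTime    = $vm.CreationTime
        Switches        = ($adapters.SwitchName | Sort-Object -Unique) -join ','
        MACs            = ($adapters.MacAddress) -join ','
        DiskPaths       = ($disks.Path) -join ','
        # Default Switch traffic is NATed through the host, so it shows up as
        # host-originated in host-only telemetry.
        OnDefaultSwitch = [bool]($adapters | Where-Object SwitchName -eq 'Default Switch')
        Unexpected      = $expectedVMs -notcontains $vm.Name
    }
}

$findings | Format-Table -AutoSize

# Flag the combination that matters for this campaign: a VM nobody provisioned,
# bridged onto the host's NAT network.
$findings | Where-Object { $_.OnDefaultSwitch -and $_.Unexpected } | ForEach-Object {
    Write-Warning "Review VM '$($_.VMName)' on $($_.Host): unexpected VM on Default Switch (disk: $($_.DiskPaths))"
}

# Keep a copy for cross-host comparison or SIEM ingestion.
$findings | Export-Csv -Path "$env:TEMP\hyperv-vm-inventory.csv" -NoTypeInformation
```

Running this across a fleet and diffing the CSVs against a known baseline turns a one-off check into a recurring control; the VHD paths and creation times are the fields most worth correlating with the PowerShell and Hyper-V management event logs when an unexpected VM turns up.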

The campaign involved PowerShell scripts for remote authentication and arbitrary command execution, enabling persistent access. While Curly COMrades’ activities align with Russian geopolitical interests, no direct link to known Russian APT groups has been established. Victims included Georgian government and judicial organizations and Moldovan energy companies, though specific entities were not disclosed.

First identified in 2024, the group’s focus on Georgia, a country with Russian-backed breakaway regions, suggests strategic surveillance of diplomatic and security efforts. The use of VMs to conceal malware execution represents an escalation in evasion tactics, complicating detection for traditional security tools.

Source: https://www.techradar.com/pro/security/russian-hackers-hit-windows-machines-via-linux-vms-with-new-custom-malware

Georgia Technology Authority (GTA) cybersecurity rating report: https://www.rankiteo.com/company/georgia-technology-authority

{
  "id": "GEO1773194386",
  "linkid": "georgia-technology-authority",
  "type": "Cyber Attack",
  "date": "11/2025",
  "severity": "100",
  "impact": "6",
  "explanation": "Attack threatening the economy of geographical region"
}

{
  "affected_entities": [
    {"industry": "Government", "location": "Georgia", "type": "Government and Judicial Organizations"},
    {"industry": "Energy", "location": "Moldova", "type": "Energy Companies"}
  ],
  "attack_vector": ["Virtualization Exploitation", "Reverse-Shell Malware", "PowerShell Scripts"],
  "date_detected": "2025-07",
  "description": "Security researchers from Bitdefender, in collaboration with Georgia’s Computer Emergency Response Team (CERT), have uncovered a sophisticated cyber espionage campaign by the Russian hacking group Curly COMrades, targeting institutions in Georgia and Moldova since July 2025. The attackers exploited Microsoft Hyper-V virtualization on Windows hosts to deploy Alpine Linux-based virtual machines (VMs) containing reverse-shell malware, including CurlyShell and CurlCat. By configuring the VMs to route traffic through the host’s Default Switch network adapter, the hackers masked malicious outbound communications, making them appear as legitimate host activity. This technique effectively bypassed host-based EDR (Endpoint Detection and Response) defenses. The campaign involved PowerShell scripts for remote authentication and arbitrary command execution, enabling persistent access. Victims included Georgian government and judicial organizations and Moldovan energy companies.",
  "motivation": "Geopolitical surveillance",
  "post_incident_analysis": {
    "root_causes": "Exploitation of Microsoft Hyper-V virtualization to deploy Linux VMs with reverse-shell malware, evading EDR detection"
  },
  "references": [{"source": "Bitdefender"}],
  "response": {"third_party_assistance": "Bitdefender, Georgia’s CERT"},
  "threat_actor": "Curly COMrades",
  "title": "Russian Hackers Use Linux VMs on Windows to Evade Detection in Cyber Espionage Campaign",
  "type": "Cyber Espionage",
  "vulnerability_exploited": "Microsoft Hyper-V virtualization"
}