Evasion and Persistence via Hidden Hyper-V Virtual Machines

released on 2025-11-05 @ 09:27:49 AM
This investigation uncovered new tools and techniques used by the Curly COMrades threat actor to establish covert, long-term access to victim networks. On compromised Windows 10 machines the attackers enabled the built-in Hyper-V role (a legitimate Windows feature, not a vulnerability) and used it to stand up a hidden remote operating environment: a minimal Alpine Linux virtual machine hosting custom malware for reverse shell and proxy operations. Because that malware executed inside the guest rather than on the Windows host, it sat outside the visibility of host-based EDR, which effectively bypassed traditional endpoint detections. The threat actor also maintained persistence through PowerShell scripts, Kerberos ticket manipulation, and the creation of local accounts. International collaboration with the Georgian CERT aided analysis of the command and control infrastructure.
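A hunting script for the technique summarised above, added here as an example (it is not the threat actor's tooling and not code from the original report). It assumes it is run as a local administrator in PowerShell 5.1 or later on the suspect Windows host; the Hyper-V PowerShell module may be absent, so it falls back to WMI. The search roots, the 30-day window and the Security event field positions are assumptions made for this example.

```powershell
# Hunting script: surface signs of a covert Hyper-V guest and the persistence channels
# named in the report (PowerShell scripts, local account creation) on a Windows 10/11 host.
# Added example, not the actor's or the vendor's code. Run as a local administrator.

$Report = [ordered]@{}

# 1. Is the Hyper-V platform enabled at all? On an ordinary user workstation this alone is a lead.
$Report.HyperVFeatures = Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -like 'Microsoft-Hyper-V*' } |
    Select-Object FeatureName, State

# 2. The VM management service and per-guest worker processes: every running guest has its own vmwp.exe.
$Report.VmmsService = Get-Service -Name vmms -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
$Report.VmWorkerProcesses = Get-Process -Name vmwp -ErrorAction SilentlyContinue |
    Select-Object Id, StartTime, Path

# 3. Ask the hypervisor for its guests. Use the Hyper-V module if present, otherwise the
#    root\virtualization\v2 WMI namespace, which answers even when the management tools were never installed.
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    $Report.VMs = Get-VM | Select-Object Name, State, Path, CreationTime
} else {
    $Report.VMs = Get-CimInstance -Namespace root\virtualization\v2 -ClassName Msvm_ComputerSystem -ErrorAction SilentlyContinue |
        Where-Object { $_.Caption -eq 'Virtual Machine' } |
        Select-Object ElementName, EnabledState, InstallDate   # EnabledState 2 = running
}

# 4. VM configuration and disk files on the filesystem, in the default store and a few roots an
#    attacker might prefer (assumed list; extend for your environment).
$roots = @("$env:ProgramData\Microsoft\Windows\Hyper-V", "$env:PUBLIC", "$env:ProgramData", 'C:\Users')
$Report.VmFiles = foreach ($r in $roots) {
    if (Test-Path $r) {
        Get-ChildItem -Path $r -Recurse -Include *.vmcx, *.vhdx, *.vhd -File -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime
    }
}

# 5. Local accounts touched recently, plus account-creation events (4720) from the Security log.
$since = (Get-Date).AddDays(-30)   # assumed look-back window
$Report.RecentLocalUsers = Get-LocalUser |
    Where-Object { $_.PasswordLastSet -gt $since } |
    Select-Object Name, Enabled, PasswordLastSet, LastLogon
$Report.UserCreationEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'NewAccount'; e = { $_.Properties[0].Value } },   # TargetUserName
        @{ n = 'CreatedBy';  e = { $_.Properties[4].Value } }    # SubjectUserName

# 6. Scheduled tasks and Run keys that launch PowerShell, the persistence channel the report names.
$Report.PowerShellTasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { $_.Execute -match 'powershell|pwsh' }
} | Select-Object TaskName, TaskPath, State

$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$Report.PowerShellRunKeys = foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Value -match 'powershell|pwsh' } |
            Select-Object Name, Value
    }
}

# Print each section; an empty section is a good sign, a populated one needs a human.
foreach ($section in $Report.Keys) {
    "`n=== $section ==="
    $Report[$section] | Format-Table -AutoSize | Out-String -Width 200
}
```

The important design point is step 3: a guest that the host EDR never sees still has to be registered with the hypervisor, so querying the virtualization WMI namespace (or `Get-VM`) reaches past whatever the actor did to the host's user-facing tooling. Treat any Hyper-V feature enabled on a workstation that has no business running virtual machines, together with a `vmwp.exe` process, as worth a full look even if the remaining sections are empty.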