Cybersecurity experts have recently discovered an advanced and insidious malware called Curly COMrades, which has been in use since late 2023. The malware, written in C++, runs as a headless background daemon. Most recently, it has been blamed for a wave of cyberattacks against Georgia and Moldova. Of particular note is its ability to avoid detection by standard endpoint detection and response (EDR) systems, which it achieves with state-of-the-art techniques such as virtualization.
Once deployed, Curly COMrades connects to a command-and-control (C2) server, allowing threat actors to run commands remotely over an encrypted channel. The malware opens a reverse shell, giving attackers a permanent backdoor into infected machines. Security researchers Victor Vrabie, Adrian Schipor, and Martin Zugec discovered Curly COMrades and documented it in an August 2025 report. Together, they emphasized the threat it poses to national security.
Advanced Evasion Techniques
A core feature of Curly COMrades is its ability to proxy and tunnel different types of traffic using a variety of tools. These tools include Resocks, Rsockstun, Ligolo-ng, CCProxy, Stunnel, and SSH tunnels. The rapid deployment of such tools underpins the malware’s ability to remain agile in both command structure and operational effectiveness.
Researchers noted that “the threat actor demonstrated a clear determination to maintain a reverse proxy capability, repeatedly introducing new tooling into the environment.” This nimbleness is further evidence that the threat actor may be highly resourced. They probably support the interests of Russia and seek to exploit weaknesses in the targeted regions.
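The “repeatedly introducing new tooling” pattern above is something defenders can hunt for directly. The following Python is an added illustration, not code from the Bitdefender report or this article: it scans process-creation events for the proxy/tunnel tools named in the article and flags hosts where the actor has rotated through several of them. The key=value log format, the sample events, the filename-based matching and the SSH forwarding-flag heuristic are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (key=value format is an assumption, not real telemetry).
SAMPLE_LOGS = [
    'ts=2025-08-01T09:00:00Z host=ws01 user=svc cmd="C:\\Temp\\resocks.exe -c 203.0.113.5:443"',
    'ts=2025-08-01T09:30:00Z host=ws01 user=svc cmd="C:\\Temp\\rsockstun.exe -connect 203.0.113.5:8443"',
    'ts=2025-08-02T11:00:00Z host=ws01 user=svc cmd="C:\\Temp\\ligolo-ng.exe -connect 203.0.113.9:11601"',
    'ts=2025-08-03T08:15:00Z host=ws01 user=svc cmd="C:\\Temp\\stunnel.exe C:\\Temp\\stunnel.conf"',
    'ts=2025-08-04T14:20:00Z host=ws01 user=svc cmd="ssh -N -R 2222:localhost:22 relay@203.0.113.7"',
    'ts=2025-08-04T14:25:00Z host=ws02 user=alice cmd="ssh admin@fileserver"',
    'ts=2025-08-04T15:00:00Z host=ws02 user=alice cmd="C:\\Windows\\notepad.exe notes.txt"',
]

# Tool names come from the report; matching on the bare tool name in the command line is an assumption.
TUNNEL_TOOLS = {
    "resocks": re.compile(r"\bresocks\b", re.I),
    "rsockstun": re.compile(r"\brsockstun\b", re.I),
    "ligolo-ng": re.compile(r"\bligolo(?:-ng)?\b", re.I),
    "ccproxy": re.compile(r"\bccproxy\b", re.I),
    "stunnel": re.compile(r"\bstunnel\b", re.I),
    # Plain ssh is normal admin activity; flag only when a forwarding option (-L/-R/-D/-w) is present.
    "ssh-tunnel": re.compile(r"(?:^|[\\/\s])ssh(?:\.exe)?\b.*\s-(?:L|R|D|w)\b"),
}

def parse_event(line):
    """Pull the host and command line out of one key=value log line."""
    host = re.search(r"\bhost=(\S+)", line)
    cmd = re.search(r'\bcmd="([^"]*)"', line)
    return (host.group(1), cmd.group(1)) if host and cmd else (None, "")

def detect_tools(cmdline):
    """Return the set of tunnelling tools a single command line appears to launch."""
    return {name for name, pat in TUNNEL_TOOLS.items() if pat.search(cmdline)}

def tools_per_host(lines):
    """Aggregate the distinct tunnelling tools observed on each host."""
    seen = defaultdict(set)
    for line in lines:
        host, cmd = parse_event(line)
        if host:
            seen[host] |= detect_tools(cmd)
    return {h: s for h, s in seen.items() if s}

def flag_hosts(lines, min_tools=2):
    """Hosts on which at least min_tools different proxy/tunnel tools were seen: tooling churn."""
    return sorted(h for h, s in tools_per_host(lines).items() if len(s) >= min_tools)

if __name__ == "__main__":
    for host, tools in tools_per_host(SAMPLE_LOGS).items():
        print(f"{host}: {sorted(tools)}")
    print("flagged:", flag_hosts(SAMPLE_LOGS))
```

Matching on tool names is only a starting point; renamed binaries need behavioural signals (outbound connections from unusual processes, new services) in addition to this check.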
Curly COMrades provides a platform that configures the malware and its execution environment inside a virtual machine (VM). This powerful new approach largely circumvents conventional host-based EDR detection. The tactic increases the malware’s stealth and makes it harder for cybersecurity professionals working to neutralize the threat.
Persistence and Command Execution
To maintain its foothold, Curly COMrades uses several persistence mechanisms on targeted systems. One of the more interesting elements is CurlyShell, an undocumented ELF binary that establishes a persistent reverse shell inside the virtual machine. This lets attackers stay one step ahead, even after detection efforts have begun.
For remote command execution, Curly COMrades uses a PowerShell script, which further extends the operation’s capabilities. This blend of tactics makes detection much more difficult and gives attackers long-term access to sensitive control systems.
According to cybersecurity company Bitdefender, these tools were set up and used in a way that kept control flexible and adaptable. Such attributes are signs of significant sophistication and forethought in the design of the malware.