Russia-linked 'Curly COMrades' turn to malicious virtual machines for digital spy campaigns
Researchers have uncovered a cyber-espionage campaign in which hackers used virtual machines to hide malicious tools and steal data. The campaign was carried out by Curly COMrades, a threat group acting in support of Russian interests, and has been active since July. By abusing the Windows Hyper-V feature, the attackers lurked in victim networks for long periods and stole information. The technique successfully evaded common security detection tools. 2025-11-5 14:1:16 Author: therecord.media

Researchers have uncovered a cyber-espionage campaign that hides malicious tools inside widely used software products known as virtual machines — a tactic that shows how hackers are innovating to bypass common security defenses.

The operation, active since July, was attributed to a threat actor known as Curly COMrades, which is believed to operate in support of Russian interests, Romania-based cybersecurity firm Bitdefender said in a report on Tuesday.

Earlier this year, the group was linked to espionage campaigns against government and judicial bodies in Georgia and an energy company in Moldova. Bitdefender did not identify the victims in its latest report but said the investigation was carried out with help from Georgia’s national computer emergency response team (CERT-GE).

According to the report, the hackers maintained long-term, covert access to victims’ networks by abusing Hyper-V, a built-in Windows feature that allows users to run virtual machines — software that lets one computer behave like several separate systems.

The attackers installed an Alpine Linux virtual machine occupying just 120 megabytes of disk space. Inside it, they ran two custom malware tools, CurlyShell and CurlCat, used to control infected systems and steal data.

“The VM was not packed with large offensive frameworks or penetration-testing tools; instead, it was a lightweight implant designed for a very specific purpose,” Bitdefender said.

The method allowed the hackers to bypass common threat detection tools, which typically monitor only the main Windows operating system, not the virtual machines running within it.
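One way a defender can look for this on an endpoint, as an added example that is not from the Bitdefender report or the article: a PowerShell inventory of the Hyper-V feature state, every guest and its disks, and recent Hyper-V management events, flagging guests whose virtual disk is unexpectedly small (the 512 MB threshold is an assumed value, chosen because the Alpine guest described above weighed about 120 MB).

```powershell
# Added example, not from the report: inventory Hyper-V on a Windows host and
# flag small guests like the ~120 MB Alpine VM described in the article.
# Assumptions: run in an elevated session; the size threshold is arbitrary and
# should be tuned against the fleet's known baseline of legitimate VMs.
$SizeThresholdBytes = 512MB   # assumed threshold

# 1. Is Hyper-V enabled at all? On a workstation that never needed it, an
#    'Enabled' state is itself a finding worth reviewing.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
[pscustomobject]@{ Check = 'Hyper-V feature'; State = $feature.State }

# 2. Enumerate every guest and its attached virtual disks. Get-VM and Get-VHD
#    come from the Hyper-V module that ships with the feature itself.
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in Get-VM) {
        foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name) {
            $vhd = Get-VHD -Path $disk.Path -ErrorAction SilentlyContinue
            $flag = ''
            if ($vhd -and $vhd.FileSize -lt $SizeThresholdBytes) {
                $flag = 'small guest: review'
            }
            [pscustomobject]@{
                VM         = $vm.Name
                State      = $vm.State
                Generation = $vm.Generation
                Created    = $vm.CreationTime
                DiskPath   = $disk.Path
                DiskBytes  = if ($vhd) { $vhd.FileSize } else { $null }
                Flag       = $flag
            }
        }
    }
}

# 3. Recent Hyper-V management events (VM creation, import, start) for an
#    analyst to correlate with the inventory above and with who was logged on.
Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents 50 `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Because the guest's own processes never appear to host-based agents, the inventory and the VMMS event log are what the host can still see; pair them with network-side telemetry from the VM's outbound traffic.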

Georgian authorities later seized one of the compromised servers used in the campaign, helping researchers map out the attackers’ infrastructure.

Active since at least 2024, Curly COMrades typically targets “critical organizations in countries facing geopolitical shifts,” and their operations align with the geopolitical goals of the Russian government, Bitdefender said. The group appears focused on maintaining persistent access to networks and stealing credentials for espionage operations.

The hackers rely heavily on publicly available and open-source tools, showing “a preference for stealth, flexibility and minimal detection rather than exploiting novel vulnerabilities,” researchers added.

Georgia and Moldova, both former Soviet republics, remain attractive targets for Russian cyber and information operations. Moldova recently accused Russia of attempting to interfere in its parliamentary elections, where a pro-European party won a majority, through cyberattacks and coordinated disinformation campaigns.

Georgia has also been a focus of Moscow’s hybrid tactics, which combine military pressure, economic restrictions and propaganda efforts aimed at weakening its state institutions and stalling democratic and economic reforms.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.


Source: https://therecord.media/virtual-machines-cyber-espionage-russia-linked-curly-comrades