CurlCat
CurlCat is a custom ELF malware implant used by the Curly COMrades espionage cluster, which Bitdefender assesses as aligned with Russian geopolitical interests. It is a libcurl-based companion implant to CurlyShell and is primarily used for traffic tunneling rather than command execution. Multiple reports describe it as a netcat-like reverse proxy or relay that facilitates bidirectional data transfer between STDIN/STDOUT and a command-and-control server over HTTPS, and as a payload used to manage SSH reverse proxy tunnels.
In the observed tradecraft, CurlCat was deployed inside a lightweight Alpine Linux virtual machine imported onto compromised Windows 10 systems through abuse of Microsoft Hyper-V. The VM used the Hyper-V Default Switch (NAT), so its outbound traffic appeared to originate from the victim host's IP address, reducing host-based EDR visibility. CurlCat was located at /root/updater inside the VM and had MD5 1a6803d9a2110f86bb26fcfda3606302. It did not maintain persistence itself; instead, it was launched on demand through the CurlyShell channel. The malware wrapped outgoing SSH traffic inside ordinary HTTP request payloads, allowing covert tunneling through compromised legitimate websites used as relays/proxies. Investigators also noted that the sample was configured to disable TLS certificate verification, so relay servers could present arbitrary certificates.
CurlCat and CurlyShell share a largely identical C++ code base built around libcurl, but differ in how they handle received data: CurlyShell executes commands directly, while CurlCat funnels traffic through SSH. The malware used a custom, non-standard Base64 alphabet for evasion. Reporting links CurlCat to operations targeting judicial and government entities in Georgia and an energy distribution company in Moldova, and more broadly to the post-compromise host-based tradecraft associated with Curly COMrades.
Groups observed using it
2 distinct threat actors attributed by public researchers.
The two custom implants deployed in the VM are ELF binaries based on libcurl and are used for command execution and traffic tunneling: CurlyShell … CurlCat – Companion tool used when tunneling is needed…
Bitdefender’s reporting: Post-compromise host-based tradecraft (Hyper-V abuse for EDR evasion, custom implants CurlyShell/CurlCat)
Recent activity
12 sources tracked across advisories, community write-ups, and news.
A custom implant referenced alongside CurlyShell in Bitdefender reporting as part of post-compromise persistence and evasion tradecraft within the broader GRU-linked campaign.
Custom tool used by Russian threat actors for persistence and evasion, executed within Hyper-V VMs to bypass host-based security controls.
CurlCat is a custom tool used for bidirectional data transfer and reverse proxying, funneling traffic through SSH. It shares much of its code base with CurlyShell but is focused on proxying rather than direct command execution.
CurlCat is a payload used to manage SSH reverse proxy tunnels, facilitating covert remote access and command and control within compromised environments.