Content
01. News Bites
- Curly COMrades exploit virtualisation to evade EDR detection
- Sweden’s privacy watchdog investigates Miljödata breach affecting 1.5 million citizens
- M&S profits collapse after April cyber attack causes £100m in losses
- Google uncovers surge in AI-powered malware using LLMs for dynamic evasion
- Italy hit by over 10% of global cyber attacks in early 2025, driven by surge in hacktivism
02. Conclusion
Curly COMrades exploit virtualisation to evade EDR detection
In a new report from Bitdefender, the threat actor known as Curly COMrades has been observed using virtualization to bypass security tools and deploy custom malware. By enabling Hyper-V on compromised Windows 10 systems, the group launched a lightweight Alpine Linux virtual machine to host CurlyShell and CurlCat—tools designed for reverse shell access and proxying. Active since late 2023 and aligned with Russian interests, Curly COMrades has targeted Georgia and Moldova, using advanced techniques to maintain persistent access.
Their toolkit includes RuRat, Mimikatz, and MucorAgent, with malware isolated in virtual environments to evade endpoint detection. Communication with command-and-control servers is encrypted via HTTP requests, and the group has shown adaptability by repeatedly introducing new tools. Bitdefender’s collaboration with Georgia CERT revealed further infrastructure and long-term access strategies, highlighting the growing sophistication of virtualization-based cyber threats.
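A defender-side check for the technique described above, added here as an illustration and not taken from Bitdefender's report: a PowerShell audit of whether Hyper-V has been enabled, whether the VM management service is running, and whether any virtual machines outside a sanctioned list exist on a Windows 10 endpoint. It assumes it runs elevated, and `$ExpectedVmNames` is a placeholder you replace with the VM names your organisation actually permits.

```powershell
# Added example (not from the Bitdefender report): audit one Windows 10 host
# for the Hyper-V footprint the roundup describes Curly COMrades using to
# run an Alpine Linux VM that hides CurlyShell/CurlCat from EDR.
# Assumes an elevated session; sanctioned VM names are a placeholder list.

$ExpectedVmNames = @()   # placeholder: VM names you sanction (empty on most endpoints)
$findings = @()

# 1. Is the Hyper-V optional feature enabled on this host?
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings += "Hyper-V feature is Enabled on $env:COMPUTERNAME"
}

# 2. Is the Virtual Machine Management service (vmms) present and running?
$vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
if ($vmms -and $vmms.Status -eq 'Running') {
    $findings += "vmms (Hyper-V Virtual Machine Management) service is running"
}

# 3. Enumerate defined VMs and flag any that are not on the sanctioned list.
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in Get-VM -ErrorAction SilentlyContinue) {
        if ($ExpectedVmNames -notcontains $vm.Name) {
            $findings += "Unexpected VM '$($vm.Name)' state=$($vm.State) created=$($vm.CreationTime)"
        }
    }
}

# 4. vmwp.exe is the worker process backing each running VM; list live ones.
foreach ($p in Get-Process -Name vmwp -ErrorAction SilentlyContinue) {
    $findings += "Running VM worker process vmwp.exe PID $($p.Id) started $($p.StartTime)"
}

if ($findings.Count -eq 0) {
    Write-Output "No Hyper-V activity found on $env:COMPUTERNAME"
} else {
    $findings | ForEach-Object { Write-Output "[FINDING] $_" }
}
```

Hyper-V is rarely legitimate on end-user workstations, so any finding here is a prompt for closer investigation rather than proof of compromise on its own.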
Sweden’s privacy watchdog investigates Miljödata breach affecting 1.5 million citizens
The Swedish Authority for Privacy Protection (IMY) has launched an investigation into a cyberattack on IT systems supplier Miljödata, which exposed the personal data of up to 1.5 million people. Miljödata provides services to around 80% of Sweden’s municipalities and confirmed in August that attackers had stolen data and demanded a ransom of 1.5 Bitcoin to avoid its release.
The breach disrupted operations across several regions, including Halland, Gotland, and Karlstad. IMY confirmed that sensitive personal information was later published on the dark web, prompting an investigation into potential GDPR violations. The inquiry will focus on Miljödata’s security practices and how municipalities handled citizens’ data, particularly children’s and protected identities.
The Datacarry group has since claimed responsibility, leaking a 224MB archive online. Have I Been Pwned has added the data, identifying records for around 870,000 individuals.
M&S profits collapse after April cyber attack causes £100m in losses
Marks & Spencer’s (M&S) pre-tax profits plunged from £391.9m to just £3.4m in the six months to 27 September, following the severe cyber attack that crippled its systems in April 2025. The retailer’s website closure and supply chain disruptions hit total sales, while food halls suffered from markdowns and stock wastage caused by manual allocation.
M&S reported £101.6m in direct costs from the incident, including £82.7m in response and recovery, and £18.9m in third-party expenses, partly offset by £100m in cyber insurance. CEO Stuart Machin praised the company’s resilience and reaffirmed its focus on recovery and customer service.
The incident underscores how even well-established businesses remain vulnerable as cyber threats grow in scale and sophistication. It also highlights that while cyber insurance can help ease the financial burden, it rarely covers the full cost of an attack. Ultimately, strong prevention and preparedness remain the best defence.
Google uncovers surge in AI-powered malware using LLMs for dynamic evasion
Google’s Threat Intelligence Group has identified a sharp rise in malware that integrates large language models (LLMs) to adapt during execution, marking a major shift in cyber threat tactics. This new “just-in-time” self-modification technique allows malicious code to alter itself mid-run, making detection far harder.
Examples include PromptFlux, an experimental VBScript dropper that queried Google’s Gemini model for fresh obfuscation code, and PromptSteal, a data miner used in Ukraine. Google has since blocked Gemini access linked to these operations. Other discoveries include FruitShell, a PowerShell reverse shell; QuietVault, a JavaScript credential stealer targeting GitHub tokens; and PromptLock, a cross-platform Lua-based ransomware.
Beyond malware, state-backed actors from China, Iran, and North Korea have abused AI tools to aid phishing, exploit research, and data theft. Underground forums are also marketing AI-based cybercrime tools, signalling a rapid evolution toward automated, adaptive threat ecosystems.
Italy hit by over 10% of global cyber attacks in early 2025, driven by surge in hacktivism
Italy accounted for 10.2% of all cyber attacks worldwide in the first half of 2025, rising from 9.9% in the same period last year, according to a new report from the Italian Association for Information Security (Clusit). The figure marks a sharp increase from 2021, when Italy represented just 3.4% of global incidents.
Clusit’s analysis highlights a dramatic 600% year-on-year surge in attacks targeting government and military sectors, which now make up 38% of the national total. The majority of these incidents were attributed to politically or socially motivated hacktivism, believed to involve actors “probably coordinated by Russian governmental structures.”
Hacktivism accounted for 54% of cyber incidents in Italy, overtaking financially motivated cybercrime for the first time. Traditional attacks aimed at data theft or monetary gain represented the remaining 46%, reflecting a notable shift in the country’s threat landscape.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.
Disclaimer
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.