
Cyber Espionage Evolves: Hackers Weaponize Windows Hyper-V for Stealthy Malware Operations

A threat actor tracked as Curly COMrades has been observed using a novel evasion technique: enabling Microsoft's native Hyper-V virtualization role on compromised Windows hosts and running its malware inside a hidden virtual machine. Because the tooling executes in a separate guest operating system, host-based security products see only the legitimate Hyper-V components, which significantly complicates detection and response.

Key Takeaways

  • Hyper-V Abuse: Threat actors are enabling the Hyper-V role on victim machines to create a hidden Linux virtual machine.

  • Stealthy Environment: A minimal Alpine Linux VM, named "WSL" to pass as the Windows Subsystem for Linux, hosts the custom malware out of reach of host-based EDR.

  • Custom Tooling: The VM runs bespoke tools like CurlyShell (reverse shell) and CurlCat (reverse proxy), designed for stealthy command execution and data exfiltration.

  • Living Off the Land: The technique leverages legitimate Windows components, making it harder to distinguish malicious activity from normal system operations.

  • Russian Alignment: Curly COMrades is assessed to be active since late 2023, with interests aligned with Russia, targeting regions like Georgia and Moldova.

Novel Evasion Through Virtualization

The "Curly COMrades" group has demonstrated a significant advancement in its operational tactics by integrating Microsoft's Hyper-V virtualization technology into its attack chains. Instead of relying on external virtualization tools that might trigger security alerts, the attackers first enable the built-in Hyper-V role on compromised Windows 10 hosts. They then disable the Hyper-V management client feature, so the guest they are about to create does not show up in the usual management tooling an administrator would open.

With Hyper-V active, the attackers deploy a small Alpine Linux-based virtual machine. The VM has a footprint of just 120MB of disk space and 256MB of memory and is deceptively named "WSL" to mimic the legitimate Windows Subsystem for Linux. Despite its size it is a complete guest with its own kernel: the host sees only the Hyper-V worker process that runs it, not the processes inside it.
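The following hunting script is an added example written for this article; it is not code from the Bitdefender report or from the threat actor. Run as an administrator on a Windows 10/11 host, it checks the three host-side artifacts of the technique described above: the Hyper-V role state together with the management clients, any registered VM whose name, memory allocation or switch attachment matches the decoy VM, and recent VM creation and start events. The memory threshold, the decoy name list and the two Hyper-V event IDs (13002 for VM creation in the VMMS log, 18500 for VM start in the Worker log) are assumptions to confirm against your own environment before relying on them.

```powershell
# Added hunting script (not from the report or the article). Run elevated.
# Assumptions: Hyper-V PowerShell module present when the role is enabled;
# event IDs 13002 (VMMS: VM created) and 18500 (Worker: VM started) should be
# verified in your environment before being used as detection logic.
#Requires -RunAsAdministrator

function Get-HyperVAbuseIndicators {
    [CmdletBinding()]
    param(
        # The article's VM used 256MB RAM; anything at or below this is worth a look.
        [long]$MaxSuspiciousMemoryBytes = 512MB,
        # Decoy names to flag; "WSL" is the one reported, others are assumptions.
        [string[]]$SuspiciousNames = @('WSL', 'Ubuntu', 'docker')
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Role enabled, management clients disabled: the combination is the odd part.
    $features = Get-WindowsOptionalFeature -Online |
        Where-Object FeatureName -like 'Microsoft-Hyper-V*'
    $role   = $features | Where-Object FeatureName -eq 'Microsoft-Hyper-V'
    $client = $features | Where-Object FeatureName -eq 'Microsoft-Hyper-V-Management-Clients'
    if ($role -and $role.State -eq 'Enabled') {
        $findings.Add('Hyper-V role is enabled on this host')
        if ($client -and $client.State -ne 'Enabled') {
            $findings.Add('Hyper-V management clients are disabled while the role is enabled')
        }
    }

    # 2. Registered VMs: decoy name, tiny memory, Default Switch (NAT behind host IP), disk path.
    if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
        foreach ($vm in Get-VM) {
            $reasons = @()
            if ($SuspiciousNames -contains $vm.Name) { $reasons += "decoy name '$($vm.Name)'" }
            if ($vm.MemoryStartup -le $MaxSuspiciousMemoryBytes) {
                $reasons += "startup memory $([int]($vm.MemoryStartup / 1MB))MB"
            }
            $nics = Get-VMNetworkAdapter -VMName $vm.Name
            if ($nics | Where-Object SwitchName -eq 'Default Switch') {
                $reasons += 'attached to Default Switch (egress NATed behind the host IP)'
            }
            foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name) {
                $reasons += "disk $($disk.Path)"
            }
            if ($reasons) {
                $findings.Add("VM '$($vm.Name)' [$($vm.State)]: " + ($reasons -join '; '))
            }
        }
    }

    # 3. Recent VM creation and start events from the Hyper-V operational logs.
    $filters = @(
        @{ LogName = 'Microsoft-Windows-Hyper-V-VMMS-Admin';   Id = 13002 },  # VM created (verify ID)
        @{ LogName = 'Microsoft-Windows-Hyper-V-Worker-Admin'; Id = 18500 }   # VM started (verify ID)
    )
    foreach ($f in $filters) {
        $events = Get-WinEvent -FilterHashtable $f -MaxEvents 50 -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $firstLine = ($e.Message -split "`n" | Select-Object -First 1)
            $findings.Add("$($e.TimeCreated) $($f.LogName) $($e.Id): $firstLine")
        }
    }

    return $findings
}

Get-HyperVAbuseIndicators | ForEach-Object { Write-Output $_ }
```

A clean workstation that has never had the role enabled returns nothing; a developer box with WSL2 or Docker Desktop will legitimately show the role enabled, so treat the output as leads to triage rather than verdicts, and pay most attention to the disabled-management-clients combination and to VMs whose disk image lives somewhere unusual.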

The Hidden Arsenal: Custom Malware and Proxy Capabilities

Within this isolated Alpine Linux environment, Curly COMrades hosts its custom malware suite. Central to the operation are two C++-based tools: CurlyShell and CurlCat. CurlyShell is a persistent reverse shell that lets the attackers execute encrypted commands remotely. CurlCat is a reverse proxy that tunnels SSH sessions inside ordinary-looking HTTP requests so the traffic blends in with legitimate web activity. Both tools encode their payloads with a non-standard Base64 alphabet, so generic Base64 decoders and signature rules keyed on standard Base64 do not recover the content.
</gre_replace>
<gr_insert after="28" cat="add_content" lang="powershell" orig="Within this">
To show what "non-standard Base64 alphabet" means in practice, here is an added example of an encoder and decoder for such an alphabet. It is not Curly COMrades' code and the alphabet used below is a constructed, hypothetical permutation chosen only for the demonstration; the page does not publish the real one. The technique is the same for any 64-symbol alphabet: translate each custom symbol back to the standard symbol at the same index, then hand the result to a normal Base64 decoder.

```powershell
# Added example (not the malware's code). $CustomAlphabet is hypothetical.
$StandardAlphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
# Constructed permutation: digits first, then lowercase, uppercase, and '-_' for '+/'.
$CustomAlphabet   = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_'

function ConvertTo-CustomBase64 {
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [Parameter(Mandatory)][string]$Alphabet
    )
    if ($Alphabet.Length -ne 64) { throw 'Alphabet must contain exactly 64 symbols' }
    $std = [Convert]::ToBase64String($Bytes)
    # Standard symbol -> custom symbol at the same index; '=' padding is kept.
    $map = @{}
    for ($i = 0; $i -lt 64; $i++) { $map[$StandardAlphabet[$i]] = $Alphabet[$i] }
    -join ($std.ToCharArray() | ForEach-Object { if ($_ -eq '=') { '=' } else { $map[$_] } })
}

function ConvertFrom-CustomBase64 {
    param(
        [Parameter(Mandatory)][string]$Encoded,
        [Parameter(Mandatory)][string]$Alphabet
    )
    if ($Alphabet.Length -ne 64) { throw 'Alphabet must contain exactly 64 symbols' }
    # Custom symbol -> standard symbol, then let .NET do the actual decoding.
    $map = @{}
    for ($i = 0; $i -lt 64; $i++) { $map[$Alphabet[$i]] = $StandardAlphabet[$i] }
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Encoded.ToCharArray()) {
        if ($c -eq '=') { [void]$sb.Append('='); continue }
        if (-not $map.ContainsKey($c)) { throw "Symbol '$c' is not in the custom alphabet" }
        [void]$sb.Append($map[$c])
    }
    # Tools often strip padding; restore it so FromBase64String accepts the input.
    $s = $sb.ToString()
    while ($s.Length % 4) { $s += '=' }
    return [Convert]::FromBase64String($s)
}

# Demo on a constructed command string.
$plain   = [Text.Encoding]::UTF8.GetBytes('id; uname -a')
$encoded = ConvertTo-CustomBase64 -Bytes $plain -Alphabet $CustomAlphabet
Write-Output "custom encoding : $encoded"
try {
    $wrong = [Convert]::FromBase64String($encoded)
    Write-Output ("standard decoder: accepted but yields " + [Text.Encoding]::UTF8.GetString($wrong))
} catch {
    Write-Output 'standard decoder: rejected the input'
}
$decoded = ConvertFrom-CustomBase64 -Encoded $encoded -Alphabet $CustomAlphabet
Write-Output ("custom decoder  : " + [Text.Encoding]::UTF8.GetString($decoded))
```

When a sample's alphabet is unknown, the usual route is to pull the 64-byte table out of the binary (it is normally stored as one contiguous string, since the encoder indexes into it) and pass that string as the alphabet parameter; the decoder above needs nothing else.
</gr_insert>
<gr_replace lines="30" cat="clarify" orig="The VM's">
The VM's network traffic is routed through the host's network stack via Hyper-V's Default Switch, which NATs guest traffic behind the host's own address, so all malicious outbound communications appear to originate from the legitimate host machine's IP. A host-based EDR that attributes connections to processes sees only the Hyper-V worker process, not the tool inside the guest, and it has no visibility into the guest's file system or process list at all. Network-side controls that inspect the host's traffic still see the connections, which is why the HTTP wrapping described above matters to the attackers.

The VM's network traffic is routed through the host's network stack via Hyper-V's Default Switch and Network Address Translation (NAT), making all malicious outbound communications appear to originate from the legitimate host machine's IP address. This effectively creates a blind spot for many standard security monitoring tools.

Persistence and Lateral Movement Beyond the VM

While the Hyper-V VM provides a stealthy operational base, Curly COMrades employs additional techniques to ensure persistence and to move laterally within the victim's network. These include PowerShell scripts. One script, deployed via Group Policy, creates a local user account and repeatedly resets its password so the attackers always hold a working credential. Another, a customized version of the TicketInjector utility, injects Kerberos tickets into the LSASS process of a host (a pass-the-ticket attack), allowing the attackers to authenticate to other systems as the ticket's owner without needing plaintext credentials.
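The account-reset loop leaves a recognisable trail in the Security log: a 4720 "user account was created" event followed by a string of 4724 "attempt was made to reset an account's password" events on the same account, typically with the machine account (the name ending in "$", i.e. SYSTEM running a Group Policy script) as the subject. The following hunting query is an added example written for this article, not code from the report; it assumes the host audits User Account Management, and the lookback window and reset threshold are assumed values.

```powershell
# Added hunting query (not from the report). Assumes "Audit User Account Management"
# is enabled so 4720/4724 are logged. $LookbackDays and $MinResets are assumed thresholds.
#Requires -RunAsAdministrator

function Find-ResetLoopAccounts {
    [CmdletBinding()]
    param(
        [int]$LookbackDays = 30,
        [int]$MinResets    = 3
    )
    $since  = (Get-Date).AddDays(-$LookbackDays)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4720, 4724; StartTime = $since
    } -ErrorAction SilentlyContinue

    $created = @{}   # account -> @{ When; By }
    $resets  = @{}   # account -> list of (time, subject) pairs

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $target  = $data['TargetUserName']
        $subject = $data['SubjectUserName']
        switch ($e.Id) {
            4720 { $created[$target] = @{ When = $e.TimeCreated; By = $subject } }
            4724 {
                if (-not $resets.ContainsKey($target)) { $resets[$target] = @() }
                $resets[$target] += ,@($e.TimeCreated, $subject)
            }
        }
    }

    foreach ($name in $resets.Keys) {
        $list = $resets[$name]
        if ($list.Count -lt $MinResets) { continue }
        $info       = $created[$name]
        $subjects   = $list | ForEach-Object { $_[1] } | Sort-Object -Unique
        $lastReset  = ($list | ForEach-Object { $_[0] } | Sort-Object -Descending | Select-Object -First 1)
        [pscustomobject]@{
            Account         = $name
            CreatedAt       = if ($info) { $info.When } else { $null }
            CreatedBy       = if ($info) { $info.By } else { $null }
            ResetCount      = $list.Count
            LastReset       = $lastReset
            ResetBy         = ($subjects -join ',')
            # A machine account as subject means the reset ran as SYSTEM, e.g. a GPO script.
            ResetBySystem   = [bool]($subjects | Where-Object { $_ -like '*$' })
        }
    }
}

Find-ResetLoopAccounts | Format-Table -AutoSize
```

Legitimate software occasionally resets service-account passwords, so the strongest signal is the combination: an account created recently, reset many times at a regular interval, by the machine account, on a workstation where no management agent is expected to do that. The Kerberos ticket injection, by contrast, does not produce a dedicated local event; hunting for it relies on domain-controller 4768/4769 anomalies and on the host's process-level telemetry around LSASS access.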

These layered tactics highlight the group's operational maturity and its commitment to maintaining long-term access for cyber-espionage campaigns. The group was first documented by Bitdefender in August 2025, with activity traced back to late 2023, and has been linked to attacks targeting Georgia and Moldova.

Sources

  • Hackers Weaponize Windows Hyper-V to Hide Linux VM and Evade EDR Detection, The Hacker News.

  • Russian Hackers Abuse Hyper-V to Hide Malware and Evade Endpoint Detection, NewsBreak: Local News & Alerts.
