A Russia-aligned hacking group known as ‘Curly COMrades’ has been using the Hyper-V virtualization role built into Windows to hide malware inside an Alpine Linux virtual machine, running its implants where host-based endpoint detection and response (EDR) agents cannot inspect them, according to research by cybersecurity firm Bitdefender and the Georgian CERT.
The attackers deployed two custom tools: a reverse shell for remote command execution called ‘CurlyShell,’ and CurlCat, a reverse proxy used for covert communication.
“The attackers enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based virtual machine. This hidden environment, with its lightweight footprint (only 120MB disk space and 256MB memory), hosted their custom reverse shell, CurlyShell, and a reverse proxy, CurlCat,” the researchers said.
The group, believed to have been active since mid-2024, is aligned with Russian geopolitical interests and has previously targeted government and judicial bodies in Georgia as well as energy companies in Moldova.
According to the researchers, Curly COMrades gained remote access to victim machines and enabled Hyper-V before disabling its management interface to conceal the virtual environment.
To further hide their tracks, the attackers named the virtual machine “WSL”, mimicking the Windows Subsystem for Linux, and routed all malicious traffic through the host’s legitimate network connection. This made the outbound communication appear as if it originated from the infected system’s own IP address.
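The combination described above (Hyper-V platform enabled, management tooling removed, a small VM named after WSL, traffic leaving under the host’s own address) leaves host-side traces that a defender can hunt for. The following PowerShell hunting script is an added example written for this article; it is not tooling from Bitdefender, the Georgian CERT, or the report. It relies only on stock Windows components (the `Microsoft-Hyper-V*` optional features, the `vmms` service, the per-VM `vmwp.exe` worker process, the `root\virtualization\v2` WMI provider, and the `Microsoft-Windows-Hyper-V-VMMS-Admin` event log). The `WSL` name pattern and the 512 MB memory threshold are assumptions taken from the article’s description of this one campaign, not published detection rules, and should be tuned to the fleet.

```powershell
# Added hunting script (not from the report). Run in an elevated PowerShell
# on a Windows 10/11 or Windows Server host. Nothing here needs the Hyper-V
# PowerShell module, which is exactly the tooling the attackers removed.

function Get-HyperVFeatureState {
    # Platform enabled while every management feature is disabled is the
    # unusual combination the article describes.
    $f = Get-WindowsOptionalFeature -Online -ErrorAction SilentlyContinue |
         Where-Object { $_.FeatureName -like 'Microsoft-Hyper-V*' }
    [pscustomobject]@{
        HypervisorEnabled = [bool]($f | Where-Object {
            $_.FeatureName -eq 'Microsoft-Hyper-V-Hypervisor' -and $_.State -eq 'Enabled' })
        ManagementEnabled = [bool]($f | Where-Object {
            $_.FeatureName -like 'Microsoft-Hyper-V-Management*' -and $_.State -eq 'Enabled' })
    }
}

function Get-VmInventoryViaWmi {
    # The root\virtualization\v2 provider is part of the Hyper-V platform itself,
    # so it still enumerates VMs after Hyper-V Manager / Get-VM are gone.
    Get-CimInstance -Namespace root\virtualization\v2 -ClassName Msvm_ComputerSystem `
        -ErrorAction SilentlyContinue |
      Where-Object { $_.Caption -eq 'Virtual Machine' } |
      ForEach-Object {
        $vm = $_
        # Walk ComputerSystem -> realized VirtualSystemSettingData -> MemorySettingData
        $vssd = Get-CimAssociatedInstance -InputObject $vm `
                  -ResultClassName Msvm_VirtualSystemSettingData -ErrorAction SilentlyContinue |
                Where-Object { $_.VirtualSystemType -eq 'Microsoft:Hyper-V:System:Realized' } |
                Select-Object -First 1
        $mem  = if ($vssd) {
                  Get-CimAssociatedInstance -InputObject $vssd `
                    -ResultClassName Msvm_MemorySettingData -ErrorAction SilentlyContinue |
                  Select-Object -First 1
                }
        [pscustomobject]@{
            Name       = $vm.ElementName            # friendly name shown in Hyper-V Manager
            Id         = $vm.Name                   # VM GUID
            Running    = ($vm.EnabledState -eq 2)   # 2 = Enabled (running)
            MemoryMB   = if ($mem) { [int]$mem.VirtualQuantity } else { $null }
            ConfigRoot = if ($vssd) { $vssd.ConfigurationDataRoot } else { $null }
        }
      }
}

function Find-SuspiciousHyperVUse {
    param(
        [string]$NamePattern = '^WSL',   # assumption: name used in this campaign
        [int]   $SmallMemoryMB = 512     # assumption: the reported VM used 256 MB
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    $feat = Get-HyperVFeatureState
    if ($feat.HypervisorEnabled -and -not $feat.ManagementEnabled) {
        $findings.Add('Hyper-V hypervisor enabled but all management tools disabled')
    }

    # One vmwp.exe worker per running VM; a workstation with none expected
    # but one present is worth a look on its own.
    $workers = @(Get-Process -Name vmwp -ErrorAction SilentlyContinue)
    $vmms    = Get-Service -Name vmms -ErrorAction SilentlyContinue
    if ($workers.Count -gt 0) {
        $findings.Add("$($workers.Count) vmwp.exe worker process(es) running; vmms service: $($vmms.Status)")
    }

    foreach ($vm in Get-VmInventoryViaWmi) {
        # WSL 2 does not register its utility VM in Hyper-V's VM inventory,
        # so a registered VM carrying that name is not what it claims to be.
        if ($vm.Name -match $NamePattern) {
            $findings.Add("VM named like WSL: '$($vm.Name)' ($($vm.Id)), running=$($vm.Running)")
        }
        if ($vm.MemoryMB -and $vm.MemoryMB -le $SmallMemoryMB) {
            $findings.Add("Small-footprint VM '$($vm.Name)': $($vm.MemoryMB) MB, config at $($vm.ConfigRoot)")
        }
    }

    # VM lifecycle events survive even after the VM and its files are deleted.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Hyper-V-VMMS-Admin' } `
        -MaxEvents 500 -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -match $NamePattern.TrimStart('^') } |
      ForEach-Object { $findings.Add("VMMS event $($_.Id) at $($_.TimeCreated): $($_.Message.Split("`n")[0])") }

    return $findings
}

$results = Find-SuspiciousHyperVUse
if ($results.Count -eq 0) { 'No Hyper-V hiding indicators found on this host.' }
else { $results | ForEach-Object { "[!] $_" } }
```

Run it fleet-wide through your EDR or remote PowerShell and treat any hit on a machine that has no business running Hyper-V as a triage item. The network side needs a different sensor: because the guest’s traffic is forwarded by the host, flow records show the host’s IP, so pair the host findings with egress logs for the long-lived outbound connections a reverse shell or reverse proxy produces.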
The group also relied on PowerShell scripts for persistence and lateral movement. One of the scripts injected Kerberos tickets to authenticate on remote systems, while another created local accounts across domain machines via Group Policy.
“The threat actor demonstrated a clear determination to maintain a reverse proxy capability, repeatedly introducing new tooling into the environment. Artifacts identified included a wide array of proxy and tunneling samples, such as Resocks, Rsockstun, Ligolo-ng, CCProxy, Stunnel, and SSH-based methods,” the report noted.
