hacker group Archives

BetaBeacon

May 5, 2026

ScarCruft hackers push BirdCall Android malware via game platform

APT37, also known as ScarCruft and Ricochet Chollima, has developed an Android version of the backdoor BirdCall, which serves as spyware in addition to a backdoor. The malware was delivered through a Chinese website that hosts games for Android, iOS, and Windows, targeting only Android and Windows systems. The Android variant of BirdCall has capabilities such as extracting IP geolocation information, collecting contact lists, call logs, SMS data, device information, taking screenshots, recording audio, and exfiltrating files. Users are advised to download software only from official marketplaces and trusted publisher sites to protect against malware infections.

Tech Optimizer

November 5, 2025

Hackers Are Using Linux Malware to Invisibly Bypass Windows Security

Hackers are refining tactics to evade detection by EDR systems and antivirus software, with a notable strategy being the use of Linux malware to infiltrate Windows systems. Investigations by Bitdefender and CERT-GE revealed a campaign by the Russian hacker group Curly COMrades, which exploits the Hyper-V virtualization platform on Windows 10 to create covert access channels. They utilize Alpine Linux for lightweight virtual machines that are difficult to detect, requiring only 120 MB of disk space and 256 MB of RAM. The attackers maintain persistent access using tools like Resocks and Stunnel, starting their activities in early July 2024 by activating Hyper-V on compromised systems and deploying misleading virtual machines labeled “WSL.” They introduced custom malware, CurlyShell and CurlCat, for communication and remote access. This trend of using Linux malware against Windows systems is growing, as seen in recent Qilin ransomware attacks documented by Trend Micro.

Winsage

November 4, 2025

Russian hackers abuse Hyper-V to hide malware in Linux VMs

The Russian hacker group Curly COMrades has been using Microsoft Hyper-V to bypass endpoint detection and response (EDR) solutions by creating a concealed Alpine Linux-based virtual machine for running malware. They have deployed proprietary tools, CurlyShell and CurlCat, within this virtual environment to maintain operational stealth and secure communication. Active since mid-2024, the group targets government and judicial entities in Georgia and energy companies in Moldova. In early July, they gained remote access to two machines, activated Hyper-V, and disabled its management interface to deploy a minimalistic virtual machine that hosted their malware. This tactic allowed them to evade traditional host-based EDR detections. The virtual machine was configured to use the Default Switch network adapter, making malicious traffic appear to originate from the legitimate host's IP address. CurlyShell executes commands and maintains persistence, while CurlCat facilitates covert traffic tunneling. The group also utilized PowerShell scripts for persistence and pivoting to remote systems, including injecting Kerberos tickets into LSASS and creating local accounts via Group Policy. Bitdefender advises organizations to monitor for abnormal Hyper-V activation, LSASS access, and suspicious PowerShell scripts.