Winsage
November 5, 2025
Cyber attackers used the Import-VM and Start-VM PowerShell cmdlets to introduce a virtual machine named WSL into Hyper-V. This virtual machine hosts a compact Alpine Linux environment with two implants, CurlyShell and CurlCat, identified by Bitdefender. CurlyShell uses libcurl to connect to a command-and-control server, creating a reverse shell to execute commands and return outputs. CurlCat functions as a proxy, tunneling SSH traffic through HTTP requests to evade detection by network monitoring tools.