SSH Archives

Tech Optimizer

November 12, 2025

Hackers hijacked antivirus features to install malware – here’s what we know

A critical vulnerability identified as CVE-2025-12480 was found in the remote file sharing platform Triofox, characterized by improper access control that allowed zero-day exploitation. Security experts from Google’s Mandiant revealed that Triofox's antivirus feature was compromised, enabling unauthorized access to setup pages post-installation. The UNC6485 threat group exploited this vulnerability using tools like Zoho Assist, AnyDesk, and SSH tunneling for remote access. A patch was released on July 26, and a newer version of Triofox was made available on October 14 to mitigate the risks, with users advised to update their systems.

Winsage

November 11, 2025

“Windows doesn’t really suck” — ex‑Microsoft engineer calls for a ‘Pro Mode’ to cut the clutter

Microsoft discontinued support for Windows 10, pushing users to upgrade to Windows 11 or use the Extended Security Updates (ESU) program. Critics view the ESU as a temporary solution. Windows 11 is reported to be up to 2.3 times faster than Windows 10, but many users are hesitant to switch due to strict hardware requirements and design issues. Approximately 400 million Windows PCs are now unsupported, raising concerns about increased electronic waste. User dissatisfaction with Windows 11 includes issues with AI integration, the Start menu, mandatory Microsoft Account usage, default browser settings, inability to remove CoPilot, frequent ads, and resource-heavy background processes. Former Microsoft engineer Dave Plummer suggested a professional mode for advanced users, proposing features like centralized settings, a default Windows terminal, transparency in telemetry, a predictable update schedule, and a paid professional mode to reduce upselling. Plummer emphasized that current frustrations stem from the user experience being compromised by aggressive marketing tactics.

Tech Optimizer

November 11, 2025

Hackers Exploiting Triofox Flaw to Install Remote Access Tools via Antivirus Feature

A critical security vulnerability (CVE-2025-12480) has been identified in Gladinet's Triofox platform, allowing attackers to bypass authentication and access sensitive configuration pages. This vulnerability has a CVSS score of 9.1 and has been exploited by a threat cluster known as UNC6485 since August 24, 2025. Despite patches issued by Gladinet, attackers created a new admin account to execute malicious code, including a batch script that downloaded tools for remote access. They used these tools for reconnaissance and privilege escalation. Mandiant recommends that Triofox users update to the latest version and audit admin accounts.

Winsage

November 5, 2025

Russian APT abuses Windows Hyper-V for persistence and malware execution

Cyber attackers used the Import-VM and Start-VM PowerShell cmdlets to introduce a virtual machine named WSL into Hyper-V. This virtual machine hosts a compact Alpine Linux environment with two implants, CurlyShell and CurlCat, identified by Bitdefender. CurlyShell uses libcurl to connect to a command-and-control server, creating a reverse shell to execute commands and return outputs. CurlCat functions as a proxy, tunneling SSH traffic through HTTP requests to evade detection by network monitoring tools.

Tech Optimizer

November 5, 2025

Hackers Are Using Linux Malware to Invisibly Bypass Windows Security

Hackers are refining tactics to evade detection by EDR systems and antivirus software, with a notable strategy being the use of Linux malware to infiltrate Windows systems. Investigations by Bitdefender and CERT-GE revealed a campaign by the Russian hacker group Curly COMrades, which exploits the Hyper-V virtualization platform on Windows 10 to create covert access channels. They utilize Alpine Linux for lightweight virtual machines that are difficult to detect, requiring only 120 MB of disk space and 256 MB of RAM. The attackers maintain persistent access using tools like Resocks and Stunnel, starting their activities in early July 2024 by activating Hyper-V on compromised systems and deploying misleading virtual machines labeled “WSL.” They introduced custom malware, CurlyShell and CurlCat, for communication and remote access. This trend of using Linux malware against Windows systems is growing, as seen in recent Qilin ransomware attacks documented by Trend Micro.

Winsage

November 5, 2025

Curly COMrades abuse Hyper-V for covert malware operations in VMs

Bitdefender researchers have identified advanced techniques used by the Curly COMrades threat actor, believed to have Russian backing, to exploit Microsoft’s Hyper-V virtualization platform. This group activates Hyper-V on compromised systems to deploy a lightweight virtual machine (VM) running Alpine Linux, which hosts malware tools CurlyShell and CurlCat. The operation began in early July with commands that activated Hyper-V and prepared the environment for the VM, using deceptive file names to avoid detection. The Alpine Linux VM is customized for each victim, allowing the attackers to maintain a low profile while facilitating reverse shell and proxy activities. The VM routes traffic through the host's network, masking communications as originating from the legitimate host IP. CurlyShell acts as a persistent reverse shell, while CurlCat manages SSH traffic tunneling, utilizing a private key for authentication. The attackers also employ various proxy and tunneling tools and utilize PowerShell scripts for tasks such as injecting Kerberos tickets into LSASS for lateral movement and creating local accounts to ensure ongoing access. Their command and control infrastructure involves compromised servers that relay traffic between infected hosts and the attackers' servers, with measures taken to limit forensic evidence. To detect and mitigate these threats, Bitdefender emphasizes the need for host-based network inspection and hardening, as well as monitoring for abnormal access to the LSASS process and suspicious Kerberos ticket activities. The findings indicate a shift in threat actor tactics towards using virtualization for stealth and persistence, highlighting the need for layered security measures.

Winsage

November 4, 2025

Russian hackers abuse Hyper-V to hide malware in Linux VMs

The Russian hacker group Curly COMrades has been using Microsoft Hyper-V to bypass endpoint detection and response (EDR) solutions by creating a concealed Alpine Linux-based virtual machine for running malware. They have deployed proprietary tools, CurlyShell and CurlCat, within this virtual environment to maintain operational stealth and secure communication. Active since mid-2024, the group targets government and judicial entities in Georgia and energy companies in Moldova. In early July, they gained remote access to two machines, activated Hyper-V, and disabled its management interface to deploy a minimalistic virtual machine that hosted their malware. This tactic allowed them to evade traditional host-based EDR detections. The virtual machine was configured to use the Default Switch network adapter, making malicious traffic appear to originate from the legitimate host's IP address. CurlyShell executes commands and maintains persistence, while CurlCat facilitates covert traffic tunneling. The group also utilized PowerShell scripts for persistence and pivoting to remote systems, including injecting Kerberos tickets into LSASS and creating local accounts via Group Policy. Bitdefender advises organizations to monitor for abnormal Hyper-V activation, LSASS access, and suspicious PowerShell scripts.

Winsage

November 4, 2025

Russian Hackers Abuse Hyper-V to Hide Malware and Evade Endpoint Detection

A Russian-linked hacking group, Curly COMrades, is using Microsoft’s Hyper-V to conceal malware within compromised Windows systems. They install a small Alpine Linux virtual machine (VM) to run custom malware, evading endpoint detection and response (EDR) software since July. The group exploits Hyper-V's native features, enabling it on victim systems while disabling management clients to avoid detection. The VM, named “WSL,” hosts two C++ tools: ‘CurlyShell,’ a reverse shell, and ‘CurlCat,’ a reverse proxy, both designed to maintain persistence and obfuscate their activities. The VM occupies only 120MB of disk space and uses Hyper-V’s Default Switch for network traffic, making malicious communication appear to originate from the legitimate host. Additionally, Curly COMrades employs malicious PowerShell scripts for persistence and lateral movement, including creating local user accounts and using a modified TicketInjector for authentication across networks.

Winsage

November 4, 2025

Russian spies pack custom malware into hidden VMs on Windows

Bitdefender's senior security researcher, Victor Vrabie, reported that the Russian cyber group Curly COMrades is using Microsoft's Hyper-V hypervisor to conduct sophisticated attacks on compromised Windows machines. They create a concealed Alpine Linux-based virtual machine (VM) that bypasses traditional endpoint security, allowing prolonged access for espionage and malware deployment. This VM is lightweight, requiring only 120MB of disk space and 256MB of memory, and hosts a reverse shell called CurlyShell and a reverse proxy named CurlCat. The group's operations have targeted judicial and governmental institutions in Georgia and an energy company in Moldova. Their current campaign, starting in July, involved activating Hyper-V and downloading the VM with custom malware. The VM uses the Default Switch network adaptor, making malicious traffic appear to originate from the legitimate host's IP address. CurlyShell maintains root-level persistence and communicates with a command-and-control server over HTTPS, while CurlCat manages an SSH reverse proxy tunnel disguised as standard HTTP traffic. Additionally, two PowerShell scripts linked to the group enable remote authentication and establish persistent access across domain-joined machines. Vrabie highlighted the evolving tactics of cybercriminals to bypass endpoint detection and response (EDR) systems, emphasizing the need for a multi-layered security strategy.

Winsage

November 4, 2025

Hackers Use Hyper-V to Deploy Linux Malware on Windows Systems

The Russian-aligned APT group Curly COMrades has been using hidden Alpine Linux virtual machines (VMs) on compromised Windows hosts via Microsoft Hyper-V to evade detection and maintain covert access. This technique was uncovered in mid-2025 through an investigation by Bitdefender and the Georgian CERT, which traced suspicious activities to a compromised Georgian website. The attackers activated Hyper-V on the infected machines, downloaded a disguised VM image, and named it “WSL.” The VM, operating on Alpine Linux, had a small disk footprint and low RAM usage, minimizing alerts from security systems. Within this environment, they deployed two malware implants: CurlyShell, a reverse shell for command execution, and CurlCat, a reverse proxy tool for SSH traffic. Both implants were designed to maintain a low forensic footprint. The attackers also used a PowerShell script to inject encrypted Kerberos tickets into LSASS for lateral movement and employed various tunneling tools for communication. Artifacts from their operations were stored in directories that blended with legitimate Windows files. Security teams are advised to audit Hyper-V usage, monitor for hidden VMs, and enable host-based network inspection.