Hackers Use Hyper-V to Deploy Linux Malware on Windows Systems

The Russian-aligned APT group known as Curly COMrades has recently been observed employing a sophisticated technique involving hidden Alpine Linux virtual machines (VMs) on compromised Windows hosts through Microsoft Hyper-V. This method allows the attackers to effectively isolate their malware from conventional host-based detection tools, thereby ensuring long-term covert access to the affected systems.

This operation came to light in mid-2025, thanks to a collaborative investigation conducted by Bitdefender and the Georgian CERT. The inquiry traced suspicious activities back to a compromised Georgian website, which was also functioning as a proxy controlled by the attackers. A thorough forensic analysis unveiled a previously undocumented strategy that leverages native Windows virtualization to execute stealthy Linux-based malware, successfully evading traditional endpoint defenses.

Hyper-V as a launchpad for Linux malware

Once the attackers gained access to Windows machines, they remotely activated the Hyper-V role while disabling its management interface to minimize detection. They proceeded to download a compressed virtual machine image disguised as a video file, extracting it with WinRAR before importing it into Hyper-V using PowerShell. The VM was cleverly named “WSL,” referencing the Windows Subsystem for Linux, yet it functioned as a standalone Linux environment.

Operating on Alpine Linux, this virtual machine was designed to be both compact, with a disk footprint of only 120MB, and resource-efficient, utilizing just 256MB of RAM. Such specifications made it unlikely to trigger alerts from host-based security systems. By utilizing Hyper-V’s Default Switch networking, all outbound traffic from the VM appeared to originate from the Windows host’s IP address, further obscuring any malicious activity.

Within this concealed Linux environment, the attackers deployed two custom malware implants:

  • CurlyShell: A persistent reverse shell written in C++, responsible for executing commands. It maintains persistence through a root-level cron job and communicates with command and control (C2) servers over HTTPS, obfuscating its traffic using a non-standard Base64 encoding scheme.
  • CurlCat: A stealth reverse proxy tool that encapsulates SSH traffic within HTTP requests. Launched on-demand via CurlyShell, it facilitates tunneled communication over SOCKS proxies, authenticating to remote servers with hardcoded RSA keys.

Both implants are compiled as ELF binaries and share a common codebase centered around the libcurl library, allowing for long-term operation with a minimal forensic footprint.

Figure: Curly COMrades' attack setup (source: Bitdefender)

Beyond the VM, the attackers employed a versatile arsenal to maintain access and navigate through victim networks. On the compromised Windows hosts, they utilized a PowerShell script (kb_upd.ps1) to inject encrypted Kerberos tickets into LSASS, enabling remote command execution and lateral movement via SMB. Persistence was further ensured through another GPO-distributed script that created or reset local accounts with hardcoded credentials. To maintain reliable communication, they also deployed tunneling tools such as Ligolo-ng, Resocks, Stunnel, and CCProxy, alongside CurlCat, reflecting a layered and adaptable approach to remote access.

Artifacts from these operations were often stored in directories like C:\Windows\ps1 or C:\ProgramData, effectively blending into legitimate Windows system files.

In light of these developments, security teams are advised to audit Hyper-V usage across endpoints and disable the role where it is not necessary. Monitoring for hidden VMs and unexpected imports through PowerShell and WMI activity is also recommended, along with enabling host-based network inspection, particularly on systems with virtualization capabilities enabled.
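The following PowerShell hunt is an added example, not code from the article or from the Bitdefender report, that turns those recommendations into concrete checks on a Windows host: Hyper-V enabled with its management tooling removed, VMs enumerated through WMI (so it still works when the Hyper-V PowerShell module is absent), VMs named "WSL" or with a tiny memory footprint, and RAR archives carrying a video extension in the staging directories the article names. The memory threshold, the video-extension list and the directory list are assumptions made for this example.

```powershell
# Defender-side hunt for the Hyper-V pattern described above. Run elevated on the
# Windows host being examined (client Windows feature names are assumed here).
# Thresholds, the extension list and the directory list are assumptions for this example.
$SuspiciousVmNames = @('WSL')                     # VM name used by the attackers per the report
$SmallMemoryMB     = 512                          # report: 256MB VM; 512 threshold is an assumption
$ArtifactDirs      = @("$env:SystemRoot\ps1", $env:ProgramData)
$VideoExtensions   = @('.mp4', '.avi', '.mkv', '.mov', '.wmv')   # "disguised as a video file"

$findings = New-Object System.Collections.Generic.List[string]

# 1. Hyper-V enabled while every Hyper-V management feature (GUI, PowerShell) is disabled.
$features    = Get-WindowsOptionalFeature -Online | Where-Object FeatureName -like 'Microsoft-Hyper-V*'
$hvEnabled   = $features | Where-Object { $_.FeatureName -eq 'Microsoft-Hyper-V' -and $_.State -eq 'Enabled' }
$mgmtEnabled = $features | Where-Object { $_.FeatureName -like 'Microsoft-Hyper-V-Management-*' -and $_.State -eq 'Enabled' }
if ($hvEnabled -and -not $mgmtEnabled) {
    $findings.Add('Hyper-V role enabled but all Hyper-V management features are disabled')
}

# 2. Enumerate VMs via WMI (root\virtualization\v2); this does not need the Hyper-V module.
$vms = Get-CimInstance -Namespace root\virtualization\v2 -ClassName Msvm_ComputerSystem -ErrorAction SilentlyContinue |
       Where-Object Caption -eq 'Virtual Machine'
foreach ($vm in $vms) {
    # The "Realized" settings object is the VM's live configuration (snapshots have other types).
    $cfg = Get-CimAssociatedInstance -InputObject $vm -ResultClassName Msvm_VirtualSystemSettingData |
           Where-Object VirtualSystemType -eq 'Microsoft:Hyper-V:System:Realized'
    $mem   = Get-CimAssociatedInstance -InputObject $cfg -ResultClassName Msvm_MemorySettingData
    $memMB = [int]$mem.VirtualQuantity              # VirtualQuantity is expressed in MB
    $desc  = "VM '$($vm.ElementName)' state=$($vm.EnabledState) mem=${memMB}MB cfg=$($cfg.ConfigurationDataRoot)"
    if ($SuspiciousVmNames -contains $vm.ElementName) { $findings.Add("Name matches attacker pattern: $desc") }
    if ($memMB -le $SmallMemoryMB)                     { $findings.Add("Unusually small VM: $desc") }
}

# 3. Files with a video extension whose first bytes are the RAR signature ("Rar!").
foreach ($dir in $ArtifactDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -Recurse -ErrorAction SilentlyContinue |
      Where-Object { $VideoExtensions -contains $_.Extension.ToLower() } |
      ForEach-Object {
        $fs = [System.IO.File]::OpenRead($_.FullName)
        try { $magic = New-Object byte[] 4; [void]$fs.Read($magic, 0, 4) } finally { $fs.Dispose() }
        if ([System.Text.Encoding]::ASCII.GetString($magic) -eq 'Rar!') {
            $findings.Add("RAR archive with video extension: $($_.FullName)")
        }
      }
}

if ($findings.Count -eq 0) { 'No Hyper-V abuse indicators found' } else { $findings }
```

On Windows Server the feature names differ (`Get-WindowsFeature Hyper-V`, `Hyper-V-PowerShell`), so adjust step 1 there; steps 2 and 3 apply unchanged.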

