Russian Hackers Abuse Hyper-V to Hide Malware and Evade Endpoint Detection

A Russian-linked hacking group, Curly COMrades, has taken a significant step in cyber-espionage by weaponizing Microsoft’s Hyper-V to conceal malware within compromised Windows systems. This technique, reported by cybersecurity firm Bitdefender on November 4, involves the installation of a small Alpine Linux virtual machine (VM), which serves as a covert operational base for the attackers. By running custom malware inside this VM rather than on the host, the group evades endpoint detection and response (EDR) software and has maintained persistent, low-visibility access to its targets since July. The investigation received support from Georgia’s national CERT, highlighting the sophisticated and global nature of this emerging threat.

Hiding in Plain Sight: Abusing Native Hyper-V for Stealth

In a striking display of ingenuity, the hackers are exploiting a native feature of Windows against itself. Initially identified by Bitdefender in August 2025 for its use of COM hijacking, the group has now pivoted to leveraging Hyper-V, Microsoft’s built-in virtualization platform. Rather than deploying external tools that could trigger security alerts, the attackers are using legitimate system components already present on the target machine, embodying a classic “living-off-the-land” strategy.

Forensic analysis has revealed a multi-stage deployment process. The attackers begin by executing dism commands to enable the Hyper-V role while simultaneously disabling the Microsoft-Hyper-V-Management-Clients feature, making it more challenging for administrators to detect their activities. Once Hyper-V is activated, curl is used to download the VM archive, and PowerShell cmdlets such as Import-VM and Start-VM register and launch it. To further obfuscate their actions, the VM is named “WSL,” mimicking the legitimate Windows Subsystem for Linux.

An Isolated Arsenal: The Alpine Linux VM and Custom Malware

By weaponizing Hyper-V, the threat actors create a blind spot for many standard security tools. Central to this strategy is a minimalistic virtual machine based on Alpine Linux, a distribution renowned for its small size. This choice is intentional; the hidden environment occupies only 120MB of disk space and requires 256MB of memory, ensuring minimal impact on the host system. Within this isolated environment, the group operates a custom malware suite.

Bitdefender’s report summarizes the setup: “The attackers enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based virtual machine.” This base hosts two critical C++ tools: ‘CurlyShell,’ a reverse shell, and ‘CurlCat,’ a reverse proxy. CurlyShell maintains persistence within the VM through a simple root-level cron job, while CurlCat is configured as a ProxyCommand in the SSH client, encapsulating all outgoing SSH traffic within standard HTTP requests to blend in seamlessly. Both implants use a non-standard Base64 alphabet for encoding, further complicating detection. Additionally, the VM is attached to Hyper-V’s Default Switch, so its traffic leaves through the host’s network stack via Network Address Translation (NAT). As Bitdefender notes, “In effect, all malicious outbound communication appears to originate from the legitimate host machine’s IP address.” Such evasion tactics are increasingly prevalent among cyber adversaries.
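The deployment chain in the previous section (Hyper-V role enabled via DISM with the management clients disabled, Import-VM/Start-VM, a VM named “WSL”) and the VM footprint described here (Alpine-sized disk and memory, egress through the Default Switch) give a defender several host-side indicators to check. The following PowerShell hunt script is an added example, not code from the article or from Bitdefender’s report. It assumes an elevated session on a Windows host where the Hyper-V PowerShell module is available; the decoy-name list, the size thresholds and the seven-day look-back are assumptions to tune per environment.

```powershell
# Added example, not code from the article or from Bitdefender's report: a
# hunt for the Hyper-V abuse pattern described above. Assumes an elevated
# session on a Windows host where the Hyper-V PowerShell module is present;
# the decoy-name list, the size thresholds and the 7-day window are assumptions.

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Role state. The platform being enabled while the management clients are
#    disabled is the DISM combination the article describes.
$platform = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V' -ErrorAction SilentlyContinue
$clients  = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-Management-Clients' -ErrorAction SilentlyContinue
if ($platform.State -eq 'Enabled' -and $clients.State -ne 'Enabled') {
    Add-Finding 'RoleState' 'Hyper-V enabled while Microsoft-Hyper-V-Management-Clients is disabled'
}

# 2. Registered VMs. Score each VM on the traits reported for the implant
#    host: a name that mimics a built-in component, a tiny memory and disk
#    footprint, and egress through the Default Switch (NAT behind the host IP).
$decoyNames = @('WSL', 'Docker', 'WindowsUpdate')            # assumed list
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in Get-VM) {
        $reasons = @()
        if ($decoyNames -contains $vm.Name) {
            $reasons += "name '$($vm.Name)' mimics a legitimate component"
        }
        $startupMB = [int]((Get-VMMemory -VMName $vm.Name).Startup / 1MB)
        if ($startupMB -le 256) { $reasons += "startup memory ${startupMB} MB" }
        foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name) {
            if ($disk.Path -and (Test-Path $disk.Path)) {
                $diskMB = [int]((Get-Item $disk.Path).Length / 1MB)
                if ($diskMB -le 200) { $reasons += "disk image ${diskMB} MB ($($disk.Path))" }
            }
        }
        $switches = @(Get-VMNetworkAdapter -VMName $vm.Name | Select-Object -ExpandProperty SwitchName)
        if ($switches -contains 'Default Switch') { $reasons += 'NIC on Default Switch (NAT via host)' }
        # One trait alone is common for legitimate lab VMs; require two.
        if ($reasons.Count -ge 2) {
            Add-Finding "VM:$($vm.Name)" ($reasons -join '; ')
        }
    }
}

# 3. Script block logging (event 4104). Look back for the cmdlets and tools
#    used in the deployment chain. Only catches what ran through PowerShell
#    and requires script block logging to be enabled.
$pattern = 'Import-VM|Start-VM|Enable-WindowsOptionalFeature|dism(\.exe)?\s+.*hyper-v|curl(\.exe)?\s'
$blocks = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
foreach ($b in $blocks) {
    $text = [string]$b.Properties[2].Value       # ScriptBlockText
    if ($text -match $pattern) {
        $flat = $text -replace '\s+', ' '
        $snippet = $flat.Substring(0, [math]::Min(160, $flat.Length))
        Add-Finding 'ScriptBlock' ("{0:u} {1}" -f $b.TimeCreated, $snippet)
    }
}

if ($Findings.Count -eq 0) { 'No Hyper-V abuse indicators found.' } else { $Findings | Format-Table -AutoSize -Wrap }
```

Each check is a heuristic rather than a signature: a legitimately small Linux VM on the Default Switch will also score, so findings are meant to be triaged, not blocked on. DISM invoked from cmd.exe will not appear in 4104 events; process-creation auditing (Security event 4688 with command-line logging) covers that path.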

Beyond the VM: Persistence and Lateral Movement with PowerShell

While the Hyper-V VM provides a stealthy foundation, Curly COMrades employs additional tools to ensure persistence and facilitate lateral movement within networks. Investigators have uncovered several malicious PowerShell scripts designed to solidify their foothold, showcasing a layered approach to maintaining access. One script, deployed via Group Policy, creates a local user account on domain-joined machines and repeatedly resets the account’s password, ensuring the attackers retain access even if an administrator intervenes.
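The persistence script described above leaves a recognisable trail in the Security log: an account creation followed by repeated password resets against the same local account, typically performed in the SYSTEM context when the script is delivered by Group Policy. The following PowerShell hunt is an added example, not code from the article or from Bitdefender’s report. It assumes an elevated session with read access to the Security log; the seven-day window and the reset-count threshold are assumptions to tune per environment.

```powershell
# Added example, not code from the article or from Bitdefender's report: hunt
# for a local account that is created (event 4720) and then has its password
# reset repeatedly (event 4724). Assumes an elevated session that can read the
# Security log; the window and threshold below are assumptions.

$Since     = (Get-Date).AddDays(-7)
$Threshold = 3

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4720, 4724
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Both event IDs carry the target account name in the first substitution
# string and the initiating (subject) account name in the fifth.
$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Target  = [string]$e.Properties[0].Value
        Subject = [string]$e.Properties[4].Value
    }
}

$created = @($rows | Where-Object Id -eq 4720 | Select-Object -ExpandProperty Target -Unique)

$rows | Where-Object Id -eq 4724 |
    Group-Object Target |
    Where-Object Count -ge $Threshold |
    ForEach-Object {
        $subjects = @($_.Group.Subject | Sort-Object -Unique)
        $times    = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            Account         = $_.Name
            Resets          = $_.Count
            FirstReset      = $times[0]
            LastReset       = $times[-1]
            CreatedInWindow = $created -contains $_.Name
            # A machine account (name ending in '$') as the subject means the
            # reset ran as SYSTEM, which is how a Group Policy script executes.
            ResetBySystem   = [bool]($subjects | Where-Object { $_ -like '*$' })
            Subjects        = ($subjects -join ', ')
        }
    } |
    Sort-Object Resets -Descending |
    Format-Table -AutoSize
```

An account that was created inside the window, is reset several times and always by the machine account is the combination to prioritise; a help-desk user resetting a colleague’s password once or twice will not meet the threshold. Because the script runs on each domain-joined machine, the hunt should be run fleet-wide (for example through a remoting session) rather than on a single host.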

Another sophisticated PowerShell script, a customized version of the public TicketInjector utility, is utilized for lateral movement. This script injects a Kerberos ticket into the Local Security Authority Subsystem Service (LSASS) process, allowing authentication to other remote systems without requiring plaintext passwords. This “pass-the-ticket” technique enables the attackers to execute commands, exfiltrate data, or deploy additional malware across the environment. The multi-faceted approach underscores the group’s operational maturity, a characteristic often associated with state-sponsored threat actors.
