Russian hackers abuse Hyper-V to hide malware in Linux VMs

The Russian hacker group Curly COMrades has been abusing Microsoft Hyper-V on Windows hosts to evade endpoint detection and response (EDR) solutions. The group does this by creating a concealed Alpine Linux-based virtual machine whose sole purpose is to run its malware outside the view of the host's security tooling.

Operational Stealth and Custom Tools

Within this virtual environment, the group has deployed its proprietary tools: the CurlyShell reverse shell and the CurlCat reverse proxy. These tools facilitate operational stealth and enable secure communication channels.

Curly COMrades, a cyber-espionage group believed to have been active since mid-2024, aligns its activities closely with Russian geopolitical interests. Previous investigations by Bitdefender have highlighted the group’s targeting of government and judicial entities in Georgia, as well as energy companies in Moldova.

In collaboration with the Georgian Computer Emergency Response Team (CERT), Bitdefender has uncovered further details regarding the group’s latest operations. The research indicates that in early July, after gaining remote access to two machines, Curly COMrades executed commands to activate Hyper-V and disable its management interface.

Microsoft’s Hyper-V technology, which is integrated into Windows (Pro and Enterprise) and Windows Server operating systems, provides hardware virtualization capabilities that allow users to run virtual machines (VMs). According to Bitdefender, “The attackers enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based virtual machine. This hidden environment, with its lightweight footprint (only 120MB disk space and 256MB memory), hosted their custom reverse shell, CurlyShell, and a reverse proxy, CurlCat.”

[Figure: CurlCat (left) and CurlyShell (right). Source: Bitdefender]

By confining the malware and its execution within a virtual machine, the hackers successfully bypassed traditional host-based EDR detections, which often lack the network inspection capabilities necessary to identify command and control (C2) traffic originating from the VM.

While the tactic of using virtualization to evade detection is not novel, the fragmented landscape of security tools makes it a particularly effective strategy in environments lacking comprehensive, multi-layered protection. In this instance, the attackers cleverly named the VM ‘WSL,’ referencing the Windows Subsystem for Linux feature in hopes of remaining undetected.

The Alpine Linux VM was configured in Hyper-V to utilize the Default Switch network adapter, allowing all traffic to flow through the host’s network stack. As Bitdefender researchers explain, “In effect, all malicious outbound communication appears to originate from the legitimate host machine’s IP address.”

The two custom implants deployed within the VM are ELF binaries based on libcurl, serving distinct purposes for command execution and traffic tunneling:

  • CurlyShell – Executes commands within the hidden Alpine VM and maintains persistence via a cron job. It operates in headless mode and connects to the command-and-control (C2) over HTTPS.
  • CurlCat – A companion tool utilized for tunneling, invoked by the shell implant to establish a covert SOCKS proxy back to the operator. It encapsulates SSH traffic within HTTPS requests, facilitating network pivoting while blending seamlessly with normal operational noise.

[Figure: Attack overview. Source: Bitdefender]

During their investigation, researchers also identified that Curly COMrades employed two PowerShell scripts for persistence and for pivoting to remote systems. One script was crafted to inject a Kerberos ticket into LSASS, enabling authentication to remote systems and command execution. The second script was deployed through the Group Policy feature, creating a local account across machines within the same domain.

The sophistication exhibited in the Curly COMrades attacks underscores a focus on stealth and operational security. The hackers encrypted embedded payloads and exploited PowerShell capabilities, resulting in minimal forensic traces on the compromised hosts.

In light of these findings, Bitdefender recommends that organizations remain vigilant for signs of abnormal Hyper-V activation, LSASS access, or PowerShell scripts deployed via Group Policy that may trigger local account password resets or the creation of new accounts.
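The following hunting script turns those recommendations, together with the VM characteristics described earlier (the 'WSL' name, the roughly 120MB/256MB footprint, the Default Switch adapter), into checks that can be run on a Windows host. It is an added example written for this page, not Bitdefender's or the Georgian CERT's tooling. It relies only on standard cmdlets (Get-WindowsOptionalFeature, the Hyper-V module's Get-VM family, Get-WinEvent); the 30-day look-back window, the disk-size threshold of 200MB, and the choice of Security event IDs 4720/4724 and Sysmon event ID 10 as the signals for account creation and LSASS access are assumptions made for this example, not values from the article.

```powershell
# Hyper-V hidden-VM hunting script (added example for this page, not Bitdefender's tooling).
# Run from an elevated PowerShell session on the Windows host under examination.
# Thresholds and event IDs below are assumptions chosen for this example.

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Has the Hyper-V role been enabled on a host where it is not expected?
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $Findings.Add("Hyper-V optional feature is Enabled")
}
$vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
if ($vmms -and $vmms.Status -eq 'Running') {
    $Findings.Add("Hyper-V Virtual Machine Management service (vmms) is running")
}

# 2. Enumerate VMs and flag ones resembling the implant host the article describes:
#    a name that mimics a built-in feature, a tiny footprint, or the Default Switch
#    (whose NAT makes VM traffic appear to come from the host's own IP address).
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in Get-VM -ErrorAction SilentlyContinue) {
        $reasons = @()
        if ($vm.Name -match '^wsl') { $reasons += "name mimics Windows Subsystem for Linux" }
        if ($vm.MemoryStartup -le 256MB) { $reasons += "startup memory <= 256MB" }
        $adapters = Get-VMNetworkAdapter -VMName $vm.Name -ErrorAction SilentlyContinue
        if ($adapters | Where-Object { $_.SwitchName -eq 'Default Switch' }) {
            $reasons += "attached to Default Switch"
        }
        foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name -ErrorAction SilentlyContinue) {
            if (Test-Path $disk.Path) {
                $sizeMB = [math]::Round((Get-Item $disk.Path).Length / 1MB)
                # 200MB is an assumed threshold; the article reports a 120MB disk.
                if ($sizeMB -le 200) { $reasons += "virtual disk only ${sizeMB}MB ($($disk.Path))" }
            }
        }
        if ($reasons.Count -gt 0) {
            $Findings.Add("VM '$($vm.Name)' [$($vm.State)]: " + ($reasons -join '; '))
        }
    }
}

# 3. Recent local account creation / password reset (Security 4720 / 4724), the
#    footprint a Group-Policy-deployed account-creation script would leave.
$since = (Get-Date).AddDays(-30)
$acct = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4724; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $acct) {
    $Findings.Add("Security $($e.Id) at $($e.TimeCreated): " + ($e.Message -split "`n")[0])
}

# 4. Processes opening handles to LSASS, if Sysmon is installed (Event ID 10, ProcessAccess).
$lsass = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'TargetImage:.*\\lsass\.exe' }
foreach ($e in $lsass) {
    $src = if ($e.Message -match 'SourceImage:\s*(.+)') { $Matches[1].Trim() } else { 'unknown' }
    $Findings.Add("Sysmon ProcessAccess to lsass.exe from $src at $($e.TimeCreated)")
}

if ($Findings.Count -eq 0) { "No Hyper-V / account-creation / LSASS indicators found." }
else { $Findings | ForEach-Object { "[!] $_" } }
```

Hyper-V being enabled is normal on developer workstations and servers, and the Sysmon LSASS check will match legitimate system processes, so the output is a starting point for triage against a known baseline rather than a verdict. The VM checks only run where the Hyper-V PowerShell module is present; on a host where the role was enabled but the management tools were removed, as the article describes, the feature and service checks in step 1 still fire.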
