A Russian-linked hacker group known as Curly COMrades has found a new way to hide its malware inside Windows systems by abusing Microsoft’s Hyper-V virtualization technology.
The group uses a secret Alpine Linux-based virtual machine to run malicious tools without being detected by standard security software.
Researchers at Bitdefender discovered that the hackers set up a hidden virtual machine to host two of their custom tools: CurlyShell, a reverse shell used for remote command execution, and CurlCat, a reverse proxy that enables covert communication. This setup allowed them to operate stealthily, bypassing endpoint detection and response (EDR) systems.
Curly COMrades has been active since mid-2024 and is believed to align with Russian geopolitical interests. The group has previously targeted government and judicial organizations in Georgia and energy firms in Moldova. In its latest campaign, Bitdefender, with help from Georgia’s national computer emergency response team, uncovered how the attackers exploited Hyper-V to maintain long-term access.
The hackers first gained remote access to two victim machines and then enabled Hyper-V while disabling its management interface to conceal their activity. Hyper-V, a virtualization feature included in Windows Pro, Enterprise, and Server editions, allows users to run virtual machines that behave like separate computers.
Bitdefender’s report explains that Curly COMrades deployed a minimal Alpine Linux virtual machine that required just 120MB of disk space and 256MB of memory. Inside this lightweight environment, they ran their hidden malware. Because the malicious activity occurred entirely within the virtual machine, traditional EDR systems could not detect it, as their visibility typically does not extend into isolated virtual environments.
To make the setup less suspicious, the attackers named the virtual machine “WSL,” mimicking Windows Subsystem for Linux, a legitimate Windows feature. They also configured the virtual machine to use the system’s default network switch, allowing all its traffic to appear as though it came from the host computer’s IP address.
The two malware tools used inside the virtual machine were based on libcurl, a widely used networking library. CurlyShell ran persistently through a cron job, connected securely over HTTPS, and allowed attackers to execute commands remotely. CurlCat acted as a tunneling tool that could wrap SSH traffic in HTTPS requests, making it almost impossible to distinguish from normal web traffic.
Bitdefender also found that the hackers used PowerShell scripts to maintain persistence and move laterally across networks. One script injected Kerberos tickets into the Windows LSASS process, enabling remote authentication. Another was pushed through Windows Group Policy to create local accounts on multiple machines within the same network, helping the attackers expand their control.
The researchers noted that the operation showed a high level of sophistication and careful planning. The hackers encrypted their payloads, used PowerShell for stealthy execution, and left minimal forensic evidence. This makes detection and investigation significantly harder for defenders.
Bitdefender recommends that organizations monitor for unusual Hyper-V activation, unauthorized LSASS access, or suspicious PowerShell scripts that create or reset local accounts through Group Policy. Unexplained virtualization activity, especially when new virtual machines appear unexpectedly, could be an early warning sign of this type of attack.
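A host-side hunt for three of the indicators the article names (Hyper-V enabled with its management tooling removed, a Hyper-V VM named "WSL", and a VM with an unusually small memory footprint), written as an added example rather than anything from Bitdefender's report. The optional-feature names and WMI classes are real Windows identifiers; the 512 MB threshold and the InstanceID prefix used to tie memory settings to a VM are assumptions.

```powershell
# Added hunt script (not from Bitdefender's report). Run as local administrator on a
# suspected host. Returns one finding object per matched indicator.
function Find-HiddenHyperVIndicators {
    [CmdletBinding()]
    param(
        # Constructed threshold: VMs at or below this RAM (MB) are flagged as unusually small
        [int]$SmallMemoryMB = 512
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Hypervisor enabled while its management tooling is disabled.
    $hv  = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor
    $ps  = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Management-PowerShell
    $gui = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Management-Clients
    if ($hv.State -eq 'Enabled' -and ($ps.State -ne 'Enabled' -or $gui.State -ne 'Enabled')) {
        $findings.Add([pscustomobject]@{ Indicator = 'HyperVWithoutManagement'
                                         Detail    = "PS=$($ps.State) GUI=$($gui.State)" })
    }

    # 2. Enumerate VMs through WMI so this still works when the Hyper-V module is removed.
    $ns  = 'root\virtualization\v2'
    $vms = Get-CimInstance -Namespace $ns -ClassName Msvm_ComputerSystem -ErrorAction SilentlyContinue |
           Where-Object { $_.Caption -eq 'Virtual Machine' }   # excludes the host entry
    foreach ($vm in $vms) {
        # A genuine WSL 2 distribution is not listed as a Hyper-V VM, so this name stands out.
        if ($vm.ElementName -like 'wsl*') {
            $findings.Add([pscustomobject]@{ Indicator = 'VMNamedWSL'; Detail = $vm.ElementName })
        }
        # Assumption: resource InstanceIDs carry the prefix "Microsoft:<VM GUID>\".
        $mem = Get-CimInstance -Namespace $ns -ClassName Msvm_MemorySettingData -ErrorAction SilentlyContinue |
               Where-Object { $_.InstanceID -like "Microsoft:$($vm.Name)\*" } | Select-Object -First 1
        if ($mem -and [int]$mem.VirtualQuantity -le $SmallMemoryMB) {
            $findings.Add([pscustomobject]@{ Indicator = 'TinyVM'
                                             Detail    = "$($vm.ElementName) $($mem.VirtualQuantity) MB" })
        }
    }
    return $findings
}

Find-HiddenHyperVIndicators | Format-Table -AutoSize
```

Any hit is a lead for a closer look at the host rather than a verdict, since a legitimate lab VM can also be small; pair it with the LSASS-access and Group Policy account-creation checks the article recommends.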