Russian Hackers Exploit Hyper-V to Conceal Malware in Linux VMs

A cyber-espionage group known as Curly COMrades has been identified for leveraging Microsoft Hyper-V within Windows systems to elude endpoint detection and response solutions. Their tactic involves creating a covert Alpine Linux-based virtual machine to execute malicious activities undetected.

Within this virtual environment, the threat actors deployed their proprietary tools, namely the CurlyShell reverse shell and the CurlCat reverse proxy, facilitating surreptitious operations and communication.

Curly COMrades, believed to have been active since mid-2024, is closely associated with Russian geopolitical interests.

Previous investigations by Bitdefender have exposed Curly COMrades’ operations targeting government and judicial entities in Georgia, as well as energy companies in Moldova.

In collaboration with the Georgian CERT, the Romanian cybersecurity firm uncovered further details about the group’s recent activities.

Researchers discovered that in early July, the threat actors gained remote access to two machines, enabling Hyper-V and disabling its management interface.

Hyper-V, an integral part of Microsoft’s technology stack, offers hardware virtualization capabilities in Windows and Windows Server operating systems, allowing users to run virtual machines.

By activating the Hyper-V role on selected systems, the hackers deployed a minimalist Alpine Linux-based virtual machine. This hidden environment hosted their custom reverse shell, CurlyShell, and a reverse proxy, CurlCat.

Operating within a virtual machine allowed the hackers to circumvent traditional host-based EDR detections, which lacked network inspection capabilities to identify command and control traffic.

Although the use of virtualization for evasion is not novel, the fragmented security tool coverage makes it a potent strategy in networks with inadequate protection layers.

In their attacks, Curly COMrades utilized the name ‘WSL’ for the VM, referencing the Windows Subsystem for Linux, to avoid detection.

The Alpine Linux VM configured in Hyper-V used the Default Switch network adapter, directing all traffic through the host’s network stack.

The two custom implants deployed in the VM, CurlyShell and CurlCat, are ELF binaries based on libcurl, facilitating command execution and traffic tunneling.

During the investigation, researchers also uncovered the group’s use of two PowerShell scripts for persistence and remote system access.

These sophisticated attacks by Curly COMrades emphasize stealth and operational security, with encrypted payloads and PowerShell abuse minimizing forensic traces.

Based on their findings, Bitdefender recommends organizations monitor for abnormal Hyper-V activation, LSASS access, or PowerShell scripts deployed via Group Policy.