Hidden Machines, Open Doors: How Curly COMrades Weaponize Hyper‑V to Evade Detection

Introduction

A stealthy shift in attacker tradecraft: instead of blending into the host OS, some adversaries now set up tiny virtual machines on victims’ hosts, lightweight and purpose‑built islands that hide malicious code behind a clean façade. The Curly COMrades campaign, recently analyzed by Bitdefender, shows how enabling Windows Hyper‑V and running an Alpine Linux VM lets attackers run bespoke malware with remarkable stealth and persistence. This article rewrites and expands the original report into a single, clearer narrative: a concise summary of the facts, followed by an evidence‑driven analysis of what this means for defenders, organizations and incident responders.

Summary (original article, condensed)

Curly COMrades, a threat cluster that researchers have tracked since late 2023 and assess as aligned with Russian interests, has been observed using virtualization on compromised Windows 10 hosts to evade endpoint defenses. Bitdefender’s technical analysis found that the attackers enabled the Hyper‑V role on selected victims and deployed a tiny Alpine Linux virtual machine (about 120 MB of disk and 256 MB of RAM) as a hidden execution layer. Inside that VM the adversary ran two bespoke tools: CurlyShell, an ELF reverse shell written in C++ that runs headless as a daemon and polls its C2 over HTTP, fetching commands with GET requests and returning results with POSTs; and CurlCat, a reverse proxy that tunnels traffic, including SSH sessions, to enable bidirectional transfer.

These custom tools sat alongside the rest of the cluster’s arsenal: RuRat for persistence, Mimikatz for credential harvesting, and MucorAgent, a modular .NET implant whose lineage reaches back to late 2023. Bitdefender’s earlier reporting from August 2025 had linked Curly COMrades to targeted intrusions in Georgia and Moldova; follow‑up work with Georgia CERT documented more tooling and a consistent pattern of keeping long‑term remote access through VM‑based environments. Throughout, the attackers mixed well‑known proxy and tunneling tools (Resocks, Rsockstun, Ligolo‑ng, CCProxy, Stunnel and plain SSH) with PowerShell scripts for remote command execution.

By isolating the key malware inside a VM, Curly COMrades sidestepped many host‑based EDR and detection mechanisms: on the Windows host the malicious execution looked like the ordinary activity of a legitimate virtual machine rather than suspicious processes. The researchers stress the actor’s repeated investment in reverse proxy capability and modular tool updates to retain flexible control over compromised networks.

What Undercode Say:

Curly COMrades’ choice to weaponize Hyper‑V is a tactical escalation that blends cleverness with pragmatism. Its significance has three layers, stealth, resilience and operational economics, and each has direct implications for defenders.

First, stealth. Traditional endpoint detection relies heavily on hooks into the host OS: process scanning, API hooking, behavioral telemetry and user‑mode monitoring. A minimal Linux VM running under Hyper‑V has its own userland, its own processes and its own network stack, and on the host all of that collapses into a handful of legitimate components: the vmms management service, one vmwp.exe worker process per running guest, and I/O to a disk image. The footprint is tiny, a lightweight Alpine image and a few small binaries, far less than defenders are used to seeing from an implant. Because the command‑and‑control logic executes inside the guest, the usual host‑side indicators (odd processes, suspicious DLL loads, unusual parent‑child chains) never appear on the host at all; at most, defenders see Hyper‑V running and perhaps a rise in virtualization‑related I/O. This misdirection widens the window for lateral movement, data staging and long‑term persistence.

Second, resilience. Virtualization gives attackers a self‑contained environment they can snapshot, modify or replace without touching the host again. If defenders find and remove an artifact on the host, an operator who still holds any foothold can re‑enable Hyper‑V, drop a fresh copy of the image and be right back inside; a VM configured to start automatically with the host even survives reboots on its own. The reverse proxy (CurlCat) and modular implants (MucorAgent, CurlyShell) compound this: even if one component is discovered, the proxying architecture lets operators shift C2 servers or pivot channels quickly. Attackers who invest in such infrastructure can treat each compromised host as a disposable gateway into a resilient, distributed network of proxies and backdoors.

Third, operational economics. A tiny VM simplifies the attacker’s job: they can standardize one small Alpine image, embed their tools in it and deploy the same artifact across many victims, which lowers development and operational overhead while maximizing reach. It is also platform‑agnostic: a Linux guest runs code written in C++, Go or Python without relying on Windows internals, extending the toolkit beyond Windows‑centric malware like Mimikatz. The result is a hybrid approach: Windows is used for initial compromise and persistence, and the heavy lifting migrates into a hidden Linux runtime that the attacker controls fully.

From a detection and mitigation viewpoint, this pattern breaks assumptions many defenders rely on. Rather than looking only for suspicious Windows processes, defenders must expand monitoring to virtualization events and anomalous Hyper‑V configuration changes. Telemetry worth elevating includes: enabling or disabling of virtualization features; creation or import of VMs on endpoints that do not normally host them; new virtual switches and NAT networks (the Hyper‑V Default Switch NATs guest traffic behind the host’s own IP address, so the guest never appears as a separate address on the network); and file drops consistent with small Linux images, such as a VHD/VHDX of roughly a hundred megabytes sitting in a user profile. Endpoint agents should track changes to the Windows feature set (the Hyper‑V role and its services) and correlate them with the user and administrative session that made the change. Many enterprises treat Hyper‑V as a datacenter capability rather than a desktop one, and on a typical workstation its appearance should raise immediate suspicion. One caveat: developer machines running WSL 2, Docker Desktop or Windows Sandbox also enable Hyper‑V’s virtualization platform, so baseline those populations separately instead of alerting on the feature alone; what should never be normal is a VM whose name, image size and creation time nobody can account for.
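The host‑side hunt described above, written out as an added PowerShell script (my example, not Bitdefender’s code and not part of the original report). It assumes an elevated shell on a Windows 10/11 workstation and relies only on built‑in cmdlets and the root\virtualization\v2 WMI namespace, so it still works when the Hyper‑V PowerShell module was never installed; the seven‑day look‑back, the search roots and the ‘Setup’ log heuristic in step 7 are my choices, not facts from the report.

```powershell
# Added hunt script (not Bitdefender's code). Run from an elevated PowerShell on a workstation
# that should not be hosting VMs. Uses only built-in cmdlets and WMI, so it does not need the
# Hyper-V PowerShell module, which may never have been installed on the victim host.
function Invoke-HyperVHunt {
    $findings = [System.Collections.Generic.List[string]]::new()
    $since = (Get-Date).AddDays(-7)   # look-back window for event logs (assumption: 7 days)

    # 1. Platform state: optional features, the hypervisor flag and the VM management service.
    #    VirtualMachinePlatform is what WSL 2 and Docker Desktop enable, so it is expected on dev boxes;
    #    the full Microsoft-Hyper-V-All role plus a running vmms on an ordinary workstation is not.
    foreach ($name in 'Microsoft-Hyper-V-All', 'VirtualMachinePlatform') {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        if ($f) { $findings.Add("Feature $name : $($f.State)") }
    }
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $findings.Add("HypervisorPresent (Win32_ComputerSystem): $($cs.HypervisorPresent)")
    $vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
    if ($vmms) { $findings.Add("vmms service: $($vmms.Status), start type $($vmms.StartType)") }

    # 2. Guests, via the virtualization WMI namespace (works without Get-VM). The host is listed
    #    with Caption 'Hosting Computer System'; guests carry 'Virtual Machine'. EnabledState 2 = running, 3 = off.
    Get-CimInstance -Namespace root\virtualization\v2 -ClassName Msvm_ComputerSystem -ErrorAction SilentlyContinue |
        Where-Object { $_.Caption -eq 'Virtual Machine' } |
        ForEach-Object {
            $findings.Add("VM '$($_.ElementName)' id=$($_.Name) EnabledState=$($_.EnabledState) installed=$($_.InstallDate)")
        }

    # 3. Worker processes: every running guest is backed by one vmwp.exe on the host.
    Get-Process -Name vmwp -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("vmwp.exe pid $($_.Id) started $($_.StartTime)") }

    # 4. Disk images and VM configs in user-writable locations. The campaign's guest was about
    #    120 MB, so a VHD/VHDX far smaller than any real dev VM is itself a signal.
    $roots = @("$env:SystemDrive\Users", $env:ProgramData, "$env:windir\Temp")
    Get-ChildItem -Path $roots -Recurse -Force -File -Include *.vhd, *.vhdx, *.vmcx, *.vmrs -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add("Image/config $($_.FullName): $([math]::Round($_.Length / 1MB)) MB, modified $($_.LastWriteTime)")
        }

    # 5. Networking: the Default Switch NATs guest traffic behind the host's own IP, so egress logs
    #    show the host, not the guest. Record NAT networks and virtual switches for correlation.
    Get-NetNat -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("NetNat '$($_.Name)' internal prefix $($_.InternalIPInterfaceAddressPrefix)") }
    Get-CimInstance -Namespace root\virtualization\v2 -ClassName Msvm_VirtualEthernetSwitch -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("vSwitch '$($_.ElementName)'") }

    # 6. Recent VMMS admin events: VM creation, import, start and deletion are all recorded here.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Hyper-V-VMMS-Admin'; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object -First 25 |
        ForEach-Object {
            $firstLine = ($_.Message -split "`r?`n")[0]
            $findings.Add("VMMS event $($_.Id) at $($_.TimeCreated): $firstLine")
        }

    # 7. Who turned the role on: the servicing stack logs optional-feature changes to the 'Setup' log.
    #    (Assumption: the event text names the Hyper-V package on your build; verify before relying on it.)
    Get-WinEvent -FilterHashtable @{ LogName = 'Setup'; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Hyper-V' } |
        ForEach-Object { $findings.Add("Setup event $($_.Id) at $($_.TimeCreated) user $($_.UserId)") }

    return $findings
}

Invoke-HyperVHunt
```

Run it fleet‑wide through your EDR’s script execution or a scheduled task and diff the output against a known‑good baseline: on a machine with no virtualization use, every line after the feature states should be empty, and a single unexplained VM, vmwp.exe or small VHDX is enough to open a case.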

Defenders should also profile at the network level. CurlyShell’s small, periodic HTTP GET polling of its C2 is a classic beaconing pattern: frequent low‑volume GETs at a near‑constant interval from one host to one endpoint, punctuated by POSTs that carry encoded results. Note that with NAT in play the source address in proxy and firewall logs is the Windows host’s, so the baseline question is whether that host talks to a given endpoint like a timer, and whether the host’s own EDR can attribute the connection to any process: guest traffic is forwarded through the virtual switch below the host’s socket layer, so process‑level network telemetry (Sysmon Event ID 3 and its EDR equivalents) will not tie it to any process. Likewise, sudden outbound SSH or tunneled traffic from hosts that never initiated such sessions must be flagged. For organizations with microsegmentation or strict egress policies, even modest deviations from allowed patterns are disruptive to the attacker and act as tripwires.
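Beacon scoring over egress logs, as an added example with constructed data (the log lines, addresses and format are made up for illustration and are not taken from the report). It assumes a simplified proxy export with one request per line (timestamp, source, destination:port, method, bytes) and flags flows whose inter‑request interval is near‑constant and whose typical request is tiny; the thresholds are my starting points, to be tuned against your own traffic.

```powershell
# Added example (constructed data, not from the report). Flags (source, destination) flows that
# poll like a timer with tiny requests. Sources are workstation addresses: because the Default
# Switch NATs the guest behind the host, the guest never shows up under its own IP.
$sampleLog = @'
2025-11-05T09:00:00Z 10.1.5.23 203.0.113.10:80 GET 412
2025-11-05T09:01:01Z 10.1.5.23 203.0.113.10:80 GET 412
2025-11-05T09:02:00Z 10.1.5.23 203.0.113.10:80 GET 412
2025-11-05T09:02:59Z 10.1.5.23 203.0.113.10:80 GET 412
2025-11-05T09:04:01Z 10.1.5.23 203.0.113.10:80 POST 2048
2025-11-05T09:05:00Z 10.1.5.23 203.0.113.10:80 GET 412
2025-11-05T09:00:12Z 10.1.5.23 198.51.100.7:443 GET 18322
2025-11-05T09:07:41Z 10.1.5.23 198.51.100.7:443 GET 51200
2025-11-05T09:31:09Z 10.1.5.23 198.51.100.7:443 GET 2201
2025-11-05T09:40:02Z 10.1.5.23 198.51.100.7:443 GET 7700
2025-11-05T09:58:55Z 10.1.5.23 198.51.100.7:443 POST 300
2025-11-05T10:03:13Z 10.1.5.23 198.51.100.7:443 GET 9100
2025-11-05T09:00:05Z 10.1.5.40 198.51.100.7:443 GET 9900
'@

function Find-BeaconCandidates {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$MinEvents = 5,          # fewer requests than this cannot establish a cadence
        [double]$MaxJitter = 0.15,    # coefficient of variation of the inter-request interval
        [int]$MaxMedianBytes = 1024   # a "any tasks for me?" poll carries very little data
    )
    $pattern = '^(?<ts>\S+)\s+(?<src>\S+)\s+(?<dst>\S+)\s+(?<method>\S+)\s+(?<bytes>\d+)$'
    $flows = @{}
    foreach ($line in $Lines) {
        if (-not ($line -match $pattern)) { continue }
        $key = "$($Matches.src) -> $($Matches.dst)"
        if (-not $flows.ContainsKey($key)) { $flows[$key] = [System.Collections.Generic.List[object]]::new() }
        $flows[$key].Add([pscustomobject]@{
            Time   = [datetimeoffset]::Parse($Matches.ts, [cultureinfo]::InvariantCulture)
            Method = $Matches.method
            Bytes  = [int]$Matches.bytes
        })
    }
    foreach ($key in $flows.Keys) {
        $events = @($flows[$key] | Sort-Object Time)
        if ($events.Count -lt $MinEvents) { continue }
        # Inter-arrival intervals in seconds, their mean and population standard deviation.
        $intervals = for ($i = 1; $i -lt $events.Count; $i++) { ($events[$i].Time - $events[$i - 1].Time).TotalSeconds }
        $mean = ($intervals | Measure-Object -Average).Average
        $var  = ($intervals | ForEach-Object { [math]::Pow($_ - $mean, 2) } | Measure-Object -Sum).Sum / $intervals.Count
        $cv   = if ($mean -gt 0) { [math]::Sqrt($var) / $mean } else { [double]::PositiveInfinity }
        $sorted = @($events.Bytes | Sort-Object)
        $median = $sorted[[math]::Floor($sorted.Count / 2)]
        $gets   = @($events | Where-Object Method -eq 'GET').Count
        [pscustomobject]@{
            Flow          = $key
            Requests      = $events.Count
            MeanIntervalS = [math]::Round($mean, 1)
            Jitter        = [math]::Round($cv, 3)
            MedianBytes   = $median
            GetShare      = [math]::Round($gets / $events.Count, 2)
            Beacon        = ($cv -le $MaxJitter) -and ($median -le $MaxMedianBytes)
        }
    }
}

# On the constructed sample the 203.0.113.10:80 flow polls every ~60 s with 412-byte GETs and is
# flagged; the 198.51.100.7:443 flow is bursty with large responses and is not; 10.1.5.40 has too few events.
Find-BeaconCandidates -Lines ($sampleLog -split "`r?`n") | Sort-Object Beacon -Descending | Format-Table -AutoSize
```

Real C2 code adds random sleep jitter to defeat exactly this test, so treat the jitter threshold as a dial rather than a constant, and pair the score with the host‑side question from the paragraph above: a flagged flow whose host‑side telemetry shows no owning process is the combination that points at a guest.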

Operational playbooks must be updated. If a host is suspected of harboring a hidden VM, responders should isolate at the network level and capture the VM for forensic analysis instead of wiping the host immediately. Live response that merely kills a Windows process is insufficient: terminating vmwp.exe crashes the guest but leaves its disk image and configuration intact, and the VM can simply be started again. Incident response should instead freeze the virtual instance (save its state rather than shut it down, so guest memory is preserved), collect memory and disk images of both host and guest, and check for persistence at both layers: Windows registry and services on the host, and the VM’s automatic‑start setting and provisioning scripts on the guest side. For prevention, organizations should enforce least‑privilege controls on Hyper‑V features: restrict which accounts can enable Hyper‑V, monitor policy changes, and block Hyper‑V on classes of endpoints that do not require it.
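The freeze‑and‑capture steps above as an added PowerShell procedure (my example, not from the report). It assumes elevation, the Hyper‑V PowerShell module (add it with Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Management-PowerShell if the host lacks it) and a VM name already identified during the hunt; host memory acquisition is left to your usual tooling, and $VMName and $EvidenceRoot are the responder’s inputs.

```powershell
# Added response procedure (not from the report). Requires an elevated shell and the Hyper-V
# PowerShell module. Order matters: cut the network, record the wiring, capture memory and disk,
# then freeze, so that nothing the guest does after detection can change what we collect.
function Invoke-VmContainment {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$EvidenceRoot
    )
    $vm   = Get-VM -Name $VMName -ErrorAction Stop
    $case = Join-Path $EvidenceRoot ('{0}_{1:yyyyMMddHHmmss}' -f $VMName, (Get-Date))
    New-Item -ItemType Directory -Path $case -Force | Out-Null

    # 1. Cut the guest's network before anything else. Do not stop the VM: its RAM is evidence,
    #    and a clean shutdown gives the implant a chance to react.
    Get-VMNetworkAdapter -VMName $VMName | Disconnect-VMNetworkAdapter

    # 2. Record how the guest was wired in: config path, disks, switch, and whether it restarts
    #    with the host (AutomaticStartAction is a persistence setting in its own right).
    $vm | Select-Object Name, Id, State, CreationTime, Path, ConfigurationLocation,
                        AutomaticStartAction, AutomaticStopAction, CheckpointType |
        Export-Clixml -Path (Join-Path $case 'vm-settings.xml')
    Get-VMHardDiskDrive -VMName $VMName |
        Select-Object Path, ControllerType, ControllerNumber, ControllerLocation |
        Export-Csv -Path (Join-Path $case 'vm-disks.csv') -NoTypeInformation
    Get-VMNetworkAdapter -VMName $VMName |
        Select-Object Name, SwitchName, MacAddress, IPAddresses |
        Export-Csv -Path (Join-Path $case 'vm-nics.csv') -NoTypeInformation

    # 3. Capture memory: a *standard* checkpoint (not a production one) writes the guest's RAM to
    #    disk alongside a differencing disk. Then export the whole VM, checkpoints included.
    Set-VM -Name $VMName -CheckpointType Standard
    Checkpoint-VM -Name $VMName -SnapshotName ('IR-{0:yyyyMMddHHmmss}' -f (Get-Date))
    Export-VM -Name $VMName -Path (Join-Path $case 'export')

    # 4. Freeze it in place: Save-VM writes the live state to disk instead of shutting down, and
    #    clearing the automatic start action keeps it from returning after a host reboot.
    if ($vm.State -eq 'Running') { Save-VM -Name $VMName }
    Set-VM -Name $VMName -AutomaticStartAction Nothing

    # 5. Hash everything collected for chain of custody.
    Get-ChildItem -Path $case -Recurse -File |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path |
        Export-Csv -Path (Join-Path $case 'sha256.csv') -NoTypeInformation

    return $case
}

# Example invocation (the responder supplies the name found during the hunt):
# Invoke-VmContainment -VMName 'suspect-vm' -EvidenceRoot 'D:\IR'
```

Mount the exported VHDX read‑only on an analysis box to pull the guest’s binaries, cron entries and init scripts; the exported checkpoint files hold the saved memory. Only after both host and guest images are secured should the host itself be rebuilt.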

Finally, intelligence and governance matter. Attribution to actors with national alignment underlines the strategic intent: this is more than crimeware, it is a capability tailored for targeted access and long dwell. Organizations operating in sensitive sectors or in regions of geopolitical tension should assume heightened risk and prioritize proactive hunting for these virtualization techniques. Detection engineering, threat intelligence enrichment, and cross‑organization information sharing (for example with CERTs or ISACs) will reduce the time to detect and respond across the community.

Fact Checker Results

✅ Curly COMrades have been observed using Hyper‑V and tiny Alpine Linux VMs to run custom tools (CurlyShell, CurlCat) as described.
✅ The VM approach can bypass host‑based EDR signals by isolating execution from Windows processes.
❌ There is no public evidence here that this technique is universally effective against all advanced detection tools: network‑level and hypervisor‑level telemetry can still expose it.

Prediction

💡 Expect attackers to adopt VM‑based execution as a more common persistence and evasion pattern over the next 12–24 months, especially in targeted campaigns against high‑value networks.
🔮 Defenders will respond by shifting telemetry and detection up the stack — from process‑centric to hypervisor and network‑centric signals — and by hardening virtualization governance and monitoring.
📈 Organizations that fail to monitor Hyper‑V activity and unusual VM creation will face longer dwell times and higher risk of data exfiltration; conversely, those that adapt will turn VM usage into an early warning signal.

References:

Reported By: thehackernews.com