Listen to this Post

A new wave of cyber-espionage has emerged, and at its core is the Russian hacker group known as Curly COMrades. Experts reveal that the group has been exploiting Microsoft Hyper-V virtualization in Windows systems to bypass traditional security measures, creating hidden Alpine Linux-based virtual machines (VMs) to run malware undetected. This sophisticated technique allows the hackers to maintain stealth while infiltrating government, judicial, and energy sector networks, primarily in Eastern Europe.
The operation works by deploying lightweight VMs that house custom tools, including the CurlyShell reverse shell and the CurlCat reverse proxy. These implants enable covert command execution and network tunneling, effectively hiding malicious activity behind legitimate system traffic. Active since mid-2024, Curly COMrades has been linked to attacks on Georgian governmental bodies and Moldovan energy firms, highlighting a pattern consistent with Russian geopolitical interests.
In a recent investigation, Romanian cybersecurity firms, in collaboration with the Georgian CERT, discovered that the hackers gained remote access to machines in early July. Once inside, the attackers enabled Hyper-V on targeted systems while disabling its management interface, creating a stealthy virtual environment under the guise of the Windows Subsystem for Linux (WSL). This Alpine Linux VM, requiring only 120MB of disk space and 256MB of memory, became the operational hub for malware execution.
By confining their malicious operations inside a VM, the hackers circumvented endpoint detection and response (EDR) tools, which often lack the ability to monitor network traffic originating from virtual machines. Hyper-V’s Default Switch network adapter was used to route all VM traffic through the host system, making it appear as legitimate network activity. This level of disguise complicates detection and allows the attackers to maintain persistence with minimal forensic evidence.
CurlyShell executes commands in headless mode and connects to command-and-control (C2) servers via HTTPS, while CurlCat functions as a covert SOCKS proxy, encapsulating SSH traffic in HTTPS requests to blend with normal network operations. The group also leveraged PowerShell scripts for further persistence and lateral movement, including injecting Kerberos tickets into LSASS for authentication and deploying accounts via Group Policy to extend access across domains.
The attackers’ sophisticated use of encryption, virtualization, and system-level exploitation highlights an advanced approach to operational security. Bitdefender researchers caution organizations to monitor for unusual Hyper-V activations, LSASS access, or PowerShell scripts that create or modify domain accounts. The fragmented coverage of security tools makes networks particularly vulnerable to such attacks if holistic, multi-layered defenses are not in place.
What Undercode Say: Advanced Operational Stealth Through Hyper-V
Curly COMrades’ approach demonstrates a remarkable understanding of Windows internals and modern enterprise network behavior. By leveraging Hyper-V, they isolate their malware from the host environment, reducing visibility to EDR solutions and forensic monitoring. This technique is particularly insidious because it combines three factors: minimal VM footprint, disguised network traffic, and multi-stage malware deployment.
The use of Alpine Linux in this context is strategic: its lightweight nature reduces system resource consumption, making detection less likely. Naming the VM “WSL” is a subtle social engineering tactic, exploiting a commonly trusted Windows feature to avoid scrutiny. This demonstrates not only technical sophistication but also psychological insight into system monitoring practices.
CurlyShell and CurlCat are tailored for operational stealth. CurlyShell’s headless execution ensures minimal disruption to the host system, while CurlCat’s encrypted tunneling allows the attackers to move laterally across networks without triggering conventional intrusion detection alerts. Coupled with PowerShell scripts manipulating LSASS and Group Policy, the hackers create a persistent presence that is extremely difficult to eradicate.
The attacks also reveal systemic vulnerabilities in enterprise security setups. Many organizations rely heavily on host-based detection without fully monitoring hypervisor-level activity. Hyper-V, when enabled unnoticed, becomes a backdoor capable of circumventing endpoint protection. This underscores the need for layered defense strategies that integrate virtualization monitoring, network anomaly detection, and behavioral analytics.
Moreover, the operational security demonstrated by Curly COMrades—encryption, minimal forensic traces, careful VM deployment—illustrates that nation-state-aligned groups are increasingly prioritizing stealth over speed. This shift implies that cybersecurity defenses must evolve beyond reactive measures, incorporating proactive hypervisor auditing and continuous endpoint monitoring.
The geopolitical dimension cannot be overlooked. By targeting government, judicial, and energy sectors in Eastern Europe, the group aligns with Russian strategic interests, using cyber intrusion as a tool of influence and intelligence gathering. This adds a layer of urgency for organizations in sensitive sectors to strengthen internal monitoring and incident response plans.
Ultimately, the Curly COMrades campaign exemplifies how advanced threat actors exploit technology, human behavior, and systemic weaknesses in concert. It also serves as a warning that cybersecurity frameworks must anticipate creative exploitation of existing features, like Hyper-V, rather than focusing solely on new malware strains.
Fact Checker Results
✅ Curly COMrades has been active since mid-2024 targeting government and energy sectors.
✅ The group uses Hyper-V to host hidden Alpine Linux VMs for malware execution.
❌ There is no evidence that Hyper-V exploitation is limited to any specific Windows version; Pro, Enterprise, and Server editions are all affected.
Prediction
📊 Organizations that fail to monitor hypervisor activity or implement multi-layered endpoint defenses may see a surge in stealthy VM-based attacks.
📊 Adoption of lightweight, encrypted malware and covert network tunneling is likely to increase among nation-state-aligned hacker groups.
📊 Proactive Hyper-V auditing and behavior-based network monitoring will become essential standards for enterprise cybersecurity in 2025 and beyond.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.facebook.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




