According to TheRegister.com, Russian hacking group Curly COMrades is exploiting Microsoft’s Hyper-V hypervisor to create hidden Alpine Linux virtual machines that bypass endpoint security tools. The hidden environment uses only 120MB disk space and 256MB memory and hosts their custom reverse shell called CurlyShell plus a reverse proxy called CurlCat. Bitdefender senior security researcher Victor Vrabie revealed in a Tuesday report that the Romanian security firm, working with Georgia’s CERT, uncovered this campaign that began in July. The group executed remote commands on two computers to enable Hyper-V virtualization while disabling its management interface, then downloaded the lightweight VM containing their malware days later. Bitdefender has been tracking Curly COMrades since 2024 and says they support Russian geopolitical interests, having previously targeted judicial and government bodies in Georgia plus a Moldovan energy distribution company.
How the attack works
Here’s the clever part: they’re using Microsoft’s own virtualization technology against itself. The attackers configure the VM to use Hyper-V’s Default Switch network adaptor, which means all the malicious traffic appears to come from the legitimate host machine’s IP address. Basically, your security tools see what looks like normal Windows traffic while the actual malware is running safely isolated in a hidden Linux environment.
And get this – they’re not even doing anything particularly exotic. They’re using standard Hyper-V features that are built right into Windows. The VM runs Alpine Linux, which is incredibly lightweight, and contains two custom implants written in C++ using the libcurl library. CurlyShell provides the reverse shell and uses cron jobs for persistence, while CurlCat wraps SSH traffic into HTTP requests to make everything look legit.
Why this matters
So what’s the big deal? Well, this represents a significant shift in how sophisticated attackers are thinking about evasion. As Vrabie noted, as EDR and XDR solutions become commodity tools, threat actors are getting smarter about bypassing them. They’re not just trying to hide malware – they’re hiding entire execution environments.
Think about it: if your security tools are only monitoring the host operating system, they might completely miss what’s happening inside a hidden virtual machine. The malware could be doing all sorts of nasty things while your endpoint protection reports everything’s fine. It’s like having burglars living in your attic while your home security system only monitors the main floors.
Broader trends
This isn’t an isolated case either. We’re seeing more attackers abuse legitimate system tools and features. Some ransomware gangs are even incorporating “EDR killers” into their malware arsenals. The days of relying solely on endpoint detection are clearly over.
Bitdefender’s detailed analysis shows this group has been active since at least their August campaign against Georgian targets. They’re not just random hackers – this appears to be state-aligned activity with clear geopolitical objectives.
What to do about it
The security recommendation here is pretty clear: you need defense in depth. Relying solely on endpoint detection won’t cut it anymore. Security teams should be monitoring for Hyper-V configuration changes, looking for unexpected virtualization activity, and implementing network-level detection.
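One way to act on the "monitor for Hyper-V configuration changes and unexpected virtualization activity" advice is a quick triage script for endpoints that have no business running VMs. This is an added example for this post, not Bitdefender's or the attackers' code; it assumes it is run as an administrator on a workstation where Hyper-V is not sanctioned, so every hit is an anomaly to investigate, not proof of compromise.

```powershell
# Hyper-V posture check for Windows endpoints that should not be hosting VMs.
# Added illustration; assumes an elevated PowerShell session on a non-Hyper-V host.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Is the Hyper-V platform enabled? The report says the attackers enabled the
#    hypervisor while leaving the management tools off, so check every sub-feature.
Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -like 'Microsoft-Hyper-V*' -and $_.State -eq 'Enabled' } |
    ForEach-Object { $findings.Add("Optional feature enabled: $($_.FeatureName)") }

# 2. Hyper-V services present and running (VM management service, host compute service).
foreach ($svc in 'vmms', 'vmcompute') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.Status -eq 'Running') {
        $findings.Add("Hyper-V service running: $svc")
    }
}

# 3. Live guests: each running VM has a vmwp.exe worker and a vmmem memory process.
Get-Process -Name vmwp, vmmem -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("VM worker process: $($_.ProcessName) PID $($_.Id)") }

# 4. The Default Switch shows up as a 'vEthernet' adapter; guest traffic is NATed
#    through it, which is why the post says it looks like host traffic on the wire.
Get-NetAdapter -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'vEthernet*' } |
    ForEach-Object { $findings.Add("Virtual switch adapter: $($_.Name) ($($_.Status))") }

# 5. Any disk image on the system drive. A 120 MB Alpine image can sit anywhere,
#    so report every VHD/VHDX with its size rather than trusting the default folders.
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Include *.vhd, *.vhdx -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Disk image: $($_.FullName) ($([math]::Round($_.Length / 1MB)) MB)") }

# 6. Recent VM management events; this log only exists once Hyper-V is installed.
Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("VMMS event $($_.Id) at $($_.TimeCreated)") }

if ($findings.Count -eq 0) { 'No Hyper-V indicators found.' } else { $findings }
```

The recursive image search is the slow step; on a fleet you would run this as a scheduled collection and alert on any non-empty result for hosts outside an approved Hyper-V inventory.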
Bitdefender has published a full list of indicators of compromise on GitHub, which is definitely worth checking out if you’re responsible for securing Windows environments. The bottom line? Assume your endpoints will be compromised and build your security strategy accordingly. Because the bad guys are definitely getting more creative about where they hide their tools.
