Russian spies pack custom malware into hidden VMs on Windows machines
Summary
Security researchers at Bitdefender, working with the Georgian CERT, have uncovered a campaign by the threat group dubbed Curly COMrades that abuses Microsoft Hyper-V on compromised Windows hosts to run a hidden Alpine Linux virtual machine. The tiny VM (about 120MB of disk, 256MB of RAM) hosts two custom implants, CurlyShell (a new reverse shell) and CurlCat (an SSH reverse proxy). Because the implants execute inside the guest, host-based EDR never sees their processes, and because the VM is attached to Hyper-V's Default Switch, which NATs guest traffic through the host's network stack, the malicious outbound connections appear to originate from the legitimate host IP.
The campaign began in July 2025. The attackers remotely enabled the Hyper-V role while disabling its management interface, which keeps the guest out of the usual administrative views, deployed the Alpine VM with the implants, and used a Georgian website for command-and-control. Both implants are C++ programs built on libcurl: CurlyShell persists as a root cron job and talks to its C2 over HTTPS, while CurlCat wraps SSH traffic in HTTP-like payloads so the tunnel looks like ordinary web traffic.
Key Points
- Curly COMrades use native Hyper-V virtualisation to isolate malware inside a hidden Alpine VM, evading host-based EDR/XDR detection.
- The hidden VM is very lightweight (circa 120MB disk, 256MB RAM) and hosts two custom implants: CurlyShell (persistent reverse shell) and CurlCat (SSH reverse proxy).
- Attaching the VM to Hyper-V's Default Switch, an internal NAT switch, routes guest traffic through the host network stack, so the malicious connections carry the legitimate host IP and no host process owns the socket.
- Attackers also deployed PowerShell tools: one injects Kerberos tickets into LSASS for remote authentication; another, pushed via Group Policy, creates local accounts across domain-joined systems for persistence.
- Bitdefender has tracked Curly COMrades since 2024; this activity supports Russian geopolitical interests but isn’t explicitly attributed to the Russian state by Bitdefender.
- Bitdefender published indicators of compromise on GitHub and recommends defence-in-depth rather than relying solely on endpoint detection.
Author style
Punchy: this is clever, low-footprint evasion — worth digging into if you care about real-world EDR bypasses. If you manage Windows estates or incident response, read the details and the IoCs; otherwise, this saves you from skimming the long report.
Why should I read this?
Because these attackers aren’t using flashy zero-days — they’re abusing perfectly legitimate Hyper-V features to hide. It’s a neat, sneaky trick that defeats many common endpoint tools, so if you’re responsible for network visibility, threat hunting or Windows hardening, you’ll want to know how they did it and what to look for.
Context and relevance
This case underlines a growing trend: adversaries are leveraging built-in OS features and virtualisation to bypass EDR/XDR. As endpoint detection becomes ubiquitous, threat actors pivot to isolation and native-tool abuse (PowerShell, Group Policy, Kerberos manipulation) to maintain persistence and blend malicious traffic with legitimate flows. The discovery reinforces the need for layered controls — network monitoring, host and hypervisor visibility, strict privilege management, and rapid IOC sharing.
Mitigation takeaways
- Audit and monitor Hyper-V and other virtualisation features: alert on unexpected feature enablement, and treat the hypervisor being enabled while its management components are disabled as suspicious, since that combination has no routine administrative use.
- Inspect host network flows for traffic that leaves with the host's IP but has no owning host process (the signature of NATed guest traffic), and look for VM worker processes (vmwp.exe) or VM configuration and disk images in unexpected locations.
- Monitor for LSASS injection indicators and Group Policy changes, and review newly created local accounts across domain-joined systems; enforce least privilege for account and GPO management.
- Use defence-in-depth: combine endpoint protection with network detection, hypervisor logging, and timely IOC consumption (see Bitdefender's GitHub list).
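As an added example, not code from Bitdefender's report or from the page itself, the following PowerShell hunt checks a single Windows host for the pattern the takeaways above describe: the hypervisor enabled while its management components are disabled, VM worker processes and VM artefacts outside Hyper-V's default store, the Default Switch host adapter, and recently created local accounts. It deliberately inventories guests from feature state, processes and files rather than from Get-VM, because the attackers removed the management tooling that Get-VM depends on. The default store paths, the 512 MB "small disk" threshold and the 30-day lookback are assumptions and are marked as such in the comments.

```powershell
#Requires -RunAsAdministrator
# Added hunting script (not from the Bitdefender report). Read-only; run elevated.
$ErrorActionPreference = 'SilentlyContinue'
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Feature state: hypervisor on, management tooling off, is the combination
#    described in the report and has no routine administrative use.
$features = Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -like 'Microsoft-Hyper-V*' }
$hv   = $features | Where-Object FeatureName -eq 'Microsoft-Hyper-V-Hypervisor'
$mgmt = $features | Where-Object FeatureName -like 'Microsoft-Hyper-V-Management-*'
if ($hv.State -eq 'Enabled' -and ($mgmt | Where-Object State -ne 'Enabled')) {
    $findings.Add('Hypervisor enabled but management components disabled: ' +
        (($mgmt | ForEach-Object { "$($_.FeatureName)=$($_.State)" }) -join ', '))
}

# 2. Running VM infrastructure: vmms is the management service; one vmwp.exe
#    worker process exists per running guest and its command line carries the VM GUID.
$vmws = Get-CimInstance Win32_Process -Filter "Name = 'vmwp.exe'"
foreach ($p in $vmws) {
    $findings.Add("VM worker process PID $($p.ProcessId): $($p.CommandLine)")
}
if ((Get-Service -Name vmms).Status -eq 'Running' -and -not (Get-Command Get-VM)) {
    $findings.Add('vmms service running but the Hyper-V PowerShell module is unavailable')
}

# 3. Guest inventory without the Hyper-V module: VM configs (.vmcx) and disks
#    (.vhdx/.vhd) on the system drive. Flag anything outside the default store,
#    plus unusually small disks (the report's guest used roughly 120 MB).
#    ASSUMPTION: default store paths are Hyper-V's out-of-the-box defaults;
#    ASSUMPTION: 512 MB is an illustrative "small disk" threshold.
$defaultStore = 'C:\ProgramData\Microsoft\Windows\Hyper-V'
$defaultDisks = 'C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks'
$images = Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -File |
    Where-Object { $_.Extension -in '.vmcx', '.vhdx', '.vhd' }
foreach ($f in $images) {
    $inDefault = $f.FullName.StartsWith($defaultStore, 'OrdinalIgnoreCase') -or
                 $f.FullName.StartsWith($defaultDisks, 'OrdinalIgnoreCase')
    $sizeMB = [math]::Round($f.Length / 1MB)
    if (-not $inDefault -or ($f.Extension -ne '.vmcx' -and $sizeMB -lt 512)) {
        $findings.Add("VM artefact $($f.FullName) (${sizeMB} MB, in default store: $inDefault)")
    }
}

# 4. Network: the Default Switch is an internal NAT switch whose host-side
#    adapter is named "vEthernet (Default Switch)"; guest traffic leaves with the host IP.
Get-NetAdapter | Where-Object Name -like 'vEthernet*' | ForEach-Object {
    $findings.Add("Virtual adapter present: $($_.Name) [$($_.Status)]")
}

# 5. Cross-check through the management module when it is still present.
if (Get-Command Get-VM) {
    Get-VM | ForEach-Object {
        $findings.Add("Get-VM: $($_.Name) state=$($_.State) path=$($_.Path)")
    }
}

# 6. Persistence side channel from the same campaign: local accounts created
#    recently (Security event 4720, "A user account was created").
#    ASSUMPTION: 30-day lookback and account-management auditing enabled.
$since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } |
    ForEach-Object {
        $data    = ([xml]$_.ToXml()).Event.EventData.Data
        $target  = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        $creator = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
        $findings.Add("Local account '$target' created by '$creator' at $($_.TimeCreated)")
    }

if ($findings.Count) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output "No hidden-VM indicators found on $env:COMPUTERNAME" }
```

Each finding on its own is noisy on a legitimate Hyper-V host (a lab machine will have vEthernet adapters and VM files in the default store); the signal is the combination: a worker process or small disk image with no corresponding Get-VM entry, management tooling removed, and fresh local accounts on a host that is not supposed to run virtual machines at all. Feed the feature-state and vmwp.exe checks into your EDR's custom detections so the enablement itself raises an alert rather than waiting for a periodic sweep.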
