The Russian hacker group Curly COMrades is abusing Microsoft Hyper-V in Windows to bypass endpoint detection and response solutions by creating a hidden Alpine Linux-based virtual machine to run malware.

Inside the virtual environment, the threat actor hosted its custom tools, the CurlyShell reverse shell and the CurlCat reverse proxy, which enabled operational stealth and communication.

Curly COMrades is a cyber-espionage threat group believed to be active since mid-2024. Its activities are closely aligned with Russian geopolitical interests.

Bitdefender previously exposed Curly COMrades activities against government and judicial bodies in Georgia, as well as energy firms in Moldova.

With the help of the Georgian CERT, the Romanian cybersecurity firm uncovered more about the threat actor's latest operation.

The researchers found that in early July, after gaining remote access to two machines, Curly COMrades executed commands to enable Hyper-V and disable its management interface.

Microsoft includes the Hyper-V native hypervisor technology that provides hardware virtualization capabilities in Windows (Pro and Enterprise) and Windows Server operating systems, allowing users to run virtual machines (VMs).

"The attackers enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based virtual machine. This hidden environment, with its lightweight footprint (only 120MB disk space and 256MB memory), hosted their custom reverse shell, CurlyShell, and a reverse proxy, CurlCat," Bitdefender explains in a report shared with BleepingComputer.

By keeping the malware and its execution inside a virtual machine (VM), the hackers were able to bypass traditional host-based EDR detections, which lacked network inspection capabilities that could detect the threat actor's command and control (C2) traffic from the VM.

Although relying on virtualization to evade detection is not a new technique, the fragmented coverage of security tools makes it an effective approach on networks that lack a holistic, multi-layered protection.

In the Curly COMrades attacks, evasion was achieved by using the name 'WSL' for the VM, alluding to the Windows Subsystem for Linux feature in the operating system, in the hope of slipping unobserved.

The Alpine Linux VM was configured in Hyper-V to use the Default Switch network adapter, which passed all the traffic through the host's network stack.

"In effect, all malicious outbound communication appears to originate from the legitimate host machine's IP address," Bitdefender researchers explain.

The two custom implants deployed in the VM are ELF binaries based on libcurl and are used for command execution and traffic tunneling:

• CurlyShell – Executes commands, runs inside the hidden Alpine VM and maintains persistence via a cron job. It runs in headless mode and connects to the command-and-control (C2) over HTTPS
• CurlCat – Companion tool used when tunneling is needed, invoked by the shell implant to create a covert SOCKS proxy back to the operator. It wraps SSH traffic into HTTPS requests, allowing network pivoting while blending with normal operations noise.

While investigating the incidents, the researchers also discovered that Curly COMrades used two PowerShell scripts for persistence and pivoting to remote systems.

"One was designed to inject a Kerberos ticket into LSASS, enabling authentication to remote systems and execution of commands," the researchers say.

The second script was deployed through the Group Policy feature and created a local account across machines on the same domain.

The researchers note that the sophistication level of the investigated Curly COMrades attacks reveal an activity tailored for stealth and operational security. The hackers encrypted the embedded payloads and abused PowerShell capabilities, which led to minimum forensic traces on the compromised hosts.

Based on the observations in these attacks, Bitdefender suggests that organizations should monitor for abnormal Hyper-V activation, LSASS access, or PowerShell scripts deployed via Group Policy that trigger local account password resets, or creating new ones.