Curly COMrades abuse Hyper-V for covert malware operations in VMs
Bitdefender researchers have disclosed new methods and tools used by Curly COMrades, a threat actor aligned with Russian interests, to abuse Microsoft's Hyper-V virtualisation platform in order to evade security detection and maintain persistent access to targeted environments.
Abuse of Hyper-V
The investigation, carried out jointly with the Georgian CERT, has shed light on how the threat group leveraged legitimate virtualisation features to establish covert operations on victim systems. After enabling Hyper-V on compromised hosts, the attackers deployed a lightweight virtual machine (VM) based on Alpine Linux, occupying only 120MB of disk space and allocated 256MB of memory. Within this isolated environment they concealed two malware tools: CurlyShell and CurlCat.
"The most notable finding in this campaign is the exploitation of legitimate virtualisation technologies, demonstrating how threat actors are innovating to bypass standard EDR solutions as they become commodity tools. The attackers enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based virtual machine. This hidden environment, with its lightweight footprint (only 120MB disk space and 256MB memory), hosted their custom reverse shell, CurlyShell, and a reverse proxy, CurlCat. By isolating the malware and its execution environment within a VM, the attackers effectively bypassed many traditional host-based EDR detections. EDR needs to be complemented by host-based network inspection to detect C2 traffic escaping the VM, and proactive hardening tools to restrict the initial abuse of native system binaries."
The operation began in early July, when two remote commands enabled Microsoft Hyper-V on compromised computers while disabling its management interface. Without the management tools, neither Hyper-V Manager nor the Get-VM cmdlets are available on the host, so an administrator using the usual tooling would not see the guest. Subsequent commands prepared the environment for the VM, using deceptive naming such as calling the VM "WSL" to avoid suspicion, even though it ran entirely outside the regular Windows Subsystem for Linux framework.
Isolated operational environment
The Alpine Linux VM was customised for each victim, providing an isolated operational base for reverse shell and proxy activity. The main objective was to minimise detection through a small system footprint while keeping all necessary tooling available. The VM's network was routed through the host, so every outbound connection appeared to originate from the legitimate host IP address, which is all a network defender sees. Configuration files inside the VM pointed it at attacker-controlled infrastructure.
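The Hyper-V enablement, the disabled management tools, the "WSL"-named VM and the host-routed network path described in the two sections above can be hunted for from the host itself. The following script is an added example and is not code from the Bitdefender report or from the threat actor. It assumes an elevated PowerShell 5.1 or later session on Windows 10/11 or Windows Server, and it deliberately avoids the Hyper-V PowerShell module (which the attackers removed), reading feature state through DISM and VM state through the VMMS WMI provider instead; the name pattern `WSL` and the channels queried are assumptions chosen to match the reported tradecraft.

```powershell
# Added hunting script (not code from the Bitdefender report or the threat actor).
# Assumes a Windows 10/11 or Server host, an elevated PowerShell 5.1+ session, and that
# the Hyper-V PowerShell module may be absent (the attackers disabled the management
# tools), so it reads feature state via DISM and VM state via the VMMS WMI provider.
#Requires -RunAsAdministrator

$features = @(
    'Microsoft-Hyper-V',                       # hypervisor platform
    'Microsoft-Hyper-V-Management-PowerShell', # Get-VM and friends
    'Microsoft-Hyper-V-Management-Clients'     # Hyper-V Manager GUI
)
$state = foreach ($f in $features) {
    $r = Get-WindowsOptionalFeature -Online -FeatureName $f -ErrorAction SilentlyContinue
    [pscustomobject]@{ Feature = $f; State = if ($r) { [string]$r.State } else { 'NotPresent' } }
}
$state | Format-Table -AutoSize

$hvOn     = ($state | Where-Object Feature -eq 'Microsoft-Hyper-V').State -eq 'Enabled'
$toolsOff = -not (($state | Where-Object Feature -like '*Management*').State -contains 'Enabled')
if ($hvOn -and $toolsOff) {
    Write-Warning 'Hyper-V enabled with management tools disabled: matches the reported tradecraft.'
}

# When was the platform enabled? DISM logs every feature change; the last hits carry the date.
$dismLog = Join-Path $env:windir 'Logs\DISM\dism.log'
if (Test-Path $dismLog) {
    Select-String -Path $dismLog -Pattern 'Microsoft-Hyper-V' | Select-Object -Last 5 | ForEach-Object Line
}

# Enumerate registered VMs straight from VMMS, which works even without Get-VM.
$ns  = 'root\virtualization\v2'
$vms = Get-CimInstance -Namespace $ns -ClassName Msvm_ComputerSystem |
       Where-Object Caption -eq 'Virtual Machine'
$realized = Get-CimInstance -Namespace $ns -ClassName Msvm_VirtualSystemSettingData |
            Where-Object VirtualSystemType -eq 'Microsoft:Hyper-V:System:Realized'
$report = foreach ($vm in $vms) {
    $cfg = $realized | Where-Object VirtualSystemIdentifier -eq $vm.Name
    [pscustomobject]@{
        Name       = $vm.ElementName
        Running    = ($vm.EnabledState -eq 2)   # 2 = enabled/running, 3 = off
        ConfigRoot = $cfg.ConfigurationDataRoot
        ConfigFile = $cfg.ConfigurationFile
    }
}
$report | Format-Table -AutoSize

# WSL 2 runs its utility VM through the Host Compute Service rather than as a
# VMMS-registered VM, so a registered Hyper-V VM calling itself "WSL" deserves a close look.
$report | Where-Object Name -match 'WSL' | ForEach-Object {
    Write-Warning "Registered VM named like WSL: '$($_.Name)' at $($_.ConfigRoot)"
}

# Outbound path: list virtual switches, any NetNat the host knows about, and live NAT
# sessions (internal guest address -> external destination). The built-in Default Switch
# typically NATs through the host without a NetNat object, so an empty NAT list does not
# clear the host; the VMMS-Admin channel still records VM starts and stops.
Get-CimInstance -Namespace $ns -ClassName Msvm_VirtualEthernetSwitch |
    Select-Object ElementName, Name | Format-Table -AutoSize
Get-NetNat -ErrorAction SilentlyContinue | Select-Object Name, InternalIPInterfaceAddressPrefix
Get-NetNatSession -ErrorAction SilentlyContinue |
    Select-Object InternalSourceAddress, ExternalDestinationAddress, ExternalDestinationPort
Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Run it from an elevated prompt on a host you suspect. The combination of `Microsoft-Hyper-V` enabled with both management features absent is itself unusual on a workstation; the VM list and configuration paths then tell you where the guest's disk image lives for acquisition, and the NAT session view is the closest the host gets to attributing outbound connections to the guest, since at the network edge they carry the host's address.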
This VM hosted the custom malware families CurlyShell and CurlCat. Both are C++ binaries built on the libcurl library, but each serves a different operational purpose: CurlyShell is a persistent reverse shell, while CurlCat manages SSH-based traffic tunnelling. The SSH tunnel authenticates with a dedicated private key stored in the VM under the identity 'bob'.
The persistence of CurlyShell is implemented via a cron task running as root, executing at regular intervals. HTTPS is used for all Command and Control (C2) communications, with unique session cookies and customised HTTP headers to tunnel commands and results between the VM and the C2 infrastructure. The malware incorporates custom Base64 encoding schemes to hamper detection.
Additional tools and script abuse
The attackers' toolkit extended beyond CurlyShell and CurlCat, encompassing numerous proxy and tunnelling tools such as Resocks, Rsockstun, Ligolo-ng, CCProxy, TStunnel, and plain SSH. This variety provided significant flexibility and resilience for maintaining remote access: losing one tunnel did not mean losing the foothold.
Bitdefender and the Georgian CERT further uncovered PowerShell scripts used by the attackers. Some scripts injected Kerberos tickets into LSASS for remote authentication and lateral movement, while others focused on creating or maintaining local accounts via Group Policy to establish ongoing access. For example, one script would reset the local user's password or create the account if it did not exist, with later variants targeting accounts such as 'camera'.
Analysis of these scripts showed their use of encrypted embedded code, with mechanisms to inject Kerberos tickets and execute lateral post-exploitation commands against other network devices. The repeated password resets via Group Policy pointed to tactics for evading remediation efforts by network defenders.
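The two host-side signals from the script activity above (handles opened on LSASS for ticket injection, and local accounts created or repeatedly reset) can be pulled from standard Windows telemetry. The script below is an added example, not code from the Bitdefender or Georgian CERT report. It assumes Sysmon is installed with ProcessAccess (event ID 10) logging enabled and that Security auditing for User Account Management is on; the watched account name `camera` comes from the article, while the allow list and the look-back window are assumptions to tune against a local baseline.

```powershell
# Added hunting script (not code from the Bitdefender/Georgian CERT report). Assumes
# Sysmon is installed with ProcessAccess (event 10) logging and that Security auditing
# for User Account Management is enabled. The account list, allow list and window are
# assumptions to tune against a local baseline.
#Requires -RunAsAdministrator
param(
    [int]      $Hours           = 24,
    [string[]] $WatchedAccounts = @('camera'),   # name reported in the campaign; extend locally
    [string[]] $LsassAllowList  = @('*\MsMpEng.exe', '*\csrss.exe', '*\wininit.exe', '*\services.exe')
)
$since = (Get-Date).AddHours(-$Hours)

# Flatten an event's EventData into a hashtable keyed by field name.
function Get-EventFields([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

# 1. Handles opened on lsass.exe (Sysmon 10). Ticket injection and credential theft both
#    need one, and this happens on the host, not inside the attacker's VM.
$lsass = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = $since
} | ForEach-Object {
    $f = Get-EventFields $_
    if ($f.TargetImage -like '*\lsass.exe') {
        [pscustomobject]@{
            Time          = $_.TimeCreated
            SourceImage   = $f.SourceImage
            GrantedAccess = $f.GrantedAccess     # hex mask, e.g. 0x1010 = query info + read memory
            CallTrace     = $f.CallTrace
        }
    }
}
$suspectLsass = $lsass | Where-Object {
    $img = $_.SourceImage
    -not ($LsassAllowList | Where-Object { $img -like $_ })
}
foreach ($e in $suspectLsass) {
    Write-Warning ("LSASS access at {0}: {1} (GrantedAccess {2})" -f $e.Time, $e.SourceImage, $e.GrantedAccess)
}

# 2. Local account creation, password resets and changes (Security 4720 / 4724 / 4738),
#    the account maintenance the scripts performed through Group Policy.
$acct = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4720, 4724, 4738; StartTime = $since
} | ForEach-Object {
    $f = Get-EventFields $_
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id                 # 4720 created, 4724 password reset, 4738 changed
        Target  = $f.TargetUserName
        Subject = $f.SubjectUserName    # typically the machine account when Group Policy applies it
    }
}
$acct | Where-Object { $WatchedAccounts -contains $_.Target } | ForEach-Object {
    Write-Warning ("Event {0} on watched account '{1}' at {2} by {3}" -f $_.Id, $_.Target, $_.Time, $_.Subject)
}
# A password reset repeated within the window is the remediation-evasion pattern described above.
$acct | Where-Object Id -eq 4724 | Group-Object Target | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning ("Account '{0}' had its password reset {1} times in the last {2}h" -f $_.Name, $_.Count, $Hours)
}
```

Save it as a `.ps1` and run it elevated, widening `-Hours` for an initial sweep. An unexpected `powershell.exe` as the source image on an LSASS handle is the strongest single hit here; the repeated-reset check catches the Group Policy pattern even when the account name differs from the one reported.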
Command and control infrastructure
International collaboration, particularly with the Georgian CERT, facilitated detailed analysis of the attackers' command and control setup. The investigation found compromised servers acting as proxies that relayed traffic between infected hosts and the attackers' own infrastructure. One seized proxy server used iptables rules and custom application-level proxies to redirect specific victim traffic to attacker-controlled servers. Because the related malware was built with TLS certificate validation disabled, the proxy could present an arbitrary certificate, terminate the TLS session and extract the SSH traffic carried inside it for onward forwarding. The same property cuts both ways: a client that does not validate certificates can be intercepted by anyone on the path, including a defender's TLS-inspecting proxy.
The attackers took steps to limit forensic evidence, for example by clearing shell history files, highlighting their emphasis on operational security throughout the campaign.
Detection and mitigation strategies
Bitdefender's analysis emphasises the need for host-based network inspection and hardening to detect lateral movement and malicious communications escaping from isolated VMs. The company noted:
"Throughout the activity, the threat actor demonstrated a strong focus on stealth and operational security. Techniques included encrypting embedded payloads, abusing native PowerShell capabilities, and minimising forensic traces on compromised systems. To counter stealthy lateral movement, organisations must detect abnormal access to the LSASS process and suspicious Kerberos ticket creation or injection attempts, which occur outside the VM and are highly detectable. Use GravityZone EDR/XDR capabilities to detect malicious access to credential processes and mitigate memory-based attacks. For organisations operating with a lean security staff, adopting Managed Detection and Response (MDR) services offers an effective solution."
The findings reflect a shift in threat actor tactics as endpoint detection and response solutions become more widespread. The use of virtualisation for stealth and persistence signals the need for layered, defence-in-depth measures and proactive reduction of the attack surface within organisations, starting with restricting who can enable the Hyper-V role at all.