Hackers Exploit Windows Hyper-V to Conceal Linux VM, Evading EDR Detection
Recent analysis by Bitdefender has uncovered new insights into how the hacker group Curly COMrades is utilizing Windows Hyper-V to conceal its operations. By enabling Hyper-V on selected victim systems, these threat actors have created a concealed environment that allows them to evade Endpoint Detection and Response (EDR) tools.
Exploitation of Hyper-V Environments
Curly COMrades has been active since late 2023, specifically targeting Georgia and Moldova, with the documented activity beginning in August 2025. The group deploys a minimal, Alpine Linux-based virtual machine with a very small footprint: only 120MB of disk space and 256MB of memory.
Custom Malware Deployment
This concealed virtual machine hosts two primary pieces of malware: CurlyShell and CurlCat. Security researchers Victor Vrabie, Adrian Schipor, and Martin Zugec noted that CurlyShell serves as a reverse shell while CurlCat operates as a reverse proxy.
- CurlyShell: Executes commands directly.
- CurlCat: Channels traffic through SSH.
By isolating their malware within this virtual environment, Curly COMrades successfully circumvents many traditional host-based EDR detections, enabling persistent remote access.
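As an added example that is not part of Bitdefender's report or this article, the following PowerShell audit lets a defender check an endpoint for an unexpectedly enabled Hyper-V role and for small guests like the one described above; it assumes the built-in DISM and Hyper-V PowerShell modules, and its size thresholds are assumptions chosen loosely around the 120MB/256MB footprint reported:

```powershell
# Added defender-side audit (not code from the Bitdefender report): flags signs of an
# unexpected, small-footprint Hyper-V guest on a Windows endpoint. Run as administrator.
# The thresholds below are assumptions for this example, sized generously around the
# reported 256MB of memory and 120MB of disk.
function Find-SuspiciousHyperV {
    param(
        [int64]$MaxMemoryBytes = 512MB,
        [int64]$MaxDiskBytes   = 1GB
    )
    $findings = @()

    # 1. Is the Hyper-V feature enabled on a host where it is not expected?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        $findings += 'Hyper-V feature is enabled on this host'
    }

    # 2. A VM worker process (vmwp.exe) exists for every running guest.
    $workers = Get-Process -Name vmwp -ErrorAction SilentlyContinue
    if ($workers) {
        $findings += "Running VM worker processes: $($workers.Id -join ', ')"
    }

    # 3. Enumerate guests and single out tiny ones, including their virtual switch.
    if (Get-Module -ListAvailable -Name Hyper-V) {
        foreach ($vm in Get-VM -ErrorAction SilentlyContinue) {
            $diskBytes = 0
            foreach ($d in Get-VMHardDiskDrive -VMName $vm.Name -ErrorAction SilentlyContinue) {
                $vhd = Get-VHD -Path $d.Path -ErrorAction SilentlyContinue
                if ($vhd) { $diskBytes += $vhd.FileSize }
            }
            $nics = (Get-VMNetworkAdapter -VMName $vm.Name -ErrorAction SilentlyContinue).SwitchName -join ','
            if ($vm.MemoryStartup -le $MaxMemoryBytes -and $diskBytes -le $MaxDiskBytes) {
                $findings += ("Small-footprint VM '{0}' state={1} mem={2}MB disk={3}MB switch={4} created={5}" -f
                    $vm.Name, $vm.State, [int]($vm.MemoryStartup / 1MB), [int]($diskBytes / 1MB), $nics, $vm.CreationTime)
            }
        }
    }
    return $findings
}

Find-SuspiciousHyperV | ForEach-Object { Write-Output $_ }
```

Any finding should be compared against the host's approved configuration, since developer workstations and servers may legitimately run Hyper-V.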
Comprehensive Toolset
Curly COMrades employs a diverse range of tools to maintain its operations. These include:
- RuRat for persistent remote access.
- Mimikatz for credential harvesting.
- MucorAgent, a modular .NET implant.
- Resocks, Rsockstun, Ligolo-ng, CCProxy, Stunnel for proxy and tunneling.
Additionally, the group utilizes a PowerShell script for remote command execution, further enhancing its capabilities.
Communication Methods
The malware communicates through HTTP requests with a command-and-control (C2) server. It polls for new commands using HTTP GET requests and sends execution results back using HTTP POST requests.
The adaptability and flexible control demonstrated by Curly COMrades underline how determined the group is to maintain persistent access. Continued analysis of these tools and techniques is crucial for developing effective countermeasures against such sophisticated threats.