Russian spies hide malware in invisible Windows VMs


According to TheRegister.com, Russian hacking group Curly COMrades has been exploiting Microsoft’s Hyper-V hypervisor since July 2024 to create hidden Alpine Linux-based virtual machines that bypass endpoint security tools. The hidden VM uses only 120MB disk space and 256MB memory and hosts their custom reverse shell CurlyShell and reverse proxy CurlCat. Bitdefender researchers working with Georgia’s CERT found the group targeting judicial and government bodies in Georgia plus an energy company in Moldova. The attackers enable Hyper-V while disabling its management interface, then download the lightweight VM containing their malware. All malicious traffic appears to originate from the legitimate host machine’s IP address, effectively bypassing traditional EDR detections.


Why this matters

Here’s the thing: this isn’t your typical malware delivery. We’re talking about attackers using Microsoft’s own virtualization technology against itself. They’re not breaking in through vulnerabilities – they’re using legitimate features that security tools typically trust. And that’s way harder to detect. The VM isolation technique means the malware runs in an environment that most endpoint protection tools can’t even see. Basically, they’ve created a perfect hiding spot right under everyone’s noses.

The sophistication problem

What really stands out is how clever this approach is. The attackers configured the VM to use Hyper-V’s Default Switch network adapter, which NATs the guest’s traffic through the host’s own IP address, so all their malicious traffic blends in with the host machine’s normal network activity. So when security teams look at network logs, everything appears legitimate. They’re also using PowerShell scripts that inject Kerberos tickets and create local accounts across domain-joined machines. This isn’t some script kiddie operation – we’re looking at a well-funded, sophisticated group that understands exactly how enterprise security works.

What this means for security

So where does this leave security teams? Well, the old approach of just relying on endpoint detection isn’t cutting it anymore. As Bitdefender researcher Victor Vrabie noted, threat actors are getting better at bypassing EDR/XDR solutions through techniques like VM isolation. Some ransomware gangs are even incorporating “EDR killers” into their toolkits. The recommendation now is a multi-layered, defense-in-depth strategy that doesn’t just focus on threat detection at endpoints. Because when attackers can hide malware in legitimate system features, you need to be watching everything.

What to do about it

If you’re responsible for enterprise security, this should be a wake-up call. Bitdefender has published detailed indicators of compromise on their GitHub, which is essential reading for any security team. But beyond just looking for these specific threats, organizations need to rethink their approach to virtualization security. Hyper-V and other hypervisors are powerful tools, but they’re becoming attractive targets for attackers. Maybe it’s time to start monitoring virtualization activity with the same intensity we monitor everything else. Because if Russian spies can hide in plain sight using Microsoft’s own tools, who’s next?
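As a concrete starting point for that kind of monitoring, here is an added PowerShell inventory check written for this article; it is not code from The Register, Bitdefender or the Curly COMrades report. It looks for the three host-side conditions the article describes on a Windows endpoint you administer: the Hyper-V platform enabled while its management components are absent, virtual machines present even though the Hyper-V PowerShell module is missing, and small-footprint VMs attached to the "Default Switch" adapter. The memory and disk thresholds are assumptions chosen to catch a guest of the size reported, and the Hyper-V feature names, the `vmms` service, the `root\virtualization\v2` CIM namespace and the `Microsoft-Windows-Hyper-V-VMMS-Admin` event log are standard Windows components, not indicators taken from the report.

```powershell
# Added host-side Hyper-V inventory check (not from the article or Bitdefender).
# Run in an elevated PowerShell session on the Windows host being inspected.
$MaxSuspectMemoryMB = 512    # assumption: the reported guest uses 256MB RAM
$MaxSuspectDiskMB   = 1024   # assumption: the reported guest uses ~120MB disk

function Get-HyperVFeatureState {
    # Returns a hashtable of optional-feature name -> State (Enabled/Disabled/NotFound)
    $names = 'Microsoft-Hyper-V', 'Microsoft-Hyper-V-Hypervisor', 'Microsoft-Hyper-V-Services',
             'Microsoft-Hyper-V-Management-PowerShell', 'Microsoft-Hyper-V-Management-Clients'
    $state = @{}
    foreach ($n in $names) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $n -ErrorAction SilentlyContinue
        $state[$n] = if ($f) { [string]$f.State } else { 'NotFound' }
    }
    return $state
}

$features   = Get-HyperVFeatureState
$platformOn = ($features['Microsoft-Hyper-V-Hypervisor'] -eq 'Enabled') -or
              ($features['Microsoft-Hyper-V-Services']   -eq 'Enabled')
$mgmtOff    = ($features['Microsoft-Hyper-V-Management-PowerShell'] -ne 'Enabled') -and
              ($features['Microsoft-Hyper-V-Management-Clients']    -ne 'Enabled')

"Hyper-V feature state:"
$features.GetEnumerator() | Sort-Object Name | ForEach-Object { "  $($_.Name): $($_.Value)" }
if ($platformOn -and $mgmtOff) {
    Write-Warning "Hyper-V platform enabled but management tools absent: the pattern described in the report."
}

# vmms is the Hyper-V Virtual Machine Management service; guests cannot run without it.
$vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
if ($vmms) { "vmms service status: $($vmms.Status)" }

# Enumerate guests through the CIM virtualization namespace. This works even when
# the Hyper-V PowerShell module (Get-VM) was never installed on the host.
$cimVms = Get-CimInstance -Namespace root\virtualization\v2 -ClassName Msvm_ComputerSystem `
              -ErrorAction SilentlyContinue | Where-Object { $_.Caption -eq 'Virtual Machine' }
if ($cimVms) {
    "Virtual machines registered with the hypervisor (via CIM):"
    foreach ($vm in $cimVms) { "  $($vm.ElementName)  EnabledState=$($vm.EnabledState)" }
    if ($mgmtOff) { Write-Warning "VMs exist on a host whose Hyper-V management tools are not installed." }
} else {
    "No virtual machines found via CIM (or namespace unavailable)."
}

# Where the Hyper-V module is present, inspect footprint and network attachment.
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in Get-VM) {
        $memMB    = [int]($vm.MemoryStartup / 1MB)
        $switches = (Get-VMNetworkAdapter -VMName $vm.Name | Select-Object -ExpandProperty SwitchName) -join ','
        $diskMB   = 0
        foreach ($hdd in Get-VMHardDiskDrive -VMName $vm.Name) {
            $vhd = Get-VHD -Path $hdd.Path -ErrorAction SilentlyContinue
            if ($vhd) { $diskMB += [int]($vhd.FileSize / 1MB) }
        }
        "  VM '$($vm.Name)': State=$($vm.State) Memory=${memMB}MB Disk=${diskMB}MB Switch=[$switches]"
        # Flag the combination the article describes: a tiny guest NATed through the host's IP.
        if ($memMB -le $MaxSuspectMemoryMB -and $diskMB -le $MaxSuspectDiskMB -and $switches -match 'Default Switch') {
            Write-Warning "Small-footprint VM '$($vm.Name)' on the Default Switch: review its origin and disk image."
        }
    }
}

# Recent VM management events: creation, start and configuration changes are logged here.
Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

The check is deliberately host-side: because guest traffic leaves through the host’s address, the hypervisor inventory and the VMMS event log are where the activity is visible, not the network perimeter. Fold the warnings into whatever your EDR or SIEM already collects, and run the script periodically across domain-joined workstations, since a workstation that suddenly gains the Hyper-V platform without its management tools is itself the signal.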
