Curly COMrades, a Russian-linked APT group, has been found using Microsoft's Hyper-V to deploy hidden Alpine Linux virtual machines on compromised Windows systems in order to evade detection. Discovered in mid-2025, the operation isolates the malware from host-based detection tools while maintaining covert access.
Operational Techniques
The attackers remotely enabled the Hyper-V role on targeted Windows machines and disabled its management interface. They used PowerShell to import a compressed VM image disguised as a video file. The VM environment, named “WSL”, runs Alpine Linux with a 120MB disk and 256MB RAM, leveraging Hyper-V's Default Switch for network traffic obfuscation.
- Curly COMrades utilized native Windows virtualization for a stealthy attack.
- Alpine Linux VM image was deployed using PowerShell scripts.
- Hyper-V Default Switch masked VM traffic as originating from the Windows host.
Malware Components
Two ELF implants were introduced within the VM: CurlyShell and CurlCat. CurlyShell offers a persistent reverse shell using HTTPS for command and control, maintaining persistence with a root cron job. CurlCat functions as a reverse proxy, embedding SSH within HTTP requests and authenticating with RSA keys.
Beyond the VM, PowerShell scripts enabled remote execution and lateral movement via encrypted Kerberos tickets. Persistence relied on GPO-distributed scripts that reset local accounts. Artifacts were placed under default Windows system paths, where they blended with legitimate files.
Security Recommendations
Organizations should audit Hyper-V usage and disable it where unnecessary. Monitor for hidden VMs and unexpected VM imports, including the PowerShell and WMI activity that performs them. Host-based network inspection should be enabled on systems with virtualization.
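The audit described above, as an added PowerShell example (not from the report or the group's tooling). It enumerates VMs through the Hyper-V WMI provider rather than Get-VM, since the management tools may have been disabled, and flags the traits the report names; the function names and the "WSL"/256MB heuristics are assumptions drawn from the report, and the Msvm_* class and property names are those of the root\virtualization\v2 namespace as the author knows them.

```powershell
# Added example: audit a Windows host for the hidden-VM pattern described in the report.
$ns = 'root\virtualization\v2'

function Get-HyperVRoleState {
    # 'Enabled' on hosts where the role was turned on, legitimately or by an intruder.
    (Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All).State
}

function Get-VMInventory {
    # Query VMMS over CIM: works even if the Hyper-V management tools were removed.
    Get-CimInstance -Namespace $ns -ClassName Msvm_ComputerSystem |
        Where-Object Caption -eq 'Virtual Machine' |
        ForEach-Object {
            $vssd = Get-CimAssociatedInstance -InputObject $_ -ResultClassName Msvm_VirtualSystemSettingData |
                    Where-Object VirtualSystemType -eq 'Microsoft:Hyper-V:System:Realized'
            $mem  = Get-CimAssociatedInstance -InputObject $vssd -ResultClassName Msvm_MemorySettingData
            $disk = Get-CimAssociatedInstance -InputObject $vssd -ResultClassName Msvm_StorageAllocationSettingData |
                    ForEach-Object { $_.HostResource }
            [pscustomobject]@{
                Name     = $_.ElementName
                State    = $_.EnabledState      # 2 = running
                MemoryMB = $mem.VirtualQuantity # startup memory in MB
                Disks    = @($disk)
            }
        }
}

function Test-SuspiciousVM {
    param($vm)
    # Heuristics from the report: a VM named "WSL" (WSL 2's utility VM is not a VMMS-managed
    # VM, so one by that name here is suspect), tiny memory, or a disk outside the VHD folder.
    $reasons = @()
    if ($vm.Name -eq 'WSL')   { $reasons += 'name mimics WSL' }
    if ($vm.MemoryMB -le 256) { $reasons += "only $($vm.MemoryMB) MB RAM" }
    foreach ($d in $vm.Disks) {
        if ($d -notmatch '\\Virtual Hard Disks\\') { $reasons += "disk image at $d" }
    }
    return $reasons
}

function Get-VMImportScriptBlocks {
    # Script block logging (event 4104) records Import-VM / role-enable commands run via PowerShell.
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -match 'Import-VM|Enable-WindowsOptionalFeature.*Hyper-V' } |
        Select-Object TimeCreated, @{n='ScriptBlock'; e={ $_.Properties[2].Value }}
}

"Hyper-V role: $(Get-HyperVRoleState)"
"Running VM worker processes (vmwp.exe): $((Get-Process vmwp -ErrorAction SilentlyContinue).Count)"
Get-VMInventory | ForEach-Object { $r = Test-SuspiciousVM $_; if ($r) { "SUSPICIOUS VM '$($_.Name)': $($r -join '; ')" } }
Get-VMImportScriptBlocks | Format-List
```

Run it elevated; script block logging must already have been enabled for the 4104 query to return anything.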