Pro-Russian hackers known as Curly COMrades are exploiting Microsoft's Hyper-V technology to embed lightweight Alpine Linux virtual machines within compromised Windows systems. This tactic allows them to run custom malware like CurlyShell and CurlCat undetected by traditional endpoint detection tools. The campaign, uncovered by Bitdefender in collaboration with the Georgian CERT, targets organizations in Europe and beyond.
The attack begins with the initial compromise of Windows machines, often through vulnerabilities or social engineering. The attackers then enable Hyper-V, a virtualization feature built into Windows 10, using the Deployment Image Servicing and Management (DISM) tool, while disabling its management interfaces to avoid detection. In activity observed as early as July 2024, they deployed a small RAR archive disguised as a video file, containing configuration files and a virtual disk for a pre-configured Alpine Linux environment. This VM, named 'WSL' to mimic the legitimate Windows Subsystem for Linux, requires only 120 MB of disk space and 256 MB of RAM, making it resource-efficient and stealthy.
Inside the VM, the hackers run CurlyShell, a custom reverse shell built with the libcurl library for command execution via HTTPS connections to command-and-control servers, and CurlCat, a reverse proxy for tunneling traffic. The VM uses default network adapters and Hyper-V's internal NAT service, routing malicious communications through the host Windows IP address to mask origins and bypass endpoint detection and response (EDR) solutions. Additional persistence is achieved with tools like Ligolo-ng, CCProxy, Stunnel, SSH, Resocks, and Rsockstun, alongside PowerShell scripts that inject Kerberos tickets into the LSASS process and create local accounts via Group Policy.
Bitdefender's senior security researcher Victor Vrabie explained: 'By isolating the malware and its execution environment within a VM, the attackers effectively create a parallel world that’s invisible to most security solutions on the host.' The group, aligned with Russian geopolitical interests and linked to aliases like Void Blizzard or LAUNDRY BEAR, has targeted institutions in Georgia, Moldova, Europe, North America, and possibly Ukraine, focusing on government, defense, and healthcare sectors. This method represents a growing trend of using Linux malware against Windows to evade sophisticated EDR, similar to tactics in Qilin ransomware attacks. Experts recommend monitoring for unexpected Hyper-V activations, implementing behavioral analysis in virtual environments, and enhancing network-based inspections to counter such threats.
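The following host triage script is an added example, not code from the article or from Bitdefender; it checks a Windows machine for the indicators described above (Hyper-V enabled while its management tools are off, a tiny VM named 'WSL', internal NAT, recent VM-management activity). The 'WSL' name and 256 MB figure come from the report; the 512 MB "small VM" cutoff is an assumed threshold.

```powershell
# Added triage script, not from the article or Bitdefender. Run elevated on the host.
$findings = @()

# 1. Hyper-V platform enabled (e.g. via DISM) while its management tools are off,
#    matching the report's description of attackers disabling management interfaces.
$feat     = Get-WindowsOptionalFeature -Online | Where-Object FeatureName -like 'Microsoft-Hyper-V*'
$platform = $feat | Where-Object FeatureName -eq 'Microsoft-Hyper-V'
$mgmt     = $feat | Where-Object FeatureName -in @('Microsoft-Hyper-V-Management-PowerShell',
                                                   'Microsoft-Hyper-V-Management-Clients')
if ($platform.State -eq 'Enabled' -and ($mgmt | Where-Object State -ne 'Enabled')) {
    $findings += 'Hyper-V enabled but management components are disabled'
}

# 2. Enumerate VMs through WMI (root\virtualization\v2) so this still works when the
#    Hyper-V PowerShell module is absent. The Caption filter drops the host's own entry.
$vms = Get-CimInstance -Namespace root\virtualization\v2 -ClassName Msvm_ComputerSystem `
           -ErrorAction SilentlyContinue | Where-Object Caption -eq 'Virtual Machine'
foreach ($vm in $vms) {
    # 'Realized' settings are the active configuration; snapshots carry another type.
    $vssd = Get-CimAssociatedInstance -InputObject $vm -ResultClassName Msvm_VirtualSystemSettingData |
            Where-Object VirtualSystemType -eq 'Microsoft:Hyper-V:System:Realized'
    $memMB = 0
    if ($vssd) {
        $memMB = (Get-CimAssociatedInstance -InputObject $vssd -ResultClassName Msvm_MemorySettingData).VirtualQuantity
    }
    $running = ($vm.EnabledState -eq 2)   # EnabledState 2 = running
    if ($vm.ElementName -eq 'WSL') {
        $findings += "VM named 'WSL' registered with Hyper-V (running=$running, ${memMB} MB)"
    } elseif ($memMB -gt 0 -and $memMB -le 512) {   # 512 MB cutoff is an assumption
        $findings += "Unusually small VM '$($vm.ElementName)' (running=$running, ${memMB} MB)"
    }
}

# 3. Internal NAT that would let a guest egress through the host's IP address.
Get-NetNat -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "NetNat '$($_.Name)' on $($_.InternalIPInterfaceAddressPrefix)"
}

# 4. Recent VM-management activity, to correlate with when Hyper-V was switched on.
$recent = Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents 20 -ErrorAction SilentlyContinue
if ($recent) {
    $findings += "Hyper-V VMMS log: latest event $($recent[0].TimeCreated) (Id $($recent[0].Id))"
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else           { Write-Output 'No Hyper-V indicators found on this host' }
```

Any hit from step 1 or 2 on a workstation that has no business running Hyper-V guests warrants pulling the VMMS log and the NAT configuration for further review.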