Hyper-V Curly COMrades

A group of Russian hackers, known as Curly COMrades, was discovered using an unusual tactic to hide malware inside Linux virtual machines by abusing Microsoft’s Hyper-V technology. This method allows attackers to run malicious tools in an isolated environment, thereby evading traditional Endpoint Detection and Response (EDR) systems and maintaining persistent access to victims’ networks.

Discovery of the attack

Investigations by Bitdefender, in collaboration with the Georgia Computer Emergency Response Team (CERT.GE), uncovered a sophisticated campaign in which the attackers enable the Hyper-V role on compromised Windows systems and then deploy a minimalist virtual machine based on the Alpine Linux distribution. This virtual machine, which occupies only 120 MB of disk space and 256 MB of memory, is used to run custom tools such as CurlyShell (a reverse shell) and CurlCat (a reverse proxy), which facilitate covert communication with the attackers’ command-and-control (C2) servers. By running malware inside the VM, the malicious activity is not detected by security solutions installed on the host system, which lack the capability to inspect network traffic originating from the virtual machines.

Operation method

The attackers gain remote access to target systems, enable the Hyper-V role, and disable the management interface to reduce visibility. They then download a VM image disguised as a video file, extract it, and import it into Hyper-V using PowerShell. The VM is sometimes named “WSL” to imitate the legitimate Windows Subsystem for Linux functionality, hoping virtualization activity will go unnoticed by system administrators.

Impact and recommendations

This tactic highlights gaps in security systems that do not comprehensively cover virtualized environments. Experts recommend auditing Hyper-V usage across endpoints, disabling it where unnecessary, monitoring PowerShell and WMI activity for unexpected VM imports, and enabling network traffic inspection at the host level—especially on systems with virtualization enabled.
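The checks above, as an added audit script for a single Windows endpoint (written for this article; it is not Bitdefender's or CERT.GE's tooling). It assumes an elevated PowerShell session with script-block logging enabled; the 512 MB memory threshold and the 30-day log window are assumptions, while the "WSL" name and the small Alpine footprint come from the report.

```powershell
# Added example: audits one host for the Hyper-V abuse pattern described above.
# Assumptions: elevated session, script-block logging (event 4104) is on,
# 512 MB memory threshold and 30-day window are chosen here, not from the report.

$findings = @()

# 1. Hyper-V feature state. A running hypervisor with management tooling turned
#    off matches the "disable the management interface" step in the article.
$features = Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -like 'Microsoft-Hyper-V*' }
$hypervisorOn = $features | Where-Object {
    $_.FeatureName -eq 'Microsoft-Hyper-V-Hypervisor' -and $_.State -eq 'Enabled' }
$mgmtOff = $features | Where-Object {
    $_.FeatureName -like 'Microsoft-Hyper-V-Management*' -and $_.State -ne 'Enabled' }
if ($hypervisorOn) {
    $findings += "Hyper-V hypervisor is enabled on $env:COMPUTERNAME"
    if ($mgmtOff) { $findings += "Hyper-V management components are disabled while the hypervisor runs" }
}

# 2. VM inventory. Small VMs named like WSL are the pattern reported; Get-VM is
#    only present when the Hyper-V PowerShell module is installed.
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in Get-VM) {
        $memMB = [math]::Round($vm.MemoryStartup / 1MB)
        $disks = (Get-VMHardDiskDrive -VMName $vm.Name | ForEach-Object { $_.Path }) -join ';'
        $note = "VM '$($vm.Name)' state=$($vm.State) startupMem=${memMB}MB disks=$disks"
        if ($vm.Name -match '^WSL' -or $memMB -le 512) { $note = 'SUSPECT ' + $note }
        $findings += $note
    }
} elseif ($hypervisorOn) {
    $findings += 'Hyper-V module missing: VM inventory skipped (consider re-enabling management tools)'
}

# 3. Script-block logging: who imported or created VMs, or enabled Hyper-V, via PowerShell.
$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
             StartTime = (Get-Date).AddDays(-30) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Import-VM|New-VM|Enable-WindowsOptionalFeature.*Hyper-V' } |
    ForEach-Object {
        $snippet = $_.Message.Substring(0, [math]::Min(120, $_.Message.Length))
        $findings += "PS script block at $($_.TimeCreated): $snippet"
    }

$findings
```

Review any SUSPECT line and any 4104 hit that does not map to a known administrative change; a clean host returns no findings.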

Conclusion

Abusing Hyper-V represents a notable evolution in security-evasion tactics. The Curly COMrades group has shown that virtualization can be weaponized against traditional defensive systems. Organizations are advised to revise their security strategies to include monitoring of virtualization activity and traffic between virtual machines and the external network.
