Russian-linked threat actors from the group Curly COMrades have crafted a sophisticated attack that abuses the Microsoft Hyper‑V hypervisor on Windows machines to run a hidden Alpine Linux-based virtual machine (VM). Inside this covert VM the hackers run custom malware tools — bypassing traditional endpoint detection solutions and maintaining long-term access to victim networks.
Hyper-V VM Stealth: Alpine VM with CurlyShell & CurlCat Evades EDR
The campaign begins with the attackers gaining initial access to a Windows host. They enable the Hyper-V role while disabling its management interface, then deploy an Alpine Linux VM, hidden in plain sight and designed to blend with developer or test-environment artifacts. The commands used often include:
dism /online /enable-feature /All /FeatureName:microsoft-hyper-v
powershell.exe -c Import-VM …
powershell.exe -c Start-VM -name WSL
Once the VM is imported and started, the attackers run two custom implants: CurlyShell, a persistent reverse shell daemon, and CurlCat, a traffic-tunnelling proxy tool. The VM’s network adaptor uses the host’s Default Switch, making all malicious traffic appear to originate from the legitimate host machine’s IP address.
“By isolating the malware and its execution environment within a VM, the attackers effectively bypassed many traditional host-based EDR detections.” — Technical report
PowerShell scripts were also observed injecting Kerberos tickets into LSASS or creating local accounts via Group Policy to enable lateral movement and persistence across a compromised domain.
Hypervisor-Based Stealth: VM-Resident Malware Bypasses Host Detection
Unlike conventional techniques, where malware resides directly on the host operating system and is subject to memory scanning, file integrity checks or behaviour monitoring, this VM-based technique creates a stealth layer: the malicious payload runs in an isolated Linux guest OS on top of a Windows host, evading typical Windows EDR tools. By using Hyper-V as the execution environment, the attackers:
- Hide malicious activity from security tools that assume the host OS is the only monitored environment.
- Use a tiny VM footprint (~120 MB disk / 256 MB memory) to reduce detection signals.
- Tunnel command-and-control traffic through the host, blending it into legitimate outbound network flows.
- Leverage virtualization to persist between host reboots, patches and system scans.
For enterprise defenders this means that threat actors are shifting from traditional host-based evasion to hypervisor-based stealth, raising the difficulty of detection and response.
Key Recommendations for Defenders
To mitigate this attack method, organizations should:
- Monitor for unexpected Hyper-V role activations or Import-VM / Start-VM events on Windows systems.
- Inspect anomalous network traffic originating from hosts that run VMs, particularly when using default bridges like the Hyper-V Default Switch.
- Enforce least-privilege and control which systems can enable virtualization features; treat enabling of Hyper-V on production machines as a security event.
- Combine host-based endpoint monitoring with network-level inspection and credential-abuse detection to cover attacker activity inside guest VMs.
- Leverage threat intelligence feeds for Indicators of Compromise (IOCs) tied to CurlyShell, CurlCat and other tooling associated with Curly COMrades.
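The following host-side triage script is an added example, not tooling from the report or from the article's source; it implements the first two recommendations above by checking the Hyper-V platform feature, enumerating guests with the traits described in this campaign (Default Switch, ~256 MB RAM, ~120 MB disk, a developer-looking name such as WSL) and pulling recent VMMS log entries. It assumes the Hyper-V PowerShell module or, failing that, the root\virtualization\v2 WMI namespace is available on the host, and the name pattern and size thresholds are assumptions derived from this article.

```powershell
# Added triage script (not from the report): checks for the Hyper-V platform,
# enumerates guests with the traits described above, and pulls recent VMMS
# import/start events. Run from an elevated PowerShell on the suspect host.
# 1. Hyper-V platform feature state: "Enabled" on a workstation or server
#    that has no business running VMs is itself a finding.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V
Write-Host "Hyper-V platform feature: $($feature.State)"
# 2. Enumerate guests. Prefer the Hyper-V module; if the management tools were
#    removed, fall back to the WMI provider (assumption: root\virtualization\v2
#    is registered whenever the Hyper-V services themselves are enabled).
$guests = @()
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in Get-VM) {
        $diskBytes = Get-VMHardDiskDrive -VM $vm | ForEach-Object {
            (Get-Item $_.Path -ErrorAction SilentlyContinue).Length } |
            Measure-Object -Sum
        $guests += [pscustomobject]@{
            Name       = $vm.Name
            State      = $vm.State
            SwitchName = ((Get-VMNetworkAdapter -VM $vm).SwitchName -join ',')
            MemoryMB   = [int]($vm.MemoryStartup / 1MB)
            DiskMB     = [int]($diskBytes.Sum / 1MB)
        }
    }
} else {
    Get-CimInstance -Namespace root\virtualization\v2 -ClassName Msvm_ComputerSystem |
        Where-Object { $_.Caption -eq 'Virtual Machine' } | ForEach-Object {
            $guests += [pscustomobject]@{ Name = $_.ElementName; State = $_.EnabledState
                                          SwitchName = 'unknown'; MemoryMB = 0; DiskMB = 0 }
        }
}
# 3. Flag the traits from the campaign: Default Switch (egress carries the
#    host's IP), ~256 MB RAM / ~120 MB disk, or a name that mimics dev tooling.
foreach ($g in $guests) {
    $reasons = @()
    if ($g.SwitchName -like '*Default Switch*')     { $reasons += 'on Default Switch' }
    if ($g.MemoryMB -gt 0 -and $g.MemoryMB -le 256) { $reasons += "$($g.MemoryMB) MB RAM" }
    if ($g.DiskMB -gt 0 -and $g.DiskMB -le 150)     { $reasons += "$($g.DiskMB) MB disk" }
    if ($g.Name -match '^(WSL|test|dev)')           { $reasons += 'dev-style name' }  # assumed pattern
    $tag = if ($reasons.Count) { 'SUSPICIOUS' } else { 'info' }
    Write-Host ('[{0}] {1} ({2}) {3}' -f $tag, $g.Name, $g.State, ($reasons -join '; '))
}
# 4. Hyper-V-VMMS admin-log entries from the last 72 hours whose message
#    mentions an import or a start; correlate TimeCreated with process telemetry.
$since = (Get-Date).AddHours(-72)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Hyper-V-VMMS-Admin'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'import|started' } |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

A guest flagged SUSPICIOUS should be correlated with the dism and powershell.exe command lines shown earlier and with outbound connections from the host, since traffic from a guest on the Default Switch is NATed behind the host's own address.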
In a landscape where endpoint protection alone is no longer sufficient, virtualized execution environments present a growing blind spot in many organisations’ defences. The abuse of Hyper-V by advanced threat actors underscores the importance of adopting a layered security posture, combining host monitoring, network analytics, cloud/virtualisation hygiene and proactive threat hunting.