Threat Actors weaponize Linux VMs in Hyper-V to Bypass EDR

Diagram showing how the Curly COMrades threat group uses a Hyper-V virtual machine to hide malware and bypass EDR security systems.

1. Introduction

Bitdefender's recent discovery and analysis of a threat actor, designated Curly COMrades, reveals a sophisticated campaign employing virtualization technologies to circumvent endpoint detection and response (EDR) solutions and facilitate the execution of custom malware. This novel approach underscores the evolving landscape of advanced persistent threats (APTs) and the increasing need for comprehensive security strategies capable of detecting and mitigating attacks leveraging virtualization-based evasion techniques. The strategic use of lightweight, ephemeral virtual machines (VMs) represents a significant operational security (OPSEC) improvement for the threat actor, complicating forensic analysis and hindering attribution efforts.

2. Activity Overview

Curly COMrades' targeting and motivation appear aligned with state-sponsored espionage, with victims concentrated in Georgia and Moldova. The group is assessed to have been active since late 2023, but the virtualization-based tradecraft described here was only documented from August 2025 onward, implying a long period of undetected operation before discovery. The geopolitical context suggests that the threat actor's activities are driven by intelligence gathering and potentially disruptive objectives, reflecting interests consistent with those of the Russian Federation. Their strategic objectives appear to encompass maintaining persistent access to compromised systems, exfiltrating sensitive data, and potentially establishing a foothold for future disruptive operations. The observed targeting patterns suggest a focus on entities of strategic or political interest within the affected regions.

3. Technical Deep Dive: Attack Methodology

Curly COMrades exhibits a distinct attack methodology centered around the deployment of a minimalistic, Alpine Linux-based virtual machine on compromised Windows 10 hosts. The threat actor leverages the native Hyper-V role within Windows to create a hidden, isolated operating environment.

The technical mechanism involves:

1. Enabling Hyper-V: Using the administrative access it already holds on the victim (obtained through compromised credentials or exploitation), the threat actor enables the Hyper-V feature, typically with PowerShell (`Enable-WindowsOptionalFeature`) or `dism.exe`. Enabling the role requires administrative rights and normally a reboot before the hypervisor becomes active.
2. VM Deployment: A pre-built Alpine Linux image is then deployed. This image, notably small at approximately 120MB disk space and 256MB memory, is meticulously crafted to minimize its footprint and reduce the likelihood of detection.
3. Isolation: The VM needs little network access beyond what the reverse shell requires, and its traffic leaves through a Hyper-V virtual switch with no host process owning the connection, so host-based agents have nothing to attribute it to. Where the guest is NATed behind the host (as with Hyper-V's Default Switch), its connections to the threat actor's command and control (C2) infrastructure appear on the network as ordinary traffic from the host's IP address.
4. Malware Execution: Custom malware, specifically CurlyShell (reverse shell) and CurlCat (reverse proxy), is deployed and executed within the isolated VM environment.

This technique effectively bypasses many traditional host-based EDR detections, as the malicious activity is confined within the VM and largely invisible to host-based security agents. The attack chain typically involves initial access via exploitation of known vulnerabilities or compromised credentials, followed by lateral movement within the network; the tooling used in those phases is covered in Section 4. Persistence is achieved through the Hyper-V infrastructure itself: the VM is configured to start automatically with the host, so the implants return after every reboot.
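The four steps above, reconstructed as a PowerShell lab script. This is an added example, not the threat actor's code (the page does not reproduce the commands the actor used); the VM name `WSL`, the staging path, and the Generation 1 configuration are assumptions, and the Alpine image with the implants inside it is deliberately not part of the example. Run it only on a disposable, elevated Windows test host.

```powershell
# Added lab reconstruction of the deployment chain described above.
# Not the actor's script: VM name, staging path and generation are assumptions.
#Requires -RunAsAdministrator

$VmName  = 'WSL'                                        # assumed decoy name
$VhdPath = 'C:\ProgramData\Microsoft\WSL\alpine.vhdx'   # assumed staging path
$Memory  = 256MB                                        # footprint cited on the page

# 1. Enable the Hyper-V role (-All also pulls in the PowerShell module).
#    -NoRestart avoids an immediate reboot, but the hypervisor and the
#    Hyper-V cmdlets are only usable after the next restart.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V
if ($feature.State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart | Out-Null
    Write-Warning 'Hyper-V enabled; reboot, then run this script again for steps 2-4.'
    return
}

# 2. Register a tiny Generation 1 VM around the pre-built Alpine disk image.
#    The image itself (and anything inside it) is outside this example.
if (-not (Get-VM -Name $VmName -ErrorAction SilentlyContinue)) {
    New-VM -Name $VmName -Generation 1 -MemoryStartupBytes $Memory `
           -VHDPath $VhdPath -SwitchName 'Default Switch' | Out-Null
}

# 3. Network: the Default Switch NATs guest traffic behind the host's own
#    address, so the guest reaches the Internet with no further setup and
#    its connections look like host traffic on the wire.

# 4. Persistence through Hyper-V itself: start with the host, shut down
#    cleanly instead of saving state, and never leave checkpoints behind.
Set-VM -Name $VmName -AutomaticStartAction Start -AutomaticStartDelay 0 `
       -AutomaticStopAction ShutDown -CheckpointType Disabled
Start-VM -Name $VmName
Get-VM -Name $VmName | Select-Object Name, State, MemoryStartup, AutomaticStartAction
```

The last line is the view a hunter gets back from the same host: a running VM, 256MB of memory, and `AutomaticStartAction` set to `Start`, which is exactly the combination worth alerting on.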

Indicators of Compromise (IOCs):

  • Hyper-V components: Monitor for unexpected enabling of the Hyper-V role and for its processes appearing on workstations where virtualization is not expected, in particular `vmms.exe` (the Virtual Machine Management service) and `vmwp.exe` (the per-VM worker process).

  • Suspicious Alpine Linux images: Presence of minimal Alpine Linux disk images (VHD/VHDX files, or raw images staged for conversion) in locations not consistent with the organization's virtualization practices. File names that echo the original research, such as "alpine_comrades.img", are of particular concern, but do not rely on names alone: a VM disk of roughly the size cited above (about 120MB) registered on an end-user workstation is a stronger signal than any particular file name.

  • PowerShell and DISM execution logs: Monitor script-block and command-line logging for commands that enable Hyper-V (`Enable-WindowsOptionalFeature -FeatureName Microsoft-Hyper-V`, `dism.exe /enable-feature`), create or register VMs (`New-VM`, `Import-VM`), configure automatic start (`Set-VM -AutomaticStartAction`), or adjust VM networking (`Add-VMNetworkAdapter`, `Connect-VMNetworkAdapter`).

  • Network Connections: Monitor for traffic from newly created virtual machines that does not match the organization's VM inventory. Where the guest is NATed behind the host, this shows up as outbound connections attributed to the host's IP address that no host process accounts for.
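A single-host hunting script that checks the indicator classes above. It is an added example, not part of the original research; the scoring heuristics, the decoy-name pattern, the memory threshold and the log filters are choices made for this example. It requires elevation; if Hyper-V is not installed, the `Get-VM` calls return nothing, which is itself the answer you want on a workstation.

```powershell
# Added hunting script for the Hyper-V indicators listed above.
# Thresholds and name patterns are heuristics chosen for this example.
#Requires -RunAsAdministrator

function Get-HyperVFindings {
    $findings = [System.Collections.Generic.List[string]]::new()

    # Is the role present at all on a machine that should not need it?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V
    $vmms    = Get-Service -Name vmms -ErrorAction SilentlyContinue
    if ($feature.State -eq 'Enabled' -or $vmms) {
        $findings.Add("Hyper-V present: feature=$($feature.State) vmms=$($vmms.Status)")
    }

    # Inventory every registered VM and score the traits of a throwaway guest:
    # tiny memory, autostart, disk outside the default Hyper-V folders, and a
    # name that imitates a legitimate Windows component.
    foreach ($vm in (Get-VM -ErrorAction SilentlyContinue)) {
        $disks = (Get-VMHardDiskDrive -VMName $vm.Name).Path -join ';'
        $nics  = (Get-VMNetworkAdapter -VMName $vm.Name).SwitchName -join ';'
        $flags = @()
        if ($vm.MemoryStartup -le 512MB)                 { $flags += 'small-memory' }
        if ($vm.AutomaticStartAction -ne 'Nothing')      { $flags += 'autostart' }
        if ($disks -notmatch '\\Hyper-V\\')              { $flags += 'unusual-disk-path' }
        if ($disks -match 'alpine')                      { $flags += 'alpine-image' }
        if ($vm.Name -match '^(wsl|update|defender|svc)') { $flags += 'decoy-name' }
        if ($flags) {
            $findings.Add("VM '$($vm.Name)' [$($flags -join ',')] mem=$($vm.MemoryStartup / 1MB)MB " +
                          "start=$($vm.AutomaticStartAction) disks=$disks switch=$nics")
        }
    }

    # PowerShell script-block logging (event 4104) keeps the enable/create
    # commands even if the VM was deleted afterwards. Properties[2] is the
    # ScriptBlockText field of that event.
    $pattern = 'Microsoft-Hyper-V|Enable-WindowsOptionalFeature.*Hyper|New-VM|Import-VM|AutomaticStartAction|Start-VM'
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -match $pattern } |
        ForEach-Object {
            $text = ($_.Properties[2].Value -replace '\s+', ' ')
            $findings.Add("4104 $($_.TimeCreated): " + $text.Substring(0, [Math]::Min(120, $text.Length)))
        }

    # The VMMS admin log records VM lifecycle events independently of how the
    # VM was created, and also survives deletion of the VM.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Hyper-V-VMMS-Admin' } -MaxEvents 200 -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("VMMS $($_.Id) $($_.TimeCreated): " + ($_.Message -replace '\s+', ' ')) }

    return $findings
}

Get-HyperVFindings
```

Run it fleet-wide through your EDR's script execution or a remoting job and triage any workstation that returns both `Hyper-V present` and a VM line carrying `small-memory` plus `autostart`; a VM matching the `alpine-image` or `decoy-name` flag on top of that is a strong candidate for the technique described in this section.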


The sophistication level is deemed high, reflecting a deep understanding of virtualization technologies and their potential for evasion. Attribution is complex, given the OPSEC advantages afforded by the use of ephemeral VMs and custom malware. The defensive blind spot lies in the lack of visibility into the activity occurring within these isolated virtual environments.


4. Tooling Analysis: Custom Malware Arsenal

Curly COMrades utilizes a combination of custom-developed malware and publicly available tools to achieve its objectives.

Primary Custom Tool: CurlyShell

  • Functionality and Purpose: CurlyShell is a custom-developed ELF binary that functions as a persistent reverse shell, providing the threat actor with remote command execution capabilities within the compromised environment.

  • Technical Implementation Details: Written in C++, CurlyShell runs as a headless background daemon. It polls the C2 server with HTTP GET requests for new commands and returns their output with HTTP POST requests. Request and response bodies are encrypted, so network inspection cannot recover the commands or their results, although the polling pattern itself remains observable.

  • C2 Communication Methods: HTTP GET/POST with encryption. C2 infrastructure is believed to be dynamically provisioned and rotated.

  • Evasion and Anti-Analysis Features: Code obfuscation techniques are employed to hinder reverse engineering. The malware operates within the isolated VM, further reducing the likelihood of detection by host-based security solutions.

  • Persistence Mechanisms Employed: The malware is configured to automatically start upon VM boot, ensuring persistent remote access.
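Detection logic for the GET-poll/POST-result pattern described above, run against a constructed egress proxy log. This is an added PowerShell example, not from the original research: CurlyShell's real polling interval, URL and headers are not given on the page, so the roughly 60-second cadence, the hostnames and the log format are invented for the demo. Because the guest's traffic is NATed behind the host, the client address in such logs is the Windows host rather than the hidden VM, and that is the address to pivot on.

```powershell
# Added example: flag hosts that poll one URL at a near-constant interval and
# occasionally POST to the same URL, the shape of a GET-poll/POST-result C2.
# The log lines below are constructed; format is "time client method url status bytes".

$SampleLog = @'
2025-08-12T09:00:00Z 10.1.2.34 GET  https://cdn.example-telemetry.net/api/v2/status 200 312
2025-08-12T09:00:10Z 10.1.2.34 GET  https://update.example-vendor.com/catalog.xml 200 9001
2025-08-12T09:01:01Z 10.1.2.34 GET  https://cdn.example-telemetry.net/api/v2/status 200 298
2025-08-12T09:01:03Z 10.1.2.34 POST https://cdn.example-telemetry.net/api/v2/status 200 4096
2025-08-12T09:02:00Z 10.1.2.34 GET  https://cdn.example-telemetry.net/api/v2/status 200 305
2025-08-12T09:02:30Z 10.1.2.34 GET  https://update.example-vendor.com/catalog.xml 200 9001
2025-08-12T09:02:45Z 10.1.2.34 GET  https://update.example-vendor.com/catalog.xml 200 9001
2025-08-12T09:03:02Z 10.1.2.34 GET  https://cdn.example-telemetry.net/api/v2/status 200 300
2025-08-12T09:03:50Z 10.1.2.34 GET  https://update.example-vendor.com/catalog.xml 200 9001
2025-08-12T09:04:00Z 10.1.2.34 GET  https://cdn.example-telemetry.net/api/v2/status 200 311
2025-08-12T09:04:01Z 10.1.2.34 POST https://cdn.example-telemetry.net/api/v2/status 200 1024
'@

function Find-PollingBeacons {
    param(
        [string[]]$Lines,
        [int]$MinRequests = 4,      # fewer GETs than this is not a cadence yet
        [double]$MaxJitter = 0.2    # stddev/mean of GET intervals; polling sits near 0
    )
    $rows = foreach ($l in $Lines) {
        if ($l -match '^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d+)\s+(\d+)$') {
            [pscustomobject]@{
                Time   = [datetimeoffset]::Parse($Matches[1]).UtcDateTime
                Client = $Matches[2]
                Method = $Matches[3]
                Url    = $Matches[4]
            }
        }
    }
    $rows | Group-Object Client, Url | ForEach-Object {
        $gets  = @($_.Group | Where-Object Method -eq 'GET' | Sort-Object Time)
        $posts = @($_.Group | Where-Object Method -eq 'POST')
        if ($gets.Count -lt $MinRequests) { return }
        # Interval between consecutive GETs; a poller keeps this nearly fixed,
        # a human browsing the same site does not.
        $gaps = for ($i = 1; $i -lt $gets.Count; $i++) {
            ($gets[$i].Time - $gets[$i - 1].Time).TotalSeconds
        }
        $mean = ($gaps | Measure-Object -Average).Average
        $sq   = $gaps | ForEach-Object { ($_ - $mean) * ($_ - $mean) }
        $sd   = [math]::Sqrt(($sq | Measure-Object -Sum).Sum / $gaps.Count)
        if ($mean -gt 0 -and ($sd / $mean) -le $MaxJitter) {
            [pscustomobject]@{
                Client      = $gets[0].Client
                Url         = $gets[0].Url
                Polls       = $gets.Count
                PeriodSec   = [math]::Round($mean, 1)
                Jitter      = [math]::Round($sd / $mean, 3)
                ResultPosts = $posts.Count   # POSTs to the poll URL = results going back
            }
        }
    }
}

Find-PollingBeacons -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

On the constructed log only the telemetry URL is reported: five GETs about 60 seconds apart with two interleaved POSTs, while the four irregular requests to the update host fall outside the jitter threshold. Tune `MaxJitter` upward if your proxy timestamps are coarse, and remember that a host with no process owning these connections in EDR telemetry is the Hyper-V case this page describes.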


Secondary Custom Tool: CurlCat

  • Functionality and Purpose: CurlCat is a custom-developed reverse proxy designed to facilitate bidirectional data transfer and establish a secure tunnel between the compromised environment and the threat actor's C2 infrastructure.

  • Technical Architecture and Operational Flow: CurlCat shares most of its code with CurlyShell, but instead of executing commands it carries SSH traffic between the compromised environment and the C2 server, giving the operator a tunnel over which standard SSH port forwarding and proxying can be layered.

  • Data Handling and Transmission Protocols: SSH-based tunneling for secure data transmission.

  • Integration with Primary Tool and Operational Workflow: CurlCat is used in conjunction with CurlyShell to establish a robust and secure communication channel, enabling the threat actor to remotely control the compromised system and exfiltrate sensitive data.

Standard/Public Tools Observed

Curly COMrades also leverages a range of publicly available tools to complement its custom malware arsenal:

  • Mimikatz: Used for credential harvesting.

  • Ligolo-ng: Tunneling tool, used alongside other proxy and tunneling solutions including Resocks, Rsockstun, CCProxy, Stunnel, and SSH-based port forwarding.

  • PowerShell Scripts: Used for remote command execution and system reconnaissance.


These tools complement the custom malware by providing additional capabilities for lateral movement, privilege escalation, and data exfiltration. The combination of custom malware and readily available tools reflects a strategic approach aimed at maximizing operational effectiveness while minimizing the risk of detection.


5. Defensive Evasion and Operational Security

Curly COMrades successfully evades detection through a combination of virtualization-based isolation, custom malware, and encrypted communication.

  • Virtualization-Based Isolation: The lightweight Alpine Linux VM is a separate operating system with its own kernel, processes, and file system. Host-based security agents have no visibility into it, so the malicious activity inside is shielded from them.

  • Custom Malware: The use of custom-developed malware, specifically CurlyShell and CurlCat, reduces the likelihood of detection by signature-based antivirus solutions.

  • Encrypted Communication: The use of encrypted HTTP GET/POST requests and SSH-based tunneling protects C2 communication from network-based monitoring.

  • Dynamic C2 Infrastructure: The use of dynamically provisioned and rotated C2 infrastructure makes it difficult to track and block the threat actor's communication channels.


The attackers maintain operational security by minimizing their footprint, leveraging encryption, and isolating their activity within the VM environment. These techniques present significant detection challenges for security teams, as traditional defenses are often ineffective against virtualization-based attacks.


6. Conclusion and Threat Assessment

The threat actor Curly COMrades exhibits a high degree of operational sophistication and a demonstrated ability to evade traditional security controls through the use of virtualization-based isolation and custom malware. Their determination to maintain a reverse proxy capability, coupled with the persistent introduction of new tooling, indicates a sustained commitment to their objectives.

The broader implications for the cybersecurity community are significant, highlighting the need for advanced threat hunting and behavioral detection capabilities that can identify and mitigate virtualization-based attacks. Security teams must prioritize:

  • Enhanced visibility into VM activity.

  • Advanced endpoint detection and response (EDR) solutions capable of detecting malicious activity within virtualized environments.

  • Behavioral analytics to identify anomalous activity patterns indicative of compromise.

  • Network-based threat detection solutions capable of identifying encrypted C2 communication.

  • Regular threat intelligence updates to stay abreast of evolving TTPs.


Combating the threat posed by Curly COMrades requires a multi-layered security approach that combines advanced technology with proactive threat hunting and incident response capabilities. The persistent evolution of attacker TTPs demands a continuous cycle of adaptation and improvement in cybersecurity defenses.
