According to TheRegister.com, the Russian spy group Curly COMrades has been exploiting Microsoft’s Hyper-V hypervisor since July to create hidden Alpine Linux virtual machines that bypass endpoint security tools. The lightweight VM uses only 120 MB of disk space and 256 MB of memory and contains two custom implants: the CurlyShell reverse shell and the CurlCat reverse proxy. Working with Georgia’s CERT, Bitdefender discovered the campaign targeting judicial and government bodies in Georgia plus a Moldovan energy company. The attackers enable Hyper-V while disabling its management interface, then download their custom VM, which makes all malicious traffic appear to originate from the legitimate host machine’s IP address. Senior researcher Victor Vrabie confirmed the group supports Russian geopolitical interests, though no explicit government link has been established.
The virtualization trick that’s too clever
Here’s what makes this approach so sneaky: they’re using Microsoft’s own legitimate virtualization technology against itself. By creating a hidden Alpine Linux VM through Hyper-V, they’re effectively building a secure bunker right inside the compromised Windows machine. And security tools can’t see what’s happening inside that bunker because it’s isolated from the host system.
The real kicker? All the malicious traffic routes through the host’s network stack using Hyper-V’s Default Switch. So from a network perspective, everything looks perfectly normal – it’s all coming from the legitimate Windows machine’s IP address. Basically, they’ve created the perfect hiding spot using tools that are supposed to make systems more secure.
Why your security tools missed this
This is exactly the kind of attack that makes traditional endpoint detection and response (EDR) systems useless. When the malware runs inside a separate virtual machine, host-based security tools can’t see what’s happening. They’re looking at the Windows environment while the real action is happening in the hidden Linux VM.
And let’s be honest – how many organizations are monitoring for Hyper-V being enabled on workstations? Most security teams assume virtualization is something that happens on servers, not individual endpoints. The attackers counted on that assumption, and it worked perfectly.
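One way to start monitoring for exactly this on workstations, as an added PowerShell audit script that is not from the article or from Bitdefender: it flags the combination the campaign relies on (hypervisor enabled, management tooling removed, VMs or worker processes present) without depending on the Hyper-V PowerShell module, which the attackers disable. It assumes an elevated prompt on Windows 10/11 Pro or Enterprise; the feature names, the vmms service, the root\virtualization\v2 WMI namespace and vmwp.exe are standard Hyper-V components.

```powershell
# Added example (not from the article): audit a workstation for the Hyper-V
# posture described above. Run as Administrator.

$findings = @()

# 1. Hyper-V optional features. Hypervisor ON while the management clients and
#    PowerShell module are OFF is the unusual combination worth flagging.
$features = Get-WindowsOptionalFeature -Online |
    Where-Object FeatureName -like 'Microsoft-Hyper-V*' |
    Select-Object FeatureName, State
$hv   = $features | Where-Object FeatureName -eq 'Microsoft-Hyper-V-Hypervisor'
$mgmt = $features | Where-Object FeatureName -like 'Microsoft-Hyper-V-Management*'
if ($hv.State -eq 'Enabled') {
    $findings += 'Hyper-V hypervisor is ENABLED on this host'
    if (-not ($mgmt | Where-Object State -eq 'Enabled')) {
        $findings += 'Hyper-V management tools are DISABLED while the hypervisor is enabled (suspicious)'
    }
}

# 2. The Virtual Machine Management service must be running for any VM to run.
$vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
if ($vmms -and $vmms.Status -eq 'Running') {
    $findings += 'vmms (Hyper-V Virtual Machine Management) service is running'
}

# 3. Enumerate VMs through WMI rather than Get-VM, which needs the (possibly
#    removed) management module. Msvm_ComputerSystem also returns the host itself,
#    so keep only the entries whose Caption is 'Virtual Machine'.
#    EnabledState 2 = running, 3 = off.
$vms = Get-CimInstance -Namespace 'root\virtualization\v2' `
        -ClassName Msvm_ComputerSystem -ErrorAction SilentlyContinue |
    Where-Object Caption -eq 'Virtual Machine'
foreach ($vm in $vms) {
    $findings += "VM present: name='$($vm.ElementName)' EnabledState=$($vm.EnabledState)"
}

# 4. Every running VM has a vmwp.exe worker process, even if no VM is listed.
$workers = Get-Process -Name vmwp -ErrorAction SilentlyContinue
foreach ($w in $workers) {
    $findings += "vmwp.exe worker process running, PID $($w.Id)"
}

if ($findings.Count -eq 0) {
    Write-Output "No Hyper-V activity detected on $($env:COMPUTERNAME)"
} else {
    Write-Output "Hyper-V findings on $($env:COMPUTERNAME):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

On a workstation where nobody is supposed to run Hyper-V, any finding at all is worth a ticket; the second finding in particular is the pattern the article describes.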
How they stay hidden for months
The persistence mechanisms here are what really separate amateur hour from professional espionage. CurlyShell uses a cron job for root-level persistence inside the Alpine environment, while they’ve also got PowerShell scripts that inject Kerberos tickets and create local accounts across domain-joined machines. They’re playing both sides – maintaining access through the VM while also planting backup access methods in the Windows environment.
What’s particularly clever is how CurlCat wraps SSH traffic into standard HTTP requests. It’s the kind of technique that blends right into normal corporate network traffic. How many security teams are going to notice SSH traffic disguised as web browsing?
The uncomfortable truth about modern security
Bitdefender’s recommendation for a multi-layered defense strategy sounds great in theory, but let’s be real – most organizations are still heavily reliant on endpoint protection. The fact that attackers are now systematically bypassing EDR tools should be setting off alarm bells everywhere.
And this isn’t some theoretical risk – Bitdefender has been tracking these attacks since early 2024 against actual government and energy targets. Bitdefender even published the indicators of compromise on GitHub, which is both helpful and slightly terrifying when you think about how many organizations probably won’t bother to check them.
The bottom line? We’re in an arms race where attackers are getting smarter about using legitimate system features against us. And honestly, if Russian spies can hide entire virtual machines inside our Windows systems, what else are we missing?
