Russian Spies Pack Custom Malware Into Hidden VMs on Windows

Curly COMrades exploited Hyper-V to hide malware in Alpine Linux VMs, bypassing endpoint detection and response on Windows systems since mid-2024, researchers found.

  • Curly COMrades abused Microsoft Hyper-V to deploy a minimal Alpine Linux VM hosting the CurlyShell and CurlCat implants, used for command execution and traffic proxying.
  • Bitdefender, a Romanian cybersecurity firm, and the Georgian Computer Emergency Response Team uncovered the campaign; they have tracked Curly COMrades since mid-2024 and assess that its activity aligns with Russian geopolitical interests, though no direct government link has been established.
  • After gaining remote access, the attackers enabled Hyper-V on two machines, disabled its management interface, named the VM 'WSL', attached it to the Default Switch network adapter, and deployed PowerShell scripts for Kerberos ticket injection into LSASS and for a Group Policy-based persistence mechanism.
  • Vrabie wrote that isolating the malware inside a VM let the attackers bypass host-based EDR, and Bitdefender explained that the malicious outbound traffic appears to originate from the host IP address, wrapped as SSH over HTTP.
  • Researchers recommend a multi-layered, defense-in-depth strategy: Bitdefender and other security experts note that encrypted embedded payloads and PowerShell abuse leave minimal forensic traces, and that security-tool coverage across the host and guest boundary is fragmented.
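A defender-side hunt for the host configuration pattern described in the bullets above, written as an added example (it is not code from the article, Bitdefender, or the Georgian CERT). It assumes an elevated PowerShell session on a Windows 10/11 or Server 2016+ host with the DISM module available; because the attackers disabled Hyper-V management, guests are enumerated through the virtualization WMI provider rather than relying on the Hyper-V PowerShell module.

```powershell
# Added example (not from the article): flag Hyper-V configurations matching the
# reported tradecraft on a single Windows host. Assumes: run elevated; DISM module
# present; 'root\virtualization\v2' WMI namespace present when Hyper-V is enabled.
function Find-HiddenHyperVGuest {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Hypervisor platform enabled while the management tooling is disabled is
    #    unusual for an admin-built setup and matches the reported behaviour.
    $features = Get-WindowsOptionalFeature -Online |
        Where-Object { $_.FeatureName -like 'Microsoft-Hyper-V*' }
    $platform = ($features | Where-Object FeatureName -eq 'Microsoft-Hyper-V').State
    $mgmt     = ($features | Where-Object FeatureName -eq 'Microsoft-Hyper-V-Management-PowerShell').State
    if ($platform -eq 'Enabled' -and $mgmt -ne 'Enabled') {
        $findings.Add('Hyper-V platform enabled but Hyper-V PowerShell management is disabled')
    }

    # 2. Enumerate registered guests via WMI. A genuine WSL2 distribution does not
    #    appear here as a registered Hyper-V VM, so a guest named 'WSL' is a strong signal.
    $guests = Get-CimInstance -Namespace 'root\virtualization\v2' -ClassName Msvm_ComputerSystem `
                -ErrorAction SilentlyContinue |
        Where-Object { $_.Caption -eq 'Virtual Machine' }
    foreach ($g in $guests) {
        if ($g.ElementName -match '^WSL') {
            $findings.Add("Registered Hyper-V VM named '$($g.ElementName)' (WSL2 does not register one)")
        }
    }

    # 3. When the Hyper-V module is still present, also list guests on 'Default Switch',
    #    whose NAT makes guest traffic appear to come from the host IP as the researchers described.
    if (Get-Command Get-VMNetworkAdapter -ErrorAction SilentlyContinue) {
        Get-VMNetworkAdapter -VMName * -ErrorAction SilentlyContinue |
            Where-Object { $_.SwitchName -eq 'Default Switch' } |
            ForEach-Object { $findings.Add("VM '$($_.VMName)' attached to Default Switch") }
    }
    return $findings
}

Find-HiddenHyperVGuest | ForEach-Object { Write-Output "[finding] $_" }
```

The Default Switch finding on its own is common on developer machines; treat it as corroborating evidence for the first two checks rather than as a standalone alert.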
Insights by Ground AI

16 Articles

Global Security Mag Online

Thanks to the cooperation of the Georgian CERT, Bitdefender has identified a second advanced campaign by the Russian-affiliated APT Curly COMrades Group, which is abusing Hyper-V virtualization to establish hidden operational environments and maintain persistent access. Bitdefender's continued investigation of the Curly COMrades Group - already documented for the first time in August 2025 - reveals the new tools and techniques used by the Russia…


Bias Distribution

  • 100% of the sources are Center


BleepingComputer broke the news on Tuesday, November 4, 2025.
