Curly COMrades Exploit Hyper-V to Conceal Malware on Windows 10 Systems
A sophisticated cyber threat actor known as Curly COMrades has developed an innovative attack strategy that exploits legitimate Windows virtualization features to establish covert, long-term access to compromised networks. This campaign, initiated in early July 2025, signifies a notable advancement in adversary tactics, as attackers increasingly seek methods to circumvent standard endpoint detection and response (EDR) solutions.
Exploiting Hyper-V for Stealthy Operations
Central to this operation is the misuse of Hyper-V, Microsoft’s native hypervisor, on compromised Windows 10 machines. By enabling the Hyper-V role and deploying a minimalistic Alpine Linux-based virtual machine (VM), the attackers create a concealed environment to host custom malware, effectively evading traditional host-based security monitoring.
The deployed VM is lightweight, requiring only 120MB of disk space and 256MB of memory. Within this environment, two custom implants are executed:
– CurlyShell: A persistent reverse shell facilitating continuous remote access.
– CurlCat: A reverse proxy tool enabling the attackers to route their traffic through the compromised host.
This approach allows malicious activities to blend seamlessly with legitimate network traffic, complicating detection efforts.
Discovery and Attribution
Bitdefender researchers, in collaboration with the Georgian Computer Emergency Response Team (CERT), identified this advanced campaign. The investigation began when a malicious sample was detected communicating with a compromised site under monitoring. Further analysis revealed that Curly COMrades, first documented in August 2025 as a group supporting Russian interests in geopolitical hotspots, had significantly enhanced its toolkit and operational sophistication.
Technical Analysis of the Attack
The attackers’ methodology demonstrates meticulous planning and technical expertise. By isolating their malware execution within a VM, they effectively bypass many traditional security detections. Malicious traffic is routed through the host’s network stack, making it appear as though it originates from legitimate IP addresses.
Deployment and Persistence Mechanisms
The attack sequence begins with remotely enabling the Hyper-V virtualization feature while deliberately disabling its management interface to reduce visibility. The following commands are executed:
```
dism /online /disable-feature /FeatureName:microsoft-hyper-v-Management-clients /norestart
dism /online /enable-feature /All /LimitAccess /FeatureName:microsoft-hyper-v /norestart
```
After a brief interval, the attackers proceed to the payload delivery phase. A RAR archive, disguised as a video file, is downloaded and extracted to the directory `c:\programdata\microsoft\AppV\app`, a location chosen to blend with legitimate Microsoft application virtualization files. The VM files are then imported using PowerShell:
```
powershell.exe -c import-vm -path c:\\programdata\\microsoft\\AppV\\app\\Virtual Machines\\1DBCC80B-5803-4AF1-8772-712C688F408A.vmcx -Copy -GenerateNewId
powershell.exe -c Start-VM -name WSL
```
The VM is named WSL to suggest the use of Windows Subsystem for Linux, a commonly trusted developer tool, thereby reducing suspicion. However, this is a fully isolated Hyper-V instance operating outside the standard WSL framework.
Persistence within the VM is achieved through a root-level crontab entry that executes every four hours at 20 minutes past the hour. The cron task runs `/bin/alpine_init`, which subsequently launches the CurlyShell implant located at `/bin/init_tools`. CurlyShell maintains HTTPS communication with the command and control infrastructure, while CurlCat manages SSH reverse proxy tunneling on demand.
The VM configuration utilizes Hyper-V’s Default Switch network adapter with Network Address Translation (NAT), ensuring all malicious outbound traffic appears to originate from the compromised host machine’s legitimate IP address. This significantly complicates attribution and detection efforts.
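The deployment sequence above (dism removing the Hyper-V management clients while enabling the role, Import-VM from the AppV directory, Start-VM against a VM called WSL) gives a detection team something concrete to alert on from process-creation telemetry. The following Python is an added example, not code from the article or from the Bitdefender report: it runs four single-event rules and one temporal correlation over constructed process-creation records. The record format, the host and user names, the severity labels and the 30-minute correlation window are assumptions; the four attacker command lines are the ones quoted above, and the two trailing records are benign admin activity included for contrast.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records in a simplified SIEM export shape
# (what Windows Security event 4688 or Sysmon event 1 might be flattened to):
#   timestamp|host|user|command line
# Hosts and users are invented. Lines 1-4 reproduce the campaign's command lines;
# lines 5-6 are ordinary administration and should not escalate.
SAMPLE_LOG = r"""
2025-07-03T10:12:01Z|WS-0412|CORP\svc_backup|dism /online /disable-feature /FeatureName:microsoft-hyper-v-Management-clients /norestart
2025-07-03T10:12:03Z|WS-0412|CORP\svc_backup|dism /online /enable-feature /All /LimitAccess /FeatureName:microsoft-hyper-v /norestart
2025-07-03T10:25:40Z|WS-0412|CORP\svc_backup|powershell.exe -c import-vm -path c:\programdata\microsoft\AppV\app\Virtual Machines\1DBCC80B-5803-4AF1-8772-712C688F408A.vmcx -Copy -GenerateNewId
2025-07-03T10:25:44Z|WS-0412|CORP\svc_backup|powershell.exe -c Start-VM -name WSL
2025-07-03T11:00:00Z|WS-0099|CORP\jdoe|powershell.exe -c Get-VM
2025-07-03T11:05:00Z|WS-0099|CORP\admin|dism /online /enable-feature /FeatureName:Microsoft-Hyper-V-All /norestart
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    host: str
    ts: datetime
    evidence: str


def parse_log(text):
    """Parse pipe-separated records; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = line.split("|", 3)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, cmd))
    return events


# Single-event rules, matched against the lower-cased command line.
# Severities are assumptions: enabling Hyper-V alone is common admin work (low),
# removing its management clients is odd on its own (medium), and importing a VM from
# the AppV directory or starting a Hyper-V VM named WSL is specific to this tradecraft.
RULES = [
    ("hyperv_mgmt_clients_disabled", "medium",
     re.compile(r"dism\b.*/disable-feature\b.*/featurename:microsoft-hyper-v-management-clients\b")),
    ("hyperv_role_enabled", "low",
     re.compile(r"dism\b.*/enable-feature\b.*/featurename:microsoft-hyper-v(?:-all)?(?=\s|$)")),
    ("vm_import_from_appv_dir", "high",
     re.compile(r"\bimport-vm\b.*programdata\\+microsoft\\+appv\\+")),
    ("vm_named_wsl_started", "high",
     re.compile(r"\bstart-vm\b.*-name\s+wsl(?=\s|$)")),
]

CORRELATION_WINDOW = timedelta(minutes=30)  # assumed: the two dism commands ran seconds apart


def match_rules(events):
    findings = []
    for ev in events:
        cmd = ev.cmdline.lower()
        for rule, severity, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(rule, severity, ev.host, ev.ts, ev.cmdline))
    return findings


def correlate(findings):
    """Escalate when the Hyper-V role is enabled and its management clients are
    removed on the same host within the window: a role nobody can manage locally."""
    escalations = []
    for d in (f for f in findings if f.rule == "hyperv_mgmt_clients_disabled"):
        for e in (f for f in findings if f.rule == "hyperv_role_enabled" and f.host == d.host):
            if abs(e.ts - d.ts) <= CORRELATION_WINDOW:
                escalations.append(Finding("hyperv_enabled_without_management_ui", "high", d.host,
                                           max(d.ts, e.ts), f"{d.evidence} || {e.evidence}"))
    return escalations


def detect(text):
    """Full pipeline: parse, apply single-event rules, add correlations, sort by time."""
    events = parse_log(text)
    findings = match_rules(events)
    findings += correlate(findings)
    return sorted(findings, key=lambda f: (f.ts, f.rule))


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.ts:%H:%M:%S} {f.host:<8} {f.severity:<6} {f.rule}")
```

On the constructed sample, WS-0412 produces three high-severity findings (the AppV import, the VM named WSL, and the correlated role-without-management-clients escalation), while the admin on WS-0099 enabling Hyper-V normally only raises the low-severity role rule and never escalates. A real deployment would feed these rules from the SIEM rather than a string, but the rule logic is the same.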
Advanced Persistence and Lateral Movement
The attackers employ multiple mechanisms to establish persistence and facilitate lateral movement within the compromised network:
– PowerShell Scripts: Configured via Group Policy for local account creation, these scripts ensure the attackers maintain access even if initial entry points are discovered and remediated.
– Kerberos Ticket Manipulation: By exploiting Kerberos authentication, the attackers can move laterally across the network, accessing additional systems without raising alarms.
– Proxy and Tunneling Tools: The deployment of various tools such as Resocks, Rsockstun, Ligolo-ng, CCProxy, and Stunnel illustrates the group’s determination to maintain flexible access channels to compromised environments.
Implications and Recommendations
The Curly COMrades’ use of Hyper-V to conceal their activities represents a significant evolution in cyberattack methodologies. By leveraging legitimate virtualization features, they create a hidden operational environment that is challenging to detect and remediate.
To defend against such sophisticated threats, organizations should consider the following measures:
1. Monitor Virtualization Features: Regularly audit and monitor the use of virtualization features like Hyper-V on all systems. Unauthorized activation should be investigated promptly.
2. Enhance Endpoint Detection: Deploy advanced EDR solutions capable of detecting anomalies associated with virtualization abuse and unusual network traffic patterns.
3. Implement Network Segmentation: Limit the potential for lateral movement by segmenting networks and enforcing strict access controls between segments.
4. Regularly Update and Patch Systems: Ensure all systems are up-to-date with the latest security patches to mitigate known vulnerabilities that could be exploited by attackers.
5. Conduct Security Awareness Training: Educate employees about the risks of phishing and other social engineering attacks that could serve as initial entry points for adversaries.
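The first recommendation, auditing virtualization features, is the one that maps most directly to this campaign's footprint. As an added example (not from the article), the Python below audits Hyper-V state against an allow-list of hosts that are supposed to run the role, flagging the traits described above: the role enabled with its management clients disabled, a Hyper-V VM registered under the name WSL, VM files staged under the AppV directory, and a very small running VM. The inventory records are constructed, and their shape (one record per host with feature states and registered VMs, as an out-of-band export from Get-WindowsOptionalFeature -Online and Get-VM might be flattened to) is an assumption, as are the allow-list and the severity labels.

```python
import json

# Assumed policy: hosts where the Hyper-V role is expected; anything else is an exception.
APPROVED_HYPERV_HOSTS = {"DEV-BUILD-01"}
# Directory the campaign used to stage the VM files (lower-cased for matching).
STAGING_DIR_MARKER = "\\programdata\\microsoft\\appv\\"
# The attackers' VM ran with 256MB of memory; a running VM this small is worth a look.
TINY_VM_MEMORY_MB = 256

# Constructed inventory: host names, the build VM and the D:\VMs path are invented.
# WS-0412 mirrors the compromised host described in the article; the other two are clean.
INVENTORY = json.loads(r"""
[
  {"host": "WS-0412",
   "features": {"Microsoft-Hyper-V": "Enabled",
                "Microsoft-Hyper-V-Management-Clients": "Disabled"},
   "vms": [{"name": "WSL", "state": "Running", "memory_mb": 256,
            "config_path": "C:\\ProgramData\\Microsoft\\AppV\\app\\Virtual Machines\\1DBCC80B-5803-4AF1-8772-712C688F408A.vmcx",
            "switch": "Default Switch"}]},
  {"host": "DEV-BUILD-01",
   "features": {"Microsoft-Hyper-V": "Enabled",
                "Microsoft-Hyper-V-Management-Clients": "Enabled"},
   "vms": [{"name": "build-ubuntu", "state": "Off", "memory_mb": 4096,
            "config_path": "D:\\VMs\\build-ubuntu\\Virtual Machines\\build-ubuntu.vmcx",
            "switch": "Default Switch"}]},
  {"host": "WS-0099",
   "features": {"Microsoft-Hyper-V": "Disabled",
                "Microsoft-Hyper-V-Management-Clients": "Disabled"},
   "vms": []}
]
""")


def audit_host(record):
    """Return (rule, severity, detail) tuples for one host record."""
    findings = []
    host = record["host"]
    feats = record.get("features", {})
    role_on = feats.get("Microsoft-Hyper-V") == "Enabled"
    mgmt_on = feats.get("Microsoft-Hyper-V-Management-Clients") == "Enabled"

    if role_on and host not in APPROVED_HYPERV_HOSTS:
        findings.append(("unapproved_hyperv_role", "medium",
                         "Hyper-V role enabled on a host outside the allow-list"))
    if role_on and not mgmt_on:
        findings.append(("hyperv_without_management_clients", "high",
                         "role enabled but management clients disabled: VMs are invisible to local admins"))

    for vm in record.get("vms", []):
        name = vm["name"]
        # The article notes the attackers' VM is a full Hyper-V instance outside the WSL
        # framework, so a VM that Hyper-V itself lists under the name WSL deserves review.
        if name.lower() == "wsl":
            findings.append(("vm_masquerading_as_wsl", "high",
                             f"Hyper-V VM named '{name}' (not part of a real WSL install)"))
        if STAGING_DIR_MARKER in vm["config_path"].lower():
            findings.append(("vm_config_in_appv_dir", "high",
                             f"VM '{name}' configured from {vm['config_path']}"))
        if vm["state"] == "Running" and vm["memory_mb"] <= TINY_VM_MEMORY_MB:
            findings.append(("tiny_running_vm", "low",
                             f"VM '{name}' running with only {vm['memory_mb']}MB"))
    return findings


def audit_inventory(records):
    """Map host -> findings, omitting hosts with nothing to report."""
    result = {}
    for rec in records:
        findings = audit_host(rec)
        if findings:
            result[rec["host"]] = findings
    return result


if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY).items():
        for rule, severity, detail in findings:
            print(f"{host:<12} {severity:<6} {rule:<36} {detail}")
```

Run against the constructed inventory, only WS-0412 is reported, with five findings; the approved build host with its management clients intact and the workstation without the role are silent. The allow-list is what turns "Hyper-V is enabled" from noise into a signal, which is why the audit should be driven from an asset inventory rather than from the host's own view.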
By adopting a proactive and layered security approach, organizations can better defend against advanced persistent threats like those posed by Curly COMrades.