Russian spies hide malware in invisible Windows VMs


According to TheRegister.com, Russian hacking group Curly COMrades has been abusing Microsoft’s Hyper-V hypervisor since July to run hidden Alpine Linux-based virtual machines that sit outside the view of endpoint security tools. These lightweight VMs use only 120MB of disk space and 256MB of memory while hosting the group’s custom reverse shell, CurlyShell, and reverse proxy, CurlCat. Bitdefender researchers working with Georgia’s CERT discovered the campaign, which targets judicial and government bodies in Georgia plus an energy company in Moldova. The group attaches the VMs to Hyper-V’s Default Switch, so all guest traffic is NATed through the host machine’s network stack and malicious communications appear to originate from the host’s legitimate IP address.


The virtualization loophole

Here’s what’s genuinely clever about this approach: once they’re in, they aren’t relying on an exploit, they’re using built-in features against us. Hyper-V ships with Windows, and enabling the role while disabling the management interface is like having a secret room in your house that doesn’t show up on the blueprints: the guest keeps running, but the tooling an admin would normally use to list it is gone. Attaching the guest to the Default Switch means its traffic is NATed behind the host, so on the wire it carries the host’s IP address and looks exactly like normal host traffic. It’s hiding in plain sight.

And this isn’t some theoretical technique (strictly, it isn’t a vulnerability at all), we’re talking about real attacks against government and energy infrastructure. When security researchers say “bypasses EDR,” they mean something specific: the agent runs on the Windows host, so it has no view of the guest’s processes, files, or memory. What it does see is a vmwp.exe worker process and the host’s own network connections, which is exactly what the attackers are counting on. Inside the guest they get root-level persistence through cron jobs, and their custom implants, written in C++ on top of libcurl, blend right into normal activity.
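The flip side of “the EDR can’t see inside the guest” is that the host still carries the wrapper. The script below is an added hunt example, written for this article and not taken from the Bitdefender report or the group’s tooling; it checks a single Windows host for the host-side artifacts the technique described above leaves behind: the Hyper-V role enabled with its management clients disabled, guests enumerated through WMI (so it works even when the Hyper-V PowerShell module is gone), the Default Switch and its host-side vEthernet adapter, vmwp.exe worker processes, small virtual disks, and recent VMMS events. The search roots and the 300MB size cut-off are my assumptions, chosen to catch a guest disk in the 120MB range.

```powershell
# Added hunt script (not from the report or the article). Run in an elevated
# PowerShell session on the host you are checking. Search roots and the 300MB
# threshold are assumptions, not indicators from the report.

# 1. Feature state: Hyper-V enabled while its management clients are disabled
#    is the combination the article describes.
$features = Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -like 'Microsoft-Hyper-V*' } |
    Select-Object FeatureName, State
$features | Format-Table -AutoSize

$hv   = $features | Where-Object { $_.FeatureName -eq 'Microsoft-Hyper-V' }
$mgmt = $features | Where-Object { $_.FeatureName -eq 'Microsoft-Hyper-V-Management-Clients' }
if ($hv.State -eq 'Enabled' -and $mgmt.State -ne 'Enabled') {
    Write-Warning 'Hyper-V role enabled but management clients disabled: matches the described tradecraft'
}

# 2. Enumerate guests through WMI rather than Get-VM, so this still works when
#    the Hyper-V PowerShell module has been removed. The host itself shows up
#    with Caption 'Hosting Computer System'; guests are 'Virtual Machine'.
#    EnabledState 2 means running.
$vms = Get-CimInstance -Namespace 'root\virtualization\v2' -ClassName Msvm_ComputerSystem -ErrorAction SilentlyContinue |
    Where-Object { $_.Caption -eq 'Virtual Machine' }
foreach ($vm in $vms) {
    "VM '{0}' id={1} state={2} installed={3}" -f $vm.ElementName, $vm.Name, $vm.EnabledState, $vm.InstallDate
}

# 3. Virtual switches and the host-side vEthernet adapter. A guest on
#    'Default Switch' is NATed behind the host's IP, which is the whole trick.
Get-CimInstance -Namespace 'root\virtualization\v2' -ClassName Msvm_VirtualEthernetSwitch -ErrorAction SilentlyContinue |
    Select-Object ElementName, Name
Get-NetAdapter -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'vEthernet*' } |
    Select-Object Name, Status, MacAddress

# 4. Every running guest has a vmwp.exe worker process on the host (vmmem is
#    the pseudo-process that accounts for guest memory). The EDR sees these,
#    not what runs inside them.
Get-Process -Name vmwp, vmmem -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, StartTime

# 5. Small virtual disks in user-writable locations. Roots are an assumption.
$roots = 'C:\ProgramData', 'C:\Users', 'C:\Windows\Temp'
Get-ChildItem -Path $roots -Recurse -Include *.vhd, *.vhdx -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -lt 300MB } |
    Select-Object FullName, Length, CreationTime

# 6. Recent VMMS administrative events; VM creation and start are logged here.
Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents 100 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

None of these checks is a confirmed indicator on its own: a developer workstation will legitimately have Hyper-V, a Default Switch and a vmwp.exe. The signal is the combination on a machine where nobody enabled the role, plus a guest nobody can name.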

Why this should worry everyone

So here’s the thing: this isn’t just another malware campaign. We’re seeing a fundamental shift in how sophisticated threat actors operate. They’re not trying to beat security tools head-on anymore, they’re finding ways to operate outside their visibility. By isolating their malware in a hidden VM, they’ve created a safe space where traditional endpoint detection can’t see what’s happening inside. All that’s left on the host is the wrapper: the hypervisor role, the guest’s disk file, the worker process that runs it and the NATed connections leaving the box.

Remember when everyone thought virtualization was the security solution? Now it’s becoming the attack vector. Curly COMrades is demonstrating what security researchers have warned about for years: as EDR becomes commoditized, attackers are getting smarter about evasion techniques. And let’s be honest – how many organizations are actually monitoring for Hyper-V abuse? Probably close to zero.

The uncomfortable truth about detection

Bitdefender’s detailed analysis shows this group has been active since at least early 2024, and its previous campaigns against Georgia show consistent targeting of geopolitical interests. But here’s what keeps me up at night: they’re also using PowerShell scripts to inject Kerberos tickets and create local accounts across domain-joined machines. That’s not one compromised laptop, that’s lateral movement with domain credentials across the enterprise.
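The account-creation half of that is one of the few steps in the chain that leaves ordinary Windows audit records. As an added example (mine, not a script from the report), the following pulls local account creations and local-group membership changes from the Security log on one or more hosts. Event 4720 is “A user account was created” and 4732 is “A member was added to a security-enabled local group”; the seven-day window and the use of remote event-log access over RPC are assumptions, and the host list is something you would feed it.

```powershell
# Added example (not from the report): hunt for local account creation and
# local-group changes in the Security log. Run elevated; remote hosts need
# remote event-log access (RPC) to be permitted. The 7-day window is an assumption.

param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$Days = 7
)

# 4720 = user account created, 4732 = member added to a security-enabled local group
$filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = (Get-Date).AddDays(-$Days) }

foreach ($computer in $ComputerName) {
    $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read EventData fields by name rather than by position; the positions
        # differ between 4720 and 4732.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        switch ($e.Id) {
            4720 {
                "{0} {1} account created: {2}\{3} by {4}\{5}" -f $computer, $e.TimeCreated,
                    $data.TargetDomainName, $data.TargetUserName,
                    $data.SubjectDomainName, $data.SubjectUserName
            }
            4732 {
                "{0} {1} member added to local group {2}: SID {3} by {4}\{5}" -f $computer, $e.TimeCreated,
                    $data.TargetUserName, $data.MemberSid,
                    $data.SubjectDomainName, $data.SubjectUserName
            }
        }
    }
}
```

On a domain-joined endpoint, a 4720 where the target domain is the local machine name rather than the domain is the interesting row: legitimate provisioning creates domain accounts, and a fresh local account on a file server is the kind of thing this group’s scripts produce.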

The security industry’s response? “Use multi-layered defense.” Okay, but let’s be real: most organizations barely have their basic endpoint protection configured properly. When attackers are this sophisticated, relying on any single layer is security theater. Bitdefender has published IOCs on GitHub, but how many security teams are actually hunting for these specific indicators, let alone for the generic artifacts (a Hyper-V role nobody asked for, a tiny VHDX in a user directory, a guest hanging off the Default Switch) that would catch the next variant with different hashes?

This campaign reveals an uncomfortable truth: our security tools are becoming blind to attacks that use legitimate system features. When everything looks normal because it is normal, just weaponized, where does that leave traditional detection? Looking at the seams: the feature that got enabled, the file that got written, the worker process that got spawned and the connections leaving the host. We’re in for some interesting times ahead.
