
Russian hackers abuse Hyper-V to hide malware in Linux VMs


The Russian hacker group Curly COMrades is abusing Microsoft Hyper-V in Windows to bypass endpoint detection and response solutions by creating a hidden Alpine Linux-based virtual machine to run malware.

Inside the virtual environment, the threat actor hosted its custom tools, the CurlyShell reverse shell and the CurlCat reverse proxy, which enabled operational stealth and communication.

Curly COMrades is a cyber-espionage threat group believed to be active since mid-2024. Its activities are closely aligned with Russian geopolitical interests.

Bitdefender previously exposed Curly COMrades' activities against government and judicial bodies in Georgia, as well as energy firms in Moldova.

With the help of the Georgian CERT, the Romanian cybersecurity firm uncovered more about the threat actor's latest operation.

The researchers found that in early July, after gaining remote access to two machines, Curly COMrades executed commands to enable Hyper-V and disable its management interface.

Hyper-V is Microsoft's native hypervisor, shipped with Windows (Pro and Enterprise editions) and Windows Server. It provides hardware virtualization, allowing users to run virtual machines (VMs) on the host.

"The attackers enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based virtual machine. This hidden environment, with its lightweight footprint (only 120MB disk space and 256MB memory), hosted their custom reverse shell, CurlyShell, and a reverse proxy, CurlCat," Bitdefender explains in a report shared with BleepingComputer.

Figure: CurlCat (left) and CurlyShell (right). Source: Bitdefender
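The report describes a specific host state: the Hyper-V role enabled, its management surface removed, and a very small VM running underneath. The following audit script is an added example for defenders, not Bitdefender's tooling or anything from the report; it assumes an elevated PowerShell session on a Windows 10/11 host (the optional-feature names are the Windows client names; Windows Server hosts would use Get-WindowsFeature with Hyper-V and Hyper-V-PowerShell instead), and the 512MB memory cut-off is an assumed threshold chosen to catch VMs sized like the 256MB one described above.

```powershell
# Added example: audit a Windows host for the Hyper-V abuse pattern in the report.
# Not Bitdefender's code. Assumes an elevated session on a Windows client build;
# feature names below are the client optional-feature names.

function Get-HyperVPosture {
    $posture = [ordered]@{
        HyperVEnabled     = $false
        ManagementEnabled = $false
        VmmsRunning       = $false
        RunningWorkers    = @()
        SmallVMs          = @()
        Findings          = @()
    }

    # 1. Feature state: the hypervisor platform versus the PowerShell management tools.
    $platform = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V' -ErrorAction SilentlyContinue
    $mgmt     = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-Management-PowerShell' -ErrorAction SilentlyContinue
    $posture.HyperVEnabled     = ($platform -and $platform.State -eq 'Enabled')
    $posture.ManagementEnabled = ($mgmt -and $mgmt.State -eq 'Enabled')

    # Role present while the usual management surface is disabled is the combination the report describes.
    if ($posture.HyperVEnabled -and -not $posture.ManagementEnabled) {
        $posture.Findings += 'Hyper-V platform enabled while the Hyper-V PowerShell management feature is disabled'
    }

    # 2. Service and worker processes: vmms is the VM management service, and each
    #    running VM has a vmwp.exe worker whose command line carries the VM id.
    $vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
    $posture.VmmsRunning = ($vmms -and $vmms.Status -eq 'Running')
    $posture.RunningWorkers = @(Get-CimInstance -ClassName Win32_Process -Filter "Name='vmwp.exe'" |
        Select-Object ProcessId, CommandLine)
    if ($posture.RunningWorkers.Count -gt 0 -and -not $posture.ManagementEnabled) {
        $posture.Findings += "$($posture.RunningWorkers.Count) VM worker process(es) running on a host without management tools"
    }

    # 3. If Get-VM is available, flag VMs sized like the one in the report (256MB memory).
    #    The 512MB threshold is an assumed cut-off for illustration, not a published indicator.
    if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
        $posture.SmallVMs = @(Get-VM | Where-Object { $_.MemoryStartup -le 512MB } |
            Select-Object Name, State,
                @{ n = 'MemoryMB'; e = { [int]($_.MemoryStartup / 1MB) } },
                ConfigurationLocation)
        foreach ($vm in $posture.SmallVMs) {
            $posture.Findings += "Small VM '$($vm.Name)' ($($vm.MemoryMB) MB) at $($vm.ConfigurationLocation)"
        }
    }

    [pscustomobject]$posture
}

# Usage: a non-empty Findings list on a workstation that has no business running
# Hyper-V warrants checking who enabled the role and when.
$posture = Get-HyperVPosture
$posture | Format-List
```

The script reports rather than remediates: on a host where the management feature has been removed, Get-VM is not available, so the service and worker-process checks (steps 2 and 3 fall back to step 2 alone) are what surface a VM that the usual tooling can no longer enumerate.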
