Russian Spies Hide Malware in Windows VMs | Hyper-V Bypass Exposed (2025)

A threat group that Bitdefender tracks as Curly COMrades has found a way to stay on compromised Windows machines by abusing Microsoft's own Hyper-V hypervisor. Rather than exploiting a vulnerability, the attackers switch on Hyper-V, a legitimate Windows feature, and use it to run a hidden Alpine Linux virtual machine (VM) on the victim's computer. Malware running inside that VM is out of reach of most host-based endpoint security, which gives the group long-term access to compromised networks for espionage and for deploying custom tooling.

In a recent report, Bitdefender senior security researcher Victor Vrabie described the hidden VM as remarkably lightweight: it needs only 120 MB of disk space and 256 MB of memory. It hosts two custom tools, CurlyShell, a reverse shell, and CurlCat, a reverse proxy, which keep the attackers' access alive and blend their command-and-control traffic in with ordinary web traffic. The key point is the isolation: processes inside the guest are invisible to security agents on the host, and because the guest's traffic leaves through the host's network stack, it appears to originate from the host itself. Detection is harder, not impossible, but the usual host-based telemetry no longer sees the malware.

Bitdefender uncovered the campaign together with the Georgian Computer Emergency Response Team (CERT). It illustrates a growing pattern: threat actors using legitimate virtualization technology to sidestep endpoint detection and response (EDR) products. Bitdefender has tracked Curly COMrades since 2024 and assesses that its activity aligns with Russian geopolitical interests, without explicitly attributing the group to the Russian government. In August the group targeted judicial and government bodies in Georgia and an energy company in Moldova. The latest campaign, which began in July, follows three steps: remotely enable Hyper-V on the compromised machine, download the Alpine Linux VM image, and configure the guest's networking so that all of its traffic leaves through the host's IP address, hiding the guest behind the host.

The VM carries two implants: CurlyShell, which survives reboots through a cron job, and CurlCat, which wraps SSH traffic in ordinary-looking HTTP requests. In this campaign the attackers used a Georgian website as their command-and-control (C2) server. As EDR coverage becomes standard, techniques like this show attackers moving their tooling to layers the endpoint agent cannot see rather than trying to defeat the agent head-on.
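As an added example (not code from Bitdefender's report or from the attackers' tooling), the following PowerShell audit checks a Windows host for the footprint the three steps above leave behind: the Hyper-V feature state, VMs with an unusually small memory and disk allocation or a recent creation time, NAT-backed virtual switches that would let a guest share the host's address, and recent VM lifecycle events. The size thresholds and look-back window are illustrative assumptions; run it in an elevated session.

```powershell
# Added example (not code from the Bitdefender report or the attackers' tooling):
# audit a Windows host for the footprint described above. Run in an elevated
# session. $MaxMemoryMB, $MaxDiskGB and $LookbackDays are illustrative thresholds.

param(
    [int]$MaxMemoryMB  = 512,
    [int]$MaxDiskGB    = 1,
    [int]$LookbackDays = 30
)
$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Hyper-V feature state. On a workstation with no business running VMs,
#    'Enabled' is itself a finding; an enabled platform with disabled
#    management tools is also worth noting.
$features = Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -like 'Microsoft-Hyper-V*' } |
    Select-Object FeatureName, State
$features | Format-Table -AutoSize
$platform = $features | Where-Object { $_.FeatureName -eq 'Microsoft-Hyper-V' }
if (-not $platform -or $platform.State -ne 'Enabled') {
    Write-Host 'Hyper-V platform is not enabled; nothing further to inspect.'
    return
}

# 2. Inventory VMs and flag any with a tiny footprint or a recent creation
#    time. A 256 MB guest on a sub-gigabyte disk stands out next to any
#    legitimate developer VM.
Import-Module Hyper-V -ErrorAction Stop
$inventory = foreach ($vm in Get-VM) {
    $disks  = @(Get-VMHardDiskDrive -VMName $vm.Name)
    $diskGB = 0
    foreach ($d in $disks) {
        if ($d.Path -and (Test-Path -LiteralPath $d.Path)) {
            $diskGB += (Get-Item -LiteralPath $d.Path).Length / 1GB
        }
    }
    $memMB = $vm.MemoryStartup / 1MB
    [pscustomobject]@{
        Name       = $vm.Name
        State      = $vm.State
        MemoryMB   = [int]$memMB
        DiskGB     = [math]::Round($diskGB, 2)
        DiskPaths  = ($disks.Path -join '; ')
        Created    = $vm.CreationTime
        Switches   = (@(Get-VMNetworkAdapter -VM $vm).SwitchName -join '; ')
        Suspicious = ($memMB -le $MaxMemoryMB -and $diskGB -le $MaxDiskGB) -or
                     ($vm.CreationTime -gt $since)
    }
}
$inventory | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# 3. Networking. Hyper-V's 'Default Switch' gives guests a NAT address behind
#    the host, so a guest on it shares the host's outbound IP, which is how
#    guest C2 traffic ends up looking like it comes from the host.
Get-VMSwitch | Select-Object Name, SwitchType, NetAdapterInterfaceDescription
Get-NetNat -ErrorAction SilentlyContinue |
    Select-Object Name, InternalIPInterfaceAddressPrefix, Active

# 4. VM lifecycle events (create/start/stop) recorded by the management
#    service within the look-back window.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Hyper-V-VMMS-Admin'
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap -AutoSize
```

Step 3 is there because Hyper-V's Default Switch hands guests a NAT address behind the host, so anything the guest sends to the internet carries the host's IP; that matches the traffic-routing behaviour described above. If Import-Module Hyper-V fails even though the platform feature shows as enabled, the management tools were left disabled, which on an ordinary workstation deserves a closer look on its own.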

Alongside the malware, the researchers found two kinds of PowerShell scripts linked to Curly COMrades. One injects a Kerberos ticket into LSASS so that the attackers can authenticate to remote systems with it (a pass-the-ticket technique); the other creates a persistent local account across domain-joined machines. Both fit a broader trend: threat actors increasingly evade EDR/XDR by leaning on native system tools and legitimate products rather than on custom exploits. Ransomware gangs in particular now routinely ship 'EDR killers' that disable endpoint agents outright.
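The two PowerShell behaviours above leave traces on the host. As an added example that is not part of the report, the script below checks the Security log for a local account that was created and then added to a privileged local group within a look-back window, and lists Kerberos tickets in the current logon session whose client principal differs from the logged-on user, which is what an injected ticket looks like from the host side. The look-back window and the group list are assumptions; it needs an elevated session and account-management auditing enabled.

```powershell
# Added example (not from the Bitdefender report): host-side checks for the two
# PowerShell behaviours described above. Run in an elevated session on a machine
# where 'Audit User Account Management' is enabled. $LookbackDays and $privGroups
# are illustrative assumptions.

param([int]$LookbackDays = 30)
$since = (Get-Date).AddDays(-$LookbackDays)

# Read a named EventData field from an event's XML, so we do not depend on the
# positional Properties[] layout, which differs between event IDs.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# --- (a) New local account that was then added to a privileged local group ---
# 4720 = a user account was created; 4732 = a member was added to a
# security-enabled local group.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4720, 4732; StartTime = $since
} -ErrorAction SilentlyContinue

$created = @{}
foreach ($e in ($events | Where-Object Id -eq 4720)) {
    $created[(Get-EventField $e 'TargetUserName')] = $e.TimeCreated
}

$privGroups = 'Administrators', 'Remote Desktop Users', 'Remote Management Users'
$findings = foreach ($e in ($events | Where-Object Id -eq 4732)) {
    $group = Get-EventField $e 'TargetUserName'
    $sid   = Get-EventField $e 'MemberSid'
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $member = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $member = $sid }      # account may already have been deleted
    $user = ($member -split '\\')[-1]
    if ($privGroups -contains $group -and $created.ContainsKey($user)) {
        [pscustomobject]@{
            Account   = $member
            CreatedAt = $created[$user]
            AddedTo   = $group
            AddedAt   = $e.TimeCreated
            By        = Get-EventField $e 'SubjectUserName'
        }
    }
}
if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Host "No new local accounts were added to $($privGroups -join ', ') since $since" }

# --- (b) Kerberos tickets in this logon session that belong to someone else ---
# klist prints one block per cached ticket, e.g.
#   #0>  Client: alice @ CORP.EXAMPLE
#        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
# A client principal that is not the logged-on user is the footprint of a
# ticket injected into LSASS from elsewhere.
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # DOMAIN\user
$meUser = ($me -split '\\')[-1]
$blocks = ((klist) -join "`n") -split '#\d+>' | Where-Object { $_ -match 'Client:' }
foreach ($b in $blocks) {
    if ($b -match 'Client:\s*(\S+)\s*@\s*(\S+)') {
        $client, $realm = $Matches[1], $Matches[2]
        $server = if ($b -match 'Server:\s*(\S+)') { $Matches[1] } else { '?' }
        if ($client -ne $meUser) {
            Write-Warning "Ticket for $client@$realm (service $server) cached in a session owned by $me"
        }
    }
}
```

klist only shows the caller's own logon session; to inspect another session (for example SYSTEM, logon ID 0x3e7) use `klist -li <LogonId>` and parse it the same way. The script inspects one machine, so to cover the "across domain-joined machines" case run it fleet-wide with Invoke-Command, and bear in mind that a stolen ticket issued in the current user's own name is outside what check (b) can see.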

To counter such threats, Bitdefender and other experts recommend a layered, defense-in-depth strategy: endpoint detection alone is no longer enough, because it frequently misses the misuse of legitimate tools. Bitdefender has also published a list of Curly COMrades indicators of compromise (IOCs) in its GitHub repository for defenders to use.

The question the campaign leaves defenders with is whether current, endpoint-centric security measures are enough, or whether defenders will always be one step behind attackers who move their tooling to layers the endpoint agent cannot see.

Article information

Author: Delena Feil