
Intro
Russian APT group “Curly COMrades” is abusing Microsoft Hyper-V to stealthily run malware inside hidden Alpine Linux VMs on Windows hosts. The method sidesteps host-based EDR by placing the tooling behind the virtualization boundary and uses only native Windows features to conceal reverse shells and pivoting tools. The attackers used these techniques in real-world operations targeting Georgian and Moldovan infrastructure in mid-2025.
CVE Context
– No CVE assigned – this is an abuse of legitimate Windows features
– Attack began: July 2025 (confirmed via incident reports)
– Impact: EDR evasion via virtualization boundary and PowerShell-based persistence
– Tools observed: CurlyShell (reverse shell), CurlCat (reverse proxy)
– VM name disguised as ‘WSL’, Alpine Linux used for minimal footprint
– Victims: Government, judiciary, and energy sector targets in Georgia and Moldova
Exploitation Detail
– Attackers remotely accessed Windows hosts and enabled Hyper-V using PowerShell
– Deployed a headless Alpine Linux VM (~120MB, 256MB RAM) using the “Default Switch”
– VM traffic tunneled through the host's network stack, appearing to come from the host
# PowerShell to enable Hyper-V silently
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart
Attacker Behavior Snapshot
– VM was named “WSL” to mimic Windows Subsystem for Linux
– CurlyShell maintained persistence via cron
– CurlCat established a SOCKS proxy for covert pivoting using HTTPS-over-SSH wrapping
Why This Matters
This technique demonstrates how native OS features like Hyper-V can be misused for stealthy malware deployment. The minimal Alpine Linux VM avoids detection, while attackers blend malicious traffic with normal network behavior.
Exploitation results in:
- EDR evasion through virtualization boundary
- Covert persistence via guest OS cron jobs
- Encrypted HTTPS C2 with host-identity spoofing
MITRE ATT&CK Mapping
Initial Access: T1078 – Valid Accounts
Execution: T1059 – Command and Scripting Interpreter
Persistence: T1136.001 – Create Account: Local Account
Defense Evasion: T1202 – Indirect Command Execution
Lateral Movement: T1021 – Remote Services
Command and Control: T1572 – Protocol Tunneling
Detection Rules
YARA Rule (Memory/Doc/PCAP)
rule CurlyShell_HTTPS_Backdoor
{
    meta:
        description = "Detects CurlyShell reverse shell inside Alpine Linux VM"
    strings:
        $a = "curl -k -X POST https://" nocase
        $b = "/bin/sh" nocase
    condition:
        all of them
}
Suricata or Zeek (Network)
alert http any any -> any any (msg:"CurlyShell HTTPS POST to C2"; flow:established,to_server; content:"POST"; http_method; content:"curl"; content:"/bin/sh"; sid:42025; rev:1;)
Sigma Rule (SIEM/EDR)
title: Hyper-V Enabled and VM Deployed
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'Enable-WindowsOptionalFeature'
            - 'Microsoft-Hyper-V'
    condition: selection
fields:
    - CommandLine
    - ParentImage
    - User
Detection Strategies
Network Detection:
- Look for unusual HTTPS POST traffic from Windows hosts to unknown C2
- Detect curl-style payload patterns using protocol decoders in Zeek or Suricata
- Flag unknown TLS SNI hosts in environments that rarely use curl/libcurl
Endpoint Detection:
- Hyper-V enabled unexpectedly (audit Windows Features changes)
- VM creation using PowerShell on non-IT admin machines
- LSASS access attempts or ticket injections without associated user actions
- PowerShell creating new local accounts via Group Policy mechanisms
Splunk Query
index=win_logs (sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:Microsoft-Windows-Sysmon")
((CommandLine="*Enable-WindowsOptionalFeature*" AND CommandLine="*Microsoft-Hyper-V*")
OR CommandLine="*New-LocalUser*"
OR (CommandLine="*Invoke-Command*" AND CommandLine="*LSASS*"))
| stats count by ComputerName, User, CommandLine
SOC Detection Strategy
– Alert on Hyper-V enablement across non-admin endpoints
– Prioritize EDR alerts showing VM processes communicating via HTTPS
– Set correlation rules for PowerShell spawning account creation events and LSASS access
– Triage: high severity if Hyper-V + account creation + LSASS access seen together
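The endpoint-detection bullets and the SOC triage rule above, expressed as a small correlation over constructed Sysmon-style process-creation events. This is an added example, not code from the original post or from the Bitdefender report; the host names, user names and the "expected Hyper-V hosts" allow-list are assumptions.

```python
import re
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
EVENTS = [
    {"host": "WS-0412", "user": r"corp\jdoe", "image": PS,
     "cmd": "Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart"},
    {"host": "WS-0412", "user": r"corp\jdoe", "image": PS,
     "cmd": "New-VM -Name WSL -MemoryStartupBytes 256MB -SwitchName 'Default Switch'"},
    {"host": "WS-0412", "user": r"corp\jdoe", "image": PS,
     "cmd": "New-LocalUser -Name svc_backup -Password $pw"},
    {"host": "WS-0412", "user": r"corp\jdoe", "image": PS,
     "cmd": "Invoke-Command -ComputerName WS-0412 -ScriptBlock { Get-Process lsass }"},
    {"host": "HV-LAB-01", "user": r"corp\hvadmin", "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmd": "Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All"},
]
# One tag per endpoint-detection bullet; a VM named "WSL" gets its own tag.
TAGS = {
    "hyperv_enable": re.compile(r"Enable-WindowsOptionalFeature.*Microsoft-Hyper-V", re.I),
    "vm_create": re.compile(r"\bNew-VM\b", re.I),
    "vm_named_wsl": re.compile(r"New-VM.*-Name\s+['\"]?WSL['\"]?", re.I),
    "account_create": re.compile(r"New-LocalUser|\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add", re.I),
    "lsass_access": re.compile(r"\blsass\b", re.I),
}
POWERSHELL = ("\\powershell.exe", "\\pwsh.exe")

def classify(event):
    """Tags matched by one event; only PowerShell images count, as in the Sigma rule."""
    if not event["image"].lower().endswith(POWERSHELL):
        return set()
    return {tag for tag, rx in TAGS.items() if rx.search(event["cmd"])}

def triage(events, expected_hyperv_hosts):
    """Aggregate tags per host, then apply the page's SOC triage rule."""
    per_host = {}
    for ev in events:
        tags = classify(ev)
        if tags:
            per_host.setdefault(ev["host"], set()).update(tags)
    result = {}
    for host, tags in per_host.items():
        if {"hyperv_enable", "account_create", "lsass_access"} <= tags:
            severity = "high"    # all three together: the page's high-severity triage
        elif host not in expected_hyperv_hosts and tags & {"hyperv_enable", "vm_create"}:
            severity = "medium"  # Hyper-V activity on an endpoint not expected to run it
        else:
            severity = "low"
        result[host] = {"tags": tags, "severity": severity}
    return result
```

Feed it real Sysmon Event ID 1 records (Image, CommandLine, Computer, User) and a list of hosts that legitimately run Hyper-V to turn the triage bullets into a repeatable hunt.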
Tools & Techniques
Tool | Usage
Sysmon | Monitor PowerShell, VM creation, and network stack traffic
Velociraptor | Hunt for cron jobs or Alpine indicators
Zeek | Detect curl/libcurl behaviors over encrypted channels
Sigma/YARA | Correlate guest VM behavior and persistence methods
Mitigation & Response
– Disable Hyper-V where not required
– Audit for newly created virtual switches and VMs
– Block outbound HTTPS to unknown domains from non-browser processes
– Rotate credentials if LSASS access observed
– Check Group Policy logs for unauthorized account creation scripts
Incident Response Snippets
– `Get-WindowsOptionalFeature -Online | Where-Object {$_.FeatureName -like "*Hyper-V*"}`
– Search `C:\ProgramData\Microsoft\Windows\Hyper-V` for unusual files
– Grep Zeek logs for `curl` and `POST` from unexpected hosts
– Interview domain admins about GPO changes if new users appeared
Suggested Reading & External References
– https://www.bleepingcomputer.com/news/security/russian-hackers-abuse-hyper-v-to-hide-malware-in-linux-vms/
– https://www.bitdefender.com/blog/labs/curly-comrades-hyperv-report/
– https://attack.mitre.org/
EMS Lens: Field Insight
Like checking vitals on a patient with no visible trauma, this threat hides beneath the surface – quiet, deadly, and often overlooked. When telemetry is fragmented, and nothing obvious presents, curiosity becomes your best diagnostic tool. Don't ignore silent indicators like Hyper-V activity where there should be none.
Final Thoughts
– Attackers exploited native Windows features to build a hidden Alpine Linux VM
– Most effective action now: Audit for unexpected Hyper-V role activations and traffic
– Detection is field work – if you don't go looking, you won't see it.
Published: November 4, 2025