Russian hacker group Curly COMrades is leveraging Microsoft Hyper-V to create hidden Linux virtual machines for covert malware operations. Their tactics include bypassing detection and maintaining stealth with custom tools like CurlyShell and CurlCat. #CurlyCOMrades #HyperV #CyberEspionage
Keypoints
- Curly COMrades use Hyper-V to deploy hidden Alpine Linux VMs for malicious activities.
- The group hosts custom tools, CurlyShell and CurlCat, inside these virtual environments for stealth communication.
- The attack enables bypassing host-based endpoint detection and response solutions.
- Malicious traffic appears to originate from legitimate host IPs because it passes through the host's network stack.
- Advanced techniques such as PowerShell scripts and encrypted payloads enhance operational security.
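A defender-side check for the technique described above, added here as an illustration and not taken from the report or from any Curly COMrades tooling: it inventories Hyper-V virtual machines on a Windows host, flags any VM that is not on an administrator-maintained allowlist, and pulls recent VM management events from the Hyper-V VMMS log so unexpected VM creation can be reviewed. The allowlist contents and the 30-day window are assumptions; the cmdlets used (Get-VM, Get-VMNetworkAdapter, Get-WinEvent) are standard Hyper-V and Windows management cmdlets and require the Hyper-V PowerShell module and local administrator rights.

```powershell
# Hunt for unexpected Hyper-V virtual machines on a Windows host.
# Assumed allowlist: VM names an administrator knows are legitimate here.
$KnownVMs   = @('build-agent-01', 'lab-win10')   # constructed sample allowlist
$LookbackDays = 30                               # assumed review window

function Get-UnexpectedHyperVVMs {
    param([string[]]$Allowlist)

    # Get-VM fails if the Hyper-V role or module is absent; treat that as "nothing to report".
    try { $vms = Get-VM -ErrorAction Stop } catch { return @() }

    foreach ($vm in $vms) {
        if ($Allowlist -notcontains $vm.Name) {
            # Which virtual switch the VM is attached to tells us whether its traffic
            # is bridged through the host NIC (the behaviour the report describes).
            $adapters = Get-VMNetworkAdapter -VMName $vm.Name -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name         = $vm.Name
                State        = $vm.State
                Generation   = $vm.Generation
                Created      = $vm.CreationTime
                ConfigPath   = $vm.Path
                SwitchNames  = ($adapters | ForEach-Object SwitchName) -join ','
            }
        }
    }
}

function Get-RecentVmmsEvents {
    param([int]$Days)

    # The VMMS admin log records VM lifecycle operations (create, start, configure).
    $filter = @{
        LogName   = 'Microsoft-Windows-Hyper-V-VMMS-Admin'
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$unexpected = Get-UnexpectedHyperVVMs -Allowlist $KnownVMs
if ($unexpected) {
    Write-Warning "Hyper-V VMs not on the allowlist:"
    $unexpected | Format-Table -AutoSize
} else {
    Write-Host "No unexpected Hyper-V VMs found."
}

Write-Host "Hyper-V VMMS events in the last $LookbackDays days:"
Get-RecentVmmsEvents -Days $LookbackDays | Format-Table -Wrap -AutoSize
```

Run this on hosts where Hyper-V is not an expected workload; a non-empty result on a workstation, or a VM whose adapter sits on an external switch, is the condition worth escalating, since traffic from such a VM leaves the machine with the host's IP address and the host's EDR never sees the guest process.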