According to TheRegister.com, the Russian hacking group Curly COMrades is exploiting Microsoft’s Hyper-V hypervisor to create hidden Alpine Linux-based virtual machines that completely bypass endpoint security tools. The campaign, uncovered by Bitdefender researchers working with Georgia’s CERT team, began in July 2024 and targets judicial and government bodies in Georgia plus an energy company in Moldova. These invisible VMs use just 120MB of disk space and 256MB of memory, hosting custom malware including the CurlyShell reverse shell and the CurlCat reverse proxy. By isolating malware execution within these hidden VMs, the attackers effectively bypass traditional host-based EDR detections. The technique makes all malicious traffic appear to originate from legitimate host machines, giving Russian spies long-term network access for snooping and deploying additional malware.
Why this matters
Here’s the thing: we’re seeing a fundamental shift in how sophisticated threat actors operate. They’re not just writing better malware anymore – they’re weaponizing legitimate system tools that are already trusted by security products. Microsoft’s Hyper-V? That’s supposed to be a security feature, not an attack vector. But Curly COMrades figured out how to turn it into their personal hiding spot.
And this isn’t some theoretical vulnerability. They’re actually using this in the wild against government targets. When you can make your malware run in a completely separate environment that security tools don’t even see, you’ve basically won the stealth game. The fact that they’re targeting judicial systems and energy infrastructure tells you everything about their intentions.
The bigger trend
This is part of a much larger pattern that should worry every security team. As Bitdefender researcher Victor Vrabie noted, EDR and XDR solutions are becoming commodity tools – which means attackers are getting really good at bypassing them. We’re seeing this across the board: ransomware gangs with EDR killers, nation-states using living-off-the-land techniques, and now VM isolation.
Think about it: if your security tools are designed to detect suspicious processes and behaviors on the host operating system, what happens when the bad stuff isn’t running on the host at all? It’s like trying to catch a burglar who’s figured out how to walk through walls without leaving any traces.
What comes next
So where does this leave us? Basically, the old “detect and respond” model is showing its limitations. Bitdefender’s recommendation for a multi-layered, defense-in-depth strategy isn’t just corporate speak – it’s becoming essential. You can’t just rely on endpoint detection anymore when attackers are this creative with system abuse.
The good news is that Bitdefender has published detailed indicators of compromise that security teams can use to hunt for this specific threat. But the broader lesson is that we need to rethink our entire approach to detection. Maybe we need more VM-aware security tools? Or better monitoring of virtualization features themselves?
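One concrete way to start monitoring the virtualization features themselves, as an added PowerShell hunt that is not from the article, The Register or Bitdefender: it checks whether the Hyper-V role is enabled on a Windows endpoint that is not an expected virtualization host, then enumerates every VM and flags footprints matching the reported profile. The expected-host list is a placeholder, and the 512MB memory and 1GB disk thresholds are my own rounding of the reported 256MB/120MB figures.

```powershell
# Added hunting script (not from the article or Bitdefender). Run as an
# administrator on a Windows endpoint. Thresholds and the expected-host list
# are assumptions, not values from the reporting.
#Requires -RunAsAdministrator

# Assumption: hosts that legitimately run Hyper-V are listed here (placeholders).
$ExpectedHyperVHosts = @('BUILD-SRV-01', 'LAB-HV-02')

$findings = New-Object System.Collections.Generic.List[string]
$hostName = $env:COMPUTERNAME

# 1. Is the Hyper-V role enabled on a machine where it should not be?
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-All' -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled' -and $ExpectedHyperVHosts -notcontains $hostName) {
    $findings.Add("Hyper-V is enabled on $hostName, which is not an expected virtualization host")
}

# 2. Enumerate VMs and flag footprints that resemble the reported hidden-VM profile
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in Get-VM) {
        $reasons = @()
        # Reported VMs used 256MB RAM; assumption: <= 512MB startup memory is unusual for legitimate use
        if ($vm.MemoryStartup -le 512MB) { $reasons += "tiny memory ($([int]($vm.MemoryStartup / 1MB)) MB)" }
        # Reported VMs used about 120MB of disk; assumption: any VHD under 1GB deserves a look
        foreach ($disk in Get-VMHardDiskDrive -VM $vm) {
            $vhd = Get-VHD -Path $disk.Path -ErrorAction SilentlyContinue
            if ($vhd -and $vhd.FileSize -lt 1GB) { $reasons += "tiny disk $($disk.Path) ($([int]($vhd.FileSize / 1MB)) MB)" }
        }
        # The built-in Default Switch NATs guest traffic behind the host's own IP, which is
        # consistent with the observation that malicious traffic appears to come from the host
        foreach ($nic in Get-VMNetworkAdapter -VM $vm) {
            if ($nic.SwitchName -eq 'Default Switch') { $reasons += 'attached to NAT Default Switch' }
        }
        if ($reasons.Count -gt 0) {
            $findings.Add("VM '$($vm.Name)' (state $($vm.State), created $($vm.CreationTime), path $($vm.Path)): " + ($reasons -join '; '))
        }
    }
}

if ($findings.Count -eq 0) { Write-Output "No suspicious Hyper-V activity found on $hostName" }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

A hit on the role check alone is the cheapest signal: on a fleet where Hyper-V is not part of the standard build, its enablement is an inventory change worth alerting on regardless of what VMs are found.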
One thing’s for sure: as more organizations move toward virtualization and containerization, attackers will keep finding ways to abuse these technologies. The Curly COMrades campaign is just the beginning of this particular evasion technique. We’re going to see a lot more of this in the coming years.
