The Rise of Virtualized Stealth: How Hackers are Hiding Malware in Plain Sight
Over 40% of organizations now utilize virtualization technologies like Microsoft Hyper-V, creating a powerful new blind spot for cybersecurity teams. A recently uncovered campaign by the Russian-linked hacking group, Curly COMrades, demonstrates a sophisticated technique: deploying malware within hidden virtual machines to evade detection. This isn’t a theoretical threat; it’s a rapidly evolving tactic that demands a fundamental shift in how we approach endpoint security.
Curly COMrades: A Geopolitically Motivated Espionage Group
The threat actor, dubbed Curly COMrades, has been active since mid-2024 and is believed to align with Russian geopolitical interests. Bitdefender, with assistance from the Georgian CERT, exposed the group’s activities targeting government, judicial, and energy sectors in Georgia and Moldova. Their latest operation leverages the built-in capabilities of Windows to create a concealed environment for malicious activity. This highlights a growing trend: attackers are increasingly exploiting legitimate system features for nefarious purposes, making detection significantly harder.
Hyper-V as a Hiding Place: A Technical Deep Dive
Curly COMrades gains access to target systems and then enables Microsoft’s **Hyper-V** virtualization technology. Crucially, they disable the management interface, obscuring the VM’s presence. Within this hidden Alpine Linux-based virtual machine, remarkably small at just 120MB in size with 256MB of memory, they deploy their custom tools: CurlyShell, a reverse shell, and CurlCat, a reverse proxy. This allows them to establish command and control (C2) communication while minimizing their footprint on the host system.
Bypassing Endpoint Detection and Response (EDR)
The key to this technique’s success lies in evasion. Traditional host-based EDR solutions often lack the deep network inspection capabilities needed to detect C2 traffic originating from within a VM. By routing all outbound communication through the host’s network stack, the attackers effectively mask the malicious activity, making it appear as legitimate traffic from the compromised machine. The attackers cleverly named the VM ‘WSL’ – alluding to the Windows Subsystem for Linux – hoping to blend in with legitimate system processes.
Custom Malware: CurlyShell and CurlCat
The tools deployed by Curly COMrades are specifically designed for stealth and persistence. CurlyShell, built on libcurl, executes commands within the Alpine VM and maintains access via a cron job. CurlCat acts as a covert SOCKS proxy, tunneling traffic through HTTPS requests, allowing the attackers to pivot across networks while blending with normal web traffic. This technique, known as traffic morphing, is becoming increasingly common as security tools improve at identifying known C2 patterns.
PowerShell for Persistence and Lateral Movement
Beyond the virtualized malware, Curly COMrades also utilizes PowerShell for persistence and lateral movement. They inject Kerberos tickets into LSASS (Local Security Authority Subsystem Service) to authenticate to remote systems and execute commands. Additionally, they deploy a PowerShell script via Group Policy to create local accounts across the domain, establishing a foothold for long-term access. This demonstrates a multi-faceted approach, combining virtualization with established post-exploitation techniques.
The Future of Evasion: What’s Next?
The Curly COMrades campaign isn’t an isolated incident. The use of virtualization for malware concealment is likely to increase as attackers seek to bypass increasingly sophisticated security measures. We can anticipate several key trends:
- Increased Use of Nested Virtualization: Attackers may deploy VMs within VMs, further complicating detection.
- Exploitation of Other Virtualization Platforms: While Hyper-V is currently the focus, attackers will likely explore other virtualization technologies like VMware and VirtualBox.
- AI-Powered Evasion: Machine learning could be used to dynamically adjust malware behavior within VMs to avoid detection by AI-powered security tools.
- Containerization as a Hiding Place: Similar to VMs, containers (like Docker) offer a lightweight virtualization option that could be exploited for stealth.
Protecting Your Organization: A Proactive Approach
Defending against these advanced threats requires a layered security strategy. Organizations should prioritize monitoring for abnormal Hyper-V activation, unusual LSASS access patterns, and PowerShell scripts deployed via Group Policy that create new accounts or reset passwords. Investing in EDR solutions with robust network inspection capabilities is crucial, as is implementing network segmentation to limit the blast radius of a potential breach. Furthermore, regular threat hunting exercises can help identify and mitigate hidden threats before they cause significant damage. Bitdefender’s research provides valuable insights into this evolving threat landscape.
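As an added, read-only hunting script (not part of Bitdefender’s research or this article), the following PowerShell checks a Windows host for the artifacts described above: the Hyper-V platform enabled while its management tooling is disabled, running VM worker processes, a VM named like ‘WSL’ or sized like the 256MB Alpine guest, VM files in the default Hyper-V folders, and recent local account creation events. The ‘WSL’ name pattern and the 7-day window are assumptions chosen for this example; a VM stored outside the default paths will not be found by the file check.

```powershell
# Added hunting example; run as Administrator. Read-only: it only reports findings.
$findings = @()

# 1. Hypervisor enabled but its management PowerShell disabled: a mismatch worth explaining.
$platform = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor
$mgmt     = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Management-PowerShell
if ($platform.State -eq 'Enabled' -and $mgmt.State -ne 'Enabled') {
    $findings += "Hyper-V hypervisor enabled while management PowerShell is disabled"
}

# 2. One vmwp.exe worker process exists per running VM, even when the cmdlets are removed.
foreach ($w in (Get-Process -Name vmwp -ErrorAction SilentlyContinue)) {
    $findings += "VM worker process vmwp.exe running (PID $($w.Id))"
}

# 3. If Get-VM is available, flag VMs named like 'WSL' (assumed pattern) or with <= 256MB startup memory.
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in Get-VM) {
        if ($vm.Name -match '^WSL' -or $vm.MemoryStartup -le 256MB) {
            $findings += "Suspicious VM '$($vm.Name)' state=$($vm.State) memory=$($vm.MemoryStartup / 1MB)MB"
        }
    }
}

# 4. VM configuration and virtual disk files in the default Hyper-V locations, independent of tooling state.
$vmPaths = 'C:\ProgramData\Microsoft\Windows\Hyper-V', 'C:\Users\Public\Documents\Hyper-V'
foreach ($p in $vmPaths) {
    if (Test-Path $p) {
        Get-ChildItem -Path $p -Recurse -Include *.vmcx, *.vhdx, *.vhd -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "VM artifact: $($_.FullName) ($([int]($_.Length / 1MB))MB)" }
    }
}

# 5. Security event 4720 (user account created) in the last 7 days; GPO-driven account creation produces these on every host.
$created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddDays(-7) } `
    -ErrorAction SilentlyContinue
foreach ($e in $created) {
    # Properties[0] of 4720 is TargetUserName (the account that was created)
    $findings += "Local account created: $($e.TimeCreated) $($e.Properties[0].Value)"
}

if ($findings.Count -eq 0) { "No Hyper-V or account-creation indicators found" } else { $findings }
```

Run it across the fleet through your existing remote execution tooling and compare against an allowlist of hosts that are expected to run Hyper-V; a workstation with vmwp.exe running and no sanctioned VM is the case this campaign describes.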
What proactive steps is your organization taking to detect and respond to threats hiding within virtualized environments? Share your strategies in the comments below!