A recent investigation by Bitdefender reveals how the pro-Russian hacker group Curly COMrades uses innovative methods to remain undetected for long periods of time within Windows environments. The group, which according to the researchers operates in line with Russian geopolitical interests, uses hidden Linux virtual machines to bypass detection by traditional security measures.
The investigation, conducted in collaboration with the Georgian CERT, revealed that the attackers exploit Hyper-V, the built-in virtualization technology of Windows 10. After gaining access to a target, they activate Hyper-V but disable the management tools to prevent monitoring by system administrators.
They then use carefully scripted CMD and PowerShell commands to download a small RAR archive that masquerades as a video file. That archive contains the configuration files and virtual disk of a pre-configured Alpine Linux environment, which is automatically imported and started.
It is noteworthy that the attackers name the virtual machine WSL, which refers to the Windows Subsystem for Linux. This naming is intended to avoid suspicion, as WSL is a trusted tool for developers. In reality, however, the malware runs in a completely isolated Hyper-V environment that is beyond the reach of the host and most endpoint detection and response solutions.
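As an added example (not from the Bitdefender report or any Curly COMrades tooling), the following read-only PowerShell audit can be run with administrator rights on a Windows 10/11 host to surface the two host-side indicators described above: the hypervisor enabled while the management tooling is removed, and a VMMS-managed virtual machine presented under a WSL-like name. It relies only on the built-in Hyper-V optional features and the root\virtualization\v2 WMI namespace; the name pattern is an illustrative assumption.

```powershell
# Added audit example; not part of the original article.
# Runs without the Hyper-V PowerShell module, since that module may have been
# removed on purpose: VM enumeration goes through WMI (root\virtualization\v2).

# 1. Feature state. A normal developer install enables hypervisor, services and
#    management tools together; hypervisor ON with management tools OFF is the
#    combination the report describes.
$names = @('Microsoft-Hyper-V-Hypervisor', 'Microsoft-Hyper-V-Services',
           'Microsoft-Hyper-V-Management-PowerShell', 'Microsoft-Hyper-V-Management-Clients')
$features = Get-WindowsOptionalFeature -Online | Where-Object FeatureName -in $names
$features | Select-Object FeatureName, State | Format-Table -AutoSize

$hvOn    = ($features | Where-Object FeatureName -eq 'Microsoft-Hyper-V-Hypervisor').State -eq 'Enabled'
$mgmtOff = ($features | Where-Object FeatureName -like 'Microsoft-Hyper-V-Management-*').State -contains 'Disabled'
if ($hvOn -and $mgmtOff) {
    Write-Warning 'Hypervisor enabled but Hyper-V management tools disabled: review who changed this and when.'
}

# 2. VMs known to the Virtual Machine Management Service. A genuine WSL 2
#    distribution is not managed by VMMS and does not appear here, so any entry
#    whose name imitates WSL deserves a look at its config path and disk.
$vms = Get-CimInstance -Namespace 'root\virtualization\v2' -ClassName Msvm_ComputerSystem -ErrorAction SilentlyContinue |
       Where-Object Caption -eq 'Virtual Machine'
foreach ($vm in $vms) {
    $cfg = Get-CimAssociatedInstance -InputObject $vm -ResultClassName Msvm_VirtualSystemSettingData |
           Where-Object VirtualSystemType -eq 'Microsoft:Hyper-V:System:Realized'
    [pscustomobject]@{
        Name       = $vm.ElementName
        Running    = ($vm.EnabledState -eq 2)          # 2 = enabled/running, 3 = off
        ConfigRoot = $cfg.ConfigurationDataRoot
        WslLike    = ($vm.ElementName -match '(?i)^wsl') # assumed pattern, adjust to taste
    }
}
```

Correlate any hit with the Microsoft-Windows-Hyper-V-VMMS-Admin event log and with the host-side creation time of the VM's configuration directory, and treat VM-originated traffic on the host IP as a reason to add network-level inspection rather than relying on the host EDR alone.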
Malware invisible to detection systems
Within this miniature Linux installation, which uses only 120 MB of disk space and 256 MB of memory, two core components run: CurlyShell, a persistent reverse shell, and CurlCat, a tool for hiding network traffic. Because the traffic leaves through the Windows host’s IP address, it appears to security systems to come from a legitimate source. According to DarkReading, Bitdefender emphasizes that this is the main strength of the method: by performing activities in a separate virtual layer, the attackers remain invisible to most detection systems.
The researchers also discovered that the attackers keep their infrastructure flexible. In addition to their own tooling, they use a range of existing proxy and tunneling methods, including Ligolo-ng, CCProxy, Stunnel, and SSH. The virtual machine also appeared to be specifically tailored to the target: files such as /etc/hosts and /etc/resolv.conf were configured to communicate with the attackers’ command-and-control servers.
Bitdefender also found PowerShell scripts that inject Kerberos tickets into the LSASS process, enabling external authentication, and scripts that create local accounts via Group Policy for persistent access.
According to Bitdefender, these findings demonstrate how attackers are using legitimate functions to evade detection as EDR solutions become increasingly sophisticated. By isolating malware within a virtual layer, it remains hidden from traditional security. Organizations are advised to broaden their defenses with network-based inspection and proactive hardening so that hidden activities such as those of Curly COMrades can be better detected.