Russian Spies Use Hyper-V to Hide Malware in Secret Windows VMs (2025)

A Russia-aligned espionage group tracked as Curly COMrades has been found hiding its tooling in a place host security software does not look: a virtual machine. Rather than bringing a third-party hypervisor, the group abuses Microsoft's built-in Hyper-V role on compromised Windows machines to run a covert, minimal Alpine Linux VM, and the malware executes inside that guest instead of on the Windows host, which makes it far harder to detect.

According to Bitdefender researcher Victor Vrabie, the VM's minimal resource footprint lets it run unnoticed on the host while hosting the group's custom implants, CurlyShell and CurlCat. Those tools give the operators a quiet, persistent foothold from which further activity can be staged.

The campaign was uncovered jointly by Bitdefender and the Georgian CERT. The attackers are not exploiting a vulnerability in Hyper-V; they are abusing legitimate virtualization features to put their code beyond the reach of endpoint security. Processes and files inside the guest are invisible to EDR agents that inspect only the Windows host, so isolating the malware in a VM gives it a sheltered environment that host-based detection cannot see into.

Bitdefender has tracked Curly COMrades since 2024. The group's targeting aligns with Russian geopolitical interests, but its precise relationship to the Russian government remains unclear. It has gone after government bodies and critical infrastructure, including a recent campaign against targets in Georgia and Moldova.

In the latest campaign, the attackers remotely enabled the Hyper-V role on compromised Windows machines and downloaded their prebuilt VM image. The guest was attached to the host's network through NAT, so every packet it sent left the machine with the host's IP address. To network monitoring and to the victim's own logs, the VM's command-and-control traffic is indistinguishable from traffic generated by the legitimate host, which complicates both detection and tracing the activity back to its real source.

The tooling inside the VM consists of two components: CurlyShell, a newly identified reverse shell, and CurlCat, a reverse proxy Bitdefender had previously documented. Both are built for low-profile operation and persistent access. The operators also routed command-and-control through a Georgian website, so C2 traffic blended in with connections to an in-country domain.

The researchers additionally recovered PowerShell scripts attributed to Curly COMrades that enable remote authentication to compromised hosts and create backdoors for persistent access. Taken together, the tradecraft reflects a broader trend: threat actors are increasingly evading EDR/XDR by moving execution into a VM that the endpoint sensor has no visibility into.

Ransomware operators have adopted the same approach, running their payloads inside a guest VM on the victim's own machine, which makes endpoint defense harder still. Security teams therefore recommend layered defenses rather than reliance on host-based detection alone, since detections built around process and file behavior on the host see only legitimate, signed system components being used and often do not flag their abuse.
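The hunt below is an added example for defenders, written for this page; it is not code from Bitdefender, the Georgian CERT or the article's author. It checks a Windows 10/11 host for the residue the technique described above would leave behind: the Hyper-V role enabled (and, more suspiciously, enabled without its management tools), small headless guests attached to the NAT "Default Switch", a running vmwp.exe worker process, disk images outside Hyper-V's default store, and Setup-log and DISM-log entries showing when the role was turned on. The memory threshold, the staging directories searched and the VM-name pattern are assumptions made for illustration, not indicators taken from the report. Run it in an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example for defenders; not code from Bitdefender, Georgian CERT or the article.
# Looks for host-side residue of a hidden Hyper-V guest on a Windows 10/11 workstation.
# Thresholds, staging paths and name patterns below are assumptions, not published IOCs.

function Invoke-HyperVHunt {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Feature state. The hypervisor being enabled while its management tools are not
    #    is itself a signal: whoever enabled it did not plan to administer it via Get-VM.
    $enabled = Get-WindowsOptionalFeature -Online |
        Where-Object { $_.FeatureName -like 'Microsoft-Hyper-V*' -and $_.State -eq 'Enabled' }
    foreach ($f in $enabled) { $findings.Add("Feature enabled: $($f.FeatureName)") }
    $hvOn   = $enabled.FeatureName -contains 'Microsoft-Hyper-V-Hypervisor'
    $mgmtOn = $enabled.FeatureName -contains 'Microsoft-Hyper-V-Management-PowerShell'
    if ($hvOn -and -not $mgmtOn) {
        $findings.Add('Hypervisor enabled without PowerShell management tools; Get-VM unavailable, rely on process/file checks')
    }

    # 2. Guest inventory, when the management module is present on the host.
    if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
        foreach ($vm in Get-VM) {
            $ramMB    = [int]($vm.MemoryStartup / 1MB)
            $disks    = (Get-VMHardDiskDrive -VMName $vm.Name).Path -join '; '
            $switches = ((Get-VMNetworkAdapter -VMName $vm.Name).SwitchName | Sort-Object -Unique) -join '; '
            $findings.Add("VM '$($vm.Name)' state=$($vm.State) startupRAM=${ramMB}MB disks=[$($disks)] switches=[$($switches)]")
            if ($ramMB -le 512) {
                $findings.Add("  -> low-memory guest (<=512MB, assumed threshold): consistent with a headless minimal Linux image")
            }
            if ($switches -match 'Default Switch') {
                $findings.Add("  -> on the NAT 'Default Switch': guest traffic leaves with the host's IP address")
            }
            if ($vm.Name -match '^(WSL|Windows|Update|Defender)') {
                $findings.Add("  -> name mimics a built-in Windows component (assumed pattern)")
            }
        }
    }

    # 3. A running guest always has a vmwp.exe worker, even when Get-VM is unavailable.
    #    Host EDR sees this process; it sees nothing executing inside the guest.
    foreach ($p in (Get-Process -Name vmwp -ErrorAction SilentlyContinue)) {
        $findings.Add("vmwp.exe PID $($p.Id) started $($p.StartTime): an active VM worker")
    }

    # 4. Disk images outside Hyper-V's default store. Staging directories are assumptions.
    $defaultStore = 'C:\Users\Public\Documents\Hyper-V'
    $staging = @("$env:ProgramData", "$env:SystemRoot\Temp", 'C:\Users')
    $images = Get-ChildItem -Path $staging -Recurse -Include *.vhd, *.vhdx -File -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notlike "$defaultStore*" }
    foreach ($img in $images) {
        $findings.Add("Disk image outside default store: $($img.FullName) ($([int]($img.Length / 1MB))MB, written $($img.LastWriteTime))")
    }

    # 5. When was the role turned on? Servicing records feature-state changes in the
    #    Setup log; DISM keeps its own log when driven from the command line.
    $setup = Get-WinEvent -FilterHashtable @{ LogName = 'Setup'; ProviderName = 'Microsoft-Windows-Servicing' } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Hyper-V' } | Select-Object -First 5
    foreach ($e in $setup) {
        $findings.Add("Setup log $($e.TimeCreated): $($e.Message -replace '\s+', ' ')")
    }
    $dismLog = "$env:SystemRoot\Logs\DISM\dism.log"
    if (Test-Path $dismLog) {
        Select-String -Path $dismLog -Pattern 'Enable-Feature.*Hyper-V' -ErrorAction SilentlyContinue |
            Select-Object -Last 3 | ForEach-Object { $findings.Add("dism.log: $($_.Line.Trim())") }
    }

    return $findings
}

Invoke-HyperVHunt | ForEach-Object { Write-Output $_ }
```

The feature-state change is the most durable signal; the process, inventory and file checks are snapshots and miss a guest that has been shut down and its image deleted. Pair the host hunt with a network-side review of egress from the machine, because a guest behind NAT appears in flow logs as the host itself, which is exactly the property the attackers rely on.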

The underlying question is how to weigh the benefits of virtualization against its potential for abuse, because Hyper-V is a legitimate, built-in Windows feature and none of this activity exploits a flaw in it. The practical answers follow from that: restrict who can enable the Hyper-V role on workstations, alert when it is enabled on machines that have no business running VMs, keep an inventory of virtual machines and disk images, and treat unexpected outbound connections from a host that has recently gained a hypervisor as suspect.

Author: Gregorio Kreiger
