Cybercriminal group Curly COMrades leverages lightweight Linux virtual machines on Windows Hyper-V to stealthily deploy malware, prompting calls for enhanced detection and system hardening as this tactic signifies a new evolution in cyber espionage and evasion techniques.
Cybersecurity researchers have identified a sophisticated new tactic employed by hackers to infiltrate Windows systems undetected by traditional endpoint security tools. The Russian hacker group known as Curly COMrades has been exploiting the Microsoft Hyper-V virtualization platform on Windows 10 machines, creating covert Alpine Linux-based virtual machines (VMs) to run malware designed to evade detection by endpoint detection and response (EDR) and antivirus software.
Investigations conducted by Bitdefender in collaboration with the Georgia Computer Emergency Response Center (CERT-GE) reveal that this threat actor chose lightweight Alpine Linux VMs for their minimal resource requirements: only 120 MB of disk space and 256 MB of RAM. That small footprint makes it hard for ordinary users and standard security tools to notice anything unusual on the host. The hackers deployed custom malware named CurlyShell and CurlCat within these VMs. CurlyShell operates as a reverse shell communicating with command-and-control (C2) servers via HTTPS, while CurlCat establishes reverse proxy tunnels, enabling stealthy remote command execution and persistent access on infected hosts.
The campaign appears to have begun in earnest in early July 2024. After gaining initial access, the hackers remotely enabled Hyper-V using Deployment Image Servicing and Management (DISM) tools and then disabled the virtualization platform's management interface to make the VMs harder to find and remove. To mislead victims and security tools, attackers named their Linux VMs “WSL,” mimicking legitimate Windows Subsystem for Linux installations. Moreover, the malicious VMs used Hyper-V’s internal NAT service for network access, so outbound malicious traffic appeared to originate from the host system itself, further hiding their activity.
The hackers supplemented their operations with various supporting tools such as Resocks, Rsockstun, Ligolo-ng, CCProxy, Stunnel, and SSH-based methods to maintain covert command channels and persistence. Bitdefender researchers stress that EDR solutions need stronger host-based network detection, since that is what exposes C2 traffic originating inside a virtual machine on the host. Additionally, they advocate stronger hardening of native Windows system components to mitigate such abuse.
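The host-side traces described in the two paragraphs above (Hyper-V enabled on a workstation, a VM named "WSL", a tiny memory and disk footprint, and an internal NAT that hides guest traffic behind the host address) can be checked locally. The following read-only triage script is an added example, not code from the article or from Bitdefender; it assumes the Hyper-V and NetNat PowerShell modules are installed and that it runs as an administrator on a Windows 10 host. The "WSL" name and the 120 MB / 256 MB figures come from the article; the 200 MB disk threshold is an illustrative choice.

```powershell
# Added example (not the article's or Bitdefender's code): surface the Hyper-V traces
# described above. Assumes the Hyper-V and NetNat modules are present (admin shell).
$findings = @()

# 1. Hyper-V enabled on a workstation where it is not expected?
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings += "Hyper-V feature is enabled (state: $($feature.State))"
}

# 2. Enumerate registered VMs; flag the "WSL" decoy name and minimal footprints.
#    WSL 2 does not register a VM that Get-VM lists, so a VM called WSL is suspicious.
$vms = Get-VM -ErrorAction SilentlyContinue
foreach ($vm in $vms) {
    if ($vm.Name -match '^WSL') {
        $findings += "VM named like WSL: '$($vm.Name)'"
    }
    if ($vm.MemoryStartup -le 256MB) {   # article: 256 MB of RAM
        $findings += "VM '$($vm.Name)' starts with only $($vm.MemoryStartup / 1MB) MB RAM"
    }
    foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name) {
        $vhd = Get-VHD -Path $disk.Path -ErrorAction SilentlyContinue
        if ($vhd -and $vhd.FileSize -lt 200MB) {   # 200 MB is an illustrative threshold
            $findings += "VM '$($vm.Name)' uses a small disk: $($disk.Path) ($([int]($vhd.FileSize / 1MB)) MB)"
        }
    }
}

# 3. Internal NAT: guest traffic egresses with the host's address, so any NAT object
#    on a workstation deserves a second look.
foreach ($nat in Get-NetNat -ErrorAction SilentlyContinue) {
    $findings += "Hyper-V NAT present: $($nat.Name) -> $($nat.InternalIPInterfaceAddressPrefix)"
}

if ($findings.Count -eq 0) { 'No Hyper-V indicators found' } else { $findings }
```

Each hit is a lead, not a verdict: legitimate developer workstations also run Hyper-V and NAT, so correlate the output with who enabled the feature and what the VM's network adapter is talking to.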
This attack vector is part of an emerging trend of using Linux-based malware to target Windows environments in an effort to bypass conventional detection methods. A similar technique was recently documented by Trend Micro in the Qilin ransomware campaign, where operators exploited the Windows Subsystem for Linux (WSL) feature to execute Linux-based ransomware on compromised Windows endpoints. The shift towards Linux VMs and subsystems allows cybercriminals to exploit less scrutinised attack surfaces with greater stealth.
The primary targets of the Curly COMrades group have been government and judicial entities in Georgia, as well as energy sector firms in Moldova, regions of geopolitical significance and sensitivity for Russia. While no formal linkage has been confirmed to known Russian advanced persistent threat (APT) groups, the operations and targets align closely with Russian geopolitical interests, particularly following ongoing tensions since the annexation of Crimea in 2014.
The discovery of this campaign underscores an evolution in cyberespionage tactics where attackers leverage virtualization technologies not just for operational convenience but to circumvent rigorous security defences at the host level. Security experts urge organisations to adopt more advanced monitoring of virtual environments and network behaviours, alongside reinforcing endpoint hardening, to counter these emerging threats effectively.
Source: Fuse Wire Services