Inside the Virtual Matrix. An Illuminating Read for Saturday, 8th November 2025.

Nesting doll syndrome?


When Cats Go Curly: Russian Hackers Go Virtual

Windows, why face malware when it can avoid your watchful eye altogether?

What You Need to Know

Russian hackers, known as Curly COMrades, have exploited Microsoft's Hyper-V feature to deploy hidden Linux virtual machines (VMs) within Windows systems. This tactic provides a sanctuary for running malware, evading Windows-based security measures. Executive teams should prioritize tightening virtualization security protocols immediately, and ensure CISO teams are briefed on counter-measures against virtualized threats.

CISO Focus: Virtualization Security
Sentiment: Negative
Time to Impact: Immediate


The world of cybersecurity is no stranger to innovation—unfortunately, that innovation isn’t confined to the good guys. The recent revelation that Russian hackers, dubbed "Curly COMrades," have utilized Microsoft's Hyper-V virtualization features to execute cyber attacks using hidden Linux virtual machines (VMs) is a striking example of this reality. This development might sound like a scene out of a cyberpunk thriller, but for cybersecurity professionals, it’s anything but entertaining.

Hidden in Plain Sight

The core of this strategy lies in leveraging Microsoft's Hyper-V, a widely used virtualization technology. By embedding a miniature Alpine Linux-based VM within a Windows environment, the hackers essentially construct an unseen realm. Within this concealed kingdom, malicious tools operate without fear of interference from traditional Windows security protocols.

The hackers capitalize on the fact that Windows-only defenses on the host often overlook activity inside a guest VM, treating it as secure by design. By exploiting this blind spot, the attackers use the VM to covertly host tools like CurlyShell and CurlCat. These provide reverse shell and proxy capabilities, granting the adversaries near-complete control over the compromised systems.

A Minimal Footprint

Perhaps the most unsettling aspect of this approach is its efficiency. The VM, based on the lightweight Alpine Linux, occupies a mere 120 MB of disk space and 256 MB of RAM—trivial footprints in today’s hardware. This allows it to run smoothly alongside the host’s operations, making detection even more challenging for typical security setups.

By configuring the VM to share the host’s IP address via the Default Switch network adaptor, any outbound malicious traffic appears to originate from the legitimate host, further camouflaging the attackers’ efforts.

Implications of the Hyper Attack

This novel tactic significantly complicates the landscape for threat hunters and cybersecurity practitioners. Traditional detection systems focus on anomalies within the Windows OS, but with threats now operating under the guise of separate virtual environments, these systems find themselves barking up the wrong tree.

For organizations relying on Windows infrastructure, this demonstrates an urgent need to reassess their virtualization security measures. It's no longer just about securing the host OS; the virtual environments running inside it now require an equivalent level of scrutiny.

Security Community Rallying Cry

In light of these developments, the cybersecurity community has called for immediate adaptability and enhanced vigilance. Administrators must ensure that Hyper-V is not automatically enabled on Windows systems without substantial monitoring in place. Furthermore, tools capable of inspecting activity inside VMs, previously considered a luxury, are becoming a necessity.

Advanced endpoint detection systems that can assess behaviors both inside and outside VMs must be considered. Once again, the dependency on vigilance, early detection, and rapid response underpins the defense against increasingly sophisticated cyber adversaries.

In modern cybersecurity, sometimes the cat is both inside and outside the Windows—but more importantly, how do you catch it?


Vendor Diligence Questions

  1. How does your solution address the detection and mitigation of threats operating within virtual machine environments, particularly those leveraging Hyper-V in Windows systems?
  2. Can your endpoint security offerings integrate with existing infrastructure to enhance monitoring of virtualized environments hosted on the Windows OS?
  3. What proactive measures do you recommend for continuous auditing and hardened security policies in relation to Hyper-V-enabled systems?

Action Plan

  • Immediate Review: Conduct an exhaustive review of current virtualization settings and traffic patterns to identify any unauthorized VMs appearing within network ecosystems.
  • Tool Integration: Deploy or upgrade to advanced endpoint detection systems capable of scanning active VMs in parallel with standard OS scanning operations.
  • Training & Awareness: Conduct organization-wide training sessions highlighting the new threat landscape, emphasizing vigilance against unseen threats, particularly when dealing with OS virtualization technologies.
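As an added example that is not part of the original newsletter or the underlying research, the following PowerShell audit puts the "Immediate Review" step and the monitoring called for above into practice on a single Windows host: it reports whether Hyper-V is enabled, inventories every VM, and flags the traits the article describes (a tiny memory and disk footprint, and attachment to the "Default Switch" NAT adaptor). The size thresholds are assumptions chosen for illustration, not published indicators.

```powershell
# Added example (not from the article or the original research): a read-only
# Hyper-V audit for a Windows host. It checks whether the Hyper-V feature is
# enabled and its management service is running, inventories every VM, and
# flags the traits the article describes: a small memory/disk footprint and
# attachment to the "Default Switch" NAT adaptor. Thresholds are assumptions.
# Run in an elevated PowerShell session on the host being audited.

$SmallMemoryBytes = 512MB      # assumed threshold; article cites 256 MB of RAM
$SmallDiskBytes   = 1GB        # assumed threshold; article cites ~120 MB on disk

function Get-HyperVState {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
    $vmms    = Get-Service -Name vmms -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FeatureState = $feature.State
        VmmsStatus   = if ($vmms) { $vmms.Status } else { 'NotInstalled' }
    }
}

function Get-SuspiciousVMs {
    if (-not (Get-Command Get-VM -ErrorAction SilentlyContinue)) {
        Write-Warning 'Hyper-V PowerShell module not present; no VM inventory possible.'
        return
    }
    foreach ($vm in Get-VM) {
        $adapters  = Get-VMNetworkAdapter -VMName $vm.Name
        $diskBytes = 0
        foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name) {
            $vhd = Get-VHD -Path $disk.Path -ErrorAction SilentlyContinue
            if ($vhd) { $diskBytes += $vhd.FileSize }
        }
        $flags = @()
        if ($vm.MemoryStartup -le $SmallMemoryBytes) { $flags += 'SmallMemory' }
        if ($diskBytes -gt 0 -and $diskBytes -le $SmallDiskBytes) { $flags += 'SmallDisk' }
        if ($adapters.SwitchName -contains 'Default Switch') { $flags += 'DefaultSwitchNAT' }
        [pscustomobject]@{
            Name     = $vm.Name
            State    = $vm.State
            MemoryMB = [int]($vm.MemoryStartup / 1MB)
            DiskMB   = [int]($diskBytes / 1MB)
            Switches = ($adapters.SwitchName -join ',')
            Flags    = ($flags -join ',')
        }
    }
}

Get-HyperVState
Get-SuspiciousVMs | Sort-Object Flags -Descending | Format-Table -AutoSize
```

A VM carrying all three flags on a workstation that has no business running Hyper-V is the pattern to investigate first; the script only reports and changes nothing.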

Source: https://cybernews.com/security/russian-hackers-abuse-microsoft-hyperv-to-run-linux/


CISO Intelligence is lovingly curated from open source intelligence newsfeeds and is aimed at helping cybersecurity professionals be better, no matter what their stage in their career.

We’re a small startup, and your subscription and recommendation to others is really important to us.

Thank you so much for your support.

CISO Intelligence by Jonathan Care is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International