Curly COMrades hides malware in a Hyper-V Alpine Linux VM to evade EDR
Technical Analysis
Summary
Researchers identified Curly COMrades using Windows Hyper-V to hide a minimal Alpine Linux virtual machine on compromised Windows 10 hosts, a setup that can bypass host-based EDR and preserve remote control. The hidden guest ran CurlyShell and CurlCat, giving the operators a covert execution layer for commands and proxying. The technique matters because it turns a legitimate virtualization feature into a persistence and evasion mechanism.
Related Happenings
UNC6201 Dell RecoverPoint for Virtual Machines zero-day campaign
Campaign
First: 17.02.2026 22:15
Last: 17.02.2026 22:15
Sources 1
About this happening:
The **UNC6201** campaign has been exploiting a **Dell zero-day** since **mid-2024**, creating a sustained risk of unauthorized access and stealthy movement across victims' virtual...
Latest development: 19.02.2026 17:30
CISA added CVE-2026-22769 to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to secure affected Dell RecoverPoint systems by Saturday, February 21, after Mandiant and Google Threat Intelligence Group (GTIG) said UNC6201 had exploited the flaw since at least mid-2024.
DEAD#VAX campaign using IPFS-hosted VHD phishing to deploy AsyncRAT
Campaign
First: 04.02.2026 19:24
Last: 04.02.2026 19:24
Sources 1
About this happening:
The **DEAD#VAX** campaign is using **phishing-delivered IPFS-hosted VHD files** to deploy **AsyncRAT**, creating a stealthier path to **fileless endpoint compromise**. The chain r...
Kraken ransomware HelloKitty-linked double-extortion campaign
Campaign
First: 14.11.2025 00:53
Last: 14.11.2025 00:53
Sources 1
About this happening:
**Kraken ransomware** is an active **double-extortion** campaign linked to the **HelloKitty** ecosystem and observed in **August 2025** using **SMB exploitation**, **Cloudflare**...
Akira ransomware Linux encryptor expands to Nutanix AHV VM disk encryption
Malware Activity
First: 14.11.2025 00:32
Last: 14.11.2025 00:32
Sources 1
About this happening:
The **Akira ransomware** operation has expanded its encryptor to **Nutanix AHV** VM disks, increasing the range of virtualized environments that can be encrypted during intrusions...
Storm-2603 Velociraptor-abuse ransomware campaign
Campaign
First: 09.10.2025 22:31
Last: 09.10.2025 22:31
Sources 1
About this happening:
The **Storm-2603** campaign abuses **Velociraptor** as an intrusion enabler during **ransomware attacks**, using an outdated **Velociraptor 0.73.4.0** instance vulnerable to **CVE...
Timeline
06.11.2025 09:22 2 articles · 6mo ago
Curly COMrades hides CurlyShell in Hyper-V Alpine Linux VM
Technical Analysis Update: Bitdefender reported that Curly COMrades enabled the Hyper-V role on compromised Windows 10 hosts to deploy a hidden Alpine Linux-based virtual machine that hosted CurlyShell and CurlCat. The minimal guest environment, described as using 120MB disk space and 256MB memory, let the operators run a persistent reverse shell, proxy traffic, and bypass many host-based EDR detections while keeping long-term access with tools such as Resocks, Rsockstun, Ligolo-ng, CCProxy, Stunnel, SSH-based methods, RuRat, Mimikatz, and MucorAgent.
- Hackers Weaponize Windows Hyper-V to Hide Linux VM and Evade EDR Detection — thehackernews.com — 06.11.2025 09:22
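A defender-side triage script for the hidden-guest pattern described in the summary and in the timeline entry above, added here as an example and not code from the article or from Bitdefender's report. It assumes an elevated PowerShell session on the Windows 10 host with the Hyper-V module available; the memory and disk thresholds are assumptions derived from the reported 120MB/256MB footprint, not indicators from the page.

```powershell
# Added triage script (not from the article or Bitdefender's report). Run elevated.
# Thresholds are assumptions derived from the reported 120MB disk / 256MB memory guest.
$MaxSuspectMemMB  = 256
$MaxSuspectDiskMB = 150

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Is the Hyper-V role enabled at all? On an ordinary user workstation this is itself unusual.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -ErrorAction SilentlyContinue
if (-not $feature -or $feature.State -ne 'Enabled') {
    Write-Output "Hyper-V role not enabled; nothing to enumerate."
    return
}
$findings.Add("Hyper-V role is enabled (state: $($feature.State))")

# 2. Management service state, then every registered VM with its footprint and network attachment.
$vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
if ($vmms) { $findings.Add("vmms service: $($vmms.Status) / $($vmms.StartType)") }

Import-Module Hyper-V -ErrorAction SilentlyContinue
foreach ($vm in Get-VM -ErrorAction SilentlyContinue) {
    $memMB  = [math]::Round($vm.MemoryStartup / 1MB)          # MemoryStartup is in bytes
    $diskMB = 0
    foreach ($d in (Get-VMHardDiskDrive -VMName $vm.Name -ErrorAction SilentlyContinue)) {
        if (Test-Path $d.Path) { $diskMB += [math]::Round((Get-Item $d.Path).Length / 1MB) }
    }
    $nics = (Get-VMNetworkAdapter -VMName $vm.Name -ErrorAction SilentlyContinue).SwitchName -join ','
    $line = "VM '$($vm.Name)' state=$($vm.State) mem=${memMB}MB disk=${diskMB}MB " +
            "gen=$($vm.Generation) switch=[$nics] created=$($vm.CreationTime) path=$($vm.Path)"
    # A tiny guest that still has a network adapter matches the reported CurlyShell/CurlCat host.
    if ($memMB -le $MaxSuspectMemMB -and $diskMB -le $MaxSuspectDiskMB -and $nics) {
        $line = "SUSPECT  " + $line
    }
    $findings.Add($line)
}

# 3. Recent VM management events, to reconstruct when the guest was created or started.
Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents 25 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $first = ($_.Message -split "`n" | Select-Object -First 1)
        $findings.Add("event $($_.Id) $($_.TimeCreated): $first")
    }

$findings
```

Because the report describes the guest proxying operator traffic, a SUSPECT line is worth correlating with the host's firewall and NAT switch configuration rather than treated as conclusive on its own.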