Curly COMrades Use Hyper-V to Hide Linux VM and Evade EDR Detection
Summary
The threat actor Curly COMrades has been observed using Windows Hyper-V to deploy a minimalistic Alpine Linux-based virtual machine. This VM hosts custom malware, including CurlyShell and CurlCat, to evade EDR detection and maintain persistent access. The attacks target Georgia and Moldova, with activity dating back to late 2023. The adversary uses various tools for data transfer, remote access, credential harvesting, and command execution. The hidden VM environment, with a lightweight footprint, allows the threat actor to bypass traditional security solutions and maintain a reverse proxy capability.
Timeline
- 06.11.2025 09:22 (1 article)
Curly COMrades Deploy Hyper-V-Based Linux VM to Evade Detection
Curly COMrades has been observed using Windows Hyper-V to deploy a minimalistic Alpine Linux-based VM. This VM hosts custom malware, including CurlyShell and CurlCat, to evade EDR detection and maintain persistent access. The attacks target Georgia and Moldova, with activity dating back to late 2023. The adversary uses various tools for data transfer, remote access, credential harvesting, and command execution. The hidden VM environment allows the threat actor to bypass traditional security solutions and maintain a reverse proxy capability.
Sources:
- Hackers Weaponize Windows Hyper-V to Hide Linux VM and Evade EDR Detection — thehackernews.com — 06.11.2025 09:22
Information Snippets
- Curly COMrades uses Windows Hyper-V to deploy a minimalistic Alpine Linux-based VM.
  First reported: 06.11.2025 09:22 (1 source, 1 article). Sources:
- Hackers Weaponize Windows Hyper-V to Hide Linux VM and Evade EDR Detection — thehackernews.com — 06.11.2025 09:22
- The VM hosts custom malware, including CurlyShell and CurlCat, to evade EDR detection.
  First reported: 06.11.2025 09:22 (1 source, 1 article). Sources:
- Hackers Weaponize Windows Hyper-V to Hide Linux VM and Evade EDR Detection — thehackernews.com — 06.11.2025 09:22
- The attacks target Georgia and Moldova, with activity dating back to late 2023.
  First reported: 06.11.2025 09:22 (1 source, 1 article). Sources:
- Hackers Weaponize Windows Hyper-V to Hide Linux VM and Evade EDR Detection — thehackernews.com — 06.11.2025 09:22
- The adversary uses tools such as CurlCat, RuRat, Mimikatz, and MucorAgent.
  First reported: 06.11.2025 09:22 (1 source, 1 article). Sources:
- Hackers Weaponize Windows Hyper-V to Hide Linux VM and Evade EDR Detection — thehackernews.com — 06.11.2025 09:22
- The hidden VM environment allows the threat actor to bypass traditional security solutions.
  First reported: 06.11.2025 09:22 (1 source, 1 article). Sources:
- Hackers Weaponize Windows Hyper-V to Hide Linux VM and Evade EDR Detection — thehackernews.com — 06.11.2025 09:22
- CurlyShell and CurlCat share a largely identical code base but handle data differently.
  First reported: 06.11.2025 09:22 (1 source, 1 article). Sources:
- Hackers Weaponize Windows Hyper-V to Hide Linux VM and Evade EDR Detection — thehackernews.com — 06.11.2025 09:22