Evasion and Persistence via Hidden Hyper-V Virtual Machines

Nov. 5, 2025, 9:49 a.m.

Description

This investigation uncovered new tools and techniques used by the Curly COMrades threat actor to establish covert, long-term access to victim networks. On compromised Windows 10 hosts the attackers abused the Hyper-V role built into Windows to create a hidden remote operating environment: a minimal Alpine Linux virtual machine hosting custom malware for reverse-shell and proxy operations. Because the implants execute inside the guest rather than on the host, their process, file and network activity is largely invisible to host-based EDR, which is how the technique bypassed traditional detections. The actor also established persistence through PowerShell scripts, Kerberos ticket manipulation and local account creation. International collaboration with the Georgian CERT aided analysis of the command-and-control infrastructure.
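The following hunting script is an added example and is not code from the report or the threat actor's tooling. It checks a Windows 10 host for the footprint that a hidden Hyper-V guest and the listed persistence methods (PowerShell-based persistence, new local accounts) leave behind, and matches this page's indicators against exported log lines. Assumed, not stated on the page: an elevated PowerShell 5.1 or later session, and the Hyper-V PowerShell module installed so that Get-VM is available; the log lines at the bottom are constructed sample data, not real telemetry.

```powershell
# Added hunting script (not from the original report). Looks for host-side
# artifacts of a hidden Hyper-V guest and of the described persistence, then
# matches the page's indicators against exported network log lines.
# Assumptions not stated on the page: elevated PowerShell 5.1+ and the
# Hyper-V PowerShell module (for Get-VM / Get-VMNetworkAdapter).
#Requires -RunAsAdministrator

$Indicators = @('45.43.91.10', '194.87.245.239', '77.221.137.132.sslip.io', 'yohi.cc')
$Lookback   = (Get-Date).AddDays(-90)

function Get-HyperVFootprint {
    # Hyper-V is an optional feature on Windows 10; an enabled role plus
    # vmwp.exe worker processes on a user workstation deserves a look.
    # Hyper-V starts one vmwp.exe per powered-on VM.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V' -ErrorAction SilentlyContinue
    $vmms    = Get-Service -Name vmms -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FeatureState = if ($feature) { $feature.State } else { 'NotPresent' }
        VmmsStatus   = if ($vmms) { $vmms.Status } else { 'NotPresent' }
        WorkerProcs  = @(Get-Process -Name vmwp -ErrorAction SilentlyContinue).Count
    }
}

function Get-RegisteredVMs {
    # Inventory every VM the management service knows about, with its disk
    # image and virtual switch, so an unexpected Linux guest NATed through
    # the host stands out from anything the user set up on purpose.
    if (-not (Get-Command Get-VM -ErrorAction SilentlyContinue)) { return @() }
    foreach ($vm in Get-VM) {
        $nics  = Get-VMNetworkAdapter -VMName $vm.Name -ErrorAction SilentlyContinue
        $disks = Get-VMHardDiskDrive  -VMName $vm.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name      = $vm.Name
            State     = $vm.State
            Created   = $vm.CreationTime
            ConfigDir = $vm.Path
            Disks     = @($disks.Path) -join ';'
            Switches  = @($nics.SwitchName) -join ';'
            GuestIPs  = @($nics.IPAddresses) -join ';'
        }
    }
}

function Get-PersistenceArtifacts {
    # Security event 4720 = 'A user account was created'. Properties[0] is
    # the new account name, Properties[4] the account that created it.
    $newAccounts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Lookback } -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; NewAccount = $_.Properties[0].Value; CreatedBy = $_.Properties[4].Value } }
    # Scheduled tasks and Run keys that launch PowerShell (especially with
    # encoded arguments) are the usual carriers for script-based persistence.
    $psTasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { ($_.Actions.Execute -join ' ') -match 'powershell|pwsh' } |
        Select-Object TaskName, TaskPath, State, @{ n = 'Args'; e = { $_.Actions.Arguments -join ' ' } }
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' |
        ForEach-Object {
            $k = $_
            (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).PSObject.Properties |
                Where-Object { $_.Name -notmatch '^PS' -and "$($_.Value)" -match 'powershell|pwsh|-enc|FromBase64' } |
                ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
        }
    [pscustomobject]@{ NewAccounts = @($newAccounts); PowerShellTasks = @($psTasks); RunKeys = @($runKeys) }
}

function Find-IndicatorHits {
    # Match the page's indicators against exported proxy/firewall/DNS lines.
    # The guest's traffic leaves through the host's NAT, so it never shows up
    # in the host's own socket table (Get-NetTCPConnection); network-side
    # logs are where these indicators are actually visible.
    # sslip.io is a public wildcard DNS service: a.b.c.d.sslip.io resolves to
    # a.b.c.d, so the embedded IP is matched as well. Blocking all of
    # sslip.io would also break legitimate users of that service.
    param([string[]]$LogLines)
    $patterns = foreach ($i in $Indicators) {
        [regex]::Escape($i)
        if ($i -match '^(\d{1,3}(?:\.\d{1,3}){3})\.sslip\.io$') { [regex]::Escape($Matches[1]) }
    }
    $rx = ($patterns | Select-Object -Unique) -join '|'
    $LogLines | Where-Object { $_ -match $rx }
}

# Constructed sample log lines (not real telemetry); the last one is a
# benign control that names none of the indicators.
$sample = @(
    '2025-11-03T08:14:22Z fw allow src=10.0.0.25 dst=194.87.245.239 dport=443',
    '2025-11-03T08:14:30Z dns query 77.221.137.132.sslip.io A from 10.0.0.25',
    '2025-11-03T08:15:01Z fw allow src=10.0.0.25 dst=77.221.137.132 dport=8443',
    '2025-11-03T08:16:45Z fw allow src=10.0.0.25 dst=192.0.2.10 dport=443'
)

Get-HyperVFootprint      | Format-List
Get-RegisteredVMs        | Format-Table -AutoSize
Get-PersistenceArtifacts | Format-List
Find-IndicatorHits -LogLines $sample
```

Run it from an elevated prompt on each Windows 10 host under review; feed Find-IndicatorHits the exported lines from your proxy, firewall or DNS server rather than the host, since the host's own connection table will not show what a NATed guest sends. An enabled Hyper-V role on a workstation that has no business running VMs is the cheapest first triage signal; the VM inventory and 4720 events then tell you whether the hidden-guest and account-creation patterns described above are present.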

Date

  • Created: Nov. 5, 2025, 9:27 a.m.
  • Published: Nov. 5, 2025, 9:27 a.m.
  • Modified: Nov. 5, 2025, 9:49 a.m.

Indicators

  • 45.43.91.10
  • 194.87.245.239
  • 77.221.137.132.sslip.io
  • yohi.cc

Attack Patterns

  • CurlCat
  • CurlyShell
  • Curly COMrades

Additional Information

  • South Georgia and the South Sandwich Islands
  • Georgia