Executive Summary
In early 2024, the pro-Russian threat group known as Curly COMrades leveraged Linux virtual machines within Windows environments to bypass security controls and evade detection. By deploying Linux VMs on compromised Windows hosts, the attackers concealed their activities, used native tools for lateral movement, and exfiltrated sensitive data without triggering traditional endpoint or network monitoring. This novel cross-OS technique allowed extended dwell time and left organizations vulnerable to espionage, data loss, and operational disruption.
This incident is especially relevant given the continuing evolution of threat actor tactics, including living-off-the-land and virtualization abuse. Organizations must adapt defenses to anticipate adversaries' creative use of multi-platform infrastructures and strengthen their east-west visibility to prevent stealthy attacks.
Why This Matters Now
This breach highlights the urgent need for organizations to monitor and secure not just Windows assets but also virtualized and hybrid infrastructures. As sophisticated attackers blend platforms to hide malicious activity, traditional security tools may miss cross-OS threats—making advanced visibility, segmentation, and threat detection essential right now.
Attack Path Analysis
Curly COMrades initially compromised Windows environments, likely via phishing or exploitation of vulnerable remote access points, then deployed and leveraged hidden Linux VMs to escalate privileges within the compromised infrastructure. Using these Linux VMs, they traversed internal network boundaries to laterally move between Windows and Linux assets, blending in with legitimate east-west traffic. The attackers established persistent command and control channels, potentially using encrypted or covert communications to evade detection. Sensitive data was exfiltrated from compromised systems, with Linux VMs acting as staging hosts to bypass outbound controls. Ultimately, the operation's impact involved undetected spying and potential data theft, with disruption or destructive actions left as potential objectives.
Kill Chain Progression
Initial Compromise
Description
Attackers gained initial access to the Windows environment, likely via phishing, weak credentials, or exposed remote access, before deploying covert Linux VMs within victim networks.
Related CVEs
CVE-2025-8875
CVSS 9.8
A command execution vulnerability in N-able N-central allows unauthenticated remote attackers to execute arbitrary commands.
Affected Products:
N-able N-central – < 2025.3.1
Exploit Status:
exploited in the wild
CVE-2025-8876
CVSS 8.8
A command injection vulnerability in N-able N-central allows authenticated remote attackers to execute arbitrary commands.
Affected Products:
N-able N-central – < 2025.3.1
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Hide Artifacts: Virtualization/Sandbox Evasion
Command and Scripting Interpreter: Unix Shell
Indicator Removal on Host: File Deletion
Execution through API
Virtualization/Sandbox Evasion: System Checks
User Execution
Event Triggered Execution: Unix Shell Configuration Modification
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Implement automated audit trails
Control ID: 10.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Continuous Device Monitoring
Control ID: Monitor and Inspect – Devices
NIS2 Directive – Incident Handling and Response
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Pro-Russian APT using Linux VMs creates critical east-west traffic risks, threatening encrypted transactions and requiring enhanced Zero Trust segmentation for compliance.
Government Administration
State-aligned Curly COMrades APT poses severe national security risks through undetected lateral movement, demanding immediate threat detection and anomaly response capabilities.
Information Technology/IT
Linux VM hiding techniques exploit cloud infrastructure vulnerabilities, necessitating multicloud visibility controls and Kubernetes security for service provider environments.
Health Care / Life Sciences
APT lateral movement threatens HIPAA compliance through compromised east-west traffic, requiring encrypted HPE solutions and comprehensive egress security enforcement.
Sources
- Pro-Russian Hackers Use Linux VMs to Hide in Windows: https://www.darkreading.com/endpoint-security/pro-russian-hackers-linux-vms-hide-windows
- Russian hackers abuse Hyper-V to hide malware in Linux VMs: https://www.bleepingcomputer.com/news/security/russian-hackers-abuse-microsoft-hyper-v-to-hide-malware-in-vms/
- Russian hackers hit Windows machines via Linux VMs with new custom malware: https://www.techradar.com/pro/security/russian-hackers-hit-windows-machines-via-linux-vms-with-new-custom-malware
- Russian spies pack custom malware into hidden VMs on Windows machines: https://www.theregister.com/2025/11/04/russian_spies_pack_custom_malware/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Comprehensive CNSF controls—such as zero trust segmentation, east-west traffic security, egress policy enforcement, and continuous threat detection—would restrict adversary lateral movement, block unauthorized outbound data flows, and provide visibility into covert VM activity, breaking the kill chain at multiple points.
Control: Threat Detection & Anomaly Response
Mitigation: Early detection and alerting of anomalous remote access or initial unauthorized activity.
Control: Zero Trust Segmentation
Mitigation: Limited attacker ability to escalate privileges or deploy unmanaged workloads in protected segments.
Control: East-West Traffic Security
Mitigation: Stops or detects unauthorized internal traffic between workloads, curbing lateral spread.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks suspicious outbound connections and prevents rogue command-and-control traffic.
Control: Cloud Firewall (ACF) & Inline IPS (Suricata)
Mitigation: Detects or prevents malicious data exfiltration attempts via network-based filtering and signature inspection, and enables quick detection and response to ongoing impact or disruptive actions.
Impact at a Glance
Affected Business Functions
- Government Operations
- Energy Distribution
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive government and energy sector data, including operational details and strategic plans.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust segmentation to restrict lateral movement paths between and within workloads, including across OS boundaries.
- Deploy continuous east-west traffic monitoring and anomaly detection to flag covert VM deployments and unauthorized traffic flows.
- Strengthen egress and outbound policy enforcement to prevent covert command and control as well as data exfiltration routes.
- Implement centralized, cloud-native visibility for rapid detection of shadow IT assets such as unmanaged Linux VMs.
- Use automated inline controls such as cloud firewalls and IPS to block known C2 patterns and anomalous outbound transfer attempts in real time.
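The second and fourth takeaways above (flagging covert VM deployments and spotting unmanaged Linux VMs as shadow IT) come down to a simple inventory check: hypervisor activity on a Windows host that is not a sanctioned virtualization host. The following is an added example, not code from the original advisory or from any vendor named on this page. It scans constructed process-creation records in a hypothetical `key="value"` format and alerts when Hyper-V processes or a Hyper-V feature-enablement / VM-creation command line appear on a host outside the allowlist. The process names, the command-line patterns, the host names and the log lines are assumptions and constructed sample data.

```python
"""Detect hypervisor activity on Windows hosts that are not approved VM hosts.

Added example (not from the original advisory). Input records are constructed
and use an assumed 'key="value"' process-creation format.
"""
import re
from dataclasses import dataclass

# Assumption: Hyper-V management/worker processes. Seeing them on a host that
# is not in the sanctioned-host inventory suggests an unmanaged VM.
HYPERVISOR_PROCESSES = {"vmms.exe", "vmwp.exe", "vmcompute.exe"}

# Assumption: command-line fragments that enable Hyper-V or create a VM.
SUSPICIOUS_CMDLINE = re.compile(
    r"(Microsoft-Hyper-V|\bNew-VM\b|Enable-WindowsOptionalFeature|dism(\.exe)?\s.*hyper-v)",
    re.IGNORECASE,
)

# Constructed inventory of hosts that are allowed to run virtualization.
SANCTIONED_VM_HOSTS = {"HV-PROD-01"}

# Constructed sample process-creation records (not real telemetry).
SAMPLE_RECORDS = [
    'host="HV-PROD-01" user="CORP\\svc_hyperv" image="C:\\Windows\\System32\\vmms.exe" cmdline="vmms.exe"',
    'host="WKSTN-1042" user="CORP\\jdoe" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmdline="powershell -NoP -c Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All"',
    'host="WKSTN-1042" user="CORP\\jdoe" image="C:\\Windows\\System32\\vmwp.exe" cmdline="vmwp.exe"',
    'host="WKSTN-2077" user="CORP\\asmith" image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" cmdline="firefox.exe"',
]


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    reason: str
    evidence: str


def parse_record(line):
    """Parse one 'key="value"' record into a dict (values may contain backslashes)."""
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+)="([^"]*)"', line)}


def detect_unmanaged_hypervisor(records, sanctioned_hosts):
    """Return alerts for hypervisor activity on hosts outside the sanctioned set."""
    allowed = {h.lower() for h in sanctioned_hosts}
    alerts = []
    for line in records:
        r = parse_record(line)
        host = r.get("host", "")
        if host.lower() in allowed:
            continue  # approved virtualization host: expected activity
        # Strip the directory so only the executable name is compared.
        image = r.get("image", "").rsplit("\\", 1)[-1].lower()
        cmdline = r.get("cmdline", "")
        user = r.get("user", "")
        if image in HYPERVISOR_PROCESSES:
            alerts.append(Alert(host, user, "hypervisor process on non-VM host", image))
        elif SUSPICIOUS_CMDLINE.search(cmdline):
            alerts.append(Alert(host, user, "hypervisor enablement / VM creation command", cmdline))
    return alerts


if __name__ == "__main__":
    for a in detect_unmanaged_hypervisor(SAMPLE_RECORDS, SANCTIONED_VM_HOSTS):
        print(f"[ALERT] {a.host} ({a.user}): {a.reason} -> {a.evidence}")
```

Run as a script it reports two alerts for WKSTN-1042 (the feature-enablement command, then the VM worker process) and nothing for the sanctioned host or the workstation running only a browser. The allowlist is what makes this useful: the same processes are benign on HV-PROD-01, so the signal is the mismatch between observed virtualization and the asset inventory, which is also the mismatch that matters for the east-west segmentation controls listed above.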