Executive Summary
In a campaign disclosed by Bitdefender in November 2025, the advanced persistent threat group Curly COMrades abused Windows Hyper-V to evade endpoint detection and response (EDR) tooling. After compromising Windows hosts with administrative rights, the actor quietly enabled the built-in Hyper-V role and deployed a minimal Alpine Linux virtual machine (VM) on each of them. The VM served as an isolated enclave for custom malware and command-and-control (C2) activity: the host's EDR saw only the Hyper-V worker process, not the processes, files or sockets inside the guest, and because the VM was attached to Hyper-V's NAT-based Default Switch, its outbound connections appeared on the network as ordinary traffic from the host's own IP address. Victims suffered unauthorized data access and an increased risk of lateral movement, while standard EDR tooling never observed the malicious payloads running inside the guest.
This attack highlights a growing trend of leveraging virtualization and container technologies to bypass security controls. As organizations increasingly adopt hybrid and multi-cloud environments, adversaries are developing novel methods to mask malicious operations from traditional detection mechanisms, underscoring the need for advanced visibility and zero trust segmentation.
Why This Matters Now
The abuse of virtualization platforms for stealthy attacks is escalating, posing urgent challenges for defending modern cloud and hybrid infrastructures. Without enhanced east-west traffic monitoring and identity-based segmentation, organizations remain exposed to evasive tactics that sidestep host-based endpoint security by running outside its field of view.
Attack Path Analysis
Curly COMrades first compromised Windows hosts, most likely through valid credentials or an exploited service, and obtained the administrative rights that enabling the Hyper-V role requires. Enabling Hyper-V is not itself a privilege escalation; it is a legitimate optional Windows feature, and that is exactly what makes it useful to the attacker. The resulting Alpine Linux guest runs outside the scope of host-based EDR, which sees only the vmms.exe management service and a vmwp.exe worker process, and whose file scanners do not look inside the guest's virtual disk. From inside the VM the actor ran custom tooling that provided remote shell access and established encrypted C2 channels to external infrastructure; because the guest sat behind the Hyper-V Default Switch, that traffic was NATed and left the machine with the host's IP address, so network logs attributed it to a normal Windows endpoint. The hidden VM then served as a foothold for lateral movement into internal segments, and data could be exfiltrated covertly over the same outbound channels. The resulting impact ranges from data theft to ransomware deployment and long-lived persistence that survives host-level cleanup of individual binaries, since the guest disk image is opaque to host antivirus.
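The attack path above is invisible to a host EDR's process telemetry, but the hypervisor itself leaves host-side traces. The following PowerShell hunting script is an added example, not Bitdefender's or the actor's code, and it is not from the original page. It checks an endpoint for an enabled Hyper-V feature, VM worker processes, enumerated guests (with the Default Switch NAT and small-footprint heuristics discussed above), recent VMMS events, and scheduled tasks that reference Hyper-V. The 512 MB memory threshold and the 30-day event window are assumptions chosen for illustration, not indicators taken from the reporting. Run it elevated; the Hyper-V PowerShell module is only present when the role is installed, so the guest enumeration step is skipped gracefully elsewhere.

```powershell
# Hunt-HiddenHyperV.ps1 (added example; run as Administrator)
# Looks for the host-side footprint of a covertly enabled Hyper-V role and a
# hidden guest VM on a Windows endpoint that should not normally run VMs.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Is the Hyper-V optional feature enabled on this box?
$feat = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-All' -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    $findings.Add("Hyper-V feature is ENABLED on $env:COMPUTERNAME")
}

# 2. Management service and worker processes: every running guest owns one vmwp.exe.
$vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
if ($vmms -and $vmms.Status -eq 'Running') { $findings.Add('vmms (Hyper-V Virtual Machine Management) service is running') }
Get-Process -Name vmwp -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add("VM worker process vmwp.exe PID $($_.Id) started $($_.StartTime)")
}

# 3. Enumerate guests if the Hyper-V module is available.
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    $vhdStore = (Get-VMHost).VirtualHardDiskPath   # configured default VHD location
    foreach ($vm in Get-VM) {
        $memMB = [int]($vm.MemoryStartup / 1MB)
        $disks = @(Get-VMHardDiskDrive -VMName $vm.Name | Select-Object -ExpandProperty Path)
        $nics  = @(Get-VMNetworkAdapter -VMName $vm.Name | Select-Object -ExpandProperty SwitchName)
        $findings.Add("VM '$($vm.Name)' state=$($vm.State) gen=$($vm.Generation) mem=${memMB}MB created=$($vm.CreationTime) switch=$($nics -join ',') disks=$($disks -join ',')")
        # Assumed heuristic: a tiny guest is consistent with a minimal Alpine-style enclave.
        if ($memMB -le 512) { $findings.Add('  -> low memory footprint (assumed threshold: 512 MB)') }
        # Default Switch is NAT: the guest's traffic leaves the host with the host's IP.
        if ($nics -contains 'Default Switch') { $findings.Add("  -> attached to Default Switch (NAT: guest egress uses the host's IP)") }
        foreach ($d in $disks) {
            if ($d -and -not $d.StartsWith($vhdStore, [System.StringComparison]::OrdinalIgnoreCase)) {
                $findings.Add("  -> VHD outside the default store: $d")
            }
        }
    }
}

# 4. Recent VMMS admin-channel events (VM creation, start, configuration changes) for triage.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Hyper-V-VMMS-Admin'; StartTime = (Get-Date).AddDays(-30) } -ErrorAction SilentlyContinue
foreach ($e in ($events | Select-Object -First 20)) {
    $findings.Add("VMMS event $($e.Id) at $($e.TimeCreated): $(($e.Message -split "`n")[0])")
}

# 5. Scheduled tasks whose actions reference Hyper-V tooling (a common way to restart a guest at boot).
Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
    ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match 'Start-VM|vmconnect|Hyper-V|vmms'
} | ForEach-Object { $findings.Add("Scheduled task referencing Hyper-V: $($_.TaskPath)$($_.TaskName)") }

if ($findings.Count -eq 0) { 'No Hyper-V indicators found.' } else { $findings }
```

On a fleet, the first two checks alone are enough to build an alert: a workstation on which the Hyper-V feature flips to Enabled, or on which vmwp.exe appears for the first time, is worth an analyst's attention regardless of what the guest turns out to be.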
Kill Chain Progression
Initial Compromise
Description
The attacker gained an initial foothold on a Windows system, potentially via stolen credentials or remote code execution, and then obtained the administrative rights needed to enable the Hyper-V role.
Related CVEs
The CVEs below are guest-to-host escape and denial-of-service flaws in Hyper-V itself. None of the public reporting on this campaign describes the actor exploiting a Hyper-V vulnerability: Hyper-V was enabled as a built-in feature with administrative rights the actor already held. The CVEs are listed because a host that now runs an attacker-controlled guest is exposed to them if it is unpatched.
CVE-2024-49117
CVSS 8.5. A remote code execution vulnerability in Windows Hyper-V allows an authenticated attacker on a guest VM to execute arbitrary code on the Hyper-V host.
Affected Products: Microsoft Windows with the Hyper-V role, prior to the December 2024 security update
Exploit Status: no confirmed in-the-wild exploitation (not listed in CISA KEV at the time of writing)
CVE-2024-30092
CVSS 8.0. A remote code execution vulnerability in Windows Hyper-V due to improper handling of device emulation routines, allowing an authenticated attacker on a guest VM to execute code on the host.
Affected Products: Microsoft Windows with the Hyper-V role, prior to the June 2024 security update
Exploit Status: proof of concept
CVE-2024-29064
CVSS 6.5. A denial of service vulnerability in Windows Hyper-V allows an authenticated attacker on a guest VM to cause the host operating system to become unresponsive.
Affected Products: Microsoft Windows with the Hyper-V role, prior to the April 2024 security update
Exploit Status: no public exploit
MITRE ATT&CK® Techniques
Hide Artifacts: Run Virtual Instance (T1564.006)
Valid Accounts (T1078)
Command and Scripting Interpreter: Unix Shell (T1059.004)
Native API (T1106)
Indirect Command Execution (T1202)
Application Layer Protocol (T1071) for the encrypted C2 channel
Exfiltration Over C2 Channel (T1041)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Establish and Maintain System and Network Access Controls
Control ID: 7.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Frameworks
Control ID: Art. 9(2)
CISA ZTMM 2.0 – Visibility of All Assets
Control ID: Asset Management - 1.2
NIS2 Directive – Access Control and Asset Management
Control ID: Article 21(2)(i)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Advanced persistent threats abusing Hyper-V virtualization directly target IT infrastructure, bypassing host-based EDR and enabling lateral movement wherever networks are flat or only weakly segmented.
Financial Services
Banking systems that rely on virtualized environments are exposed to Curly COMrades' techniques: attacker traffic is tunnelled inside encrypted channels that perimeter controls already permit, undermining the monitoring controls on which regulatory compliance depends.
Health Care / Life Sciences
Healthcare organizations running Hyper-V infrastructure risk HIPAA compliance violations as attackers deploy hidden Linux VMs to evade security controls and access patient data.
Government Administration
Government entities face elevated APT risks from virtualization-based attacks that circumvent traditional security measures, potentially compromising sensitive administrative systems and data.
Sources
- Hackers Weaponize Windows Hyper-V to Hide Linux VM and Evade EDR Detection, https://thehackernews.com/2025/11/hackers-weaponize-windows-hyper-v-to.html
- Curly COMrades: Evasion and Persistence via Hidden Hyper-V Virtual Machines, https://www.bitdefender.com/en-us/blog/businessinsights/curly-comrades-evasion-persistence-hidden-hyper-v-virtual-machines
- Russian hackers hit Windows machines via Linux VMs with new custom malware, https://www.techradar.com/pro/security/russian-hackers-hit-windows-machines-via-linux-vms-with-new-custom-malware
- Russian spies pack custom malware into hidden VMs on Windows machines, https://www.theregister.com/2025/11/04/russian_spies_pack_custom_malware/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust controls such as segmentation, internal traffic inspection, strong egress policy, and east-west visibility would have significantly limited the attack by containing lateral movement from the VM, detecting anomalous traffic, and preventing covert data exfiltration. Policy-based enforcement would block the traffic of unauthorized workloads even when attackers evade endpoint detection, because a hidden guest still has to reach the network through the host.
Control: Multicloud Visibility & Control
Mitigation: Would have provided early detection and alerting of unauthorized or suspicious remote access attempts.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline policy enforcement would flag and control the new flows a rogue workload generates; even NATed behind the host's address, the guest's traffic must traverse the network, where a workstation suddenly sustaining long-lived outbound sessions stands out.
Control: Zero Trust Segmentation
Mitigation: Microsegmentation prevents lateral movement between workloads, blocking access from rogue VMs.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound filtering and FQDN controls disrupt unapproved communication to C2 infrastructure.
Control: Encrypted Traffic (HPE)
Mitigation: Line-rate encryption protects data in transit between approved endpoints and prevents cleartext exfiltration; it does not itself stop an attacker who already uses encrypted C2, so its value here is the flow-level visibility it preserves into anomalous sessions. Behavioral baselining and alerting identify ransomware actions and unauthorized workload behavior.
Impact at a Glance
Affected Business Functions
- IT Operations
- Security Monitoring
- Network Management
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive government and corporate data due to unauthorized remote access and data exfiltration.
Recommended Actions
Key Takeaways & Next Steps
- Deploy microsegmentation and Zero Trust segmentation to contain lateral movement from rogue or hidden workloads.
- Enforce strict egress controls, including FQDN and application-based filtering, to detect and prevent covert command and control or data exfiltration attempts.
- Extend centralized visibility and policy management across all cloud, on-prem, and hybrid environments for unified incident detection.
- Implement real-time traffic anomaly and behavior monitoring to quickly identify VM-level persistence and evasion tactics.
- Treat unexpected Hyper-V enablement on workstations as an incident: alert when the Hyper-V optional feature is turned on, when vmms.exe or vmwp.exe appears on endpoints with no business running VMs, and when new guests show up in the Microsoft-Windows-Hyper-V-VMMS-Admin log; include any guest disk images in forensic review, since host EDR and antivirus do not inspect them.
- Automate incident response playbooks leveraging Cloud Native Security Fabric to detect, contain, and remediate hidden infrastructure attacks.
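Containing a hidden guest once it is found is a different task from finding it: the guest's memory and disk are the evidence, and both live only on the host. The following PowerShell script is an added example of a containment-and-preservation step, not code from the original page or from the cited reports. It disconnects the guest's network adapters first so C2 stops, forces a standard (memory-including) checkpoint, exports the full VM with its configuration and virtual disks, hashes the export, and then turns the guest off and prevents it from auto-starting. The VM name and the evidence path are illustrative parameters; adjust them to the case. Run it elevated on the affected host.

```powershell
# Isolate-RogueVM.ps1 (added example; run as Administrator on the Hyper-V host)
# Usage: .\Isolate-RogueVM.ps1 -Name 'suspect-vm' -EvidenceRoot 'D:\evidence'
param(
    [Parameter(Mandatory)][string]$Name,          # name of the suspicious guest (assumed)
    [string]$EvidenceRoot = 'D:\evidence'         # evidence volume (assumed path)
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $EvidenceRoot "$env:COMPUTERNAME-$Name-$stamp"
New-Item -ItemType Directory -Path $dest -Force | Out-Null

$vm = Get-VM -Name $Name -ErrorAction Stop

# 1. Sever the guest's network path first: C2 and exfiltration stop while guest
#    memory is still intact for capture.
Get-VMNetworkAdapter -VMName $Name | Disconnect-VMNetworkAdapter

# 2. Force a standard checkpoint (captures RAM + disk) rather than a production
#    checkpoint, which quiesces via integration services and drops memory state.
if ($vm.State -eq 'Running') {
    Set-VM -Name $Name -CheckpointType Standard
    Checkpoint-VM -Name $Name -SnapshotName "ir-$stamp"
}

# 3. Record the guest's configuration and disk paths, then export everything
#    (configuration, VHDs and checkpoints) to the evidence directory.
$vm | Select-Object Name, State, Generation, MemoryStartup, Path, CreationTime |
    ConvertTo-Json | Out-File (Join-Path $dest 'vm-config.json')
Get-VMHardDiskDrive -VMName $Name | Select-Object -ExpandProperty Path |
    Out-File (Join-Path $dest 'vhd-paths.txt')
Get-VMNetworkAdapter -VMName $Name | Select-Object Name, SwitchName, MacAddress |
    ConvertTo-Json | Out-File (Join-Path $dest 'vm-nics.json')
Export-VM -Name $Name -Path $dest

# 4. Hash the export for chain of custody.
Get-ChildItem -Path $dest -Recurse -File | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path | Export-Csv (Join-Path $dest 'sha256.csv') -NoTypeInformation

# 5. Hard-stop the guest and keep it from coming back at the next host boot.
Stop-VM -Name $Name -TurnOff -Force
Set-VM -Name $Name -AutomaticStartAction Nothing

"Guest '$Name' isolated; evidence exported to $dest"
```

The order matters: disconnecting before the checkpoint trades a few seconds of live connection state for certainty that the guest cannot act on the host's behalf while the export runs, and turning the guest off with -TurnOff rather than a graceful shutdown avoids giving an attacker-controlled OS a chance to run shutdown hooks. The host itself should still be treated as compromised and rebuilt; an exported VM is evidence, not remediation.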