Executive Summary
In early 2024, threat intelligence analysts uncovered a sophisticated campaign by the Russian-backed group Curly COMrades, wherein attackers abused Microsoft's Hyper-V virtualization feature to bypass endpoint detection on target Windows systems. The attackers covertly deployed an Alpine Linux virtual machine, invisible to conventional security tools, and used it as a persistent foothold to run malware, facilitate lateral movement, and exfiltrate sensitive data. This technique allowed them to mask malicious processes and evade established EDR and antivirus solutions, posing serious risks to affected organizations.
This incident highlights an alarming evolution in advanced persistent threat tactics, with adversaries exploiting virtualization infrastructure to evade modern security controls. As virtualized environments and cloud workloads proliferate, organizations must harden hypervisors, enhance east-west security, and advance detection capabilities to fend off similar stealthy threats.
Why This Matters Now
Attackers are increasingly leveraging virtualization technologies to hide their activities inside enterprise environments, bypassing traditional endpoint defenses. With the proliferation of Hyper-V and other hypervisors across businesses, immediate action is essential to ensure proper segmentation, monitoring, and policy enforcement on virtual infrastructure to prevent unseen lateral movement and persistent intrusions.
Attack Path Analysis
The attackers initially compromised a Windows host, likely via phishing or exploit, before deploying and managing a covert Alpine Linux VM under Hyper-V to bypass traditional endpoint detection. Privileged access on the host enabled them to establish, configure, and conceal the malicious VM. Through east-west lateral movement within the cloud or virtual infrastructure, they maintained communication and control. The Linux VM communicated with remote C2 infrastructure, enabling persistent attacker access. Sensitive data was likely exfiltrated through the VM's egress channels, leveraging encrypted or covert channels. The campaign had the potential to inflict operational impact, including data theft, ransomware deployment, or business disruption.
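A host-side check that defenders can run against the technique described above, added here as an example and not part of the original brief: it reports whether the Hyper-V role is enabled, enumerates every VM the host knows about, and flags VMs that are missing from an approved inventory or were created recently. The allowlist names, the 30-day window and the "run as Administrator" assumption are constructed for this example.

```powershell
# Added example (not from the original brief): audit a Windows host for
# Hyper-V virtual machines that are not on the approved inventory.
# Assumes an elevated PowerShell session on the host being audited.

$ApprovedVms = @('build-agent-01', 'lab-win11')   # constructed allowlist
$RecentDays  = 30                                  # assumption: review window

# 1. Is the Hyper-V role enabled at all? On a user workstation that is
#    already worth a ticket, because the brief's covert VM needs it.
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V'
Write-Output ("Hyper-V feature state: {0}" -f $feature.State)
if ($feature.State -ne 'Enabled') { return }

# 2. Enumerate every VM registered with the host, with state and creation time.
$vms = Get-VM | Select-Object Name, State, CreationTime, Generation
$vms | Format-Table -AutoSize

# 3. Flag VMs outside the allowlist, or created inside the review window.
$cutoff  = (Get-Date).AddDays(-$RecentDays)
$suspect = $vms | Where-Object {
    ($ApprovedVms -notcontains $_.Name) -or ($_.CreationTime -gt $cutoff)
}

foreach ($vm in $suspect) {
    # Which virtual switch gives the VM a network path (C2, lateral movement)?
    $switches = Get-VMNetworkAdapter -VMName $vm.Name |
        Select-Object -ExpandProperty SwitchName
    Write-Warning ("Unapproved or recent VM '{0}' ({1}, created {2}) on switch(es): {3}" -f
        $vm.Name, $vm.State, $vm.CreationTime, ($switches -join ', '))
}

# 4. Corroborate with the Hyper-V management service log: recent entries that
#    mention a VM being created. Message text is matched rather than event IDs
#    so the check does not depend on a specific ID list.
Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents 200 `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -gt $cutoff -and $_.Message -match 'created' } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

Any VM that appears in step 3 but not in your change records is the kind of artifact the brief describes; pair this with network-side egress monitoring, since the guest's traffic leaves through the host's virtual switch.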
Kill Chain Progression
Initial Compromise
Description
Attackers gained initial access to a Windows host by exploiting a vulnerability, phishing, or misconfiguration, deploying Hyper-V to create a covert VM.
Related CVEs
CVE-2025-21333 (CVSS 7.8)
An elevation of privilege vulnerability in Windows Hyper-V's NT Kernel Integration VSP component allows attackers to gain SYSTEM privileges.
Affected Products: Microsoft Windows Hyper-V – Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Exploit Status: exploited in the wild

CVE-2025-21334 (CVSS 7.8)
An elevation of privilege vulnerability in Windows Hyper-V's NT Kernel Integration VSP component allows attackers to gain SYSTEM privileges.
Affected Products: Microsoft Windows Hyper-V – Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Exploit Status: exploited in the wild

CVE-2025-21335 (CVSS 7.8)
An elevation of privilege vulnerability in Windows Hyper-V's NT Kernel Integration VSP component allows attackers to gain SYSTEM privileges.
Affected Products: Microsoft Windows Hyper-V – Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
- Hide Artifacts: Virtualization/Sandbox Evasion
- Indirect Command Execution
- System Services: Service Execution
- Indicator Removal on Host: File Deletion
- Valid Accounts
- Process Discovery
- Application Layer Protocol: Web Protocols
- Impair Defenses: Disable or Modify Tools
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Monitor and Analyze Security Events (Control ID: 10.1.2)
- NYDFS 23 NYCRR 500 – Cybersecurity Policy (Control ID: 500.03)
- DORA – ICT Risk Management Framework (Control ID: Art. 10)
- NIS2 Directive – Incident Detection and Handling (Control ID: Art. 21(2)(d))
- CISA ZTMM 2.0 – Continuous Monitoring of Assets and Activities (Control ID: Visibility and Analytics)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
A Russian APT group exploiting Hyper-V virtualization creates critical risks for financial institutions running Windows infrastructure, since the technique bypasses endpoint detection systems.
Health Care / Life Sciences
Healthcare organizations face severe HIPAA compliance violations as Russian hackers hide malware in Linux VMs, compromising patient data protection.
Government Administration
Government agencies are targeted by a sophisticated Russian APT using virtualization evasion techniques, threatening national security and critical infrastructure operations.
Information Technology/IT
IT sector heavily impacted as Curly COMrades exploits fundamental virtualization technologies, compromising cloud security and managed service provider environments.
Sources
- Russian hackers abuse Hyper-V to hide malware in Linux VMs: https://www.bleepingcomputer.com/news/security/russian-hackers-abuse-hyper-v-to-hide-malware-in-linux-vms/
- Russian hackers hit Windows machines via Linux VMs with new custom malware: https://www.techradar.com/pro/security/russian-hackers-hit-windows-machines-via-linux-vms-with-new-custom-malware
- Hackers Weaponize Windows Hyper-V to Hide Linux VM and Evade EDR Detection: https://thehackernews.com/2025/11/hackers-weaponize-windows-hyper-v-to.html
- Curly COMrades: Evasion and Persistence via Hidden Hyper-V Virtual Machines: https://itwire.com/business-it-news/security/curly-comrades-evasion-and-persistence-via-hidden-hyper-v-virtual-machines.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, meticulous east-west traffic controls, and robust egress enforcement would have sharply limited the attackers’ ability to pivot, maintain C2, or exfiltrate data—even with a covert VM. CNSF’s distributed policy, real-time threat detection, and identity- and service-based segmentation strip adversaries of stealth and maneuverability within hybrid and multicloud landscapes.
- Threat Detection & Anomaly Response: fast identification and alerting on anomalous VM creation activity.
- Zero Trust Segmentation: blocks unauthorized admin actions and lateral privilege escalation.
- East-West Traffic Security: detects and contains lateral movement attempts between workloads.
- Egress Security & Policy Enforcement: prevents or flags unauthorized external communications.
- Encrypted Traffic (HPE): detects abnormal encrypted transfer volumes or unauthorized traffic flows.
Rapid cross-cloud visibility enabled incident containment and response.
Impact at a Glance
Affected Business Functions
- IT Operations
- Network Security
- Data Management
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive government and energy sector data due to unauthorized access facilitated by the malware.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust segmentation and microsegmentation to ensure unauthorized VMs or lateral movement are immediately constrained.
- Deploy continuous threat detection and anomaly response to rapidly alert on abnormal virtualization or network behaviors.
- Apply rigorous east-west and egress traffic controls, including identity-based and application-aware filtering, to halt covert C2 and data exfiltration paths.
- Centralize multicloud visibility and policy enforcement to close observability gaps across hybrid assets and virtual infrastructure.
- Regularly audit the virtualization management plane and privilege assignments to ensure unused administrative permissions and dormant attack surfaces are minimized.