Cyber-Espionage Group Uses Hyper-V for Stealthy Attacks

A cyber-espionage group known as Curly COMrades has been leveraging Microsoft Hyper-V virtualization to establish stealthy, persistent access within compromised networks. The group uses a lightweight Alpine Linux virtual machine to host its custom malware, CurlyShell and CurlCat, which run inside a virtualized enclave that host-based endpoint detection and response (EDR) tools cannot see into. The attackers also rely on PowerShell scripts for persistence and lateral movement, including a custom Kerberos ticket injector script. The investigation was conducted in collaboration with a national CERT, which provided critical evidence from a compromised web server that had been used as a proxy for the attackers' C2 infrastructure.
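Because the guest VM is opaque to the host EDR, the detection opportunity moves to the host itself: whether Hyper-V is enabled where it should not be, which VMs exist and how they were provisioned, and what the Hyper-V management service logged. The following hunting script is an added example written for this article; it is not code from the original report or from any vendor. It assumes a Windows host, an elevated session, and the Hyper-V PowerShell module (`Get-VM` and friends). The size, memory and age thresholds are illustrative assumptions to be tuned per estate.

```powershell
# Added hunting script (illustrative, not from the original report).
# Assumes: Windows host, elevated session, Hyper-V PowerShell module available.
# Thresholds are assumptions; adjust to what "normal" looks like in your fleet.
#Requires -RunAsAdministrator

$SmallDiskBytes = 4GB   # assumption: a minimal Linux guest fits well under this
$LowMemoryBytes = 1GB   # assumption: attacker-provisioned guests tend to run lean
$RecentDays     = 30    # look-back window for creation time and log events

$findings = New-Object System.Collections.Generic.List[object]

# 1. Feature state. Hyper-V enabled on a workstation with no business need for
#    virtualization is a lead on its own, before any VM is even found.
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-All' -ErrorAction SilentlyContinue
$hyperVEnabled = ($null -ne $feature) -and ($feature.State -eq 'Enabled')
Write-Host ("Hyper-V platform enabled: {0}" -f $hyperVEnabled)

if (-not (Get-Command Get-VM -ErrorAction SilentlyContinue)) {
    Write-Warning 'Hyper-V PowerShell module not present; VM enumeration skipped.'
} else {
    # 2. Inventory every VM with the attributes that separate a lean, quietly
    #    created guest from a sanctioned one: tiny disk, little memory,
    #    Secure Boot off (non-Windows guest), recent creation.
    foreach ($vm in Get-VM) {
        $reasons = @()

        $diskBytes = 0
        foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name) {
            $item = Get-Item -LiteralPath $disk.Path -ErrorAction SilentlyContinue
            if ($item) { $diskBytes += $item.Length }
        }
        if ($diskBytes -gt 0 -and $diskBytes -lt $SmallDiskBytes) {
            $reasons += "small virtual disk ($([math]::Round($diskBytes / 1MB)) MB)"
        }
        if ($vm.MemoryStartup -lt $LowMemoryBytes) {
            $reasons += "low startup memory ($([math]::Round($vm.MemoryStartup / 1MB)) MB)"
        }
        if ($vm.Generation -eq 2) {
            $fw = Get-VMFirmware -VMName $vm.Name
            if ($fw.SecureBoot -eq 'Off') { $reasons += 'Secure Boot disabled (typical for non-Windows guests)' }
        }
        if ($vm.CreationTime -gt (Get-Date).AddDays(-$RecentDays)) {
            $reasons += "created in the last $RecentDays days ($($vm.CreationTime))"
        }

        # Guest addresses and switch help an analyst pivot into network telemetry.
        $nics = Get-VMNetworkAdapter -VMName $vm.Name
        $ips  = ($nics | ForEach-Object { $_.IPAddresses }) -join ','

        $findings.Add([pscustomobject]@{
            Name     = $vm.Name
            State    = $vm.State
            Created  = $vm.CreationTime
            Switch   = (($nics | ForEach-Object { $_.SwitchName }) -join ',')
            GuestIPs = $ips
            Reasons  = ($reasons -join '; ')
        })
    }
}

# 3. Lifecycle events from the Hyper-V management service (VMMS) admin log.
#    Message text is matched rather than event IDs so the query works without
#    an ID list; refine with confirmed IDs once you have validated them.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Hyper-V-VMMS-Admin'
    StartTime = (Get-Date).AddDays(-$RecentDays)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'created|imported|started' } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }

# Only VMs that tripped at least one heuristic are worth an analyst's time.
$findings | Where-Object { $_.Reasons } | Format-Table -AutoSize
$events   | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the host under review. A VM that trips several heuristics at once (small disk, low memory, Secure Boot off, created recently) is the profile to triage first; the VMMS events then give the creation timeline and the account context that the guest itself will never expose to host-side tooling.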

Latest mentioned: 11-06
Earliest mentioned: 11-04