
Evasion and Persistence via Hidden Hyper-V Virtual Machines

Severity: Medium
Published: Wed Nov 05 2025 (11/05/2025, 09:27:48 UTC)
Source: AlienVault OTX General

Description

The Curly COMrades threat actor uses hidden Hyper-V virtual machines on compromised Windows 10 hosts to establish covert, persistent access. They deploy a minimal Alpine Linux VM running custom malware that provides reverse shell and proxy functions; because the malware executes inside the guest rather than on the host, traditional endpoint detection and response (EDR) tools on the host do not see it. Persistence is maintained through PowerShell scripts, Kerberos ticket manipulation, and local account creation. The technique gives the attackers a stealthy remote operating environment that is difficult to detect and remove. Indicators include malware hashes, IP addresses, and domains linked to the command and control infrastructure. No exploit code is involved: the approach relies on a legitimate, built-in virtualization feature rather than on a vulnerability, and demonstrates advanced evasion and lateral movement capabilities. European organizations running Windows 10 with Hyper-V enabled are at risk, especially those with critical infrastructure or sensitive data. Mitigation requires enhanced monitoring of the virtualization layer, Kerberos activity, and PowerShell usage. Collaboration with CERTs, as demonstrated with the Georgian CERT, is vital for threat intelligence sharing and response.

AI-Powered Analysis

Last updated: 11/05/2025, 09:53:51 UTC

Technical Analysis

This threat involves the Curly COMrades advanced persistent threat (APT) group abusing Hyper-V virtualization on compromised Windows 10 machines to create hidden virtual machines (VMs) running a minimal Alpine Linux environment. Within these concealed VMs, the attackers deploy custom malware that provides reverse shell and proxy capabilities, enabling covert command and control communication while bypassing host-based endpoint detection and response (EDR) systems. The use of Hyper-V as an evasion technique is notable because it leverages a legitimate system feature: the host OS sees only the VM worker process (vmwp.exe) and the virtual switch, while the malware's processes, files and network sockets exist inside the guest, outside the reach of host-based security tools.

Persistence mechanisms include PowerShell scripts that automate VM creation and management, manipulation of Kerberos tickets to maintain authenticated access, and creation of local user accounts to ensure a continued foothold. The investigation was supported by international cooperation with the Georgian CERT, which helped analyze the attackers' command and control infrastructure, including the associated IP addresses and domains. Indicators of compromise (IOCs) such as malware hashes and network artifacts have been identified; no exploit is involved, since the technique needs only administrative rights on the host rather than a vulnerability.

The threat actor's use of virtualization for lateral movement and for proxying traffic complicates detection and response. The attack chain demonstrates a sophisticated blend of virtualization abuse, credential manipulation, and script-based persistence, highlighting the need for monitoring and threat hunting focused on the virtualization layer and on authentication services.

Potential Impact

For European organizations, this threat poses significant risks to confidentiality, integrity, and availability. The hidden Hyper-V VMs enable attackers to maintain stealthy, persistent access to sensitive networks, potentially leading to prolonged data exfiltration, espionage, or disruption. The evasion of traditional EDR tools means that many organizations may be unaware of the compromise until significant damage occurs. Critical infrastructure sectors, government agencies, and enterprises with Windows 10 systems running Hyper-V are particularly vulnerable. The manipulation of Kerberos tickets can facilitate lateral movement across enterprise networks, increasing the scope of compromise. Additionally, the creation of local accounts and use of PowerShell scripts complicate incident response and remediation. The covert proxying capabilities may also enable attackers to pivot and mask their command and control traffic, further hindering detection. Overall, the threat could lead to severe operational disruptions, loss of sensitive data, and reputational damage if not promptly identified and mitigated.

Mitigation Recommendations

1. Log and alert on Hyper-V activity on endpoints: VM creation, import and configuration changes (the Microsoft-Windows-Hyper-V-VMMS-Admin log), VM worker processes (vmwp.exe) on hosts where no VM is expected, and new VM configuration or .vhd/.vhdx files.
2. Enable PowerShell script block and module logging (script block events are Event ID 4104 in Microsoft-Windows-PowerShell/Operational), enforce Constrained Language Mode where feasible, and alert on scripts that call VM-management cmdlets (New-VM, Import-VM, Start-VM) or enable the Hyper-V feature.
3. Audit Kerberos ticket activity on domain controllers (TGT and service ticket requests, Security Event IDs 4768 and 4769) and alert on anomalies such as ticket requests from unexpected hosts or for accounts that have no business on that host; the host itself does not log these requests.
4. Enforce strict local account management: alert on Security Event IDs 4720 (user account created) and 4732 (member added to a local group), audit local accounts regularly and remove unauthorized ones.
5. Deploy network monitoring to detect proxy and reverse shell traffic, especially to the IPs and domains listed in the indicators. Guest traffic on an external virtual switch leaves the host NIC with the guest's own addresses and never appears in the host's DNS cache or socket table, so perimeter and network detection must be in scope, not only host agents.
6. Use endpoint detection tooling with visibility into the virtualization layer: VM worker processes, virtual switch configuration, and the files backing VMs. Treat any VM on a workstation as requiring a documented justification.
7. Conduct threat hunting exercises focused on virtualization abuse and credential manipulation techniques.
8. Maintain up-to-date threat intelligence feeds and collaborate with national and international CERTs for timely information sharing.
9. Disable Hyper-V where it is not required and keep it disabled through configuration management. Because any local administrator can enable the feature from the command line (DISM or Enable-WindowsOptionalFeature), alert on the feature state changing rather than trusting the baseline image; where Hyper-V is needed, restrict its use to trusted administrators.
10. Apply the principle of least privilege so that ordinary users cannot create or manage virtual machines or local accounts.
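The following host-side hunting script turns the analysis and the mitigation list above into a single check list for one Windows 10 endpoint. It is an added example written for this page, not code from the Bitdefender report or from the OTX pulse. It assumes it is run elevated on the host being examined, that the Hyper-V PowerShell module may or may not be installed (it copes either way), and a 30-day lookback that is an arbitrary editorial choice; the network indicators are copied from the IOC section below, with 77.221.137.132 added because the sslip.io name embeds it.

```powershell
# Added hunting script for hidden Hyper-V VMs (example, not from the report or pulse).
# Assumptions: elevated session on the host under review; Hyper-V module optional;
# 30-day lookback and the IOC lists are editorial choices.
#Requires -RunAsAdministrator

$Lookback = (Get-Date).AddDays(-30)

# Network indicators copied from the pulse; 77.221.137.132 is embedded in the sslip.io name.
$IocDomains = @('yohi.cc', '77.221.137.132.sslip.io')
$IocIps     = @('194.87.245.239', '45.43.91.10', '77.221.137.132')

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Feature state. On a workstation with no business running Hyper-V, the feature
#    being enabled is itself a finding; an admin can turn it on from the command
#    line, so the build image is not a reliable baseline.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
if ($feature -and $feature.State -eq 'Enabled') {
    $findings.Add('Hyper-V feature is enabled on this host')
}

# 2. Registered VMs versus running worker processes. Every running VM is backed by
#    one vmwp.exe, so a worker nobody can map to a sanctioned VM, or a VM nobody
#    can account for, is the hidden-VM pattern described above.
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in Get-VM) {
        $findings.Add("VM '$($vm.Name)' state=$($vm.State) created=$($vm.CreationTime) path=$($vm.Path)")
    }
}
foreach ($w in Get-CimInstance Win32_Process -Filter "Name = 'vmwp.exe'") {
    $findings.Add("vmwp.exe PID $($w.ProcessId) started $($w.CreationDate): $($w.CommandLine)")
}

# 3. Hyper-V management service log: VM creation, import and state changes.
$vmms = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Hyper-V-VMMS-Admin'; StartTime = $Lookback
} -ErrorAction SilentlyContinue
foreach ($e in $vmms) {
    $first = ($e.Message -split "`r?`n")[0]
    $findings.Add("VMMS $($e.TimeCreated) id=$($e.Id): $first")
}

# 4. Script block logging (4104): VM-management cmdlets or DISM run from PowerShell.
$pattern = 'New-VM|Import-VM|Set-VM|Start-VM|Enable-WindowsOptionalFeature|dism'
$blocks = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Lookback
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $pattern }
foreach ($e in $blocks) {
    $findings.Add("Script block $($e.TimeCreated) matches /$pattern/")
}

# 5. Local account creation (Security 4720); Properties[0] is TargetUserName.
$created = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4720; StartTime = $Lookback
} -ErrorAction SilentlyContinue
foreach ($e in $created) {
    $findings.Add("Local account created $($e.TimeCreated): $($e.Properties[0].Value)")
}

# 6. Kerberos. Ticket requests are recorded on the domain controllers (Security
#    4768/4769), so hunt there; on the host, list cached tickets so that a client
#    name not matching the logged-on user stands out to the analyst.
foreach ($line in (& klist.exe 2>$null | Where-Object { $_ -match '^\s*Client:' })) {
    $findings.Add("Cached ticket $($line.Trim())")
}

# 7. Network indicators, host side only. Guest traffic on an external virtual
#    switch never touches the host DNS cache or socket table, so this is a
#    complement to perimeter monitoring, not a replacement for it.
foreach ($entry in (Get-DnsClientCache -ErrorAction SilentlyContinue)) {
    if ($IocDomains -contains $entry.Entry) {
        $findings.Add("DNS cache hit: $($entry.Entry) -> $($entry.Data)")
    }
}
foreach ($c in (Get-NetTCPConnection -ErrorAction SilentlyContinue)) {
    if ($IocIps -contains $c.RemoteAddress) {
        $findings.Add("Connection to IOC $($c.RemoteAddress):$($c.RemotePort) from PID $($c.OwningProcess)")
    }
}

$findings
```

Get-VM only enumerates VMs registered with the Virtual Machine Management Service, which is why step 2 also lists vmwp.exe workers independently: the two views should agree, and a VM that appears in one but not the other, or on a workstation where no VM is expected at all, is what to escalate. Feed the output into the SIEM rather than reading it by hand, and pair steps 6 and 7 with the domain controller and network telemetry they point to.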


Technical Details

Author: AlienVault
TLP: white
References: https://businessinsights.bitdefender.com/curly-comrades-evasion-persistence-hidden-hyper-v-virtual-machines
Adversary: Curly COMrades
Pulse Id: 690b1894c92da49dff19e600
Threat Score: null

Indicators of Compromise

Hash (32 hexadecimal characters, MD5 format; no per-sample description is given in the pulse)

1a6803d9a2110f86bb26fcfda3606302
22515396e03a5b2533cff96f3087b98f
c6dbf3de8fd1fc9914fae7a24aa3c43d
cb1c3d52a74a6ca2ba8fe86e06462a6d

IP

194.87.245.239
45.43.91.10

Domain

yohi.cc
77.221.137.132.sslip.io (sslip.io is a public wildcard DNS service that resolves a name to the IP embedded in it, so 77.221.137.132 is in effect a third IP indicator)

Threat ID: 690b1bc097eccd90738774a6

Added to database: 11/5/2025, 9:41:20 AM

Last enriched: 11/5/2025, 9:53:51 AM

Last updated: 11/5/2025, 2:10:57 PM

