Hackers Exploit Windows Hyper-V to Evade Detection | Cybersecurity News

What youll learn: In this video, we explore a new cybersecurity threat involving the exploitation of Windows Hyper-V by a group known as Curly COMrades. We will discuss the technical aspects of their attacks, the implications for organizations, and what steps can be taken to enhance security against such threats.

On November 6, 2025, a report from Bitdefender highlighted a significant cybersecurity threat posed by the hacking group Curly COMrades. This group has been observed using virtualization technologies to bypass traditional security measures and deploy custom malware. By enabling the Hyper-V role on compromised Windows systems, they create a hidden environment hosting a minimalistic, Alpine Linux-based virtual machine. This virtual machine, which occupies only 120MB of disk space and utilizes 256MB of memory, is used to run their custom reverse shell, CurlyShell, and a reverse proxy known as CurlCat.

Curly COMrades first came to attention in August 2025, linked to a series of cyberattacks targeting Georgia and Moldova. Their activities are believed to have been ongoing since late 2023, with motivations that align with Russian interests. The group has employed various tools for their operations, including CurlCat for data transfer, RuRat for remote access, and Mimikatz for credential harvesting. Notably, their modular .NET implant, MucorAgent, has roots tracing back to November 2023.

In collaboration with Georgia CERT, further analysis revealed that Curly COMrades is focused on establishing long-term access to compromised systems by utilizing Hyper-V to create a hidden remote operating environment. This tactic allows them to evade many traditional endpoint detection and response (EDR) solutions, demonstrating their sophisticated approach to maintaining control over compromised systems.

The malware deployed by Curly COMrades includes CurlyShell and CurlCat, which share a similar code base but differ in their functionality. CurlyShell executes commands directly, while CurlCat channels traffic through SSH, providing flexible control for the attackers. This adaptability is crucial for their operations, as they continuously introduce new tools to their environment to maintain their foothold.

As organizations become aware of these tactics, it is essential to implement robust security measures. Regularly updating security protocols and ensuring that EDR solutions are equipped to detect virtualization-based threats are critical steps. Additionally, organizations should monitor for unusual network activity and employ comprehensive training for employees to recognize potential phishing attempts that could lead to such compromises.

In conclusion, the emergence of threats like Curly COMrades underscores the evolving landscape of cybersecurity. As attackers continue to refine their methods, both individuals and organizations must remain vigilant and proactive in their security strategies to mitigate risks associated with advanced persistent threats.