Russian hackers sneak a full Linux virtual machine inside Windows to run undetected

You can’t detect malware on Windows if it’s not running on Windows. Russian hackers are exploiting Microsoft’s Hyper-V virtualization feature to create a hidden Linux virtual machine within a target’s host, allowing them to covertly install secret implants on the victim's computer.
Bitdefender researchers have discovered a covert operation that established long-term persistence in victim networks by abusing Hyper-V virtualization features on Windows 10 computers.
Hyper-V runs directly on the computer’s hardware as a type-1 hypervisor – software that enables a computer to run isolated virtual machines. Developers use this legitimate software to run operating systems or services alongside Windows. However, attackers are now abusing this same feature to hide malicious tools from Windows security defences.
A Russia-linked threat actor, dubbed Curly COMrades, was caught enabling Hyper-V on victim systems and spinning up a minimalistic Alpine Linux-based virtual machine (VM) that consumes only 120MB of disk space and 256MB of RAM, running in parallel with Windows. The hackers then use this VM to host a suite of malicious tools that remain undetected by Windows defenses.
“By isolating the malware and its execution environment within a VM, the attackers effectively bypassed many traditional host-based EDR (Endpoint Detection and Response) detections,” Victor Vrabie, security researcher at Bitdefender, warns in a report on Curly COMrades.
The abuse of native Windows virtualization features is one of the most interesting innovations. It establishes a covert, isolated operational base inside the network on the victim host.
To detect this type of intrusion, host-based network inspection is required to analyze command-and-control (C2) traffic escaping the VM.
A box for cyberweapons
VMs give attackers complete freedom to run any malicious packages. However, the attackers did not extensively pack their VMs to keep them lightweight.
Researchers have discovered a wide array of proxy and tunneling samples, such as Resocks, Rsockstun, Ligolo-ng, CCProxy, Stunnel, and SSH-based methods.
“The threat actor demonstrated a clear determination to maintain a reverse proxy capability, repeatedly introducing new tooling into the environment,” the report reads.
The analyzed operation began in early July 2025. The hackers enabled Hyper-V on two computers and disabled the feature’s management interface.
Later, they deployed the VM and configured it to run custom malicious implants, CurlyShell and CurlCat, for reverse shell and reverse proxy operations. The hackers configured the VM to use the host’s IP address (Default Switch network adaptor).
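As an added example (not code from the Bitdefender report or from Cybernews), the following PowerShell script checks a Windows 10 host for the combination described above and in the detection note earlier: Hyper-V enabled with its management components disabled, a virtual machine registered with the hypervisor, the host-side adapter of the Default Switch, and recent entries in the Hyper-V management event log. The feature names, WMI namespace and class, service name and log name are the standard Windows ones; the function names and the findings format are this example's own. Run it in an elevated PowerShell session.

```powershell
# Added example, not part of the original article or the Bitdefender report.
# Hunts for the host-side traces of a hidden Hyper-V guest: hypervisor on,
# management tooling off, a registered VM, the Default Switch adapter, and
# recent VMMS activity. Returns a list of findings (empty means nothing matched).

function Get-HyperVFeatureState {
    # Standard optional-feature names as reported by DISM / Get-WindowsOptionalFeature.
    $names = @(
        'Microsoft-Hyper-V-Hypervisor',
        'Microsoft-Hyper-V-Services',
        'Microsoft-Hyper-V-Management-PowerShell',
        'Microsoft-Hyper-V-Management-Clients'
    )
    $state = @{}
    foreach ($n in $names) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $n -ErrorAction SilentlyContinue
        $state[$n] = if ($f) { [string]$f.State } else { 'Unknown' }
    }
    return $state
}

function Get-RegisteredVmsViaWmi {
    # Query the virtualization WMI namespace directly so the check still works
    # when the Hyper-V PowerShell module (Get-VM) has been removed from the host.
    $all = Get-CimInstance -Namespace 'root\virtualization\v2' `
                           -ClassName 'Msvm_ComputerSystem' -ErrorAction SilentlyContinue
    # The host itself is returned too; guests carry the caption 'Virtual Machine'.
    return @($all | Where-Object { $_.Caption -eq 'Virtual Machine' })
}

function Find-HyperVAbuseIndicators {
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. Hypervisor enabled while both management components are not.
    $feat    = Get-HyperVFeatureState
    $hvOn    = $feat['Microsoft-Hyper-V-Hypervisor'] -eq 'Enabled'
    $mgmtOff = ($feat['Microsoft-Hyper-V-Management-PowerShell'] -ne 'Enabled') -and
               ($feat['Microsoft-Hyper-V-Management-Clients']    -ne 'Enabled')
    if ($hvOn -and $mgmtOff) {
        $findings.Add('Hyper-V hypervisor enabled but management tooling disabled')
    }

    # 2. The Virtual Machine Management service is what actually runs guests.
    $vmms = Get-Service -Name 'vmms' -ErrorAction SilentlyContinue
    if ($vmms -and $vmms.Status -eq 'Running') {
        $findings.Add('Hyper-V Virtual Machine Management service (vmms) is running')
    }

    # 3. Any guest registered with the hypervisor. EnabledState 2 means the VM is running.
    foreach ($vm in Get-RegisteredVmsViaWmi) {
        $running = if ($vm.EnabledState -eq 2) { 'running' } else { "state $($vm.EnabledState)" }
        $findings.Add("VM registered: '$($vm.ElementName)' ($running)")
    }

    # 4. Host-side adapter of the Default Switch, which NATs guest traffic
    #    through the host's own IP address.
    $defSw = Get-NetAdapter -ErrorAction SilentlyContinue |
             Where-Object { $_.Name -like 'vEthernet (Default Switch)*' }
    foreach ($a in $defSw) {
        $findings.Add("Default Switch host adapter present: $($a.Name) [$($a.Status)]")
    }

    # 5. Recent VMMS admin-log entries; VM creation and start are logged here,
    #    so entries nobody in IT can account for deserve a closer look.
    $events = Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' `
                           -MaxEvents 20 -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $firstLine = ($e.Message -split "`n")[0]
        $findings.Add("VMMS event $($e.Id) at $($e.TimeCreated): $firstLine")
    }

    return $findings
}

Find-HyperVAbuseIndicators | ForEach-Object { Write-Output $_ }
```

The WMI query is deliberate: removing the Hyper-V management module and console is exactly what leaves `Get-VM` unavailable, but `Msvm_ComputerSystem` is served by the vmms service itself, so a registered guest is still visible as long as the hypervisor is in use. None of these checks sees the guest's network traffic; that still needs the host-based network inspection the researchers call for.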
“In effect, all malicious outbound communication appears to originate from the legitimate host machine's IP address. Some of the included files also demonstrate a high degree of tailoring for the compromised domain,” the Bitdefender researcher said.
The VM was customized to communicate with the C2 infrastructure. CurlyShell provided a persistent reverse shell, while CurlCat managed traffic tunneling, giving the threat actor robust network access and the ability to execute commands remotely.
The COMrades also used two distinct types of PowerShell scripts to inject login (Kerberos) tickets and execute commands remotely, as well as to create or reset local accounts.
The Georgian national CERT aided the investigation by analyzing a compromised site used by the attackers and sharing key data. The country’s team contacted Bitdefender when they detected a CurlCat sample on one of the monitored systems.
Bitdefender’s investigation underscores the importance of employing multiple layers of defense, integrating host-based defenses with network-based defenses.
“The attackers created isolated environments from which reverse shells, proxies, and custom malware could operate. This isolation protected the custom malware from behavioral analysis, EDR, and static signature scanning that would normally run on the host operating system,” the report concludes.
“However, the resulting reverse shells and C2 traffic still had to exit the host machine via the network stack.”
The researchers warn that attackers are becoming increasingly adept at bypassing EDR/HDR solutions, which are becoming commodity tools.