
Evasion and Persistence via Hidden Hyper-V Virtual Machines

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

This investigation uncovered new tools and techniques used by the Curly COMrades threat actor to establish covert, long-term access to victim networks. The attackers exploited Hyper-V virtualization on compromised Windows 10 machines to create hidden remote operating environments. They deployed a minimalistic Alpine Linux-based virtual machine hosting custom malware for reverse shell and proxy operations. This approach effectively bypassed traditional host-based EDR detections. The threat actor also demonstrated persistence through PowerShell scripts, Kerberos ticket manipulation, and local account creation. International collaboration with the Georgian CERT aided in analyzing the command and control infrastructure.

OPENCTI LABELS :

virtualization,proxy,persistence,reverse shell,powershell,lateral movement,evasion,kerberos,hyper-v,curlyshell,alpine linux,curlcat


AI COMMENTARY :

1. Introduction to the Curly COMrades' Latest Tactics
The investigation "Evasion and Persistence via Hidden Hyper-V Virtual Machines" documents the Curly COMrades threat actor abusing the Hyper-V virtualization features built into compromised Windows 10 hosts. Rather than running their tooling on the host operating system, where host-based EDR can inspect it, the operators spin up a concealed guest virtual machine and work from inside it.

2. Subverting Host-Based Defenses with a Hidden Hyper-V Guest
Curly COMrades enabled Hyper-V on the compromised host and deployed a minimal Alpine Linux virtual machine. Code executing inside the guest is not visible to EDR agents on the Windows host: the host sees only the Hyper-V worker process and the virtual disk file, not the processes, files or network sockets inside the VM. The actor used this guest to host its custom malware, the CurlyShell reverse shell and the CurlCat proxy, so that interactive access and traffic relaying happened outside the reach of host-based detection, and the foothold survived for as long as the VM went unnoticed.

3. Reverse Shell and Proxy: CurlyShell and CurlCat
Two custom tools ran inside the Alpine Linux guest. CurlyShell gives operators an interactive reverse shell that calls back to attacker infrastructure. CurlCat is the proxy component: it tunnels traffic between the attacker and the victim network through the hidden VM, so that commands issued against internal systems appear to originate from inside the victim network rather than from an external address. This combination let the actor move laterally while keeping both the originating source and the malware itself out of view of host monitoring.

4. Persistence Mechanisms: PowerShell, Kerberos, and Local Accounts
Beyond the virtual machine, Curly COMrades layered persistence with native Windows features: PowerShell scripts configured to launch at system startup, manipulation of Kerberos tickets to retain access to domain resources, and quietly created local user accounts. Each layer is independent of the others, so detecting and removing one of them does not evict the actor.
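A host-side hunt for the three persistence layers above, added here as an example; it is not tooling from the report or from the actor. It assumes an elevated PowerShell session on a domain-joined Windows 10 host with the Security log retained; the 30-day window, the PowerShell command-line pattern, and the Kerberos heuristics (RC4 tickets, tickets for a client other than the logged-on user) are the author's assumptions and need tuning per environment.

```powershell
# Added example: hunts for the persistence layers described above. Not from the
# report. Assumes an elevated PowerShell session on a domain-joined Windows 10
# host; the 30-day window and the RC4/client-mismatch heuristics are assumptions.

$Since = (Get-Date).AddDays(-30)

# Helper: flatten an event's EventData into a hashtable keyed by field name.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $d = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    return $d
}

# 1. Local accounts created recently: Security event 4720 ("A user account was created").
$NewAccounts = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4720; StartTime=$Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{ Time=$_.TimeCreated; NewAccount=$d.TargetUserName; CreatedBy=$d.SubjectUserName }
    }

# 2. Autostart entries that launch PowerShell: Run/RunOnce keys and scheduled task actions.
$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$Pattern = 'powershell|pwsh|-enc|-EncodedCommand|-nop|-w(indowstyle)? hidden'   # assumption: typical loader switches
$RunEntries = foreach ($k in $RunKeys) {
    if (-not (Test-Path $k)) { continue }
    $p = Get-ItemProperty -Path $k
    foreach ($prop in $p.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip PSPath/PSParentPath/... provider metadata
        if ("$($prop.Value)" -match $Pattern) {
            [pscustomobject]@{ Location=$k; Name=$prop.Name; Command=$prop.Value }
        }
    }
}
$TaskEntries = foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $Pattern) {
            [pscustomobject]@{ Location="$($t.TaskPath)$($t.TaskName)"; Name=$t.Principal.UserId; Command=$cmd }
        }
    }
}

# 3. Kerberos tickets cached for the current logon session (klist). Flag tickets whose
#    client principal is not this user, or that use RC4, which an AES-enabled domain
#    should not issue (heuristic assumption). Service-ticket grants (event 4769) are
#    recorded on the domain controller, not on the workstation.
$Tickets = @(); $cur = $null
foreach ($line in (klist 2>$null)) {
    if ($line -match '^#\d+>\s+Client:\s*(\S+)') {
        if ($cur) { $Tickets += $cur }
        $cur = [pscustomobject]@{ Client=$Matches[1]; Server=''; Encryption='' }
    } elseif ($cur -and $line -match '^\s+Server:\s*(\S+)') {
        $cur.Server = $Matches[1]
    } elseif ($cur -and $line -match 'KerbTicket Encryption Type:\s*(.+?)\s*$') {
        $cur.Encryption = $Matches[1]
    }
}
if ($cur) { $Tickets += $cur }
$OddTickets = $Tickets | Where-Object { $_.Encryption -match 'RC4' -or $_.Client -ne $env:USERNAME }

Write-Host "== Local accounts created since $Since =="
$NewAccounts | Format-Table -AutoSize
Write-Host "== Autostart entries invoking PowerShell =="
@($RunEntries) + @($TaskEntries) | Format-Table -AutoSize -Wrap
Write-Host "== Cached Kerberos tickets worth a second look =="
$OddTickets | Format-Table -AutoSize
```

klist only shows the cache of the session it runs in; to cover service and SYSTEM sessions, enumerate them with klist sessions and query each with klist -li. Run the whole script across the fleet with Invoke-Command so that a single account creation or Run-key entry stands out against the baseline.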

5. Evasion and Lateral Movement
The evasion comes from where the tooling runs rather than from obfuscation: host-based EDR has no visibility into a guest VM's processes and network sockets, so reverse shell sessions and proxy traffic originating there go unchallenged on the host. From inside the hidden VM the actor harvested credentials and pivoted to high-value systems across the network.

6. Collaborative Analysis and Defensive Recommendations
International cooperation, notably with the Georgian CERT, was central to analyzing the command and control infrastructure. Because the guest's own processes never appear on the host, the useful host-side indicators are the virtualization artifacts: the Hyper-V feature being enabled on a workstation that does not need it, VM creation and startup events, new virtual disk images, and running Hyper-V worker processes; on the domain side, anomalous Kerberos ticket usage. Organizations should monitor for unexpected virtualization activity, restrict who can enable Hyper-V and create VMs, and analyze network traffic for reverse shell and proxy patterns.
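A hunt for the virtualization artifacts listed above, added here as an example and not taken from the report. It assumes an elevated PowerShell session on a Windows 10 workstation where no Hyper-V guests are expected; the search roots, the 30-day window and the message-keyword filter on VMMS events are the author's assumptions.

```powershell
# Added example: looks for signs of a hidden Hyper-V guest on a Windows 10 host.
# Not from the report. Assumes an elevated session and a workstation baseline
# of "no VMs at all"; search roots and keyword filters are assumptions.

$Findings = @()

# 1. Is the Hyper-V platform enabled? Enabling it on a user workstation is itself a signal.
Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -like 'Microsoft-Hyper-V*' -and $_.State -eq 'Enabled' } |
    ForEach-Object { $Findings += [pscustomobject]@{ Type='FeatureEnabled'; Detail=$_.FeatureName } }

# 2. Registered VMs (needs the Hyper-V PowerShell module; absent module is itself informative).
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in Get-VM) {
        $Findings += [pscustomobject]@{ Type='VM'; Detail="$($vm.Name) state=$($vm.State) gen=$($vm.Generation) path=$($vm.Path)" }
    }
}

# 3. Running worker processes: vmwp.exe is the per-VM worker, vmmem holds guest memory,
#    vmcompute is the Host Compute Service. Any of these means a guest is running now.
Get-Process -Name vmwp, vmmem, vmcompute -ErrorAction SilentlyContinue |
    ForEach-Object { $Findings += [pscustomobject]@{ Type='Process'; Detail="$($_.Name) pid=$($_.Id)" } }

# 4. Disk images outside the default Hyper-V directories. A small VHDX or ISO dropped in a
#    user-writable path is a plausible home for a throwaway Alpine image (assumption).
$Roots = $env:ProgramData, $env:PUBLIC, $env:USERPROFILE, $env:TEMP
$Roots | Where-Object { $_ -and (Test-Path $_) } | ForEach-Object {
    Get-ChildItem -Path $_ -Recurse -Depth 3 -Include *.vhd, *.vhdx, *.iso -File -ErrorAction SilentlyContinue
} |
    Where-Object { $_.FullName -notlike 'C:\ProgramData\Microsoft\Windows\Hyper-V\*' -and
                   $_.FullName -notlike 'C:\Users\Public\Documents\Hyper-V\*' } |
    ForEach-Object { $Findings += [pscustomobject]@{ Type='DiskImage'; Detail="$($_.FullName) ($([math]::Round($_.Length/1MB)) MB)" } }

# 5. VM lifecycle events from the Virtual Machine Management Service log.
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Hyper-V-VMMS-Admin'; StartTime=(Get-Date).AddDays(-30) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'created|started|switch' } |   # heuristic keyword filter
    ForEach-Object { $Findings += [pscustomobject]@{ Type='VMMSEvent'; Detail="$($_.TimeCreated) id=$($_.Id) $($_.Message.Split("`n")[0])" } }

$Findings | Format-Table -AutoSize -Wrap
```

WSL2, Docker Desktop, Windows Sandbox and virtualization-based security (Credential Guard) also enable parts of the Hyper-V platform and spawn vmwp/vmmem, so establish a per-host baseline before alerting on checks 1 and 3; a VHDX, a registered VM or a VMMS creation event on a machine with none of those features installed is the strong signal.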

7. Conclusion: Fortifying Against Virtualization-Driven Threats
Curly COMrades' use of hidden Hyper-V virtual machines combines virtualization, proxy operations and native Windows tooling into a foothold that host-based EDR does not see. Monitoring Hyper-V activity on endpoints, enabling PowerShell script block and module logging, and scrutinizing Kerberos anomalies give defenders the visibility needed to disrupt this tradecraft and to prepare for further virtualization-based attacks.

