Full Report
Cyber threats didn’t slow down last week—and attackers are getting smarter. We’re seeing malware hidden in virtual machines, side-channel leaks exposing AI chats, and spyware quietly targeting Android devices in the wild. But that’s just the surface. From sleeper logic bombs to a fresh alliance between major threat groups, this week’s roundup highlights a clear shift: cybercrime is evolving fast.
Analysis Summary
# Incident Report: Hyper-V VM Evasion by State-Sponsored Actor
## Executive Summary
The threat actor Curly COMrades, linked to Russian geopolitical interests, utilized advanced evasion techniques by hiding malware within pre-configured virtual machines managed via Microsoft Hyper-V on compromised Windows hosts. This allowed malicious activity, including command-and-control communication, to effectively appear as legitimate host traffic, bypassing existing endpoint detection controls. The campaign, observed in July 2025, focused on maintaining stealthy, long-term access within victim environments, though specific impacts remain undisclosed.
## Incident Details
- Discovery Date: Not explicitly stated; the findings appear to have been reported around November 2025 (based on the article's publication date).
- Incident Date: Observed in July 2025.
- Affected Organization: Victims not publicly identified.
- Sector: Not specified; assumed to be general enterprise or critical infrastructure, given the actor's geopolitical alignment.
- Geography: Not specified.
## Timeline of Events
### Initial Access
- Date/Time: Before the July 2025 VM deployment (implied).
- Vector: Initial compromise of the Windows hosts was a prerequisite for executing the Hyper-V configuration commands; the infection vector that led to this access is not detailed.
- Details: Attackers gained control of Windows host systems.
### Lateral Movement
- Date/Time: Following initial access and VM setup.
- Vector: Not explicitly detailed; the objective was to maintain access through the established VM.
- Details: Running the malware inside an Alpine Linux VM under Hyper-V isolates it from the host OS security tooling.
### Data Exfiltration/Impact
- Date/Time: During the operational phase of the established VM (from July 2025 onward).
- Vector: Malicious outbound communication routed through the host machine's network stack via Hyper-V's internal NAT service.
- Details: Deployment of custom backdoors/malware named CurlyShell and CurlyCat.
### Detection & Response
- Date/Time: Findings analyzed and reported by Bitdefender (detection by security researchers is implied).
- Vector: Deep analysis of host configurations and network traffic anomalies associated with Hyper-V usage.
- Details: Response actions for victims are not detailed, but the analysis highlights the need to monitor Hyper-V configuration changes.
## Attack Methodology
- Initial Access: Not specified (some prior compromise of the Windows host, such as RDP exploitation, phishing, or exploitation of another vulnerability or zero-day, would be required).
- Persistence: Establishing a persistent, hidden Alpine Linux virtual machine inside the Hyper-V hypervisor that runs independently of standard host monitoring.
- Privilege Escalation: Elevated privileges are implied, since executing DISM (Deployment Image Servicing and Management) to enable Windows features and the PowerShell cmdlets (`Import-VM`, `Start-VM`) used to configure and launch the Hyper-V VM requires administrative rights.
- Defense Evasion: **Primary technique:** Isolating malware execution within a guest VM to bypass Endpoint Detection and Response (EDR)/Extended Detection and Response (XDR) solutions running on the host OS.
- Credential Access: Not mentioned.
- Discovery: Not mentioned; the report does not describe host discovery performed by the payload from inside the VM.
- Lateral Movement: Not explicitly detailed beyond maintenance of the persistent VM environment.
- Collection: Malware payloads (CurlyShell, CurlyCat) were deployed; collection methods are not specified.
- Exfiltration: Outbound traffic routed via Hyper-V NAT, masking the origin as the legitimate host machine's IP address.
- Impact: Maintaining long-term access with minimal forensic footprint.
## Impact Assessment
- Financial: Not available.
- Data Breach: Type of data targeted is not specified, focus was on operational persistence.
- Operational: Risk of significant, undetected long-term compromise and command execution.
- Reputational: N/A (Victims not named).
## Indicators of Compromise
- Network Indicators: Malicious C2 traffic that appears to originate from the host machine's legitimate IP address because of the Hyper-V NAT configuration (no specific addresses are listed).
- File Indicators: VHDX and VMCX files containing the infected Alpine Linux VM. RAR archive masquerading as MP4.
- Behavioral Indicators: Use of `DISM` to enable Hyper-V and disable Hyper-V Manager. Execution of the `Import-VM` and `Start-VM` PowerShell cmdlets to initialize a VM named "WSL" (a deception tactic, chosen to blend in with the Windows Subsystem for Linux).
## Response Actions
- Containment: Not specified for victims.
- Eradication: Not specified for victims. Based on the findings, eradication would involve identifying and removing the imported VM configuration and its source VHDX/VMCX files, and hardening the host to prevent further privilege abuse.
- Recovery: Not specified.
## Lessons Learned
- EDR/XDR solutions running on the host are becoming insufficient against hypervisor-level evasion techniques.
- Threat actors are adopting built-in virtualization tooling (Hyper-V) to achieve stealth.
- Deception tactics (naming the VM "WSL") are being used to blend into standard system operations.
- Attackers prioritize maintaining long-term access with minimal forensic footprint.
## Recommendations
- Implement security monitoring specifically targeting administrative tool usage (DISM, PowerShell cmdlets) related to hypervisor configuration changes on endpoints.
- Review network egress points to identify traffic that may originate from unsanctioned virtual machines rather than the host itself (for example, traffic routed through Hyper-V's internal NAT service).
- Harden endpoints against privilege escalation pathways that allow configuration of virtualization software.
- Mandate strict inventory and control over pre-built virtual disk files (VHDX, VMCX) that are imported onto production or privileged machines.
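As an added example (not code from Bitdefender's report or the original article), the following Python sketch turns the behavioral indicators and the first recommendation above into detection logic run over constructed Windows event records; the hostnames, command lines, VM path and log text are made up, and the exact DISM feature names are an assumption.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    """One constructed Windows event: 4688 = process creation, 4104 = PowerShell script block."""
    event_id: int
    host: str
    text: str  # command line (4688) or script block text (4104)

# Constructed sample telemetry, not real logs. ws-042 shows the full chain; ws-007 is benign admin noise.
SAMPLE_EVENTS = [
    Event(4688, "ws-042", r"dism.exe /online /enable-feature /featurename:Microsoft-Hyper-V /all /norestart"),
    Event(4688, "ws-042", r"dism.exe /online /disable-feature /featurename:Microsoft-Hyper-V-Management-Clients"),
    Event(4104, "ws-042", r"Import-VM -Path 'C:\ProgramData\wsl\Virtual Machines\vm.vmcx'; Start-VM -Name WSL"),
    Event(4688, "ws-007", r"dism.exe /online /get-features"),
    Event(4104, "ws-007", "Get-Process | Where-Object CPU -gt 100"),
]

# (rule name, event id it applies to, pattern); each rule maps to one behavioral indicator from the report
RULES = [
    ("hyperv_enabled_via_dism", 4688,
     re.compile(r"dism\.exe.*/enable-feature.*featurename:Microsoft-Hyper-V(\s|$)", re.I)),
    ("hyperv_mgmt_disabled_via_dism", 4688,
     re.compile(r"dism\.exe.*/disable-feature.*featurename:Microsoft-Hyper-V-Management", re.I)),
    ("vm_imported_or_started", 4104, re.compile(r"\b(Import-VM|Start-VM)\b", re.I)),
    ("vm_named_wsl", 4104, re.compile(r"-Name\s+['\"]?WSL['\"]?(\s|$)", re.I)),
]

def match_events(events):
    """Return (host, rule_name) for every event that trips a rule."""
    return [(ev.host, name) for ev in events
            for name, eid, pattern in RULES
            if ev.event_id == eid and pattern.search(ev.text)]

def hosts_with_full_chain(events):
    """Hosts where Hyper-V was enabled AND a VM was imported/started.
    Either event alone is common admin activity; together they match the reported tradecraft."""
    by_host = {}
    for host, rule in match_events(events):
        by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in by_host.items()
                  if {"hyperv_enabled_via_dism", "vm_imported_or_started"} <= rules)

if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print(hit)
    print("escalate:", hosts_with_full_chain(SAMPLE_EVENTS))  # escalate: ['ws-042']
```

In production the same rules would be fed from Security event 4688 (with command-line auditing enabled) and PowerShell script block logging (event 4104), and the per-host correlation keeps routine one-off admin use of DISM from paging an analyst.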