Subj : Russian hackers hit Windo
To   : All
From : Mike Powell
Date : Wed Nov 05 2025 11:12 am

Russian hackers hit Windows machines via Linux VMs with new custom malware

Date:
Wed, 05 Nov 2025 13:22:00 +0000

Description:
Hiding malware in VMs bypasses security protections and hides traffic.

FULL STORY

Russian hackers known as Curly COMrades have been seen hiding their malware
in Linux-based virtual machines (VMs) deployed on Windows devices, experts
have warned.

Security researchers from Bitdefender, after analyzing the latest activities
together with the Georgian Computer Emergency Response Team (CERT), found
that Curly COMrades first started targeting their victims in July 2025, when
they ran remote commands to enable the Microsoft-Hyper-V virtualization
feature and disable its management interface.

Then, they used the feature to download a lightweight Alpine Linux-based VM
containing multiple malware implants.

Russian attackers

The malware deployed in this campaign is called CurlyShell and CurlCat; both
provide a reverse shell. The hackers also deployed PowerShell scripts which
granted remote authentication and arbitrary command execution capabilities.

To hide the activity in plain sight, they configured the VM to use the
Default Switch network adapter in Hyper-V. That way, all of the VM's traffic
went through the host's network stack using Hyper-V's internal network.

"In effect, all malicious outbound communication appears to originate from
the legitimate host machine's IP address," the researchers explained. "By
isolating the malware and its execution environment within a VM, the
attackers effectively bypassed many traditional host-based EDR detections."
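The three steps the article describes (Hyper-V enabled while its management
tools are turned off, a VM appearing on the host, and that VM attached to the
Default Switch so its traffic is NATed through the host's own IP) leave
host-side artefacts that a responder can check for. The PowerShell script below
is an added example written for this post; it is not Bitdefender's, CERT
Georgia's or The Register's tooling. It assumes it is run elevated on a Windows
client, that Hyper-V keeps its default data paths under C:\ProgramData and
C:\Users\Public\Documents, and that a 30-day look-back is a sensible window;
the function name Invoke-HyperVAbuseHunt is a name chosen here. The optional
feature names are the real DISM names on Windows 10/11.

```powershell
# Added example: hunt for the Hyper-V abuse pattern described in the article.
# Not the researchers' code. Run elevated. Paths and window are assumptions.
function Invoke-HyperVAbuseHunt {
    param([int]$LookBackDays = 30)            # assumption: investigation window
    $since = (Get-Date).AddDays(-$LookBackDays)

    # Resolve the state of one optional feature without throwing if it is absent.
    function Get-FeatureState([string]$Name) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $Name -ErrorAction SilentlyContinue
        if ($null -eq $f) { return 'NotPresent' }
        return [string]$f.State
    }

    # 1. Feature posture. Hypervisor/services on while the management surface is
    #    off mirrors the "enable Hyper-V, disable its management interface" step.
    $features = [ordered]@{
        Hypervisor     = Get-FeatureState 'Microsoft-Hyper-V-Hypervisor'
        Services       = Get-FeatureState 'Microsoft-Hyper-V-Services'
        MgmtClients    = Get-FeatureState 'Microsoft-Hyper-V-Management-Clients'
        MgmtPowerShell = Get-FeatureState 'Microsoft-Hyper-V-Management-PowerShell'
    }
    $coreOn  = ($features.Hypervisor -eq 'Enabled') -or ($features.Services -eq 'Enabled')
    $mgmtOff = ($features.MgmtClients -ne 'Enabled') -and ($features.MgmtPowerShell -ne 'Enabled')

    # 2. The VM Management Service should not be running on an ordinary workstation.
    $vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue

    # 3. VM inventory via the Hyper-V module when it is still present, noting which
    #    virtual switch each NIC uses (the article's VM sat on "Default Switch").
    $vms = @()
    if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
        $vms = Get-VM -ErrorAction SilentlyContinue | ForEach-Object {
            $nic = Get-VMNetworkAdapter -VM $_ -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name = $_.Name; State = $_.State; Generation = $_.Generation
                Created = $_.CreationTime; Switch = (@($nic.SwitchName) -join ',')
            }
        }
    }

    # 4. Fallback when the module was removed: look at the on-disk VM store and disk
    #    images written inside the window. Default locations (assumption).
    $vmConfigDir = 'C:\ProgramData\Microsoft\Windows\Hyper-V'
    $diskDirs    = @('C:\Users\Public\Documents\Hyper-V', $vmConfigDir)
    $recentConfigs = Get-ChildItem -Path $vmConfigDir -Filter *.vmcx -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since }
    $recentDisks = Get-ChildItem -Path $diskDirs -Include *.vhd,*.vhdx -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since }

    # 5. VMMS admin log entries in the window (VM creation, start, network changes).
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Hyper-V-VMMS-Admin'; StartTime = $since
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message

    # Turn the raw observations into findings a responder can triage.
    $findings = @()
    if ($coreOn -and $mgmtOff) {
        $findings += 'Hyper-V core enabled while management clients/PowerShell are disabled'
    }
    if ($vmms -and $vmms.Status -eq 'Running') {
        $findings += 'vmms (Hyper-V Virtual Machine Management) service is running'
    }
    foreach ($vm in $vms) {
        if ($vm.Switch -match 'Default Switch') {
            $findings += "VM '$($vm.Name)' is attached to Default Switch (traffic NATed via host IP)"
        }
        if ($vm.Created -ge $since) {
            $findings += "VM '$($vm.Name)' was created on $($vm.Created)"
        }
    }
    if ($recentConfigs) { $findings += "$(@($recentConfigs).Count) VM config file(s) written since $since" }
    if ($recentDisks)   { $findings += "$(@($recentDisks).Count) VHD/VHDX file(s) written since $since" }

    [pscustomobject]@{
        Features      = $features
        VMs           = $vms
        RecentConfigs = $recentConfigs | Select-Object FullName, LastWriteTime
        RecentDisks   = $recentDisks   | Select-Object FullName, Length, LastWriteTime
        VmmsEvents    = $events
        Findings      = $findings
    }
}

$result = Invoke-HyperVAbuseHunt
$result.Findings
$result.VMs | Format-Table -AutoSize
```

Any non-empty Findings list on a workstation that has no business running
Hyper-V deserves a closer look, and the VHD/VHDX paths and VmmsEvents give the
timeline to pivot on. Because the VM's traffic leaves through the host's own
IP, the script cannot separate guest from host network activity; that
correlation has to come from network telemetry, where a host that suddenly
speaks protocols or reaches destinations it never did before is the signal to
join against these host artefacts.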

Curly COMrades were first spotted in 2024 and while their activities align
with the interests of the Russian Federation, a direct link was not found. In
August 2025, Bitdefender reported that their victims included government and
judicial organizations in Georgia, and energy companies in Moldova. The
victims in this incident were not named.

Bitdefender stressed that there are no strong overlaps with known Russian APT
groups, but Curly COMrades' operations align with the geopolitical goals of
the Russian Federation.

Ever since Russia's attention turned towards Ukraine in 2014 with the
annexation of Crimea, countries on its eastern border have lost the
spotlight. Georgia, however, is in a similar position to Ukraine, with two
regions declaring independence with the help of the Russian military - South
Ossetia and Abkhazia. Therefore, it would make sense that Russia's cyberspies
would like to keep tabs on neighboring countries and their diplomatic
efforts.

Via The Register
======================================================================
Link to news story:
https://www.techradar.com/pro/security/russian-hackers-hit-windows-machines-via-linux-vms-with-new-custom-malware

$$
--- SBBSecho 3.28-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)