Curly COMrades (Hyper-V Abuse for EDR Bypass)

ICS Labs’ CTI has identified an advanced EDR evasion technique actively exploited by the group Curly COMrades, a threat actor associated with Russian interests. This technique involves creating a virtual machine where malicious actions are executed, in order to establish an administrative interface within this hidden environment.

Threat Overview:

The key differentiator of this campaign is the use of legitimate virtualization (Hyper-V) as an evasion mechanism. Instead of installing malicious tools directly on Windows, attackers enable Hyper-V on the compromised system and deploy a minimalist virtual machine based on Alpine Linux.

Inside this hidden VM, they run two main components:

• CurlyShell, a persistent reverse shell over HTTPS

• CurlCat, a reverse proxy that encapsulates SSH within HTTP, bypassing network defenses.

Since the VM operates outside the direct reach of EDR, malicious activity remains isolated from traditional behavioral analysis, although traffic still exits through the host’s network stack.

Identified Points of Concern:

On the Windows host:

• Unexpected activation of Hyper-V features via DISM:

• Suspicious Commands: dism /online /enable-feature, powershell.exe -c Import-VM, powershell.exe -c Start-VM

• Unusual folders associated with VMs: C:\ProgramData\microsoft\AppV\app\Virtual Machines\

• Persistent PowerShell scripts: c:\programdata\kb_upd.ps1, c:\Windows\ps1\screensaver.ps1, c:\Windows\ps1\locals.ps1

• Creation or automatic recreation of local accounts.

Inside the VM (when detectable):

• Fake VMs named “WSL,” unrelated to Windows Subsystem for Linux.

• Periodic HTTPS traffic to suspicious infrastructure.

• SSH encapsulated in HTTP (anomalous size and timing patterns).

Recommended Actions:

• Immediately isolate the compromised host from the network.

• Collect RAM before rebooting, due to tools running inside the VM.

• Check for unauthorized VMs.

• Disable Hyper-V if not required.

• Remove VMs, virtual disks, and associated folders.

• Delete persistent scripts and artifacts in mapped directories.

• Revoke credentials used on the host.

• Monitor lateral movement, including SMB access and remote executions.

• Notify the Incident Response team for deeper analysis.

Hardening and Prevention Measures:

• Block Hyper-V via GPO/AppLocker/WDAC in environments where it’s not used.

• Monitor DISM commands related to virtualization enablement.

• Enable Script Block Logging and Module Logging in PowerShell.

• Minimize exposure of administrative accounts.

• Block communication with newly created domains via DNS filtering or firewall.

• Inspect anomalous HTTPS traffic, especially long-lived and patterned sessions.

IOCs:

Latest Updates:

• August 12, 2025: The Hacker News reported discovering a new APT group called Curly COMrades, conducting attacks in Moldova.

• November 4, 2025: Bitdefender released an investigation documenting new techniques and tools used by the threat actor, including the use of Hyper-V for command-and-control purposes.