Hidden VM Threat: Attackers Leveraging Windows Hyper-V to Evade EDR


What happened

A cyber-espionage group known as Curly COMrades has been observed enabling the Microsoft Hyper-V role on compromised Windows 10 systems and deploying a lightweight Alpine Linux VM (approximately 120 MB disk, 256 MB memory) to host custom malware. Within this hidden VM, they run two bespoke tools: “CurlyShell” (a reverse shell) and “CurlCat” (a reverse proxy), which are used to maintain persistence and evade traditional host-based EDR (Endpoint Detection and Response) solutions. The technique effectively isolates malicious activity in a virtual environment, making detection by standard agent-based monitoring far more challenging.

Who is affected

Organizations running Windows 10 with the Hyper-V role enabled (whether intentionally or as a result of a compromise) are at risk. The threat actor is assessed to be aligned with Russian intelligence interests and has been active at least since late 2023, with documented attacks in Georgia and Moldova. Any enterprise with Windows hosts, virtualization capabilities enabled, and insufficient visibility into nested VM execution or unexpected Hyper-V roles should consider itself in scope.

Why CISOs should care

  • The attack vector bypasses traditional EDR by relocating malicious work into a hidden VM, reducing visibility and control.
  • Enabling Hyper-V (intentionally or accidentally) expands the attacker’s capability surface; what was once a benign virtualization role becomes a launchpad.
  • Monitoring and detection strategies that focus solely on the host OS may miss nested VM activity. This means the adversary can maintain long-term access, exfiltrate data, or establish proxies without triggering alerts.
  • Given the stealth and persistence of this approach, remediation and incident response will be more complex and time-consuming. For a CISO, the operational burden and risk exposure of undetected agents running inside VMs is significantly higher.

3 practical actions

  1. Audit and restrict Hyper-V usage: Identify all systems with Hyper-V enabled. Evaluate whether virtualization is required. If not, disable the role or restrict its use to controlled hosts only.
  2. Extend detection to VM layers: Update your security monitoring to include hypervisor-level events, VM creation/enabling, and nested virtualization configurations. Ensure logs from Hyper-V hosts are ingested and analysed for anomalous VM launches.
  3. Harden host configurations & enforce principle of least privilege: Ensure Windows hosts are patched, role-based access controls are enforced, and that only approved administrators can enable roles like Hyper-V. Additionally, apply network segmentation so that if a VM is compromised, it cannot freely pivot across critical infrastructure.
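As an added illustration of actions 1 and 2 (not code from the article or from the researchers who reported the campaign), the following PowerShell script inventories the Hyper-V state of a single Windows 10 host: whether the role is enabled, which Hyper-V services and VM worker processes are running, which VMs exist and how large their disks are, and what the Hyper-V management and worker logs recorded in the last week. It assumes an elevated session and, for the VM inventory, that the Hyper-V PowerShell module is installed; the 7-day window is an assumed value.

```powershell
# Hyper-V audit script (added example). Run in an elevated PowerShell session on a Windows 10 host.
# Assumption: the Hyper-V PowerShell module is present for Get-VM; the script degrades gracefully if not.

# 1. Is the Hyper-V feature enabled at all?
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
"Hyper-V feature state : $($feature.State)"

# Core Hyper-V services. 'Running' on a host that has no business virtualizing is a finding.
Get-Service -Name vmms, vmcompute -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize

# 2. Inventory VMs. Small, recently created guests with unfamiliar names deserve a closer look.
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    Get-VM | Select-Object Name, State, CreationTime, MemoryAssigned, Path,
        @{ n = 'DiskMB'; e = {
            $bytes = (Get-VMHardDiskDrive -VMName $_.Name |
                ForEach-Object { (Get-Item $_.Path -ErrorAction SilentlyContinue).Length } |
                Measure-Object -Sum).Sum
            [int]($bytes / 1MB)
        } } |
        Format-Table -AutoSize
} else {
    "Hyper-V PowerShell module not present; skipping Get-VM inventory."
}

# Every running VM is backed by a vmwp.exe worker process; count them independently of Get-VM
# so the two views can be compared.
$workers = @(Get-Process -Name vmwp -ErrorAction SilentlyContinue)
"Running VM worker processes (vmwp.exe): $($workers.Count)"

# 3. Recent VM lifecycle activity from the Hyper-V management (VMMS) and worker logs.
# Assumed window: the last 7 days. Forward these logs to your SIEM for ongoing coverage.
$since = (Get-Date).AddDays(-7)
$logs  = 'Microsoft-Windows-Hyper-V-VMMS-Admin', 'Microsoft-Windows-Hyper-V-Worker-Admin'
Get-WinEvent -FilterHashtable @{ LogName = $logs; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize -Wrap
```

A mismatch between the VM count reported by Get-VM and the number of vmwp.exe processes, or VM creation events on a host where no one was expected to enable Hyper-V, is the kind of discrepancy that warrants escalation.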