Russia's Curly COMrades is abusing Microsoft's Hyper-V hypervisor in compromised Windows machines to create a hidden Alpine Linux-based virtual machine that bypasses endpoint security tools, giving the spies long-term network access to snoop and deploy malware.
"This hidden environment, with its lightweight footprint (only 120MB disk space and 256MB memory), hosted their custom reverse shell, CurlyShell, and a reverse proxy, CurlCat," Bitdefender senior security researcher Victor Vrabie said in a Tuesday report.
The Romanian security shop, working with the Georgian Computer Emergency Response Team (CERT), uncovered this latest malware-delivery campaign. It reveals how the crew exploits legitimate virtualization technologies – in this case, Hyper-V – to bypass endpoint detection and respo
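A defender's first question after reading this is whether an unexpected Hyper-V guest is sitting on a host they manage. The following PowerShell hunting script is an added example, not code from the Bitdefender report or from The Register; it checks whether the Hyper-V role is enabled (on a workstation fleet where it is not sanctioned, that alone is the signal), then enumerates registered VMs and flags those whose footprint matches the tiny profile described above. The thresholds are assumptions derived from the 256MB memory and 120MB disk figures in the report, and the script assumes the hidden guest is still registered with the Hyper-V management service (the excerpt does not say how the VM is concealed from the user).

```powershell
# Added hunting script (not from the Bitdefender report or the article).
# Assumptions: run as Administrator on the Windows host; the Hyper-V PowerShell
# module is available when the role is enabled; thresholds below are tuned from
# the 256 MB / 120 MB footprint quoted in the report and are illustrative only.

$MaxSuspectMemoryMB = 256   # assumption: matches the reported startup memory
$MaxSuspectDiskMB   = 512   # assumption: generous bound above the reported 120 MB disk

function Test-HyperVEnabled {
    # Returns $true when the Hyper-V optional feature is enabled on this host.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V' -ErrorAction SilentlyContinue
    return ($null -ne $feature -and $feature.State -eq 'Enabled')
}

function Get-SuspectVM {
    # Enumerates registered VMs and returns those with a suspiciously small footprint.
    if (-not (Get-Command Get-VM -ErrorAction SilentlyContinue)) { return @() }

    $defaultRoot = (Get-VMHost).VirtualHardDiskPath
    $results = @()
    foreach ($vm in Get-VM) {
        $memMB = [math]::Round(($vm | Get-VMMemory).Startup / 1MB)

        $diskMB = 0
        $diskPaths = @()
        foreach ($d in ($vm | Get-VMHardDiskDrive)) {
            $diskPaths += $d.Path
            $vhd = Get-VHD -Path $d.Path -ErrorAction SilentlyContinue
            if ($vhd) { $diskMB += [math]::Round($vhd.FileSize / 1MB) }
        }

        $reasons = @()
        if ($memMB -le $MaxSuspectMemoryMB) { $reasons += "startup memory $memMB MB" }
        if ($diskPaths.Count -gt 0 -and $diskMB -le $MaxSuspectDiskMB) { $reasons += "total disk $diskMB MB" }
        # A VHD stored outside the host's configured default path is worth a look on its own.
        foreach ($p in $diskPaths) {
            if ($p -and -not $p.StartsWith($defaultRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
                $reasons += "VHD outside default path: $p"
            }
        }
        # A reverse shell or reverse proxy needs outbound network access from the guest.
        $switches = ($vm | Get-VMNetworkAdapter | ForEach-Object { $_.SwitchName }) -join ','

        if ($reasons.Count -gt 0) {
            $results += [pscustomobject]@{
                Name     = $vm.Name
                State    = $vm.State
                MemoryMB = $memMB
                DiskMB   = $diskMB
                Switches = $switches
                Reasons  = ($reasons -join '; ')
            }
        }
    }
    return $results
}

if (Test-HyperVEnabled) {
    Write-Host "Hyper-V role is enabled on $env:COMPUTERNAME; reviewing registered VMs."
    Get-SuspectVM | Format-Table -AutoSize
    # Recent VM management activity for the same host, to line up creation time with other telemetry.
    Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message | Format-Table -Wrap
} else {
    Write-Host "Hyper-V role is not enabled on $env:COMPUTERNAME."
}
```

Run it from an elevated prompt across the hosts in question; a VM that trips the memory and disk thresholds while holding a network adapter on an internet-capable switch deserves a memory and disk acquisition of the guest rather than just being powered off, since the guest's filesystem is where the reverse shell and proxy would live.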

The Register
