EXECUTIVE SUMMARY:
The Curly COMrades threat actor is abusing native Windows virtualization to establish a covert, host-isolated operational base on compromised Windows hosts. By enabling Hyper-V and deploying a tiny Alpine Linux virtual machine on the victim, the actor creates a stealthy execution environment that blends malicious activity into the host's normal network footprint and evades many conventional EDR detections, which inspect processes on the host rather than inside a guest.
The intrusion chain relies on built-in Windows capabilities only: enable Hyper-V (via DISM or PowerShell), extract VHDX and VMCX files into a system path, import the VM with Import-VM, and start it with Start-VM. The deployed VM is minimal and runs a compact Linux distribution that hosts two small implants: a persistent reverse shell that communicates over HTTPS, and a tunneling and proxy component that encapsulates SSH traffic in HTTP payloads. Persistence is maintained inside the VM, and because the VM's network egress is NATed through the host, C2 traffic appears to originate from the legitimate host IP address. The actors also employed layered proxy and tunneling tools and host-side scripts to expand access and maintain covert control. Useful forensic indicators include the DISM and PowerShell commands used to enable Hyper-V, imported VM files under ProgramData or similar system folders, lightweight Linux VM images and ELF binaries, unusual cron entries inside the VM, SSH configurations using ProxyCommand, and anomalous HTTPS and SSH traffic patterns originating from otherwise normal host processes.
This tradecraft represents a shift toward using virtualization as a compartmentalized, hard-to-detect staging area, complicating traditional EDR approaches that focus on processes running directly on the host. Defenders should treat unexpected virtualization changes or VM imports as high-risk, monitor for the specific command and file artifacts described above, correlate network flows to identify VM-originating C2, enforce strict change control for feature installation, and be prepared to isolate affected hosts and capture both host and VM disks for full forensic recovery.
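The host-side indicators above can be collected with one hunting pass on a suspect machine. The script below is an added example written for this page, not tooling from the original report or from the threat actor; it assumes that the Hyper-V PowerShell module is present whenever the feature is enabled, that PowerShell script block logging (event 4104) is turned on, and that the folders in $SuspectRoots are places where this environment never expects VM files. Run it as Administrator.

```powershell
# Added hunting script (not from the original report). Surfaces the host-side
# artifacts of the Hyper-V VM technique: feature state, who enabled it, registered
# VMs and their file locations, VM files dropped into system folders, and the NAT
# plumbing that lets guest traffic egress with the host's IP.
# Assumptions (not from the page): Hyper-V module available when the feature is on,
# script block logging (4104) enabled, $SuspectRoots tailored to the environment.
$SuspectRoots = @("$env:ProgramData", "$env:SystemRoot\Temp", "$env:PUBLIC")
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Category, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. Is Hyper-V enabled? On a workstation that should not run VMs, this alone is notable.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Add-Finding 'Feature' 'Microsoft-Hyper-V is enabled'
}

# 2. Who enabled it and who imported/started a VM? Script block logging records the
#    PowerShell path; DISM writes its own log under %SystemRoot%\Logs\DISM.
$pattern = 'Enable-WindowsOptionalFeature|Microsoft-Hyper-V|Import-VM|Start-VM|New-VM|dism(\.exe)?\s'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    ForEach-Object {
        $hit = ($_.Message -split "`r?`n" | Where-Object { $_ -match $pattern } | Select-Object -First 1)
        Add-Finding 'ScriptBlock' ("{0} {1}" -f $_.TimeCreated, $hit.Trim())
    }
$dismLog = "$env:SystemRoot\Logs\DISM\dism.log"
if (Test-Path $dismLog) {
    Select-String -Path $dismLog -Pattern 'Microsoft-Hyper-V' | Select-Object -First 5 |
        ForEach-Object { Add-Finding 'DISM' $_.Line.Trim() }
}
# The VMMS admin log also records imports; filter on message text rather than
# relying on specific event IDs.
Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'import' } | Select-Object -First 10 |
    ForEach-Object { Add-Finding 'VMMS' ("{0} {1}" -f $_.TimeCreated, ($_.Message -split "`r?`n")[0]) }

# 3. Registered VMs, their configuration (VMCX) location, disks (VHDX) and NICs.
#    A VM whose files sit under ProgramData rather than a normal VM library matches the report.
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in Get-VM) {
        Add-Finding 'VM' ("{0} state={1} config={2}" -f $vm.Name, $vm.State, $vm.ConfigurationLocation)
        foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name) {
            Add-Finding 'VMDisk' ("{0} -> {1}" -f $vm.Name, $disk.Path)
        }
        foreach ($nic in Get-VMNetworkAdapter -VMName $vm.Name) {
            Add-Finding 'VMNic' ("{0} switch={1} mac={2}" -f $vm.Name, $nic.SwitchName, $nic.MacAddress)
        }
    }
    # Internal switches are the usual attachment point for a NATed guest.
    Get-VMSwitch | Where-Object { $_.SwitchType -eq 'Internal' } |
        ForEach-Object { Add-Finding 'VMSwitch' ("{0} type={1}" -f $_.Name, $_.SwitchType) }
}

# 4. VM files dropped into system folders, whether or not a VM is registered.
foreach ($root in $SuspectRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -Include *.vhdx, *.vhd, *.vmcx -File -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Finding 'VMFile' ("{0} ({1:N0} bytes)" -f $_.FullName, $_.Length) }
    }
}

# 5. Host NAT objects: these make guest C2 appear to come from the host IP.
Get-NetNat -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'NAT' ("{0} internal={1}" -f $_.Name, $_.InternalIPInterfaceAddressPrefix) }

$Findings | Format-Table -AutoSize
```

Any VMFile or VM finding under ProgramData on a host with no business reason to run Hyper-V should trigger isolation; copy the VHDX (and the host's memory, if practical) before shutting the VM down, because the guest-side indicators the report lists (cron entries and ProxyCommand SSH configuration) live only inside that disk image and are not visible to this host-side pass.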
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Execution | T1053.003 | Scheduled Task/Job | Cron |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Defense Evasion | T1564.006 | Hide Artifacts | Run Virtual Instance |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion | System Checks |
| Discovery | T1673 | Virtual Machine Discovery | — |
| Lateral Movement | T1021.004 | Remote Services | SSH |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Command and Control | T1090.001 | Proxy | Internal Proxy |
| Command and Control | T1572 | Protocol Tunneling | — |
REFERENCES:
The following reports contain further technical details: