A threat actor known as "Curly COMrades" is using Linux VMs to remain undetected in Windows environments while conducting Russia-aligned activities.
November 4, 2025

Threat actors supporting Russia's geopolitical interests are using Linux-based virtual machines (VMs) to obfuscate their activities from Windows endpoint security tools. The group is tracked as "Curly COMrades," and security vendor Bitdefender today published research describing how the actors establish hidden, long-term persistence in victim networks. Although some elements of Curly COMrades' activities are reminiscent of those seen in other groups, other tactics are fairly novel.

Bitdefender first reported on the group, which operates "to support Russian interests in geopolitical hotbeds," in August. This latest research uncovers additional techniques, such as the use of lightweight Linux VMs as a post-exploitation persistence tactic within Windows devices. Bitdefender conducted its research in collaboration with Georgian CERT under the Operative-Technical Agency of Georgia.

Martin Zugec, technical solutions director at Bitdefender, tells Dark Reading that the threat actor's primary goal "aligns strongly" with espionage and long-term covert access rather than something disruptive or financially motivated. Though many details remain uncertain, the research paints a picture of a threat group that uses sophisticated methods to maintain long-term access in target networks.
For the activity analyzed as part of this campaign, research author and Bitdefender senior security researcher Victor Vrabie said Curly COMrades compromised targeted Windows devices before exploiting legitimate virtualization technologies to gain persistence. Attackers enabled the Hyper-V role on victim systems to download and import "a minimalistic, Alpine Linux-based virtual machine. This hidden environment, with its lightweight footprint (only 120MB disk space and 256MB memory), hosted their custom reverse shell, CurlyShell, and a reverse proxy, CurlCat." Both are proprietary malware: CurlyShell is a persistent reverse shell, while CurlCat manages traffic tunneling.

The key benefit to using a lightweight Linux VM to conduct operations is that it bypasses many traditional endpoint detection and response (EDR) products and better obfuscates activity than persistence mechanisms placed directly on the host device. All malicious outbound traffic then appears to originate from the otherwise legitimate host IP address.

"EDR needs to be complemented by host-based network inspection to detect C2 traffic escaping the VM, and proactive hardening tools to restrict the initial abuse of native system binaries," Vrabie wrote.

Moreover, utilizing CurlyShell for command-and-control (C2) communication and CurlCat for traffic obfuscation keeps things simple and quiet compared to the heavyweight penetration tools that other threat actors often use.
Beyond the fancy use of lightweight VMs and custom malware, the investigation found two PowerShell scripts: one to inject a Kerberos ticket into the Local Security Authority Subsystem Service (LSASS) for remote authentication and command execution, and one which creates "a local account across domain-joined machines likely to achieve persistence," Vrabie said.

Bitdefender's Zugec tells Dark Reading that the core components of the attack are not entirely new, though the specific combination of said techniques "represents a significant and concerning evolution in attacker tactics."

"Attackers have previously used virtualization to run ransomware encryptors," he explains. "However, deploying a dedicated, minimal Alpine Linux VM directly onto a victim's endpoint specifically for long-term command and control isolation is an advanced evasion technique. This method allows the malware to run completely outside the host operating system's visibility, bypassing the behavioral, static signature, and memory scanning components of many traditional EDR solutions."

Bitdefender's research concludes by saying that Curly COMrades' recent activities confirm that as endpoint and extended detection and response tools become commodities, threat actors in turn get better at avoiding them. Bitdefender says organizations can counter the threat posed by Curly COMrades by moving beyond single security layers and implementing defense-in-depth, multilayered security. For larger organizations, this could mean using a network security layer capable of detecting and intercepting malicious traffic patterns. Organizations also need to be able to detect abnormal LSASS process access or Kerberos ticket creation, "which occur outside the VM and are highly detectable." Leaner organizations, Bitdefender said, may want to consider utilizing managed detection and response (MDR) services.
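The two host-side signals the report calls out, enabling Hyper-V or importing a VM through native binaries and processes touching LSASS, can both be hunted in endpoint telemetry. The following is an added example, not code from Bitdefender or the article: it runs simple detection rules over constructed Sysmon-style records (event 1 process creation, event 10 process access); the command lines, paths and the LSASS allowlist are assumptions to be tuned per environment.

```python
import re

# Constructed Sysmon-style records (not from the Bitdefender report).
# id 1 = process creation, id 10 = process access; in practice these come from EVTX/SIEM.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\dism.exe",
     "cmdline": "dism.exe /online /enable-feature /featurename:Microsoft-Hyper-V /all /norestart"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Import-VM -Path C:\\ProgramData\\vm\\alpine.vmcx"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"id": 10, "source_image": r"C:\Windows\System32\svchost.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1000"},
    {"id": 10, "source_image": r"C:\Users\Public\update.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1fffff"},
]

# Native-binary actions that turn on the Hyper-V role or import/create/start a VM.
HYPERV_PATTERNS = [
    re.compile(r"enable-feature.*featurename:Microsoft-Hyper-V", re.I),   # dism.exe
    re.compile(r"Enable-WindowsOptionalFeature.*Microsoft-Hyper-V", re.I),  # PowerShell
    re.compile(r"\b(Import-VM|New-VM|Start-VM)\b", re.I),                    # Hyper-V module
]

# Processes that routinely open LSASS on a typical host (assumption; baseline it yourself).
LSASS_ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


def analyze(events):
    """Return (rule, actor, detail) findings for Hyper-V abuse and abnormal LSASS access."""
    findings = []
    for ev in events:
        if ev["id"] == 1:
            for pat in HYPERV_PATTERNS:
                if pat.search(ev["cmdline"]):
                    findings.append(("hyperv_abuse", ev["image"], ev["cmdline"]))
                    break
        elif ev["id"] == 10 and ev["target_image"].lower().endswith("\\lsass.exe"):
            if ev["source_image"].lower() not in LSASS_ALLOWLIST:
                findings.append(("lsass_access", ev["source_image"], ev["granted_access"]))
    return findings


if __name__ == "__main__":
    for rule, actor, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {actor}: {detail}")
```

Alerting on the Hyper-V rule only makes sense where the role is not part of the standard build; where it is, pair it with inventory of VMs whose footprint matches the report's 120MB/256MB profile.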
Ultimately, Vrabie wrote, "It is critical to start designing the entire environment to be hostile to attackers."

Alexander Culafi, Senior News Writer, Dark Reading