Russian hackers hit Windows machines via Linux VMs with new custom malware

Hiding malware in VMs bypasses security protections

News By Sead Fadilpašić published 5 November 2025

Image credit: Shutterstock (Image credit: Shutterstock)

• Curly COMrades deployed Alpine Linux VMs on Windows hosts to hide reverse-shell malware activity
• VM traffic tunneled via host IP, bypassing traditional EDR and masking outbound communications
• Targets included Georgian and Moldovan institutions; operations align with Russian geopolitical interests

Russian hackers known as Curly COMrades have been seen hiding their malware in Linux-based virtual machines (VM) deployed on Windows devices, experts have warned.

Security researchers from Bitdefender after analyzing the latest activities together with the Georgian Computer Emergency Response Team (CERT), found Curly COMrades first started targeting their victims in July 2025, when they ran remote commands to enable the microsoft-hyper-v virtualization feature and disable its management interface.

Then, they used the feature to download a lightweight Alpine Linux-based VM containing multiple malware implants.

Russian attackers

The malware deployed in this campaign is called CurlyShell and CurlCat, both of which provide a reverse shell. The hackers also deployed PowerShell scripts which granted remote authentication and arbitrary command execution capabilities.

To hide the activity in plain sight, they configured the VM to use the Default Switch network adapter in Hyper-V. That way, all of the VM’s traffic went through the host’s network stack using Hyper-V’s internal network.

"In effect, all malicious outbound communication appears to originate from the legitimate host machine's IP address," the researchers explained. "By isolating the malware and its execution environment within a VM, the attackers effectively bypassed many traditional host-based EDR detections."

Curly COMrades were first spotted in 2024 and while their activities align with the interests of the Russian Federation, a direct link was not found. In August 2025, Bitdefender reported that their victims included government and judicial organizations in Georgia, and energy companies in Moldova. The victims in this incident were not named.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsors