Curly COMrades, a threat actor aligned with Russian geopolitical interests, has been observed leveraging Microsoft's Hyper-V hypervisor to deploy hidden Alpine Linux-based virtual machines on compromised Windows systems. By enabling Hyper-V via the DISM command-line tool and disabling its graphical management interface, the attackers create a concealed environment to run malware payloads such as CurlyShell and CurlyCat, evading detection by traditional endpoint security tools. The malicious VM is configured to use the Default Switch network adaptor, ensuring that all outbound traffic appears to originate from the legitimate host machine, further complicating detection and response efforts.
This technique allows the threat actors to operate outside the visibility of the host operating system, making it difficult for defenders to identify malicious activity. The campaign, first observed in July 2025, highlights a growing trend of sophisticated evasion tactics that blend virtualization technology with advanced persistence mechanisms. Victim identities have not been publicly disclosed, but the method demonstrates a significant escalation in the use of virtualization for stealthy cyber operations targeting Windows environments.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
9 events from the most recent confirmed update back to the earliest known activity.
A new malware evasion approach using Hyper-V virtual machines was highlighted in reporting around November 2025, showing how attackers can use virtualization to hinder analysis and detection.
Malware research published in early November 2025 also covered newer detection approaches intended to improve defenders' ability to identify increasingly sophisticated malware families and techniques.
By early November 2025, reporting drew attention to ongoing malware operations associated with North Korean threat actors Kimsuky and Lazarus, underscoring their continued operational tempo.
Researchers reported malicious NuGet packages containing logic bombs designed to activate years after installation, demonstrating a long-dwell software supply-chain threat.
Threat intelligence reporting in early November 2025 described newly identified Android malware strains focused on banking theft and mobile surveillance, showing continued evolution in mobile threats.
Researchers disclosed that certain Visual Studio Code extensions were malicious and included functionality that could enable ransomware-style impact on infected systems.
Malware reporting in early November 2025 noted a renewed wave of Gootloader activity, indicating the malware family had re-emerged as an active threat in current campaigns.
By early November 2025, researchers reported a campaign using weaponized military-themed documents to infect defense-sector targets with an advanced backdoor combining SSH access and Tor-based communications.
By early November 2025, malware research highlighted a newly observed backdoor dubbed SesameOp that used the OpenAI Assistants API as part of its command-and-control communications, reflecting a novel abuse of AI infrastructure.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
thehackernews.com
Open sourcesecurityaffairs.com
Open sourcesecurityaffairs.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.