Russian-aligned threat actor Curly COMrades (also tracked as KTA487) has adopted advanced techniques to evade endpoint detection and response (EDR) solutions by leveraging Microsoft Hyper-V virtualization. Attackers deploy hidden Alpine Linux virtual machines within compromised Windows hosts, running custom reverse shells and proxies that operate outside the visibility of traditional security tools. This approach allows malicious traffic to be NAT-translated through the legitimate host IP, achieving a high degree of stealth and persistence, and represents a significant evolution in threat actor tradecraft targeting enterprise environments.
Security researchers, including Bitdefender and Kroll, have documented these tactics as part of a broader trend in which sophisticated actors exploit legitimate system features to bypass commodity security controls. The use of architectural isolation, rather than direct engagement with EDR, signals a shift in adversary strategy and highlights the need for defenders to monitor for virtualization abuse and anomalous Hyper-V activity on endpoints. The campaign was first observed in July 2025 and publicly disclosed in November 2025, underscoring the ongoing risk to organizations relying solely on traditional endpoint security measures.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
1 event from the most recent confirmed update back to the earliest known activity.
Initial story creation
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.