
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 1,916 of 2,445   
   Mike Powell to All   
   Russian hackers hit Windo   
   05 Nov 25 11:12:11   
   
   TZUTC: -0500   
   MSGID: 1675.consprcy@1:2320/105 2d70b3e6   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   Russian hackers hit Windows machines via Linux VMs with new custom malware   
      
   Date:   
   Wed, 05 Nov 2025 13:22:00 +0000   
      
   Description:   
   Hiding malware in VMs bypasses security protections and hides traffic.   
      
   FULL STORY   
      
   Russian hackers known as Curly COMrades have been seen hiding their malware    
   in Linux-based virtual machines (VM) deployed on Windows devices, experts    
   have warned.    
      
   Security researchers from Bitdefender, after analyzing the latest activities
   together with the Georgian Computer Emergency Response Team (CERT), found
   Curly COMrades first started targeting their victims in July 2025, when they
   ran remote commands to enable the microsoft-hyper-v virtualization feature
   and disable its management interface.
      
   Then, they used the feature to download a lightweight Alpine Linux-based VM   
   containing multiple malware implants.   
      
   Russian attackers    
      
   The malware deployed in this campaign is called CurlyShell and CurlCat, both   
   of which provide a reverse shell. The hackers also deployed PowerShell    
   scripts which granted remote authentication and arbitrary command execution   
   capabilities.    
      
   To hide the activity in plain sight, they configured the VM to use the
   Default Switch network adapter in Hyper-V. That way, all of the VM's traffic
   went through the host's network stack using Hyper-V's internal network.
      
   "In effect, all malicious outbound communication appears to originate from    
   the legitimate host machine's IP address," the researchers explained. "By   
   isolating the malware and its execution environment within a VM, the    
   attackers effectively bypassed many traditional host-based EDR detections."    
      
   Curly COMrades were first spotted in 2024 and while their activities align
   with the interests of the Russian Federation, a direct link was not found. In
   August 2025, Bitdefender reported that their victims included government and
   judicial organizations in Georgia, and energy companies in Moldova. The
   victims in this incident were not named.
      
   Bitdefender stressed that there are no strong overlaps with known Russian APT
   groups, but Curly COMrades' operations align with the geopolitical goals of
   the Russian Federation.
      
   Ever since Russia's attention turned towards Ukraine in 2014 with the
   annexation of Crimea, countries on its eastern border have lost the
   spotlight. Georgia, however, is in a similar position to Ukraine, with two
   regions declaring independence with the help of the Russian military - South
   Ossetia and Abkhazia. Therefore, it would make sense that Russia's cyberspies
   would like to keep tabs on neighboring countries and their diplomatic
   efforts.
      
    Via The Register    
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/russian-hackers-hit-windows-machines-via-linux-vms-with-new-custom-malware
      
   $$   
   --- SBBSecho 3.28-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 206 300 307 317 400 426 428 470 664   
   SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35   
   PATH: 2320/105 229/426   
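As an added defender-side check (not part of the article, the BBS post, or Bitdefender's own tooling), the PowerShell script below inspects a Windows host for the combination the story describes: Hyper-V enabled, its management tooling disabled, and VMs attached to the Default Switch so their traffic leaves via the host's IP. The feature names and cmdlets are real Hyper-V ones; the WMI fallback assumes the VMMS service is running, and the script needs an elevated shell.

```powershell
# Added hunting check (not from the article or Bitdefender). Flags the host-side
# pattern described above: Hyper-V platform on, management tooling off, and VMs
# whose network adapter is connected to "Default Switch" (NAT through the host IP).
$features = 'Microsoft-Hyper-V',
            'Microsoft-Hyper-V-Management-PowerShell',
            'Microsoft-Hyper-V-Management-Clients'
$state = @{}
foreach ($f in $features) {
    $wof = Get-WindowsOptionalFeature -Online -FeatureName $f -ErrorAction SilentlyContinue
    $state[$f] = if ($wof) { $wof.State } else { 'Unknown' }
    '{0,-45} {1}' -f $f, $state[$f]
}

# Platform enabled while the management tooling is not is the combination worth a look.
if ($state['Microsoft-Hyper-V'] -eq 'Enabled' -and
    $state['Microsoft-Hyper-V-Management-PowerShell'] -ne 'Enabled') {
    Write-Warning 'Hyper-V platform is enabled but its management tooling is not.'
}

# Enumerate VMs. Prefer the Hyper-V module; if it was removed, fall back to the
# WMI provider in root\virtualization\v2 (assumption: the VMMS service is running).
$vms = @()
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in Get-VM) {
        foreach ($nic in Get-VMNetworkAdapter -VM $vm) {
            $vms += [pscustomobject]@{
                Name     = $vm.Name
                State    = $vm.State
                Switch   = $nic.SwitchName
                MemoryMB = [int]($vm.MemoryStartup / 1MB)
            }
        }
    }
} else {
    $cs = Get-CimInstance -Namespace root\virtualization\v2 -ClassName Msvm_ComputerSystem `
              -ErrorAction SilentlyContinue | Where-Object Caption -eq 'Virtual Machine'
    foreach ($vm in $cs) {
        # Switch binding is not read here; the VM's presence alone is the finding.
        $vms += [pscustomobject]@{ Name = $vm.ElementName; State = $vm.EnabledState
                                   Switch = '(not read via WMI)'; MemoryMB = $null }
    }
}

if (-not $vms) { 'No virtual machines found on this host.'; return }
$vms | Format-Table -AutoSize
$vms | Where-Object Switch -eq 'Default Switch' | ForEach-Object {
    Write-Warning ("VM '{0}' uses Default Switch: its traffic egresses from the host IP." -f $_.Name)
}
```

A small VM found on a workstation that has no business running Hyper-V, especially one that appeared alongside the management tooling being disabled, is the point to pivot to the VM's disk image and the host's outbound connections.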
      



(c) 1994,  bbs@darkrealms.ca