
"Curly COMrades Abuses Hyper-V to Hide Malware in Linux VMs - Curly COMrades, a threat actor supporting Russia's geopolitical interests, has been observed abusing Microsoft's Hyper-V hypervisor in compromised Windows machines to create a hidden Alpine Linux-based virtual machine and deploy malicious payloads. This method allows the malware to run completely outside the host operating system's visibility, effectively bypassing endpoint security tools."
"The threat actors are said to have configured the virtual machine to use the Default Switch network adaptor in Hyper-V to ensure that the VM's traffic travels through the host's network stack using Hyper-V's internal Network Address Translation (NAT) service, causing all malicious outbound communication to appear to originate from the legitimate host machine's IP address. Further investigation has revealed that the attackers first used the Windows Deployment Image Servicing and Management (DISM) command-line tool to enable the Hyper-V hypervisor"
Attackers are increasingly abusing the Hyper-V hypervisor to hide Alpine Linux VMs on compromised Windows hosts, deploying the CurlyShell and CurlyCat payloads inside the guest so they run outside the host OS's visibility and evade endpoint defenses. The malicious VM used Hyper-V's Default Switch, whose internal NAT makes outbound traffic appear to originate from the legitimate host's IP address. The actors enabled Hyper-V with the DISM tool and disabled Hyper-V Manager, then delivered the VHDX and VMCX files inside a RAR archive masquerading as an MP4. Additional trends covered include side-channel leaks exposing AI chat data, sleeper logic bombs, stealthy Android spyware in the wild, and growing collaboration among major threat groups.
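The configuration described above (hypervisor enabled with DISM, Hyper-V Manager disabled, a small Linux guest attached to the Default Switch so its traffic NATs out with the host's address) leaves host-side artefacts a defender can check for. The following hunting script is an added example written for this page, not code from the article or from the vendor that reported the activity. It assumes a Windows 10/11 host with PowerShell 5.1 or later, run as Administrator; the feature names and the switch name "Default Switch" are Hyper-V's own, while the memory threshold, the sweep roots, and the `Invoke-HyperVAbuseHunt` function name are constructed for this example.

```powershell
# Added hunting script for the Hyper-V abuse pattern described above.
# Not from the article. Assumes Windows 10/11, PowerShell 5.1+, elevated session.
#Requires -RunAsAdministrator

function Invoke-HyperVAbuseHunt {
    [CmdletBinding()]
    param(
        # Constructed heuristic: guests with less startup RAM than this get flagged
        # (a minimal Alpine guest needs far less than a typical Windows VM).
        [int64]$SmallMemoryBytes = 1GB,
        # Drives swept for .vmcx/.vhdx files when the Hyper-V cmdlets are unavailable.
        [string[]]$SweepRoots = @('C:\')
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Is a hypervisor actually running on this host?
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.HypervisorPresent) {
        $findings.Add("Hypervisor present on host $($cs.Name)")
    }

    # 2. Feature state. Hypervisor enabled while the Hyper-V Manager GUI feature is
    #    disabled is the odd combination reported for this tradecraft.
    $hv  = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor -ErrorAction SilentlyContinue
    $gui = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Management-Clients -ErrorAction SilentlyContinue
    if ($hv)  { $findings.Add("Feature Microsoft-Hyper-V-Hypervisor: $($hv.State)") }
    if ($gui) { $findings.Add("Feature Microsoft-Hyper-V-Management-Clients: $($gui.State)") }
    if ($hv -and $hv.State -eq 'Enabled' -and $gui -and $gui.State -ne 'Enabled') {
        $findings.Add("SUSPICIOUS: hypervisor enabled but Hyper-V Manager feature is '$($gui.State)'")
    }

    # 3. Virtual Machine Management service: running VMs require it.
    $svc = Get-Service -Name vmms -ErrorAction SilentlyContinue
    if ($svc) { $findings.Add("vmms service: $($svc.Status), start type $($svc.StartType)") }

    # 4. Enumerate guests if the Hyper-V PowerShell module is present.
    if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
        foreach ($vm in Get-VM) {
            $line = "VM '$($vm.Name)' state=$($vm.State) config=$($vm.ConfigurationLocation)"

            # Default Switch = host-side NAT: the guest egresses with the host's IP,
            # so network sensors will attribute its traffic to this machine.
            $nics = @(Get-VMNetworkAdapter -VM $vm)
            if ($nics | Where-Object SwitchName -eq 'Default Switch') {
                $line += ' [Default Switch NAT: guest traffic appears as host IP]'
            }

            if ($vm.MemoryStartup -lt $SmallMemoryBytes) {
                $line += " [small guest: $([int]($vm.MemoryStartup / 1MB)) MB startup RAM]"
            }

            foreach ($disk in Get-VMHardDiskDrive -VM $vm) {
                $line += " disk=$($disk.Path)"
            }
            $findings.Add($line)
        }
    }
    else {
        # Management cmdlets missing (possibly removed on purpose): look for the
        # VM configuration (.vmcx) and disk (.vhdx) files directly instead.
        $findings.Add('Hyper-V PowerShell module not available; sweeping disk for VM artefacts')
        Get-ChildItem -Path $SweepRoots -Recurse -Include *.vmcx, *.vhdx -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add("VM artefact on disk: $($_.FullName)") }
    }

    return $findings.ToArray()
}

# Usage: run on hosts where Hyper-V is not expected and review every line.
Invoke-HyperVAbuseHunt | ForEach-Object { Write-Output $_ }
```

The strongest single signal is the combination in step 2 (hypervisor on, management GUI off) together with a guest on the Default Switch in step 4; the disk sweep in the fallback branch is slow on large volumes but is what remains when the management tooling has been removed. Because the Default Switch NATs through the host, any alerts raised on the guest's outbound connections by network sensors will name the host's IP, so correlate them with these host-side findings rather than expecting a separate VM address.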
Read at The Hacker News