
Hidden Hyper‑V Virtual Machines Enable Evasion and Persistence

On November 5, 2025, AlienVault released a new threat report titled Evasion and Persistence via Hidden Hyper‑V Virtual Machines that sheds light on the sophisticated tactics employed by the Curly COMrades threat actor. The investigation reveals how these adversaries leverage Windows 10 Hyper‑V virtualization to establish covert, long‑term footholds within victim networks. By embedding a lightweight Alpine Linux virtual machine (VM) inside a compromised host, the attackers create a hidden remote operating environment that effectively bypasses traditional host‑based endpoint detection and response (EDR) solutions.

At the core of this technique is a minimal Alpine Linux VM that hosts custom malware for reverse‑shell and proxy operations. The VM runs in the background and leaves few of the artifacts that host‑based tooling normally inspects: its configuration and virtual disk are ordinary files, its worker process (vmwp.exe) is a legitimate Microsoft‑signed Hyper‑V binary, and the malware's own processes, files and sockets exist only inside the guest. Conventional host‑based EDR, which monitors processes, file‑system changes and network connections on the host OS, therefore sees a normal Hyper‑V workload rather than a reverse shell. Guest traffic leaves the host through a virtual switch; if that switch is NATed, as Hyper‑V's Default Switch is, the traffic reaches the network with the host's own IP address and is not attributed to any host process. This is what lets the Curly COMrades keep a foothold even after the initial compromise on the host has been identified and remediated.

The report also documents host‑side persistence mechanisms that complement the hidden VM. PowerShell scripts register scheduled tasks, modify registry keys and execute malicious payloads at system startup. The threat actor also abuses Kerberos tickets to reach privileged resources without passing through the normal authentication path. Local account creation provides a fallback: new accounts with administrative privileges are added to the compromised machine so that access survives if the VM is discovered and removed. Unlike the guest's contents, these mechanisms are visible to host‑based tooling, which makes them the more practical hunting targets.
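As an added example (not code from the report or from AlienVault), the following PowerShell triage script hunts for the host‑side persistence listed above: scheduled tasks whose actions reference PowerShell or Hyper‑V, Run/RunOnce keys, the current local administrators together with the account‑creation and group‑change events (4720, 4732) behind them, and the Kerberos tickets cached in the current logon session, flagging any whose client identity is not the logged‑on user. The keyword list, the 30‑day window and the "client differs from user" heuristic are assumptions, not indicators taken from the report.

```powershell
# Added example (not from the AlienVault report): host-side persistence triage.
# Run from an elevated PowerShell 5.1+ session on the suspect Windows host.
# The keyword list, lookback window and Kerberos heuristic are assumptions.

$since = (Get-Date).AddDays(-30)
# Hypothetical keywords: anything that starts or configures a Hyper-V guest,
# plus the usual signs of obfuscated or hidden PowerShell.
$keywords = 'powershell', 'Start-VM', 'vmconnect', 'Hyper-V', '.vhdx', '-enc', '-w hidden', 'bypass'

Write-Host '== Scheduled tasks whose actions match the keyword list =='
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd  = "$($action.Execute) $($action.Arguments)"
        $hits = $keywords | Where-Object { $cmd -match [regex]::Escape($_) }
        if ($hits) {
            [pscustomobject]@{
                Task    = "$($task.TaskPath)$($task.TaskName)"
                RunAs   = $task.Principal.UserId
                Matched = ($hits -join ',')
                Command = $cmd
            }
        }
    }
} | Format-Table -AutoSize -Wrap

Write-Host '== Run / RunOnce entries for the machine and the current user =='
'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' | ForEach-Object {
    $key = $_
    if (Test-Path $key) {
        # Drop the PSPath/PSParentPath/... properties PowerShell adds to the item.
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Value = $_.Value } }
    }
} | Format-Table -AutoSize -Wrap

Write-Host '== Local Administrators, plus account creation (4720) and group change (4732) events =='
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

Write-Host '== Kerberos tickets cached for this logon session (klist) =='
# Heuristic (assumption): a ticket whose client identity is not the logged-on
# user suggests a ticket injected into the session rather than one this user obtained.
$me = $env:USERNAME
klist 2>$null | Select-String -Pattern 'Client:|Server:' | ForEach-Object {
    $line = $_.Line.Trim()
    if ($line -match 'Client:\s*(\S+)' -and $Matches[1] -ne $me) { "$line    <-- client is not $me" }
    else { $line }
}
```

The Security log queries need the audit policy for account management to be enabled, which it is by default on domain‑joined workstations but not necessarily on standalone hosts; if 4720/4732 return nothing, check the policy before concluding no accounts were created.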

International collaboration played a pivotal role in uncovering the full extent of the attack. The Georgian CERT worked closely with AlienVault analysts to map the command‑and‑control (C2) infrastructure, identifying the domains and IP addresses used to coordinate the hidden VM operations. This partnership enabled a comprehensive understanding of the threat actor’s capabilities and the scope of their network penetration.

From a defensive standpoint, the findings call for visibility that extends beyond the host OS's own processes. First, organizations should monitor the virtualization layer itself for VM creation and configuration changes. On a Windows 10 host this means collecting the Hyper‑V event log channels (Microsoft‑Windows‑Hyper‑V‑VMMS‑Admin for VM creation, deletion and configuration changes; Microsoft‑Windows‑Hyper‑V‑Worker‑Admin for VM start and stop) and alerting when the Hyper‑V feature is enabled on a workstation that has no business need for it. Enabling the feature requires administrative rights and a reboot, so it is a noisy, auditable event in its own right.

Second, EDR rules must be tuned to the footprint an embedded VM leaves on the host. The guest's Alpine Linux binaries are not visible to host tooling, but the following are: the Hyper‑V worker process vmwp.exe appearing on a workstation, .vhd/.vhdx files created outside the default Hyper‑V directories, new virtual switches or NAT objects, traffic from virtual network adapters (or from the host's own IP) that no host process owns, and PowerShell that creates scheduled tasks or local accounts or manipulates Kerberos tickets. PowerShell execution policy is not a security boundary and should not be relied on; what actually limits VM creation is that enabling Hyper‑V and creating VMs require local Administrator or Hyper‑V Administrators membership, so the real control is keeping ordinary users out of those groups and applying application control to unsigned scripts.

Third, organizations should adopt a zero‑trust approach to privileged access. Implementing least‑privilege policies, multi‑factor authentication for all administrative accounts, and continuous monitoring of privileged session activity can reduce the window of opportunity for threat actors to establish persistence through hidden VMs.

Finally, security teams should maintain an up‑to‑date inventory of every VM, its virtual disks and switches, and the host it runs on, including Hyper‑V on workstations and not only the server fleet. Regularly reconciling that inventory against what the hosts actually report, coupled with automated alerts for VM creation events that have no matching change record, can provide early warning of compromise.
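As an added example (again not the report's or AlienVault's code), this PowerShell audit script collects the hypervisor‑level evidence discussed in the preceding points from a Windows 10/11 workstation: whether Hyper‑V is enabled, which VMs are registered with their disks, creation time and network attachment, which vmwp.exe worker processes are running, the virtual switches and user‑created NATs, virtual disk files outside the default Hyper‑V folders, and the VM lifecycle events from the Hyper‑V event log channels. The approved‑VM allow‑list, the default‑folder list and the lookback window are assumptions to adjust per environment.

```powershell
# Added example (not the report's code): Hyper-V audit for a Windows 10/11
# workstation. Run elevated. Get-VM and related cmdlets exist only once the
# Hyper-V feature (and its PowerShell module) is installed, so they are guarded.
# The allow-list, default folders and lookback window are assumptions.

$since       = (Get-Date).AddDays(-30)
$approvedVMs = @()        # hypothetical allow-list: VMs expected on this host
$defaultDirs = @(
    'C:\Users\Public\Documents\Hyper-V'           # default virtual hard disk folder
    'C:\ProgramData\Microsoft\Windows\Hyper-V'    # default VM configuration folder
)

Write-Host '== Hyper-V feature and services (absent on most workstations) =='
Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-All' |
    Select-Object FeatureName, State | Format-Table -AutoSize
Get-Service -Name vmms, vmcompute -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize

$hyperv = [bool](Get-Command Get-VM -ErrorAction SilentlyContinue)

if ($hyperv) {
    Write-Host '== Registered VMs =='
    Get-VM | ForEach-Object {
        $vm = $_
        [pscustomobject]@{
            Name     = $vm.Name
            Approved = $approvedVMs -contains $vm.Name
            State    = $vm.State
            Created  = $vm.CreationTime
            Config   = $vm.Path
            Disks    = (Get-VMHardDiskDrive -VM $vm | ForEach-Object Path) -join '; '
            Network  = (Get-VMNetworkAdapter -VM $vm | ForEach-Object {
                            "$($_.SwitchName) mac=$($_.MacAddress) ip=$($_.IPAddresses -join ',')"
                        }) -join '; '
        }
    } | Format-List

    Write-Host '== Virtual switches (an Internal switch with NAT egresses with the host IP) =='
    Get-VMSwitch | Select-Object Name, SwitchType, NetAdapterInterfaceDescription | Format-Table -AutoSize
    # Get-NetNat lists user-created NAT objects; the built-in Default Switch NAT is not shown here.
    Get-NetNat -ErrorAction SilentlyContinue |
        Select-Object Name, InternalIPInterfaceAddressPrefix | Format-Table -AutoSize
}

Write-Host '== Running VM worker processes (one vmwp.exe per running guest; the GUID is the VM id) =='
Get-CimInstance Win32_Process -Filter "Name = 'vmwp.exe'" |
    Select-Object ProcessId, ParentProcessId, CreationDate, CommandLine | Format-List

Write-Host '== Virtual disk files outside the default Hyper-V folders (heuristic) =='
Get-ChildItem -Path 'C:\' -Recurse -Force -Include '*.vhd', '*.vhdx', '*.avhdx' -ErrorAction SilentlyContinue |
    Where-Object {
        $full = $_.FullName
        -not ($defaultDirs | Where-Object { $full.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
    } |
    Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

Write-Host '== VM lifecycle events in the lookback window =='
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Hyper-V-VMMS-Admin', 'Microsoft-Windows-Hyper-V-Worker-Admin'
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Run the script with an empty allow‑list first to establish a baseline; on a workstation with no legitimate Hyper‑V use, the feature should report Disabled, the services should be absent, and every remaining section should be empty. A registered VM whose Approved column is False, or a .vhdx sitting under a user profile or temp directory, is the starting point for a deeper look at the guest's disk image and the scheduled tasks that start it.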

In summary, the Curly COMrades’ use of hidden Hyper‑V virtual machines represents a significant evolution in adversary tactics, combining stealthy virtualization with traditional persistence techniques to evade detection. By enhancing hypervisor visibility, strengthening endpoint detection, enforcing strict privileged access controls, and maintaining vigilant VM inventory management, organizations can mitigate the risk posed by this advanced threat.


Copyright © 2025 ESSGroup
