A gang known as Curly COMrades is using Hyper-V to quietly spin up Alpine Linux VMs on Windows 10 machines, giving them somewhere to run covert implants well out of reach of host-based EDR.
Bitdefender researchers uncovered the stunt, which involves enabling Hyper-V, creating a stripped-down Linux VM that needs just 120MB of disk space and 256MB of RAM, and hosting a suite of malicious tools from within it. Because the malware isn't running on Windows, and all the host's security tooling ever sees of the guest is a worker process and a blob of opaque memory, Windows-based defences are about as useful as a chocolate teapot.
Bitdefender security researcher Victor Vrabie warned: “By isolating the malware and its execution environment within a VM, the attackers effectively bypassed many traditional host-based EDR detections.”
Once inside, the COMrades deployed tools like CurlyShell and CurlCat for persistent remote access and network tunnelling. Everything went out through the host's network connection, so to anyone watching the wire the traffic appeared to come from the host's own IP address. The VM was set up to reach their command-and-control servers using proxy tools such as Resocks, Rsockstun, Ligolo-ng, CCProxy, Stunnel and SSH-based methods, turning the Windows host into a stealth gateway.
Hyper-V's management interface was disabled to keep the whole setup hush-hush: the hypervisor was switched on, but there was no Hyper-V Manager console lying around to give the game away. The operation kicked off in July 2025 and was only detected after Georgia's national CERT stumbled upon a CurlCat sample and roped in Bitdefender to investigate.
The researchers said the attackers avoided packing the VM with anything it didn't need, keeping it lightweight enough to stay off the radar while retaining reverse shell and proxy capabilities. PowerShell scripts were used to inject Kerberos tickets, create local accounts and run remote commands.
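For anyone wanting to check their own Windows 10 estate for this kind of footprint, here is a triage script put together for this piece; it is not from Bitdefender's report or the attackers' kit. It looks for the combination described above: Hyper-V platform features enabled with the management clients left off, VM worker processes, guests registered with the virtualisation WMI provider (which answers even when the Hyper-V PowerShell module is not installed), suspiciously tiny virtual disks, the vEthernet adapter the guest's NAT'd traffic leaves through, and recent Hyper-V management and local-account-creation events of the sort the PowerShell scripts would leave behind. The disk-size threshold, search paths and event counts are assumptions; run it from an elevated prompt.

```powershell
# Host triage for a hidden Hyper-V guest (added example, not Bitdefender's or
# the attackers' code). Run elevated on the suspect Windows 10 host.
# Assumptions: the disk-size threshold, the search paths and the event counts.
[CmdletBinding()]
param(
    [int]$SmallDiskMB = 300,   # anything this small deserves a look (the report cites ~120MB)
    [string[]]$SearchPaths = @(
        "$env:ProgramData\Microsoft\Windows\Hyper-V",   # default VM config location
        "$env:PUBLIC\Documents\Hyper-V",                # default VHD location
        "$env:ProgramData",
        "$env:SystemDrive\Users"
    ),
    [int]$MaxEvents = 25
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Optional-feature state. The giveaway is the platform being on while the
#    management clients are off: nothing to see in Hyper-V Manager, yet guests can run.
$hv = Get-WindowsOptionalFeature -Online | Where-Object FeatureName -like 'Microsoft-Hyper-V*'
$hv | Select-Object FeatureName, State | Format-Table -AutoSize
$platformOn = $hv | Where-Object { ($_.FeatureName -in @('Microsoft-Hyper-V-Hypervisor', 'Microsoft-Hyper-V-Services')) -and $_.State -eq 'Enabled' }
$mgmtOff    = $hv | Where-Object { $_.FeatureName -eq 'Microsoft-Hyper-V-Management-Clients' -and $_.State -ne 'Enabled' }
if ($platformOn -and $mgmtOff) { $findings.Add('Hyper-V platform enabled with management clients disabled') }

# 2. Management services and per-guest worker processes. vmwp.exe runs once per
#    running guest; vmmem is the host-side process that backs guest memory.
Get-Service -Name vmms, vmcompute -ErrorAction SilentlyContinue | Select-Object Name, Status | Format-Table -AutoSize
$workers = @(Get-Process -Name vmwp -ErrorAction SilentlyContinue)
if ($workers.Count -gt 0) { $findings.Add("$($workers.Count) VM worker process(es) (vmwp.exe) running") }
if (Get-Process -Name vmmem -ErrorAction SilentlyContinue) { $findings.Add('vmmem present: guest memory is mapped') }

# 3. Ask the virtualisation WMI provider directly; this works even when the
#    Hyper-V PowerShell module (Get-VM) has been left uninstalled.
$guests = Get-CimInstance -Namespace root\virtualization\v2 -ClassName Msvm_ComputerSystem -ErrorAction SilentlyContinue |
          Where-Object Caption -eq 'Virtual Machine'
foreach ($g in $guests) {
    $state = if ($g.EnabledState -eq 2) { 'running' } else { "EnabledState=$($g.EnabledState)" }
    $findings.Add("VM '$($g.ElementName)' id $($g.Name) $state")
}

# 4. Virtual disks and VM configs on the file system. A guest built to be
#    forgettable still needs a VHD/VHDX somewhere; flag the tiny ones.
$files = Get-ChildItem -Path $SearchPaths -Recurse -File -Include *.vhd, *.vhdx, *.vmcx -ErrorAction SilentlyContinue
foreach ($f in $files) {
    $mb   = [math]::Round($f.Length / 1MB, 1)
    $note = if ($f.Extension -ne '.vmcx' -and $mb -le $SmallDiskMB) { ' <- unusually small' } else { '' }
    $findings.Add("$($f.FullName) ${mb}MB modified $($f.LastWriteTime)$note")
}

# 5. Virtual switch adapters. The Default Switch NATs guest traffic out through
#    the host, which is why the C2 traffic wears the host's IP address.
Get-NetAdapter -Name 'vEthernet*' -ErrorAction SilentlyContinue | Select-Object Name, Status, MacAddress | Format-Table -AutoSize

# 6. Recent Hyper-V management events, plus Security events for local account
#    creation (4720) and local group membership changes (4732).
Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

"`n== Findings =="
if ($findings.Count -eq 0) { 'nothing suspicious found' } else { $findings }
```

None of this is proof of compromise on its own: a developer box will legitimately have Hyper-V and a few VHDX files. The combination to care about is a workstation with no business running VMs where the hypervisor is enabled, the management clients are not, and a very small Linux-sized disk is backing a guest that is quietly running.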
Despite running inside a VM, the malware still had to send traffic over the network, and that is where the trick is weakest: the guest's traffic still crosses the host's network stack and the organisation's egress points, so network-level monitoring can see what the endpoint agent cannot. Hyper-V being switched on at all on a workstation that has no reason to run it is a signal in its own right. Bitdefender's report highlighted how traditional endpoint detection tools are becoming increasingly easy for attackers to sidestep.