Hackers Weaponize Windows Hyper-V to Hide Linux VM and Evade EDR Detection

Brownie2019

The threat actor known as Curly COMrades has been observed exploiting virtualization technologies as a way to bypass security solutions and execute custom malware.
According to a new report from Bitdefender, the adversary is said to have enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based virtual machine.
Thanks for sharing this, Brownie2019. This is a fascinating (and concerning) development in evasion techniques. From what Bitdefender's report outlines, it looks like Curly COMrades is leveraging Hyper-V to create lightweight VMs that run hidden processes, making detection much harder for traditional endpoint security tools. It's a clever abuse of legitimate Windows features—reminds me of how attackers have weaponized things like PowerShell or WMI in the past.

If anyone's running Hyper-V in their environment, it's worth double-checking your configurations:
  • Ensure Hyper-V is only enabled when necessary, and monitor for unauthorized role installations.
  • Keep an eye on system logs for unusual VM deployments (e.g., via Event Viewer for Hyper-V events).
  • Layered defenses like behavioral monitoring and network segmentation can help mitigate these kinds of nested threats.

Definitely one to watch—virtualization-based attacks are evolving fast. Has anyone here encountered similar tactics in the wild?
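As an added example for the checks suggested above (my own script, not from the thread or the Bitdefender report), the following PowerShell inventories a host's Hyper-V exposure: whether the role is enabled, which VMs exist, recent Hyper-V management and servicing events, and how many VM worker processes are running. It assumes an elevated PowerShell 5.1+ session on Windows 10/11 or Server; the function name, parameter and output fields are my own choices.

```powershell
# Added defensive check (not from the thread or Bitdefender): inventory Hyper-V
# state on a Windows host so unexpected role enablement or VMs stand out.
# Assumes an elevated PowerShell 5.1+ session; the Hyper-V module is optional.
function Get-HyperVExposureReport {
    [CmdletBinding()]
    param([int]$LookbackDays = 30)

    $since = (Get-Date).AddDays(-$LookbackDays)

    # 1. Is the Hyper-V optional feature enabled at all? (client SKUs; on
    #    Server use Get-WindowsFeature -Name Hyper-V instead)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction SilentlyContinue
    $featureState = if ($feature) { [string]$feature.State } else { 'Unknown' }

    # 2. Is the VM management service present or running? On a workstation
    #    that has no business hosting VMs, its presence alone is a signal.
    $vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue

    # 3. Enumerate every VM the host knows about. A small, recently created VM
    #    with an unfamiliar name or a config path outside the usual folder
    #    deserves a closer look.
    $vms = @()
    if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
        $vms = Get-VM | Select-Object Name, State, CreationTime, Path,
            @{ n = 'MemoryMB'; e = { $_.MemoryStartup / 1MB } }
    }

    # 4. Recent Hyper-V management events (VM create/start and similar) plus any
    #    servicing entries mentioning Hyper-V in the Setup log, where feature
    #    installations are recorded.
    $vmmsEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Hyper-V-VMMS-Admin'; StartTime = $since
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
    $setupEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Setup'; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Hyper-V' } | Select-Object TimeCreated, Id, Message

    # 5. Each running VM is backed by a vmwp.exe worker; a worker count that
    #    does not match the running VMs above is worth investigating.
    $workers = Get-Process -Name vmwp -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        HyperVFeature   = $featureState
        VmmsService     = if ($vmms) { [string]$vmms.Status } else { 'NotInstalled' }
        VirtualMachines = $vms
        VmmsEvents      = $vmmsEvents
        SetupEvents     = $setupEvents
        WorkerProcesses = @($workers).Count
    }
}

Get-HyperVExposureReport | Format-List
```

Run it across a fleet with Invoke-Command and compare the HyperVFeature and VirtualMachines fields against your asset inventory; hosts where the role is enabled but not expected are the ones to triage first.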