ZeroDay Field Notes: Hiding in Plain Sight with Hyper-V

Explores using Hyper-V as a covert hideout for stealthy C2 and persistence, with real-world campaigns and toolchains.

It's UncleSp1d3r. The cat-and-mouse game between us and the EDR vendors just got a lot more interesting. For years, we've been finding creative ways to run our tools without getting zapped by the latest kernel-level magic. This week, we got a beautiful, real-world example of just how far actors are willing to go to stay hidden. Forget shellcode injection and reflective loading for a minute; we're talking about bringing your own damn operating system.

It's a reminder that the hypervisor can be your best friend or your worst enemy, depending on which side of the glass you're on. This is the kind of tradecraft that makes you sit up and take notes. If you're not thinking about how to abuse virtualization features on your engagements, you're already behind.


EDR Evasion of the Week: The Hyper-V Hideout

The top story for any operator this week comes from Bitdefender, who put out a fantastic report on the Russia-aligned group they call Curly COMrades. These folks have been abusing a feature most of us ignore on Windows 10+ endpoints: Hyper-V.

As detailed in their report, "Curly COMrades: Evasion and Persistence via Hidden Hyper-V Virtual Machines," the actors gain access to a host and then use DISM and PowerShell to quietly enable the Hyper-V role. From there, they import and run a minimal Alpine Linux VM. Inside this nested doll, they run their custom C++ implants: CurlyShell (a reverse shell) and CurlCat (a reverse proxy/tunnel).

The beauty of this technique is twofold. First, the implants are running inside a separate OS, making them invisible to most host-based EDRs that are blind to what's happening inside the VM's memory. Second, by using the Hyper-V Default Switch, all C2 traffic from the Linux VM is NAT'd, appearing to originate from the compromised Windows host's IP address. It's a brilliant way to blend in with legitimate network traffic. The report also notes their use of Kerberos ticket injection for lateral movement and GPO abuse for persistence. This is a full-chain methodology worth studying.
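For anyone who has to hunt for this on the other side of the glass, the following audit script is an added example, not code from the Bitdefender report or from this post's author. It uses only stock Windows cmdlets (`Get-WindowsOptionalFeature`, `Get-Process`, `Get-VM`, `Get-VMNetworkAdapter`); the `$KnownVMs` allowlist is an assumption you fill in for your own fleet, and the thresholds and labels are this script's, not the report's.

```powershell
# Added defender-side audit for the hidden-VM pattern described above. Not code from the
# Bitdefender report or the post's author; it relies only on documented Hyper-V cmdlets.
# Run elevated on a Windows 10/11 endpoint. $KnownVMs is an assumed allowlist you maintain.

$KnownVMs = @('DevBox01')   # constructed example allowlist; leave empty on hosts that should run no VMs

function Get-HyperVExposure {
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Role state. On workstations that never run VMs, an enabled role is itself worth a ticket.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -ErrorAction SilentlyContinue
    if (-not $feature -or "$($feature.State)" -ne 'Enabled') {
        $findings.Add([pscustomobject]@{ Check = 'HyperVRole'; Item = 'Microsoft-Hyper-V-All'; Detail = 'Not enabled' })
        return $findings
    }
    $findings.Add([pscustomobject]@{ Check = 'HyperVRole'; Item = 'Microsoft-Hyper-V-All'; Detail = 'ENABLED' })

    # 2. Worker processes: one vmwp.exe per running VM, visible even if the Hyper-V module will not load.
    $workers = @(Get-Process -Name vmwp -ErrorAction SilentlyContinue)
    $findings.Add([pscustomobject]@{ Check = 'VmWorkerProcs'; Item = 'vmwp.exe'; Detail = "$($workers.Count) running" })

    if (-not (Get-Command Get-VM -ErrorAction SilentlyContinue)) { return $findings }

    # 3. VMs not on the allowlist. A small, low-memory Linux guest is the profile the report describes.
    foreach ($vm in Get-VM) {
        if ($KnownVMs -notcontains $vm.Name) {
            $findings.Add([pscustomobject]@{
                Check  = 'UnexpectedVM'
                Item   = $vm.Name
                Detail = 'state={0} gen={1} startupMem={2}MB path={3}' -f $vm.State, $vm.Generation, [int]($vm.MemoryStartup / 1MB), $vm.Path
            })
        }
        # 4. NICs on 'Default Switch' egress NAT'd behind the host's own IP, which is the blending trick above.
        foreach ($nic in ($vm | Get-VMNetworkAdapter)) {
            if ($nic.SwitchName -eq 'Default Switch') {
                $findings.Add([pscustomobject]@{
                    Check  = 'DefaultSwitchNat'
                    Item   = $vm.Name
                    Detail = "MAC=$($nic.MacAddress) IPs=$($nic.IPAddresses -join ',')"
                })
            }
        }
    }
    return $findings
}

Get-HyperVExposure | Format-Table -AutoSize
```

Any `UnexpectedVM` or `DefaultSwitchNat` row on a host whose owner never asked for Hyper-V is the cue to pull the VM's disk image and the host's DISM logs; the `vmwp.exe` count is a cheap cross-check when the PowerShell module has been tampered with or is simply absent.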

Creative C2: Living Off the Management Plane

The trend of abusing legitimate services for command and control continues to evolve.

Palo Alto Networks' Unit 42 dropped a report on a new malware family called Airstalk. This implant uses the VMware AirWatch/Workspace ONE UEM API as a covert C2 channel. As detailed in "Suspected Nation-State Threat Actor Uses New Airstalk Malware," the malware communicates by reading and writing to custom device attributes within the MDM platform. From a network monitoring perspective, the traffic looks like legitimate MDM activity, making it a nightmare to detect without direct access to API logs. The malware itself is a standard grab-bag of browser data theft and screenshotting capabilities.

In a more experimental vein, Google's Threat Intelligence Group (GTIG) reported on a VBScript dropper named PROMPTFLUX. This little oddity uses Google's own Gemini API to regenerate its own code at runtime. According to the GTIG report, the script contains hard-coded API keys and periodically calls the gemini-1.5-flash-latest model to get a new version of itself, which it then writes to the Startup folder. While Google says it's still in the experimental stage, this "just-in-time" metamorphic capability is something to keep an eye on.

Delivery and Persistence: The Classics Endure

While EDR evasion gets more exotic, the methods for getting on the box and staying there remain stubbornly effective.

  • Gootloader is Back: Huntress Labs has a great write-up on the return of Gootloader. The crew is still using SEO poisoning to lure victims, but now delivers an XOR-encrypted ZIP that unpacks to a malicious JScript file. The notable change is in persistence: they've moved from scheduled tasks to creating .lnk files in the Startup folder, complete with assigned hotkeys. It's a simple, but often overlooked, technique.
  • ValleyRAT's Bag of Tricks: Picus Security dissected a multi-stage ValleyRAT campaign that's a goldmine for TTPs. It uses a .NET loader to inject the RAT into MSBuild.exe, leverages multiple known UAC bypasses (including the ms-settings and mscfile registry keys), and even runs PowerShell to add its own path to the Microsoft Defender exclusion list. A solid playbook.
  • Kimsuky's JS Dropper: Pulsedive analyzed a classic Kimsuky infection chain starting with a JavaScript dropper. It uses Windows Script Host to fetch a second stage, performs recon (systeminfo, tasklist, etc.), stages the output in a CAB file using certutil, and exfiltrates via HTTP POST. Persistence is achieved via a recurring scheduled task named "Windows Theme Manager" that executes wscript.exe every minute.
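The three persistence stories above share a handful of host artifacts that are easy to sweep for. The script below is an added example, not code from the Huntress, Picus or Pulsedive write-ups or from this post's author. It assumes nothing beyond built-in cmdlets and the `WScript.Shell` COM object; the registry paths are the two named in the ValleyRAT summary, the script-host regex and the "Startup script" heuristic are this script's own choices, and `Get-MpPreference` needs an elevated session.

```powershell
# Added defender-side sweep for the persistence artifacts described above (Gootloader .lnk hotkeys,
# PROMPTFLUX/Kimsuky script droppers, ValleyRAT UAC-bypass keys and Defender exclusions).
# Not code from the cited write-ups or the post's author. Run elevated for the Defender check.

function Get-StartupFolderFindings {
    # Gootloader: .lnk in a Startup folder with a hotkey assigned. PROMPTFLUX writes its .vbs here as well.
    $shell = New-Object -ComObject WScript.Shell
    $folders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    $scriptExt = @('.vbs', '.vbe', '.js', '.jse', '.wsf', '.hta', '.ps1', '.bat', '.cmd')
    foreach ($dir in $folders) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in Get-ChildItem -Path $dir -File) {
            if ($f.Extension -ieq '.lnk') {
                $lnk = $shell.CreateShortcut($f.FullName)
                if ($lnk.Hotkey) {
                    [pscustomobject]@{ Check = 'StartupLnkHotkey'; Item = $f.FullName
                                       Detail = "Hotkey=$($lnk.Hotkey) Target=$($lnk.TargetPath) Args=$($lnk.Arguments)" }
                }
            } elseif ($scriptExt -contains $f.Extension.ToLower()) {
                [pscustomobject]@{ Check = 'StartupScript'; Item = $f.FullName; Detail = 'Script file in Startup folder' }
            }
        }
    }
}

function Get-ScriptHostTaskFindings {
    # Kimsuky: a scheduled task whose action is wscript.exe, firing on a short repetition interval.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $task.Actions) {
            if ($a.Execute -match '(wscript|cscript|mshta)(\.exe)?"?$') {
                $interval = ($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
                [pscustomobject]@{ Check = 'ScriptHostTask'; Item = "$($task.TaskPath)$($task.TaskName)"
                                   Detail = "Exec=$($a.Execute) Args=$($a.Arguments) Repeat=$interval" }
            }
        }
    }
}

function Get-UacBypassKeyFindings {
    # ValleyRAT: per-user handler keys that a clean profile does not have. Presence alone deserves a look.
    $keys = @('HKCU:\Software\Classes\ms-settings\Shell\Open\command',
              'HKCU:\Software\Classes\mscfile\Shell\Open\command')
    foreach ($k in $keys) {
        if (Test-Path $k) {
            $p = Get-ItemProperty -Path $k
            [pscustomobject]@{ Check = 'UacBypassKey'; Item = $k
                               Detail = "Default=$($p.'(default)') DelegateExecute=$($p.DelegateExecute)" }
        }
    }
}

function Get-DefenderExclusionFindings {
    # ValleyRAT adds its own path to the exclusion list; every exclusion should map to a change ticket.
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if (-not $pref) { return }
    foreach ($e in @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)) {
        if ($e) { [pscustomobject]@{ Check = 'DefenderExclusion'; Item = $e; Detail = 'Confirm this exclusion is sanctioned' } }
    }
}

$results = @(Get-StartupFolderFindings) + @(Get-ScriptHostTaskFindings) +
           @(Get-UacBypassKeyFindings) + @(Get-DefenderExclusionFindings)
$results | Format-Table -AutoSize
```

A `ScriptHostTask` row with `Repeat=PT1M` matches the one-minute cadence described for the Kimsuky task, and a `StartupLnkHotkey` row is unusual enough on a managed workstation that it is worth opening the shortcut's target before anything else.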

The $128 Million Rounding Error

Finally, for those of you who dabble in the world of Web3, a cautionary tale. The DeFi protocol Balancer suffered a massive ~$128 million loss due to a laughably simple bug. As detailed by Check Point Research, an attacker found a rounding-direction flaw in Balancer's V2 stable pools. By combining this with a flash loan and batchSwap, they were able to manipulate the Balancer Pool Token (BPT) price to near zero and drain the pools across multiple blockchains. It’s a stellar example of how a tiny logical flaw in a complex system can lead to catastrophic failure.
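To see why rounding direction matters in pool math, here is an added illustration, not Balancer's code and not from the Check Point write-up. It models a toy constant-product pool in integer arithmetic (Balancer's stable-pool invariant is different, so this shows the principle rather than the exact flaw) and exposes the one check a pool audit has to assert: the invariant never decreases after a swap. The pool sizes and the single-unit trade are constructed values.

```powershell
# Added illustration of the rounding-direction principle. Not Balancer's code and not from the
# Check Point analysis: a toy x*y=k pool in exact integer math. Every division must round in
# the pool's favour; flipping one rounding lets a round-trip swap leak value out.

function Get-AmountOut {
    param([bigint]$ReserveIn, [bigint]$ReserveOut, [bigint]$AmountIn, [switch]$RoundUp)
    # dy = y*dx / (x+dx). Truncating division favours the pool (the trader gets slightly less).
    $num = $ReserveOut * $AmountIn
    $den = $ReserveIn + $AmountIn
    $q = [System.Numerics.BigInteger]::Divide($num, $den)
    if ($RoundUp -and [System.Numerics.BigInteger]::Remainder($num, $den) -ne 0) {
        $q += 1   # the flawed direction: the pool pays out the fractional unit
    }
    return $q
}

function Test-RoundTrip {
    param([bigint]$X, [bigint]$Y, [bigint]$Dx, [switch]$RoundUp)
    $kBefore = $X * $Y
    # Trader sells Dx of asset A for B ...
    $dy = Get-AmountOut -ReserveIn $X -ReserveOut $Y -AmountIn $Dx -RoundUp:$RoundUp
    $X += $Dx; $Y -= $dy
    # ... then sells that B straight back for A.
    $dxBack = Get-AmountOut -ReserveIn $Y -ReserveOut $X -AmountIn $dy -RoundUp:$RoundUp
    $Y += $dy; $X -= $dxBack
    [pscustomobject]@{
        Rounding      = $(if ($RoundUp) { 'up (flawed)' } else { 'down (safe)' })
        TraderNetA    = $dxBack - $Dx            # > 0 means value leaked out of the pool
        InvariantHeld = (($X * $Y) -ge $kBefore) # the assertion a pool audit must make after every swap
    }
}

# Constructed pool of 1000/1000 units and a one-unit trade.
Test-RoundTrip -X 1000 -Y 1000 -Dx 1            # TraderNetA = -1, InvariantHeld = True
Test-RoundTrip -X 1000 -Y 1000 -Dx 1 -RoundUp   # TraderNetA = +1, InvariantHeld = False
```

With safe rounding the trader loses a unit to truncation and `k` grows; with the flipped rounding the same round trip hands the trader one unit the pool never owed and `k` shrinks. One unit looks harmless, which is exactly why an invariant assertion after every swap, rather than eyeballing amounts, is the control that catches this class of bug before a flash loan turns it into a loop.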


The takeaway this week is that our targets are complex systems full of legitimate, abusable features. From Hyper-V to MDM APIs, the line between admin tool and implant is blurrier than ever. The best operators aren't just bringing exploits; they're bringing a deep understanding of the environment and using it against itself.

Keep digging.

— UncleSp1d3r