- AWS says Russian groups linked to GRU have spent years exploiting misconfigured peripheral devices to persist inside Western critical infrastructure
- The activity overlaps with Curly COMrades, whose tools abuse Hyper‑V and Linux virtual machines to achieve stealth persistence
- Amazon urges urgent audits of edge equipment, credential reuse checks, and monitoring of suspicious admin portal access
For nearly half a decade, Russian state-sponsored threat actors have been abusing misconfigurations in network equipment, as well as various vulnerabilities, to establish persistence in key infrastructure organizations in the West, experts warned.
In a new threat report (via The Register), CJ Moses, chief information security officer (CISO) at Amazon Integrated Security, highlighted the scale of the campaign, which has been underway for several years.
“The campaign demonstrates a sustained focus on Western critical infrastructure, particularly the energy sector, with operations spanning 2021 to the present day,” Moses said.
Hidden in plain sight
In most cases, threat actors look for enterprise routers, VPN concentrators, remote access gateways, and network management devices.
While they have been abusing multiple vulnerabilities, including many zero-day flaws, they are primarily focused on abusing misconfigurations. This is because, Moses argues, abusing misconfigurations leaves a significantly smaller footprint and, as such, is much more difficult to detect and prevent.
Some of the edge devices targeted are hosted as virtual devices on AWS, the report further states, adding that the company is working hard to “continuously interrupt” campaigns as soon as malicious activity is detected.
Trying to attribute the campaign to a specific threat actor proved to be somewhat challenging, but AWS has reason to believe that this is a broader Main Intelligence Directorate (GRU) campaign, with multiple groups involved.
One of the entities linked to the attacks is called Curly COMrades, a group that, among other things, has been hiding its malware in Linux-based virtual machines deployed on Windows devices.
In November of this year, security researchers at Bitdefender reported that Curly COMrades was executing remote commands to enable the Microsoft-Hyper-V virtualization feature and disable its management interface. They then used the feature to download a lightweight Alpine Linux-based virtual machine containing multiple malware implants.
“Starting in 2026, organizations must prioritize securing their network devices and monitoring for credential replay attacks to defend against this persistent threat,” Moses concluded.
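The report's closing advice, monitoring admin-portal access to edge devices and watching for credential replay, can be turned into a small detection routine. The script below is an added example and is not code from the report, from Amazon or from TechRadar; the syslog-style log format, the device and user names, the 10.20.0.0/24 management subnet and the 10-minute replay window are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample admin-portal login events from edge devices (not real logs).
# Format assumed here: <timestamp> <device> admin-login user=<u> src=<ip> result=<r>
SAMPLE_LOGS = """\
2024-03-01T08:00:05Z fw-edge-01 admin-login user=netops src=10.20.0.15 result=success
2024-03-01T08:03:41Z vpn-gw-02 admin-login user=netops src=10.20.0.15 result=success
2024-03-01T08:05:10Z fw-edge-01 admin-login user=netops src=203.0.113.77 result=success
2024-03-01T08:05:58Z vpn-gw-02 admin-login user=netops src=198.51.100.9 result=success
2024-03-01T09:30:00Z nms-01 admin-login user=svc-backup src=10.20.0.40 result=success
2024-03-01T11:00:00Z fw-edge-01 admin-login user=svc-backup src=10.20.0.41 result=failure
"""

# Assumed management subnet: admin portals should only be reached from here.
MGMT_NETWORKS = [ip_network("10.20.0.0/24")]
# Assumed window: one credential succeeding from several source IPs this close
# together is treated as a replay/reuse indicator rather than normal admin work.
REPLAY_WINDOW = timedelta(minutes=10)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) admin-login "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_logs(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def outside_management_network(events):
    """Successful admin-portal logins whose source is not a management subnet."""
    return [
        e for e in events
        if e["result"] == "success"
        and not any(ip_address(e["src"]) in net for net in MGMT_NETWORKS)
    ]


def credential_replay(events, window=REPLAY_WINDOW):
    """Users whose credential succeeded from more than one source IP within `window`.

    Returns {user: sorted list of source IPs involved}. Failed logins are ignored
    so that a single typo from a second host does not trigger a finding.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "success":
            by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        suspicious = set()
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # events are sorted, so nothing later can be in range
                if b["src"] != a["src"]:
                    suspicious.update({a["src"], b["src"]})
        if suspicious:
            findings[user] = sorted(suspicious)
    return findings


def report(text=SAMPLE_LOGS):
    """Run both checks over the log text and return the findings together."""
    events = parse_logs(text)
    return {
        "outside_mgmt": outside_management_network(events),
        "replay": credential_replay(events),
    }


if __name__ == "__main__":
    result = report()
    for e in result["outside_mgmt"]:
        print(f"admin login from non-management source: {e['user']} {e['src']} -> {e['device']}")
    for user, srcs in result["replay"].items():
        print(f"possible credential replay: {user} from {', '.join(srcs)}")
```

Both checks are deliberately simple so they can be adapted to whatever the edge device actually emits: the management-subnet check is the "suspicious admin portal access" audit in its most basic form, and the replay check catches the pattern of one credential appearing on several devices from several places in a short span, which is the signal the report asks defenders to watch for.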