- AWS says Russian GRU‑linked groups have spent years exploiting misconfigured edge devices to persist inside Western critical infrastructure
- Activity overlaps with Curly COMrades, whose tooling abuses Hyper‑V and Linux VMs for stealthy persistence
- Amazon urges urgent audits of edge gear, credential‑reuse checks, and monitoring for suspicious admin‑portal access
For almost half a decade, Russian state-sponsored threat actors have been abusing misconfigurations in network gear, as well as different vulnerabilities, to establish persistence in key infrastructure organizations in the west, experts have warned.
In a new threat report (va The Register), CJ Moses, Chief Information Security Officer (CISO) at Amazon Integrated Security, highlighted the scale of the campaign, which has been ongoing for several years.
“The campaign demonstrates sustained focus on Western critical infrastructure, particularly the energy sector, with operations spanning 2021 through the present day,” Moses said.
Hiding in plain sight
In most cases, the threat actors are looking at enterprise routers, VPN concentrators, remote access gateways, and network management appliances.
While they have been abusing multiple vulnerabilities, including many zero-day flaws, they are primarily focused on abusing misconfigurations. This is, Moses argues, because abusing misconfigurations leaves a significantly smaller footprint and as such is a lot more difficult to spot and prevent.
Some of the edge devices being targeted are hosted as virtual appliances on AWS, the report further states, adding that the company is hard at work “continually disrupting” the campaigns as soon as malicious activity is spotted.
Trying to attribute the campaign to a specific threat actor turned out to be somewhat challenging, but AWS has reason to believe this is a broader Main Intelligence Directorate (GRU) campaign, with multiple groups involved.
One of the entities being linked to the attacks is called Curly COMrades, a group that has, among other things, been hiding their malware in Linux-based VMs deployed on Windows devices.
In November this year, security researchers from Bitdefender reported Curly COMrades running remote commands to enable the microsoft-hyper-v virtualization feature and disable its management interface. Then, they used the feature to download a lightweight Alpine Linux-based VM containing multiple malware implants.
“Going into 2026, organizations must prioritize securing their network edge devices and monitoring for credential replay attacks to defend against this persistent threat,” Moses concluded.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
