QEMU Becomes a Weapon for Covert Operations
Cybercriminals are increasingly turning to QEMU, a legitimate cross-platform open-source machine emulator, to conduct stealthy attacks that culminate in ransomware deployment and the installation of remote access tools. Sophos has published findings detailing how threat actors are exploiting QEMU's ability to run guest virtual machines on top of a host operating system to conceal malicious activity from defenders. While security researchers have previously documented isolated campaigns using QEMU to create covert communication channels and drop backdoors, Sophos reports a notable uptick in abuse beginning in late 2025.
Campaign One: STAC4713 and the PayoutsKing Ransomware Connection
The first campaign, tracked by Sophos under the designation STAC4713, was initially observed in November 2025 and is potentially linked to the PayoutsKing ransomware operation. In this intrusion set, attackers used a QEMU virtual machine as a covert reverse SSH backdoor to deliver payloads and harvest credentials from victim environments.
Initial Access and Pivot to a Critical RCE Vulnerability
The campaign began by targeting exposed SonicWall VPN appliances that lacked multi-factor authentication, providing an easy entry point for the attackers. The group subsequently shifted tactics, pivoting to exploitation of CVE-2025-26399, a remote code execution vulnerability affecting SolarWinds Web Help Desk.
Establishing Persistence Through Scheduled Tasks
Once inside a target environment, the attackers created a scheduled task that launched a QEMU virtual machine with SYSTEM-level privileges, so the VM came back on every reboot. The VM booted from a prepared virtual hard disk image that automatically opened a reverse SSH tunnel out of the network, giving the threat actors direct access to the compromised machine through a channel that host-level monitoring could not see into.
Credential Harvesting and Active Directory Abuse
Sophos observed the attackers performing a range of post-exploitation activities, including:
- Creating a volume shadow copy snapshot of the target system
- Copying the Active Directory database along with the SAM and SYSTEM registry hives to temporary folders
- Conducting network share discovery and file access using native Windows tools
Sophos tentatively attributes this campaign to a closed group it tracks as Gold Encounter, the operators behind the PayoutsKing ransomware. The gang is particularly known for encrypting VMware ESXi environments.
Campaign Two: STAC3725 and the CitrixBleed2 Exploit
In February 2026, Sophos identified a second distinct campaign abusing QEMU, tracked as STAC3725. This operation relied on the exploitation of CVE-2025-5777, widely referred to as the CitrixBleed2 bug, as its initial access mechanism. After gaining a foothold through the NetScaler vulnerability, the attackers installed a malicious ScreenConnect client to maintain persistence on compromised systems.
Post-Exploitation Tradecraft
With persistence established, the threat actors used the remote access tool to retrieve QEMU and a virtual disk image, then carried out the rest of the intrusion by hand from inside the VM. Sophos documented the deployment of approximately a dozen tools and libraries during the post-exploitation phase, with attackers engaged in:
- Harvesting credentials from compromised hosts
- Enumerating Kerberos usernames
- Performing Active Directory reconnaissance
- Staging payloads for later execution
- Exfiltrating sensitive data from victim networks
Signs of an Initial Access Broker Ecosystem
The behavior observed across different STAC3725 intrusions was not uniform. As Sophos noted:
"Follow-on activity differed across intrusions, suggesting that initial access brokers originally compromised the victims' environments and then sold the access to other threat actors."
This variation in post-access behavior suggests that the campaign is not the work of a single, tightly coordinated group but reflects a marketplace dynamic in which access is bought and sold among different criminal actors.
Why QEMU Is Attractive to Attackers
QEMU's appeal as an offensive tool stems from several characteristics. Because it is a widely used, legitimate application, its presence on a system does not automatically raise red flags with security software. Spinning up a self-contained virtual environment means that the malicious processes run inside the guest: host-level endpoint detection sees only a single qemu-system process, its disk image and its network sockets, not the tools executing within the VM. With QEMU's user-mode networking, the guest's outbound connections are made by the QEMU process itself, so a reverse SSH tunnel opened from inside the VM appears on the host as an ordinary outbound connection from a legitimate binary and blends in with normal traffic, further complicating detection.
Detection and Defensive Recommendations
Sophos urges organizations to take proactive steps to identify potential QEMU-based compromises within their environments. Recommended detection strategies include:
- Searching for unauthorized QEMU installations on endpoints and servers
- Identifying rogue or unexpected scheduled tasks that could launch VM processes
- Reviewing firewall and routing configurations for unusual port forwarding rules
- Monitoring outbound SSH tunnels for anomalous or unexpected connections
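The hunts above, and the scheduled-task persistence described for STAC4713, can be turned into concrete checks. The following is an added example, not Sophos's or SecurityWeek's tooling: it inspects an exported scheduled-task definition for a QEMU launch as LocalSystem with a boot trigger, scans process-creation records for headless QEMU launches, `ssh -R` reverse tunnels and `netsh interface portproxy` rules, and flags established outbound connections owned by a qemu-system process (with user-mode networking these are the host-visible trace of a tunnel built inside the guest). All task XML, event records and connection entries are constructed for illustration; the paths, SIDs and addresses in them are assumptions, not indicators from the campaigns.

```python
"""Hunt for QEMU-based covert VMs in scheduled-task definitions, process
creation records and host socket tables.  Added example, not Sophos's or
SecurityWeek's tooling; every record at the bottom is constructed."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
LOCAL_SYSTEM_SID = "S-1-5-18"
QEMU_BIN = re.compile(r"\bqemu-system-[a-z0-9_]+(?:\.exe)?\b", re.I)
SSH_REVERSE = re.compile(r"\bssh(?:\.exe)?\b.*\s-R\s", re.I)
PORTPROXY = re.compile(r"\bnetsh(?:\.exe)?\s+interface\s+portproxy\s+add\b", re.I)

# Switches that turn an interactive developer VM into a background implant.
ARG_INDICATORS = {
    "-nographic": "headless VM",
    "-display none": "headless VM",
    "-snapshot": "guest disk writes discarded on exit",
    "-daemonize": "detached from console",
    "hostfwd=": "host port forwarded into the guest",
}


def qemu_reasons(cmdline: str) -> list[str]:
    """Reasons a command line looks like a covert QEMU launch; empty if none."""
    if not QEMU_BIN.search(cmdline):
        return []
    low = cmdline.lower()
    return ["qemu launched"] + [why for flag, why in ARG_INDICATORS.items() if flag in low]


def hunt_task_xml(xml_text: str) -> dict:
    """Inspect one exported task definition (as from `schtasks /query /xml`)."""
    root = ET.fromstring(xml_text)
    cmd = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS)
    args = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=TASK_NS)
    user = root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=TASK_NS)
    reasons = qemu_reasons(f"{cmd} {args}")
    if reasons and user.upper() == LOCAL_SYSTEM_SID:
        reasons.append("runs as LocalSystem")
    if reasons and root.find("t:Triggers/t:BootTrigger", TASK_NS) is not None:
        reasons.append("boot trigger, survives reboot")
    return {"command": cmd, "suspicious": bool(reasons), "reasons": reasons}


def hunt_process_events(events: list[dict]) -> list[dict]:
    """Flag process-creation records (4688/Sysmon-style dicts with a cmdline).
    A bare QEMU launch is reported too, so unauthorized installs surface;
    the number of reasons ranks the hit for triage."""
    hits = []
    for ev in events:
        cmd = ev["cmdline"]
        reasons = qemu_reasons(cmd)
        if SSH_REVERSE.search(cmd):
            reasons.append("reverse SSH tunnel requested with -R")
        if PORTPROXY.search(cmd):
            reasons.append("netsh portproxy forwarding rule added")
        if reasons and ev.get("user", "").upper().endswith("SYSTEM"):
            reasons.append("runs as SYSTEM")
        if reasons:
            hits.append({**ev, "reasons": reasons})
    return hits


def hunt_connections(conns: list[dict]) -> list[dict]:
    """Established sockets owned by a qemu-system process: with user-mode
    networking the guest's TCP sessions are the QEMU process's own sockets."""
    return [c for c in conns
            if QEMU_BIN.search(c["process"]) and c["state"] == "ESTABLISHED"]


# --- constructed samples (assumed paths, SIDs and addresses) ----------------
TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\\ProgramData\\qemu\\qemu-system-x86_64.exe</Command>
    <Arguments>-m 512 -hda C:\\ProgramData\\qemu\\disk.qcow2 -netdev user,id=n0 -device e1000,netdev=n0 -nographic -snapshot</Arguments>
  </Exec></Actions>
</Task>"""

EVENTS = [
    {"user": "NT AUTHORITY\\SYSTEM", "parent": "svchost.exe",
     "cmdline": "C:\\ProgramData\\qemu\\qemu-system-x86_64.exe -hda disk.qcow2 -netdev user,id=n0 -nographic"},
    {"user": "CORP\\dev1", "parent": "explorer.exe",
     "cmdline": "C:\\Program Files\\qemu\\qemu-system-x86_64.exe -hda test.qcow2 -display gtk"},
    {"user": "CORP\\dev1", "parent": "cmd.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=443 connectaddress=10.0.0.9 connectport=22"},
    {"user": "CORP\\dev1", "parent": "explorer.exe", "cmdline": "notepad.exe notes.txt"},
]

CONNS = [
    {"pid": 4120, "process": "qemu-system-x86_64.exe", "remote": "203.0.113.5:22", "state": "ESTABLISHED"},
    {"pid": 912, "process": "chrome.exe", "remote": "198.51.100.7:443", "state": "ESTABLISHED"},
]

if __name__ == "__main__":
    print(hunt_task_xml(TASK_XML))
    for hit in hunt_process_events(EVENTS):
        print(hit["user"], hit["reasons"])
    for c in hunt_connections(CONNS):
        print("qemu outbound:", c["process"], "->", c["remote"])
```

On a real host the inputs come from `schtasks /query /xml`, Security event 4688 or Sysmon event 1 (with command-line logging enabled), and `netstat -ano` or `Get-NetTCPConnection` joined to process names. The developer's interactive VM is still reported, with a single reason, because an unauthorized QEMU install is itself worth a look; the SYSTEM-owned headless launch and the boot-triggered task accumulate several reasons and should be triaged first.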
Organizations that have not yet enforced multi-factor authentication on VPN and remote access infrastructure remain especially vulnerable to the initial access techniques demonstrated in both campaigns. Patching known vulnerabilities such as CVE-2025-26399 in SolarWinds Web Help Desk and CVE-2025-5777 in Citrix NetScaler should be treated as an immediate priority for any affected organizations.
The findings underscore a growing trend of attackers repurposing legitimate virtualization and emulation tools to circumvent conventional security controls, making behavioral detection and network traffic analysis increasingly critical components of a modern defensive posture.
Source: SecurityWeek