Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Mycelium Framework: First AI-as-a-Service Botnet Discovered
July 8, 2026
Critical SharePoint RCE Vulnerability CVE-2023-29357 Gets PoC Exploit Code
July 8, 2026
Critical Android 14 vulnerability lets attackers gain full control
July 8, 2026
Home/Threats/Critical QEMU flaw lets attackers steal credentials, deploy ransomware
Threats

Critical QEMU flaw lets attackers steal credentials, deploy ransomware

Key Takeaways Threat actors are exploiting QEMU, a legitimate virtualization tool, to create hidden virtual machines (VMs) for credential theft and ransomware deployment. These covert VMs allow...

Sarah simpson
Sarah simpson
April 20, 2026 4 Min Read
43 0

Key Takeaways

  • Threat actors are exploiting QEMU, a legitimate virtualization tool, to create hidden virtual machines (VMs) for credential theft and ransomware deployment.
  • These covert VMs allow attackers to evade endpoint security detection and leave minimal forensic evidence.
  • Two campaigns, STAC4713 (linked to PayoutsKing ransomware) and STAC3725 (exploiting CitrixBleed2), have been identified since late 2025.
  • Attackers are using sophisticated techniques like scheduled tasks, port forwarding, and masqueraded virtual disk images to maintain persistence and exfiltrate data.
  • Organizations must audit for unauthorized QEMU installations, monitor network traffic for unusual SSH tunnels, and apply critical patches to mitigate risks.

Cybersecurity researchers have uncovered a concerning trend: threat actors are actively weaponizing QEMU, a widely used open-source machine emulator and virtualizer, to establish stealthy backdoors within enterprise networks. This sophisticated evasion tactic enables attackers to covertly steal credentials and deploy ransomware while bypassing traditional endpoint security solutions.

Table Of Content

  • Key Takeaways
  • Campaign STAC4713: PayoutsKing Ransomware
  • Campaign STAC3725: CitrixBleed2 Exploitation
  • Inside the Attack: How QEMU Becomes a Hidden Weapon
  • What You Should Do

This development signifies a critical evolution in attacker methodologies, where trusted, legitimate software tools are repurposed into potent weapons for evading detection within corporate environments.

QEMU, integral to hardware virtualization and software testing, presents an attractive target for abuse because malicious operations executed within a hidden virtual machine (VM) are largely invisible to most endpoint protection tools. Security controls residing on the host system are unable to monitor activities occurring inside these concealed VMs, resulting in minimal forensic artifacts for investigators to analyze. This characteristic renders QEMU-based intrusions exceptionally challenging to detect and contain in real-time.

Analysts at Sophos are currently investigating the active exploitation of QEMU by threat actors. These groups are leveraging hidden VMs to obscure their operations, harvest domain credentials, and orchestrate ransomware attacks against targeted organizations.

Sophos’s research has identified two distinct attack campaigns, designated STAC4713 and STAC3725, both operational since late 2025. These campaigns centrally employ virtualization as a core strategy for evasion.

While the technique itself is not entirely novel, the recent surge in QEMU-related incidents suggests a growing adoption among advanced threat groups.

Campaign STAC4713: PayoutsKing Ransomware

The STAC4713 campaign, first observed in November 2025, has been directly linked to the PayoutsKing ransomware operation and attributed to the threat group known as GOLD ENCOUNTER. PayoutsKing emerged in mid-2025 and operates outside the typical ransomware-as-a-service (RaaS) model, meaning the group directly executes attacks rather than relying on affiliates. Sophos’s analysis indicates that GOLD ENCOUNTER specifically targets hypervisor environments and has developed encryptors compatible with both VMware and ESXi platforms.

Campaign STAC3725: CitrixBleed2 Exploitation

The second campaign, STAC3725, first emerged in February 2026. This operation exploits the CitrixBleed2 vulnerability (CVE-2025-5777) as its initial access vector. Following successful entry, attackers install a malicious ScreenConnect client for persistence. Subsequently, they deploy a QEMU VM to conduct credential theft operations against the victim’s Active Directory environment.

Inside the Attack: How QEMU Becomes a Hidden Weapon

The infection chain observed in the STAC4713 campaign commences with attackers creating a scheduled task named “TPMProfiler.” This task executes the QEMU executable (qemu-system-x86_64.exe) under the SYSTEM account. The VM boots from a virtual hard disk image that utilizes unconventional file extensions to avoid detection. Initially disguised as vault.db, this file was later changed to a DLL file named bisrv.dll in January 2026. This deliberate file masquerading is intended to help the virtual disk blend in with legitimate system files and bypass security monitoring tools.

Upon execution, the scheduled task also configures port forwarding from custom ports (32567 and 22022) to port 22 for SSH access. During system boot, the disk image employs either AdaptixC2 or OpenSSH to establish a reverse SSH tunnel to a remote IP address, thereby creating a hidden remote access channel that completely bypasses standard endpoint detections. The QEMU VM itself hosts an Alpine Linux 3.22.0 image, preloaded with attacker tools including Linker2, AdaptixC2, a custom WireGuard traffic obfuscator named wg-obfuscator, BusyBox, Chisel, and Rclone.

In the STAC3725 campaign, attackers take a different approach. Instead of deploying a pre-built toolkit, they manually compile their entire attack suite within the VM. This suite includes tools such as Impacket, KrbRelayX, Coercer, BloodHound.py, NetExec, Kerbrute, and Metasploit, along with supporting libraries for Python, Rust, Ruby, and C. Observed malicious activities encompassed downloading credentials, enumerating Kerberos usernames via Kerbrute, performing Active Directory reconnaissance using BloodHound, and staging payloads through FTP servers.

What You Should Do

  • Audit for Unauthorized QEMU: Conduct thorough audits of all environments for any unauthorized QEMU installations and unexpected scheduled tasks, particularly those operating under the SYSTEM account.
  • Monitor Outbound SSH Tunnels: Implement robust monitoring for outbound SSH tunnels originating from non-standard ports. Flag any virtual disk images exhibiting uncommon file extensions such as .db, .dll, or .qcow2.
  • Enforce Multi-Factor Authentication (MFA): Mandate multi-factor authentication (MFA) across all VPN and remote access systems to significantly limit initial access opportunities for attackers.
  • Apply Critical Patches: Promptly apply all available patches for known vulnerabilities, including CitrixBleed2 (CVE-2025-5777) and SolarWinds Web Help Desk (CVE-2025-26399), to reduce exposure to active exploitation.
  • Implement Network Detection Rules: Establish network-level detection rules to identify unusual port forwarding configurations that target port 22 from non-standard source ports.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchransomwareSecurityThreatVulnerability

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Microsoft Teams Update Causes Desktop Client Launch Failures

Next Post

Critical Microsoft Teams, Quick Assist Flaws Let Attackers Impersonate Helpdesk

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Discord Bug Mistakenly Banned Over 8,000 Accounts Since May
July 8, 2026
China-Linked Hackers Exploit Critical Ruckus Router Flaws
July 8, 2026
Critical GhostLock Vulnerability in Linux Kernel Lets Attackers Escalate Privileges
July 8, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us