Critical QEMU flaw lets attackers steal credentials, deploy ransomware
Key Takeaways Threat actors are exploiting QEMU, a legitimate virtualization tool, to create hidden virtual machines (VMs) for credential theft and ransomware deployment. These covert VMs allow...
Key Takeaways
- Threat actors are exploiting QEMU, a legitimate virtualization tool, to create hidden virtual machines (VMs) for credential theft and ransomware deployment.
- These covert VMs allow attackers to evade endpoint security detection and leave minimal forensic evidence.
- Two campaigns, STAC4713 (linked to PayoutsKing ransomware) and STAC3725 (exploiting CitrixBleed2), have been identified since late 2025.
- Attackers are using sophisticated techniques like scheduled tasks, port forwarding, and masqueraded virtual disk images to maintain persistence and exfiltrate data.
- Organizations must audit for unauthorized QEMU installations, monitor network traffic for unusual SSH tunnels, and apply critical patches to mitigate risks.
Cybersecurity researchers have uncovered a concerning trend: threat actors are actively weaponizing QEMU, a widely used open-source machine emulator and virtualizer, to establish stealthy backdoors within enterprise networks. This sophisticated evasion tactic enables attackers to covertly steal credentials and deploy ransomware while bypassing traditional endpoint security solutions.
Table Of Content
This development signifies a critical evolution in attacker methodologies, where trusted, legitimate software tools are repurposed into potent weapons for evading detection within corporate environments.
QEMU, integral to hardware virtualization and software testing, presents an attractive target for abuse because malicious operations executed within a hidden virtual machine (VM) are largely invisible to most endpoint protection tools. Security controls residing on the host system are unable to monitor activities occurring inside these concealed VMs, resulting in minimal forensic artifacts for investigators to analyze. This characteristic renders QEMU-based intrusions exceptionally challenging to detect and contain in real-time.
Analysts at Sophos are currently investigating the active exploitation of QEMU by threat actors. These groups are leveraging hidden VMs to obscure their operations, harvest domain credentials, and orchestrate ransomware attacks against targeted organizations.
Sophos’s research has identified two distinct attack campaigns, designated STAC4713 and STAC3725, both operational since late 2025. These campaigns centrally employ virtualization as a core strategy for evasion.
While the technique itself is not entirely novel, the recent surge in QEMU-related incidents suggests a growing adoption among advanced threat groups.
Campaign STAC4713: PayoutsKing Ransomware
The STAC4713 campaign, first observed in November 2025, has been directly linked to the PayoutsKing ransomware operation and attributed to the threat group known as GOLD ENCOUNTER. PayoutsKing emerged in mid-2025 and operates outside the typical ransomware-as-a-service (RaaS) model, meaning the group directly executes attacks rather than relying on affiliates. Sophos’s analysis indicates that GOLD ENCOUNTER specifically targets hypervisor environments and has developed encryptors compatible with both VMware and ESXi platforms.
Campaign STAC3725: CitrixBleed2 Exploitation
The second campaign, STAC3725, first emerged in February 2026. This operation exploits the CitrixBleed2 vulnerability (CVE-2025-5777) as its initial access vector. Following successful entry, attackers install a malicious ScreenConnect client for persistence. Subsequently, they deploy a QEMU VM to conduct credential theft operations against the victim’s Active Directory environment.
Inside the Attack: How QEMU Becomes a Hidden Weapon
The infection chain observed in the STAC4713 campaign commences with attackers creating a scheduled task named “TPMProfiler.” This task executes the QEMU executable (qemu-system-x86_64.exe) under the SYSTEM account. The VM boots from a virtual hard disk image that utilizes unconventional file extensions to avoid detection. Initially disguised as vault.db, this file was later changed to a DLL file named bisrv.dll in January 2026. This deliberate file masquerading is intended to help the virtual disk blend in with legitimate system files and bypass security monitoring tools.
Upon execution, the scheduled task also configures port forwarding from custom ports (32567 and 22022) to port 22 for SSH access. During system boot, the disk image employs either AdaptixC2 or OpenSSH to establish a reverse SSH tunnel to a remote IP address, thereby creating a hidden remote access channel that completely bypasses standard endpoint detections. The QEMU VM itself hosts an Alpine Linux 3.22.0 image, preloaded with attacker tools including Linker2, AdaptixC2, a custom WireGuard traffic obfuscator named wg-obfuscator, BusyBox, Chisel, and Rclone.
In the STAC3725 campaign, attackers take a different approach. Instead of deploying a pre-built toolkit, they manually compile their entire attack suite within the VM. This suite includes tools such as Impacket, KrbRelayX, Coercer, BloodHound.py, NetExec, Kerbrute, and Metasploit, along with supporting libraries for Python, Rust, Ruby, and C. Observed malicious activities encompassed downloading credentials, enumerating Kerberos usernames via Kerbrute, performing Active Directory reconnaissance using BloodHound, and staging payloads through FTP servers.
What You Should Do
- Audit for Unauthorized QEMU: Conduct thorough audits of all environments for any unauthorized QEMU installations and unexpected scheduled tasks, particularly those operating under the SYSTEM account.
- Monitor Outbound SSH Tunnels: Implement robust monitoring for outbound SSH tunnels originating from non-standard ports. Flag any virtual disk images exhibiting uncommon file extensions such as .db, .dll, or .qcow2.
- Enforce Multi-Factor Authentication (MFA): Mandate multi-factor authentication (MFA) across all VPN and remote access systems to significantly limit initial access opportunities for attackers.
- Apply Critical Patches: Promptly apply all available patches for known vulnerabilities, including CitrixBleed2 (CVE-2025-5777) and SolarWinds Web Help Desk (CVE-2025-26399), to reduce exposure to active exploitation.
- Implement Network Detection Rules: Establish network-level detection rules to identify unusual port forwarding configurations that target port 22 from non-standard source ports.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.