Key Findings

- Sophos researchers identified a significant uptick in threat actors using QEMU, an open-source emulator, to hide malware in virtual machines and evade detection.
- Two distinct campaigns since late 2025 leverage QEMU for defense evasion: STAC4713, linked to PayoutsKing ransomware, and STAC3725, exploiting CitrixBleed2.
- Attackers use hidden VMs to maintain long-term access, steal credentials and data, deploy ransomware, and leave minimal forensic traces on host systems.

T
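The findings above describe QEMU being run on a compromised host so that the attacker's tooling lives inside a guest VM, leaving little on the host beyond the emulator process itself. That process launch is the one artifact the host does record, so a hunt over process-creation telemetry is a practical starting point. The following script is an added example written for this summary, not code from Sophos or the QEMU project: it scores each QEMU launch on traits a defender can treat as suspicious on a machine that is not a known virtualization server (binary outside a standard install path, headless guest, detached with -daemonize, host port forwarded into the guest, disk image under a user-writable directory). The record format, install-path list, weights and threshold are assumptions, and every sample record is constructed.

```python
"""Heuristic hunt for QEMU launches used to hide a guest VM on a host.

Added example for this article (not Sophos or QEMU project code). Scans
constructed process-creation records (host, user, image path, command line,
tab-separated) and scores each qemu-system launch on defender-relevant traits.
Paths, weights and the threshold are assumptions to tune per environment.
"""
import re
import shlex

# qemu-system-<arch> binaries on Windows or Linux, matched on the image path.
QEMU_BIN = re.compile(r"(^|[\\/])qemu-system-[\w-]+(\.exe)?$", re.IGNORECASE)

# Install locations treated as expected (assumption for this example).
STANDARD_DIRS = ("c:\\program files\\qemu\\", "/usr/bin/", "/usr/local/bin/", "/usr/libexec/")
# User-writable locations where a dropped VM image stands out.
USER_DIRS = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "/tmp/", "/var/tmp/", "/home/", "/dev/shm/")
DISK_EXTS = (".qcow2", ".img", ".vhd", ".vhdx", ".vmdk", ".iso", ".raw")

SUSPICIOUS_SCORE = 3  # assumed threshold; tune against the environment's baseline


def _args(cmdline):
    """Tokenize a command line on whitespace, keeping backslashes and stripping quotes."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def score_launch(image, cmdline):
    """Return (score, reasons) for one process launch; (0, []) if it is not QEMU."""
    if not QEMU_BIN.search(image):
        return 0, []
    reasons = []
    low_image = image.lower()
    if not any(low_image.startswith(d) for d in STANDARD_DIRS):
        reasons.append(("binary outside standard install path", 2))
    lowered = [a.lower() for a in _args(cmdline)]
    headless = "-nographic" in lowered or any(
        a == "-display" and i + 1 < len(lowered) and lowered[i + 1] == "none"
        for i, a in enumerate(lowered)
    )
    if headless:
        reasons.append(("headless guest (no display)", 1))
    if "-daemonize" in lowered:
        reasons.append(("detached from launching console (-daemonize)", 1))
    if any("hostfwd=" in a for a in lowered):
        reasons.append(("host port forwarded into guest (user-mode netdev)", 2))
    # -drive options are comma-separated (file=...,format=...), so check each part.
    parts = [p for a in lowered for p in a.split(",")]
    if any(p.endswith(DISK_EXTS) and any(d in p for d in USER_DIRS) for p in parts):
        reasons.append(("disk image under a user-writable directory", 1))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def hunt(records):
    """Return [(host, user, image, score, reasons)] for launches at or above the threshold."""
    findings = []
    for line in records:
        if not line.strip():
            continue
        host, user, image, cmdline = line.rstrip("\n").split("\t", 3)
        score, reasons = score_launch(image, cmdline)
        if score >= SUSPICIOUS_SCORE:
            findings.append((host, user, image, score, reasons))
    return findings


# Constructed sample records: host, user, image path, command line (tab-separated).
SAMPLE_RECORDS = [
    # Expected: a build server running QEMU from its install path with a display.
    'BUILD01\tCORP\\svc_build\tC:\\Program Files\\qemu\\qemu-system-x86_64.exe\t'
    '"C:\\Program Files\\qemu\\qemu-system-x86_64.exe" -m 4096 -hda D:\\VMs\\build.qcow2 -display gtk',
    # Suspicious: headless guest from a public folder with RDP forwarded into it.
    'WS-FIN-07\tCORP\\jdoe\tC:\\Users\\Public\\Music\\qemu\\qemu-system-i386.exe\t'
    '"C:\\Users\\Public\\Music\\qemu\\qemu-system-i386.exe" -m 1024 -hda C:\\Users\\Public\\Music\\qemu\\disk.qcow2 '
    '-nographic -netdev user,id=n0,hostfwd=tcp::3389-:3389 -device e1000,netdev=n0',
    # Suspicious: daemonized headless guest run out of a hidden /tmp directory.
    'web-02\troot\t/tmp/.x/qemu-system-x86_64\t'
    '/tmp/.x/qemu-system-x86_64 -nographic -daemonize -drive file=/tmp/.x/vm.img,format=raw',
    # Not QEMU at all; ignored.
    'WS-FIN-07\tCORP\\jdoe\tC:\\Windows\\System32\\notepad.exe\tnotepad.exe C:\\Users\\jdoe\\notes.txt',
]

if __name__ == "__main__":
    for host, user, image, score, reasons in hunt(SAMPLE_RECORDS):
        print(f"{host} {user} score={score} {image}")
        for r in reasons:
            print(f"    - {r}")
```

On the constructed records the build server scores 0 and is not reported, while the two hidden-VM launches score 6 and 5. In practice the STANDARD_DIRS baseline should come from asset inventory (machines where QEMU is expected), and the same traits map directly onto a process-creation rule in the EDR or SIEM, where the QEMU binary name is the cheap first filter and the command-line traits decide priority.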