
Hidden VMs: How Hackers Leverage QEMU to Steal Data and Spread Malware Stealthily

  • 10 hours ago
  • 3 min read

Key Findings


  • Sophos researchers identified a significant uptick in threat actors using QEMU, an open-source emulator, to hide malware in virtual machines and evade detection

  • Two distinct campaigns since late 2025 leverage QEMU for defense evasion: STAC4713 linked to PayoutsKing ransomware and STAC3725 exploiting CitrixBleed2

  • Attackers use hidden VMs to maintain long-term access, steal credentials and data, deploy ransomware, and leave minimal forensic traces on host systems

  • The GOLD ENCOUNTER threat group, behind PayoutsKing, focuses on hypervisors and targets both VMware and ESXi environments without operating as a ransomware-as-a-service model

  • Attack tactics have evolved, with actors shifting from QEMU-based persistence to exploiting VPNs, social engineering, and legitimate system tools


Background


Using virtual machines to hide malware is not a new technique, but threat actors are increasingly favoring this approach. QEMU and similar platforms like Hyper-V and VMware create environments that are difficult to detect and analyze, giving attackers more time to operate undetected on compromised networks. The stealthy nature of running malware inside virtualized environments allows adversaries to bypass endpoint security controls while leaving minimal traces. Over the years, attackers have used these platforms to host attack tools, create covert tunnels to command-and-control infrastructure, and deploy backdoors before launching ransomware campaigns.


STAC4713 Campaign and PayoutsKing Ransomware


STAC4713 emerged in late 2025 as a financially motivated campaign closely linked to the GOLD ENCOUNTER threat group and PayoutsKing ransomware operations. The group focuses specifically on hypervisor environments and has developed encryptors targeting both VMware and ESXi. Unlike ransomware-as-a-service models, GOLD ENCOUNTER operates independently and explicitly does not work with affiliates.


Attackers deploy QEMU through a scheduled task named "TPMProfiler" that runs a hidden virtual machine with SYSTEM-level privileges. Disk images are disguised as legitimate files such as databases or DLLs to avoid suspicion. Inside the VM, they run a lightweight Alpine Linux environment equipped with tunneling tools, obfuscation software, and data transfer utilities. Persistence is maintained through port forwarding and reverse SSH tunnels, enabling covert remote access that bypasses detection systems.
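The persistence mechanism described above (a scheduled task that launches a headless QEMU VM as SYSTEM, with disk images disguised as DLLs or databases) leaves two host-side artifacts a defender can hunt for. The following Python is an added example written for this page, not Sophos's tooling or anything from the report: the task XML, the file names and the "TPMProfiler" command line are constructed for illustration, while the Task Scheduler XML schema, the LocalSystem SID `S-1-5-18` and the disk-image magic bytes are standard Windows and QEMU facts.

```python
"""Hunt for QEMU hidden-VM tradecraft on a Windows host (added example).

Two checks a defender can run on an endpoint:
  1. Scheduled tasks that launch a QEMU binary headless and/or as LocalSystem.
  2. Files with a harmless-looking extension (.dll, .db, ...) whose header
     identifies a VM disk image.
The task XML and the sample files below are constructed, not real captures.
"""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path, PureWindowsPath
from typing import Optional

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
LOCAL_SYSTEM_SID = "S-1-5-18"

# QEMU executable names; a renamed binary is still caught by the switch check.
QEMU_EXE_RE = re.compile(r"qemu(-system-\w+|-img)?(\.exe)?$", re.IGNORECASE)
# Switches that make a VM headless, background it, or wire guest ports to the host.
QEMU_ARG_MARKERS = ("-display none", "-nographic", "-daemonize", "hostfwd=")
# Extensions the report says were used to disguise disk images.
DISGUISE_EXTS = (".dll", ".db", ".mdb", ".dat")
# Magic bytes at offset 0. Raw images have no magic and are NOT detected here.
IMAGE_MAGICS = {b"QFI\xfb": "qcow2", b"KDMV": "vmdk", b"conectix": "vhd (dynamic)"}
DRIVE_FILE_RE = re.compile(r"file=([^,\s]+)")


def image_format(header: bytes) -> Optional[str]:
    """Return the disk-image format for the first 64 bytes of a file, else None."""
    for magic, fmt in IMAGE_MAGICS.items():
        if header.startswith(magic):
            return fmt
    if b"VirtualBox Disk Image" in header[:64]:
        return "vdi"
    return None


def find_disguised_images(root: Path) -> list:
    """Walk a directory for files whose extension and header disagree."""
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in DISGUISE_EXTS:
            with path.open("rb") as fh:
                fmt = image_format(fh.read(64))
            if fmt:
                hits.append((path, fmt))
    return hits


def assess_task(task_xml) -> dict:
    """Score one Task Scheduler XML document (str, or the raw bytes of a file
    under %SystemRoot%\\System32\\Tasks, which are UTF-16 with a BOM)."""
    root = ET.fromstring(task_xml)
    name = root.findtext("t:RegistrationInfo/t:URI", default="?", namespaces=TASK_NS)
    cmd = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS)
    args = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=TASK_NS)
    user = root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=TASK_NS)
    reasons = []
    exe = PureWindowsPath(cmd.strip().strip('"')).name
    if QEMU_EXE_RE.search(exe):
        reasons.append(f"command is a QEMU binary: {exe}")
    reasons += [f"QEMU switch {m!r}" for m in QEMU_ARG_MARKERS if m in args]
    for drive in DRIVE_FILE_RE.findall(args):
        suffix = PureWindowsPath(drive).suffix.lower()
        if suffix in DISGUISE_EXTS:
            reasons.append(f"disk image disguised as {suffix}: {drive}")
    if reasons and user.upper() == LOCAL_SYSTEM_SID:
        reasons.append("runs as LocalSystem (S-1-5-18)")
    return {"task": name, "suspicious": bool(reasons), "reasons": reasons}


# Constructed task XML modelled on the report's "TPMProfiler" task (hypothetical paths).
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\TPMProfiler</URI></RegistrationInfo>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\ProgramData\TPM\qemu-system-x86_64.exe</Command>
    <Arguments>-m 2048 -display none -drive file=C:\ProgramData\TPM\tpmcache.dll,format=qcow2 -netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed benign task for comparison: also runs as SYSTEM, but no QEMU signals.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h</Arguments></Exec></Actions>
</Task>"""


def demo() -> dict:
    """Run both checks on the constructed samples and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # A qcow2 image renamed to look like an Access database, beside a real-looking DLL.
        (root / "customers.mdb").write_bytes(b"QFI\xfb\x00\x00\x00\x03" + b"\x00" * 56)
        (root / "helper.dll").write_bytes(b"MZ" + b"\x00" * 62)
        disguised = [(p.name, fmt) for p, fmt in find_disguised_images(root)]
    return {"tpmprofiler": assess_task(SAMPLE_TASK),
            "defrag": assess_task(BENIGN_TASK),
            "disguised": disguised}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Running this flags the constructed TPMProfiler task on three independent grounds (QEMU binary, headless and port-forwarding switches, a `.dll` used as a drive image) and then notes that it runs as LocalSystem, while the benign SYSTEM task stays clean. The file scan only catches formats with a header signature; a raw image has none, so pair this check with process and task telemetry rather than relying on it alone.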


From within the hidden VM, attackers use legitimate Windows system tools to extract credentials, copy Active Directory databases, and explore network shares. This approach allows them to blend malicious activity with normal system operations, making detection significantly harder.


Initial access varied across intrusions. Older incidents exploited unprotected SonicWall VPNs lacking multi-factor authentication. By January 2026, attackers began leveraging CVE-2025-26399, a SolarWinds Web Help Desk vulnerability, for initial compromise. Microsoft and Huntress reported similar observations of this vulnerability leading to QEMU deployment in February 2026.


By early 2026, the campaign shifted tactics. Attackers moved away from QEMU-based access and began exploiting exposed VPNs while using social engineering techniques including phishing emails and fake IT support via Microsoft Teams. They also abused legitimate binaries to sideload malware and employed tools like Rclone for data exfiltration to remote servers, demonstrating an adaptive and evolving threat strategy.


STAC3725 Campaign and CitrixBleed2 Exploitation


The STAC3725 campaign, first identified in early 2026, follows a different initial access vector. Attackers exploit the CitrixBleed2 vulnerability to gain entry into target environments. Once inside, they establish persistence by installing a malicious ScreenConnect client and creating a new administrative account.


Following initial compromise, attackers deploy a QEMU virtual machine to conduct reconnaissance and credential theft operations. Within the VM, they manually assemble a toolkit including Impacket, BloodHound, Kerbrute, and Metasploit to map network topology and extract sensitive data. They simultaneously weaken host defenses by modifying registry settings, disabling security protections, and installing vulnerable drivers.


Post-compromise activities suggest that access is sometimes sold to other threat actors. In certain cases, attackers deploy additional management tools for persistence, while in others they may hand off access to different groups for further exploitation.


Sources


  • https://securityaffairs.com/190982/security/hidden-vms-how-hackers-leverage-qemu-to-stealthily-steal-data-and-spread-malware.html

  • https://x.com/hackplayers/status/2045534088639979591

  • https://x.com/shah_sheikh/status/2045531885603070125/photo/1


© 2025 by Explain IT Again. Powered and secured by Wix
