Attackers Turn QEMU Into a Stealth Backdoor for Credential Theft and Ransomware

Source: Cybersecurity News (cybersecuritynews.com)

Threat actors are now weaponizing QEMU, a legitimate open-source machine emulator and virtualizer, as a covert backdoor to steal credentials and deliver ransomware without triggering endpoint security alerts.

This alarming shift in attacker behavior highlights how freely available, trusted software tools are being twisted into powerful evasion weapons inside enterprise environments.

QEMU, which is widely used for hardware virtualization and software testing, is attractive for abuse because host endpoint protection sees only one trusted QEMU process. The processes, files, and credentials handled inside the guest virtual machine (VM) never appear in the host's process list or file system in a form the security agent inspects.

Security controls on the host can observe the QEMU process, its command line, the disk image file it opens, and its network connections, but not what runs inside the VM. Because the guest's activity is confined to that disk image, investigators recover little host-side forensic evidence beyond the image itself. This makes QEMU-based intrusions difficult to detect and contain in real time.

Sophos analysts are actively investigating the abuse of QEMU by threat actors who are running hidden VMs to conceal their operations, harvest domain credentials, and stage ransomware deployments against targeted organizations.

Their research identified two distinct attack campaigns operating since late 2025, tracked as STAC4713 and STAC3725, both of which exploit virtualization as a core evasion strategy.

The analysts noted that this technique is not entirely new, but the recent rise in QEMU-related incidents points to a growing trend among sophisticated threat groups.

The STAC4713 campaign, first spotted in November 2025, is directly linked to the PayoutsKing ransomware operation and is attributed to a threat group known as GOLD ENCOUNTER.

PayoutsKing emerged in mid-2025 and notably does not operate under a ransomware-as-a-service model, meaning the group executes attacks directly rather than relying on affiliates.

Sophos analysis reveals that the group specifically targets hypervisor environments and has developed encryptors for hypervisor platforms, including VMware ESXi.

The second campaign, STAC3725, first appeared in February 2026 and uses the CitrixBleed2 vulnerability (CVE-2025-5777), a memory over-read in Citrix NetScaler ADC and Gateway that leaks session tokens, as its initial entry point.

After gaining access, the attackers install an attacker-controlled ScreenConnect remote-management client for persistence and then deploy a QEMU VM from which they run credential theft operations against the victim's Active Directory environment.

The infection chain used in the STAC4713 campaign begins with attackers creating a scheduled task named “TPMProfiler,” which runs the QEMU executable (qemu-system-x86_64.exe) under the SYSTEM account.

The task boots a virtual hard disk image whose file name carries a non-disk extension so that it passes as an ordinary data or library file: first vault.db, then, from January 2026, bisrv.dll. In both cases the file is a disk image, not a database or a DLL.

This file masquerading is a deliberate step to make the virtual disk blend in with legitimate system files and slip past monitoring that keys on file extensions.

The task also configures QEMU's user-mode networking to forward the host's ports 32567 and 22022 to port 22 inside the guest, so the VM's SSH service is reachable through the host on those two non-standard ports.

Once the guest boots, it uses AdaptixC2 or OpenSSH to open a reverse SSH tunnel to a remote IP address, giving the attacker a persistent remote-access channel that host endpoint detections do not inspect.
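The host-side view of that chain is a scheduled task whose action is a QEMU command line. The following Python is an added example, not code from Sophos or the article: it parses such a command line (taken from a scheduled task's action or a process-creation event), extracts the disk image paths and the user-mode hostfwd rules, and flags the combination the article describes: a SYSTEM principal, a disk image hiding behind a non-disk extension, and a host port forwarded to guest port 22. The task name, principal, file name and ports are the article's; the full command line, the second benign task, and the option-parsing rules are constructed assumptions.

```python
"""Triage a QEMU launch command line for the hidden-VM tradecraft described above.

Added example, not Sophos's or QEMU's code. The task name, SYSTEM principal,
file names and port numbers come from the article; the exact command line is
constructed, and the option-parsing rules are an assumption based on QEMU's
documented syntax.
"""
import re
from dataclasses import dataclass, field

QEMU_BINARIES = {
    "qemu-system-x86_64.exe", "qemu-system-x86_64",
    "qemu-system-i386.exe", "qemu-system-aarch64.exe",
}
DISK_EXTENSIONS = {".qcow2", ".qcow", ".img", ".raw", ".vhd", ".vhdx", ".vmdk", ".vdi", ".iso"}
# Options that take no value; every other "-option" consumes the next token.
NOARG_OPTIONS = {"-enable-kvm", "-nographic", "-daemonize", "-snapshot", "-no-reboot",
                 "-no-shutdown", "-nodefaults", "-no-user-config", "-S"}
# QEMU user-mode networking: hostfwd=[tcp|udp]:[hostaddr]:hostport-[guestaddr]:guestport
HOSTFWD_RE = re.compile(r"hostfwd=(tcp|udp):[^:,]*:(\d+)-[^:,]*:(\d+)")
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


@dataclass
class Finding:
    executable: str
    disks: list = field(default_factory=list)
    forwards: list = field(default_factory=list)  # (proto, host_port, guest_port)
    flags: list = field(default_factory=list)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def extension(path: str) -> str:
    name = basename(path)
    return name[name.rfind("."):].lower() if "." in name else ""


def parse_qemu_cmdline(cmdline: str) -> Finding:
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    f = Finding(executable=basename(tokens[0]).lower())
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):
            f.disks.append(tok)  # bare image path: qemu-system-x86_64 vault.db
            i += 1
            continue
        if tok in NOARG_OPTIONS:
            i += 1
            continue
        val = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok == "-drive":
            f.disks += [kv[5:] for kv in val.split(",") if kv.startswith("file=")]
        elif tok in ("-hda", "-hdb", "-hdc", "-hdd", "-cdrom"):
            f.disks.append(val)
        i += 2
    f.forwards = [(p, int(h), int(g)) for p, h, g in HOSTFWD_RE.findall(cmdline)]
    return f


def triage(cmdline: str, run_as: str = "") -> Finding:
    """Parse a scheduled-task action or process-creation command line and attach flags.

    Each flag alone is weak (developers forward host ports to guest SSH all the
    time); the combination of SYSTEM + disguised disk + SSH forward is what the
    article's STAC4713 chain looks like from the host."""
    f = parse_qemu_cmdline(cmdline)
    if f.executable not in QEMU_BINARIES:
        return f
    if run_as.upper().endswith("SYSTEM"):
        f.flags.append("qemu launched as SYSTEM")
    for proto, host_port, guest_port in f.forwards:
        if guest_port == 22:
            f.flags.append(f"guest SSH reachable on host {proto}/{host_port}")
    for disk in f.disks:
        if extension(disk) not in DISK_EXTENSIONS:
            f.flags.append(f"disk image with non-disk extension: {basename(disk)}")
    return f


# Constructed samples modelled on the article's description; not captured telemetry.
CONSTRUCTED_TASKS = [
    {"task": r"\TPMProfiler", "principal": r"NT AUTHORITY\SYSTEM",
     "action": r'"C:\ProgramData\qemu\qemu-system-x86_64.exe" -m 2048 -smp 2 -nographic '
               r'-drive file=C:\ProgramData\qemu\bisrv.dll '
               r'-netdev user,id=n0,hostfwd=tcp::32567-:22,hostfwd=tcp::22022-:22 -device e1000,netdev=n0'},
    {"task": r"\DevVM", "principal": r"CORP\alice",
     "action": r'"C:\qemu\qemu-system-x86_64.exe" -m 4096 -hda C:\vms\test.qcow2 '
               r'-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0'},
]

if __name__ == "__main__":
    for t in CONSTRUCTED_TASKS:
        f = triage(t["action"], t["principal"])
        print(t["task"], "->", f.flags or ["no flags"])
```

Feed it the Actions of `Get-ScheduledTask` output or Sysmon event ID 1 command lines. The forwarding flag alone is noisy: the second constructed task is a normal developer VM and still trips it, which is why the flags are reported together rather than collapsed into one verdict.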

The QEMU VM itself hosts an Alpine Linux 3.22.0 image preloaded with attacker tools including Linker2, AdaptixC2, a custom WireGuard traffic obfuscator called wg-obfuscator, BusyBox, Chisel, and Rclone.

In STAC3725, rather than deploying a pre-built toolkit, attackers manually compile their full attack suite inside the VM.

This includes Impacket, KrbRelayX, Coercer, BloodHound.py, NetExec, Kerbrute, and Metasploit, along with supporting libraries for Python, Rust, Ruby, and C.

Observed malicious activity included downloading credentials, enumerating Kerberos usernames via Kerbrute, performing Active Directory reconnaissance via BloodHound, and staging payloads using FTP servers.

Organizations should take the following defensive actions in response to this threat:

  • Audit all environments for unauthorized QEMU installations and unexpected scheduled tasks, especially any that run under the SYSTEM account.
  • Monitor for outbound SSH tunnels and for QEMU port forwarding to guest port 22 from non-standard host ports. Flag .qcow2 and other disk images on hosts that have no business running VMs, and especially disk images renamed to unrelated extensions such as .db or .dll, identifying them by content rather than by name, since the extension is the disguise.
  • Enforce multi-factor authentication (MFA) on all VPN and remote access systems to limit initial access opportunities.
  • Apply patches for known vulnerabilities, including CitrixBleed2 (CVE-2025-5777) and SolarWinds Web Help Desk (CVE-2025-26399), to reduce exposure to active exploitation.
  • Implement network-level detection rules for SSH sessions on non-standard ports and for unusual port-forwarding configurations that target port 22.
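For the audit and monitoring bullets above, checking the file extension is not enough, because the whole point of vault.db and bisrv.dll is that the extension lies. The following Python is an added example, not code from Sophos or the article: it identifies a disk image from its header (and, for VHD, its footer) and reports files whose content is a disk image but whose name is not. The sample bytes are constructed minimal headers, and the set of formats checked is an assumption about what QEMU is likely to be booting.

```python
"""Identify virtual disk images by content, not by file name.

Added example, not Sophos's or QEMU's code. The names vault.db and bisrv.dll
come from the article; every byte sample below is constructed, and the set of
formats checked is an assumption about what QEMU is likely to be booting.
"""
import os
import struct
import tempfile
from typing import Optional, Tuple

DISK_EXTENSIONS = {".qcow2", ".qcow", ".img", ".raw", ".vhd", ".vhdx", ".vmdk", ".vdi", ".iso"}


def identify_disk_image(head: bytes, tail: bytes = b"") -> Optional[str]:
    """Return the disk-image format for a file given its leading bytes (64 KiB is
    enough for every check here) and its final 512 bytes, or None."""
    if head[:4] == b"QFI\xfb" and len(head) >= 8:  # qcow header magic, big-endian version follows
        return "qcow2" if struct.unpack(">I", head[4:8])[0] >= 2 else "qcow"
    if head[:4] == b"KDMV" or head.startswith(b"# Disk DescriptorFile"):
        return "vmdk"
    if head[:4] == b"<<< " and b"VirtualBox Disk Image >>>" in head[:64]:
        return "vdi"
    if head[:8] == b"vhdxfile":
        return "vhdx"
    # VHD keeps its footer at the end; dynamic disks also copy it to the front.
    if head[:8] == b"conectix" or tail[-512:][:8] == b"conectix":
        return "vhd"
    if len(head) > 0x8006 and head[0x8001:0x8006] == b"CD001":
        return "iso9660"
    if len(head) >= 1024 and head[512:520] == b"EFI PART":
        return "raw-gpt"
    # Raw MBR image: boot signature plus at least one partition entry with a type byte.
    # Weakest check here; corroborate with the QEMU process that has the file open.
    if len(head) >= 512 and head[510:512] == b"\x55\xaa" and any(head[446 + 16 * i + 4] for i in range(4)):
        return "raw-mbr"
    return None


def extension(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def classify(path: str, head: bytes, tail: bytes = b"") -> Tuple[Optional[str], bool]:
    """(format, disguised): disguised means the content is a disk image but the name is not."""
    fmt = identify_disk_image(head, tail)
    return fmt, fmt is not None and extension(path) not in DISK_EXTENSIONS


def sweep(root: str, head_size: int = 65536):
    """Walk a tree and return [(path, format)] for disk images stored under non-disk names."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_size)
                    fh.seek(0, os.SEEK_END)
                    fh.seek(max(0, fh.tell() - 512))
                    tail = fh.read(512)
            except OSError:
                continue
            fmt, disguised = classify(path, head, tail)
            if disguised:
                hits.append((path, fmt))
    return hits


def constructed_samples() -> dict:
    """File name -> bytes. Constructed, minimal headers only; not real captured files."""
    qcow2 = b"QFI\xfb" + struct.pack(">I", 3) + b"\x00" * 120
    mbr = bytearray(512)
    mbr[446 + 4] = 0x83                 # one Linux partition entry
    mbr[510:512] = b"\x55\xaa"
    return {
        "bisrv.dll": qcow2,                                  # article's disguised image, as qcow2
        "vault.db": bytes(mbr),                              # article's earlier name, as a raw image
        "notes.db": b"SQLite format 3\x00" + b"\x00" * 100,  # a real SQLite database
        "legit.dll": b"MZ\x90\x00" + b"\x00" * 100,          # a real PE/DLL header
        "test.qcow2": qcow2,                                 # image under its honest name
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for name, data in constructed_samples().items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        for path, fmt in sweep(root):
            print(f"{fmt:8s} disguised as {os.path.basename(path)}")
```

Run `sweep` over ProgramData, user profiles and any directory a QEMU process has open; a raw image with no partition table will still slip past the content checks, so treat the open-file handles of the QEMU process as the authoritative list and this sweep as the way to find images that are not currently mounted.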
