Attackers are abusing QEMU to hide ransomware prep and credential theft inside virtual machines, Sophos says
Attackers are now using QEMU, a legitimate open-source machine emulator, to hide malicious activity inside virtual machines that many endpoint tools cannot inspect properly. Sophos says the technique supports long-term access, credential theft, data exfiltration, and ransomware deployment, all while reducing visibility on the infected host.
The company says it has tracked at least two separate campaigns using this approach since late 2025. One, tagged STAC4713, links to the PayoutsKing ransomware operation and a threat cluster Sophos calls GOLD ENCOUNTER. The other, STAC3725, used a different intrusion path but the same core idea: run attacker tooling inside a hidden QEMU guest so the host sees far less of what is actually happening.
This matters because the trick does not rely on a fake tool or a novel implant. It abuses trusted software that administrators may already recognize, then turns virtualization into a shield for post-compromise activity. Sophos says the result is a stealthier backdoor that can help attackers harvest credentials, pivot through the network, and prepare ransomware with fewer obvious signs on the host itself.
How the QEMU attack chain works
In the STAC4713 campaign, Sophos says the attackers created a scheduled task named TPMProfiler that launched qemu-system-x86_64.exe as SYSTEM. The task booted a virtual disk image that had been given a misleading extension, first vault.db and later bisrv.dll, so the guest's disk blended in with ordinary data and library files rather than standing out as a VM image.
Sophos says the same campaign forwarded unusual local ports on the host to port 22 inside the guest and established reverse SSH access into that guest. The hidden VM was an Alpine Linux image loaded with AdaptixC2, BusyBox, Chisel, Rclone, and a WireGuard obfuscation component, giving the operators a complete covert working environment that lived apart from the host's own file system and process list.
In STAC3725, Sophos says the attackers gained access by exploiting CitrixBleed2, tracked as CVE-2025-5777, then installed ScreenConnect and built their toolset inside the QEMU guest rather than dropping a ready-made package. The tools reportedly included Impacket, KrbRelayX, BloodHound.py, NetExec, Kerbrute, and Metasploit, all aimed at Active Directory discovery, credential abuse, and lateral movement.
Why defenders should pay attention
The main advantage for the attacker is visibility control. Actions performed inside the guest VM may not appear clearly in host-based monitoring, which means investigators can miss credential theft, reconnaissance, or payload staging until much later. Sophos says that makes QEMU especially attractive for operations that want to stay quiet before moving to exfiltration or encryption.
The initial access paths in these cases also show that the QEMU trick is only one stage of a wider intrusion chain. Sophos linked one campaign first to exposed SonicWall VPNs without MFA and later to SolarWinds Web Help Desk exploitation, while the second used CitrixBleed2 on NetScaler systems. Official advisories and vendor guidance confirm that both the CitrixBleed2 flaw, CVE-2025-5777, and the SolarWinds Web Help Desk flaw, CVE-2025-26399, have demanded urgent patching.
That means defenders should not focus only on QEMU binaries. They also need to look at how the attackers got in, what persistence they built, and whether outbound tunnels, unusual scheduled tasks, or disguised virtual disk files already exist in the environment. A hidden VM is dangerous on its own, but it becomes much worse when paired with compromised identity infrastructure or ransomware staging.
What Sophos observed in the two campaigns
| Campaign | First observed | Initial access | Main objective |
|---|---|---|---|
| STAC4713 | November 2025 | Exposed SonicWall VPNs lacking MFA, later SolarWinds Web Help Desk flaws | Reverse SSH backdoor, credential harvesting, and PayoutsKing ransomware activity |
| STAC3725 | February 2026 | CitrixBleed2, CVE-2025-5777 | Hidden-VM credential theft, AD reconnaissance, and staging follow-on activity |
What organizations should do now
Sophos says defenders should audit for unauthorized QEMU installations, unexpected scheduled tasks, and SYSTEM-level processes that launch virtualization components. Security teams should also look for virtual disk files carrying misleading extensions such as .db or .dll, and for ordinary .qcow2 or other image files sitting in locations that make no sense for legitimate VM workflows. Because a renamed image is still an image, checking file headers rather than extensions is the more reliable test.
Organizations should also hunt for outbound SSH tunnels from non-standard ports, unusual local port forwarding to port 22, and signs of tools such as Rclone or Chisel appearing on systems that do not normally use them. Because one campaign targeted SolarWinds Web Help Desk and another used CitrixBleed2, patching exposed systems remains essential, not optional. Microsoft, NVD, Citrix, and Huntress have all published material that reinforces the urgency around these flaws.
For remote access and edge infrastructure, the basic controls still matter. Enforce MFA on VPN and administrative access, reduce exposure of public-facing appliances, and monitor for post-compromise actions that do not match the original server role. If a help desk platform, gateway, or VPN suddenly starts spawning unusual tasks, reverse tunnels, or virtualization processes, that should trigger immediate investigation.
Defensive priorities
- Audit for QEMU binaries, VM disk images, and scheduled tasks that should not exist.
- Patch Citrix NetScaler systems affected by CVE-2025-5777 and SolarWinds Web Help Desk instances affected by CVE-2025-26399 and related flaws.
- Enforce MFA on VPN and remote access systems to reduce easy initial access.
- Monitor for reverse SSH tunnels, odd port forwarding, and tools such as Rclone, Chisel, BloodHound, or NetExec on non-admin systems.
- Treat hidden virtualization activity on ordinary endpoints or servers as high priority.
FAQ
Because a virtual machine can hide a large share of malicious activity from host-based defenses. Sophos says that makes QEMU useful for stealthy remote access, credential theft, and ransomware preparation.
Yes. Sophos linked STAC4713 to the PayoutsKing ransomware operation and to a cluster it tracks as GOLD ENCOUNTER.
The reporting points to CitrixBleed2, CVE-2025-5777, and SolarWinds Web Help Desk CVE-2025-26399, alongside other SolarWinds WHD flaws Microsoft discussed in February 2026.
Start with unauthorized QEMU installs, suspicious scheduled tasks, disguised VM disk files, reverse SSH tunnels, and any edge systems that remain unpatched or lack MFA.