Hackers Leverage QEMU for Malicious Defense Evasion Tactics

Hackers Abuse QEMU for Defense Evasion

Sophos has reported an increase in the use of QEMU by threat actors to deploy ransomware and remote access tools.

QEMU Overview

QEMU is a cross-platform open-source machine emulator that allows users to run a guest virtual machine (VM) on top of their operating system (OS).

Rise in QEMU Usage

The company has observed an uptick in the use of QEMU since late 2025, primarily in campaigns targeting exposed SonicWall VPNs and exploiting vulnerabilities in software such as SolarWinds Web Help Desk.

According to Sophos, one campaign, tracked as STAC4713, was linked to the PayoutsKing ransomware and utilized QEMU as a covert reverse SSH backdoor for payload delivery and credential harvesting.

The attackers initially targeted exposed SonicWall VPNs lacking multi-factor authentication (MFA), but later shifted to exploiting CVE-2025-26399, a remote code execution vulnerability in SolarWinds Web Help Desk.

Once the VM booted from that virtual hard disk image, it opened a reverse SSH tunnel, granting the attackers direct access to the VM.

The attackers created a scheduled task to launch the QEMU VM with system privileges and established persistence.

They performed network share discovery and file access using native Windows tools, copied the Active Directory database and the SAM and SYSTEM hives to temporary folders, and enumerated Kerberos usernames.

The cybersecurity firm attributed the attacks to Gold Encounter, a known hacking group operating the PayoutsKing ransomware.

Second Campaign Abusing QEMU

In February 2026, Sophos observed a second campaign abusing QEMU, tracked as STAC3725, which relied on the exploitation of CVE-2025-5777 (Citrix Bleed2 bug) for initial access and a malicious ScreenConnect client to achieve persistence.

Following the exploitation, the attackers deployed roughly a dozen tools and libraries, harvested credentials, staged payloads, and exfiltrated data.

Recommendations for Organizations

Organizations are advised to search for unauthorized QEMU installations, rogue scheduled tasks, and unusual port forwarding rules, and to monitor outbound SSH tunnels; any of these could reveal a compromise.
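A triage script for those four checks, written here as an added example (it is not Sophos's tooling or part of the original report); it assumes an elevated PowerShell 5.1+ session on a Windows host with the ScheduledTasks and NetTCPIP modules available, and the variable names and the file-name patterns it matches are this script's own assumptions.

```powershell
# Added hunt script (not from the Sophos report): surfaces the four indicators the
# article lists. Run in an elevated PowerShell session on a Windows host.
# Names such as $Findings and the image-name patterns are this script's own assumptions.

$Findings = @()

# 1. QEMU binaries currently running on the host
$QemuProcs = Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.ProcessName -like 'qemu*' }
foreach ($p in $QemuProcs) {
    $Findings += [pscustomobject]@{ Indicator = 'QEMU process'; Detail = "$($p.ProcessName) (PID $($p.Id)) $($p.Path)" }
}

# 2. Scheduled tasks whose actions launch a QEMU executable or a disk image
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'qemu|\.qcow2|\.img\b|\.vhd') {
            $Findings += [pscustomobject]@{
                Indicator = 'Scheduled task'
                Detail    = "$($task.TaskPath)$($task.TaskName) runs as $($task.Principal.UserId): $cmd"
            }
        }
    }
}

# 3. Port-forwarding rules created with "netsh interface portproxy" (persisted in the registry)
$ProxyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
if (Test-Path $ProxyKey) {
    (Get-ItemProperty $ProxyKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            $Findings += [pscustomobject]@{ Indicator = 'portproxy rule'; Detail = "$($_.Name) -> $($_.Value)" }
        }
}

# 4. Established outbound connections to TCP/22, the egress path of a reverse SSH tunnel
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -eq 22 } |
    ForEach-Object {
        $owner = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $Findings += [pscustomobject]@{
            Indicator = 'Outbound SSH'
            Detail    = "$($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):22 by $owner (PID $($_.OwningProcess))"
        }
    }

$Findings | Format-Table -AutoSize -Wrap
```

Every hit needs review against known-good inventory: a legitimate QEMU install or an administrator's SSH session will appear too, so the value is in unexpected entries, in particular a task running as SYSTEM that points at a disk image.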
