QEMU abuse enables stealth ransomware attacks, Sophos warns


Sophos analysts reported two active campaigns—tracked as STAC4713 and STAC3725—observed since late 2025, both leveraging QEMU for defense evasion and post-compromise operations.


Cybersecurity researchers have identified a surge in attacks using virtual machine technology to evade detection and deploy ransomware, according to new findings released by Sophos.

The company said threat actors are increasingly abusing QEMU, an open-source machine emulator, to conceal malicious activity inside hidden virtual machines (VMs). The tactic allows attackers to maintain long-term access to compromised systems, harvest credentials, exfiltrate data, and ultimately deploy ransomware while avoiding traditional endpoint security controls.


In the STAC4713 campaign, first detected in November 2025, attackers used QEMU to establish covert remote access channels via reverse SSH tunnels. The operation is financially motivated and linked to the deployment of PayoutsKing ransomware. Attackers created scheduled tasks disguised as legitimate system processes to launch hidden virtual machines and maintain persistence. These VMs hosted attacker toolkits used for credential harvesting and lateral movement within networks.

Investigators also observed attackers exploiting vulnerabilities and weak authentication in enterprise systems, including VPN services and web help desk platforms, to gain initial access. In later incidents, tactics shifted to social engineering, with attackers impersonating IT support personnel to trick users into installing remote access tools.

The STAC3725 campaign, first seen in February 2026, exploited a Citrix vulnerability to infiltrate target environments. Attackers deployed a malicious remote access client and used QEMU to run a Linux-based virtual machine containing a full suite of offensive security tools. These tools enabled credential theft, Active Directory reconnaissance, and data exfiltration.

Unlike earlier cases, in which preconfigured toolkits were dropped onto the host, attackers in this campaign built their toolset directly inside the virtual machine, which gave them more flexibility and reduced their exposure to detection.

Sophos said virtualization-based evasion is not new but has intensified, with attackers refining the technique to slip past security monitoring. Because the guest's processes, files and memory live inside the virtual disk and the emulator's own memory, the host sees only a single QEMU process; activity inside the VM therefore leaves minimal forensic traces on the host, making detection and investigation more difficult.

The researchers linked the STAC4713 campaign to a threat group known as GOLD ENCOUNTER, which emerged in mid-2025 and focuses on virtualized environments, including VMware ESXi hosts. The group operates independently rather than under a ransomware-as-a-service model.

To mitigate the risk, Sophos advised organizations to monitor for unauthorized virtualization software, for suspicious scheduled tasks running with SYSTEM privileges, and for unusual network activity such as outbound SSH connections on non-standard ports. The company also recommended auditing systems for unexpected virtual disk files and for port-forwarding configurations.
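The checks Sophos lists, together with the launch pattern described earlier in the article (a hidden VM started from a scheduled task, with SSH traffic leaving the host), can be turned into a simple hunt over endpoint telemetry. The following Python script is an added example written for this article; it is not Sophos's detection logic and does not come from its report. It scores process-creation records for QEMU-style launches (by binary name, and by argument shape so a renamed emulator still counts), extracts any `hostfwd=` port forwards and virtual disk paths from the command line, and then attributes outbound connections to the processes it flagged. The record field names mimic Sysmon event ID 1 and ID 3 fields; the `Banner` field is an assumption standing in for a network sensor that records the first bytes of a session. All sample records are constructed for the example.

```python
"""
Hunt for hidden-QEMU activity in process and connection records.
Added example for this article, not Sophos's code. Field names follow
Sysmon event ID 1 (process creation) and ID 3 (network connection);
"Banner" is an assumed extra field from a sensor that captures the first
bytes of a TCP session. Sample records below are constructed.
"""
import re
from dataclasses import dataclass, field

QEMU_BIN_RE = re.compile(r"qemu-system-\w+(\.exe)?$", re.IGNORECASE)
# Count distinct QEMU-style switches so a renamed binary is still recognised.
QEMU_OPT_RE = re.compile(
    r"(?:^|\s)-(netdev|drive|hda|hdb|cdrom|accel|machine|smp|display|nographic|daemonize|device|m)\b",
    re.IGNORECASE)
# QEMU user-mode networking forward: hostfwd=tcp:[hostaddr]:hostport-[guestaddr]:guestport
HOSTFWD_RE = re.compile(r"hostfwd=(tcp|udp):([^:,\s]*):(\d+)-([^:,\s]*):(\d+)", re.IGNORECASE)
DISK_RE = re.compile(r"[\w:\\./-]+\.(?:qcow2|img|raw|vmdk|vhdx?)\b", re.IGNORECASE)
HEADLESS_FLAGS = ("-display none", "-nographic", "-daemonize")


@dataclass
class Finding:
    pid: int
    image: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, why):
        self.score += points
        self.reasons.append(why)


def analyze_cmdline(cmdline):
    """Pull QEMU indicators out of one command line (works on renamed binaries too)."""
    cmd = " ".join(cmdline.split())
    if cmd.startswith('"') and '"' in cmd[1:]:
        image = cmd[1:cmd.index('"', 1)]
    else:
        image = cmd.split(" ", 1)[0]
    opts = {o.lower() for o in QEMU_OPT_RE.findall(cmd)}
    named_qemu = bool(QEMU_BIN_RE.search(image))
    return {
        "image": image,
        "named_qemu": named_qemu,
        "qemu_like": named_qemu or len(opts) >= 2,
        "forwards": [(p.lower(), int(hp), int(gp)) for p, _, hp, _, gp in HOSTFWD_RE.findall(cmd)],
        "disks": DISK_RE.findall(cmd),
        "headless": any(flag in cmd for flag in HEADLESS_FLAGS),
    }


def triage_process(rec):
    """Score one process-creation record; higher means more like a hidden attacker VM."""
    info = analyze_cmdline(rec["CommandLine"])
    f = Finding(pid=rec["ProcessId"], image=info["image"])
    if not info["qemu_like"]:
        return f
    f.add(2, "QEMU binary by name" if info["named_qemu"] else "QEMU-style arguments under a non-QEMU image name")
    for proto, host_port, guest_port in info["forwards"]:
        ssh = guest_port == 22
        f.add(2 if ssh else 1, f"hostfwd {proto} host:{host_port} -> guest:{guest_port}" + (" (SSH)" if ssh else ""))
    for disk in info["disks"]:
        f.add(1, f"virtual disk {disk}")
    if info["headless"]:
        f.add(1, "headless or daemonized VM (no console for the user to notice)")
    if rec.get("User", "").upper().endswith("SYSTEM"):
        f.add(1, "runs as SYSTEM")
    if rec.get("ParentImage", "").lower().endswith("svchost.exe"):
        f.add(1, "parent is svchost.exe, consistent with a Task Scheduler launch")
    return f


def triage_connections(conns, qemu_pids):
    """Outbound connections made by flagged QEMU processes (user-mode networking case)."""
    hits = []
    for c in conns:
        if c["ProcessId"] in qemu_pids and c["Initiated"]:
            tag = "outbound from hidden VM"
            if c["DestinationPort"] != 22 and c.get("Banner", "").startswith("SSH-"):
                tag += ", SSH on non-standard port"
            hits.append((c["ProcessId"], c["DestinationIp"], c["DestinationPort"], tag))
    return hits


def hunt(processes, connections, threshold=4):
    """Return ({pid: Finding} at or above threshold, connection hits for those pids)."""
    flagged = {}
    for rec in processes:
        f = triage_process(rec)
        if f.score >= threshold:
            flagged[f.pid] = f
    return flagged, triage_connections(connections, set(flagged))


# Constructed sample telemetry: a disguised headless VM run as SYSTEM from a task,
# a developer's legitimately named QEMU, and an unrelated process.
SAMPLE_PROCESSES = [
    {"ProcessId": 4120, "User": r"NT AUTHORITY\SYSTEM", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\ProgramData\Intel\svchost.exe -m 2048 -accel whpx -display none -daemonize "
                    r"-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0 "
                    r"-drive file=C:\ProgramData\Intel\cache.qcow2,format=qcow2"},
    {"ProcessId": 5004, "User": r"CORP\jdoe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 4096 -hda D:\vms\dev.img'},
    {"ProcessId": 6120, "User": r"CORP\jdoe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\System32\notepad.exe C:\Users\jdoe\notes.txt"},
]
SAMPLE_CONNECTIONS = [
    {"ProcessId": 4120, "Initiated": True, "DestinationIp": "203.0.113.45", "DestinationPort": 8443, "Banner": "SSH-2.0-OpenSSH_9.6"},
    {"ProcessId": 5004, "Initiated": True, "DestinationIp": "10.0.0.7", "DestinationPort": 443, "Banner": ""},
    {"ProcessId": 6120, "Initiated": True, "DestinationIp": "10.0.0.8", "DestinationPort": 445, "Banner": ""},
]

if __name__ == "__main__":
    flagged, hits = hunt(SAMPLE_PROCESSES, SAMPLE_CONNECTIONS)
    for f in flagged.values():
        print(f"pid {f.pid} score {f.score}: {f.image}")
        for reason in f.reasons:
            print("   -", reason)
    for hit in hits:
        print("connection:", hit)
```

One caveat on the connection step: it only works when the VM uses QEMU's user-mode networking (`-netdev user`), where guest traffic is emitted by the QEMU process itself and so is attributed to that process in host telemetry. A VM attached to a TAP or bridged adapter has its own MAC and IP address and its traffic never appears as a host process connection, so this hunt should be paired with network-level monitoring for SSH banners on unexpected ports and for unknown hosts appearing behind a workstation.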

The findings highlight a growing shift in cyberattacks toward stealth and persistence, as threat actors adopt legitimate tools to blend malicious activity into normal system operations.

by TechSabado.com editors