Attackers are increasingly abusing QEMU virtual machines to hide credential theft and ransomware staging inside “invisible” virtual environments, making detection and forensics significantly harder for defenders.
QEMU is a legitimate open-source emulator and virtualizer that allows running full operating systems as virtual machines on a host.
Threat actors are weaponizing this capability by running their tools entirely inside a guest VM, where most endpoint security agents on the Windows host have little to no visibility.
This approach leaves minimal artifacts on the host. At the same time, the attacker enjoys a persistent, Linux-based foothold for credential dumping, data exfiltration, and ransomware staging.
Recent campaigns tracked by Sophos as STAC4713 and STAC3725 show how QEMU-based VMs are being turned into stealth backdoors to harvest credentials, move laterally, and ultimately deploy PayoutsKing ransomware and other payloads.
This technique is not entirely new: over the last few years, researchers have documented QEMU being used for reverse SSH tunneling and covert network tunnels, allowing attackers to route traffic through virtual interfaces that blend into normal virtualization activity.
What has changed is the operational maturity: the latest campaigns combine hidden VMs, credential theft, and hypervisor-focused ransomware into a repeatable playbook.
STAC4713: QEMU backdoor to PayoutsKing
The STAC4713 campaign, first seen in late 2025, is financially motivated and linked to the PayoutsKing ransomware operation associated with the GOLD ENCOUNTER threat group.
In these intrusions, attackers deploy QEMU as a covert reverse SSH backdoor and then use it to deliver tools and steal domain credentials before encrypting data.
On compromised Windows systems, the actors create a scheduled task called TPMProfiler that launches a QEMU VM (qemu-system-x86_64.exe) under the SYSTEM account using a disguised virtual disk image, such as a file named vault.db or a fake DLL (bisrv.dll).
The task configures port forwarding from custom high ports to port 22, and when the VM boots, it uses tools like AdaptixC2 or OpenSSH to establish a reverse SSH tunnel to attacker infrastructure, effectively turning QEMU into a hidden remote access channel.
Inside the VM, the attackers run a lightweight Alpine Linux image preloaded with utilities for tunneling, obfuscation and data movement, including C2 agents, custom WireGuard obfuscators, BusyBox, Chisel, and Rclone.
From there, they interact with the Windows environment to create shadow copies, copy the Active Directory database and registry hives, and systematically browse network shares, often abusing legitimate tools like Notepad, Paint, Edge, and third-party file explorers to blend in.
STAC3725: Credential theft inside a QEMU VM
The STAC3725 campaign, observed since early 2026, uses the CitrixBleed2 vulnerability (CVE-2025-5777) in NetScaler appliances to gain initial access, then deploys a malicious ScreenConnect client for persistence.
From there, the threat actors stage a QEMU-based Alpine Linux VM using a custom disk image and use it as a dedicated attack platform for credential harvesting and Active Directory reconnaissance.
Instead of relying solely on pre-packaged scripts, the attackers manually install and compile a full offensive toolkit inside the VM, including frameworks for Kerberos brute forcing, coercion attacks, BloodHound-based AD mapping, and classic post-exploitation frameworks such as Metasploit.
They pair this with additional host-level actions using ScreenConnect, registry changes to weaken credential protection, forensic tools to tamper with Defender exclusions, and even vulnerable drivers to expand their capabilities.
These campaigns highlight a broader evasion trend where adversaries “bring their own hypervisor” to sidestep host-based detections and run their operations from a concealed VM.
Because security agents typically do not inspect guest file systems or processes, QEMU becomes an ideal container for long-term access, credential theft and ransomware staging.
Defenders should actively hunt for unauthorized QEMU binaries, suspicious scheduled tasks running qemu-system processes as SYSTEM, unusual port forwarding to SSH, and virtual disk images using odd extensions like .db, .dll or .qcow2.
Monitoring for outbound SSH tunnels from non-standard ports, unexpected remote management tools such as rogue ScreenConnect clients, and unexplained hidden VMs can help organizations detect these backdoor environments before they are used for large-scale credential theft and ransomware deployment.
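The hunting logic described above, as an added example that is not part of the original article or of Sophos' tooling: it scores process-creation records (Sysmon Event ID 1 style fields) for the indicators named here, a qemu-system binary, execution as SYSTEM, a high host port forwarded to guest port 22 via QEMU's hostfwd syntax, and a guest disk disguised with a non-disk extension. The sample events are constructed, and the task name, ports and paths are assumptions rather than values taken from the campaigns.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\ProgramData\TPM\qemu-system-x86_64.exe",
     "cmdline": r"qemu-system-x86_64.exe -m 512 -drive file=C:\ProgramData\TPM\vault.db,format=raw"
                r" -netdev user,id=n0,hostfwd=tcp::44123-:22 -device e1000,netdev=n0"},
    {"user": r"CORP\jdoe",  # benign developer VM: interactive user, standard disk format, no SSH forward
     "image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "cmdline": r"qemu-system-x86_64.exe -m 2048 -hda C:\VMs\dev.qcow2"},
    {"user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

QEMU_IMAGE = re.compile(r"qemu-system-[a-z0-9_]+\.exe$", re.I)
# QEMU user-mode networking syntax: hostfwd=tcp:[hostaddr]:hostport-[guestaddr]:guestport
HOSTFWD_SSH = re.compile(r"hostfwd=tcp:[^,\s]*:(\d+)-[^,\s]*:22\b", re.I)
DISK_ARG = re.compile(r"(?:-drive\s+file=|-hd[a-d]\s+|-cdrom\s+)([^\s,]+)", re.I)
# Extensions a legitimate guest disk would normally carry; anything else is treated as disguised.
EXPECTED_DISK_EXT = (".qcow2", ".img", ".raw", ".iso", ".vmdk", ".vhd", ".vhdx")


def score_event(ev):
    """Return the list of hunt findings for one record (empty if the image is not QEMU)."""
    findings = []
    if not QEMU_IMAGE.search(ev["image"]):
        return findings
    findings.append("qemu-system binary executed")
    if ev["user"].upper().endswith("\\SYSTEM"):
        findings.append("qemu-system launched as SYSTEM")
    m = HOSTFWD_SSH.search(ev["cmdline"])
    if m and int(m.group(1)) >= 1024:  # custom high host port mapped to guest SSH
        findings.append(f"host port {m.group(1)} forwarded to guest SSH (22)")
    for path in DISK_ARG.findall(ev["cmdline"]):
        if not path.lower().endswith(EXPECTED_DISK_EXT):
            findings.append(f"guest disk with disguised extension: {path}")
    return findings


def hunt(events, min_findings=2):
    """Return (index, findings) for records with at least min_findings indicators."""
    hits = []
    for i, ev in enumerate(events):
        findings = score_event(ev)
        if len(findings) >= min_findings:
            hits.append((i, findings))
    return hits


if __name__ == "__main__":
    for i, findings in hunt(SAMPLE_EVENTS):
        print(f"event {i}: " + "; ".join(findings))
```

The threshold keeps a lone developer VM from alerting while a SYSTEM-launched QEMU with an SSH forward and a .db disk scores on every indicator.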