Payouts King Ransomware Uses QEMU VMs to Bypass Endpoint Security


What happened

Sophos researchers have documented two active campaigns in which attackers deploy the open-source QEMU emulator to run hidden virtual machines on compromised hosts, concealing their activity from endpoint security tools and maintaining covert access.

The first campaign, tracked as STAC4713 and active since November 2025, is linked to the Payouts King ransomware operation, which Sophos attributes to a group it calls GOLD ENCOUNTER. The attackers create a scheduled task named "TPMProfiler" that launches QEMU as SYSTEM, so the hidden Alpine Linux guest runs inside a SYSTEM-owned process; the guest's disk images are disguised as legitimate files such as databases or DLLs. Inside the VM they manually install and compile a full offensive toolkit (Impacket, BloodHound.py, NetExec, Kerbrute and Metasploit) and establish reverse SSH tunnels for covert remote access. The campaign has targeted VMware ESXi environments, with initial access gained through exposed SonicWall VPNs lacking MFA and through exploitation of a SolarWinds Web Help Desk vulnerability. Payouts King is run as a closed operation rather than as a ransomware-as-a-service program with affiliates.

The second campaign, STAC3725, active since February 2026, exploits the CitrixBleed 2 vulnerability for initial access to NetScaler devices, installs a malicious ScreenConnect client for persistence, and then deploys a similar QEMU-based hidden VM.

Sophos recommends hunting for unauthorized QEMU installations, suspicious scheduled tasks running with SYSTEM privileges, unusual SSH port forwarding, and outbound SSH tunnels on non-standard ports.

Who is affected

Organizations running VMware ESXi, Citrix NetScaler, or SolarWinds Web Help Desk are directly in scope based on the confirmed targets and initial access vectors. Enterprises with internet-exposed VPN appliances that do not enforce MFA are also at elevated risk, as earlier STAC4713 intrusions entered through unprotected SonicWall devices.

Why CISOs should care

Running a full attack toolkit inside a hidden VM is an increasingly documented technique for defeating host-based endpoint detection, and these campaigns show it being used repeatedly by an organized threat group. The host EDR sees only a legitimate, often signed QEMU process and the sockets it opens; the process creation, credential theft, Active Directory reconnaissance and lateral movement happening inside the guest never touch the host's kernel telemetry, which gives attackers extended dwell time before ransomware is deployed. Because Payouts King operates without affiliates, the same group is executing consistently across all observed intrusions, which makes its TTPs reliable indicators for detection.

3 practical actions

  1. Hunt for unauthorized QEMU installations: Audit endpoints and servers for QEMU binaries (by name, hash and version resource, since the executable can be renamed), scheduled tasks that launch virtualization processes as SYSTEM, and disk image files disguised as databases or DLLs. Check candidate files by their header rather than their extension, and treat QEMU on a server that has no business running VMs as a finding, not every copy on an engineer's workstation.
  2. Monitor for anomalous SSH tunneling: Inspect network traffic for outbound SSH connections on non-standard ports and reverse tunnel activity originating from internal systems, particularly from hosts running virtualization software or recently compromised VPN appliances. On the host, traffic from a guest using QEMU's user-mode networking is attributed to the QEMU process itself, so sockets owned by qemu-system-* are a useful pivot.
  3. Patch CitrixBleed 2 and audit VPN MFA coverage: Confirm that all NetScaler devices are patched against the CitrixBleed 2 vulnerability, that SolarWinds Web Help Desk is current, and that MFA is enforced across every remote access entry point, closing the initial access vectors documented in these campaigns.
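The three actions above combined into one hunt, written here as an added example that is not part of the original article or of Sophos's own tooling. It assumes scheduled task and TCP connection records have been exported (for instance from Get-ScheduledTask and Get-NetTCPConnection) into the small record types below, and that the guest uses QEMU's user-mode networking so its sockets belong to the qemu-system process on the host. The task name TPMProfiler comes from the report; every path, principal, address and file header is constructed for the example.

```python
"""Hunt for the QEMU hidden-VM pattern: SYSTEM scheduled tasks launching qemu-system-*,
disk images hidden behind non-image extensions, and egress owned by the QEMU process.
Added example; the inputs below are constructed, not real Sophos telemetry."""
import re
from dataclasses import dataclass

QEMU_BIN = re.compile(r"qemu-system-[a-z0-9_]+(\.exe)?$", re.IGNORECASE)
# Extensions a QEMU disk normally carries; anything else passed to -drive/-hda is suspect.
IMAGE_EXTS = {".qcow", ".qcow2", ".img", ".raw", ".vmdk", ".vdi", ".vhd", ".vhdx", ".iso"}
QCOW_MAGIC = b"QFI\xfb"  # first four bytes of every QCOW/QCOW2 file


@dataclass
class ScheduledTask:
    name: str
    principal: str   # Principal.UserId, e.g. NT AUTHORITY\SYSTEM or S-1-5-18
    execute: str     # Actions.Execute
    arguments: str   # Actions.Arguments


@dataclass
class TcpConn:
    owning_process: str
    remote_address: str
    remote_port: int
    state: str


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def extension(path):
    name = basename(path)
    return name[name.rfind("."):].lower() if "." in name else ""


def runs_as_system(principal):
    p = principal.upper()
    return p in ("SYSTEM", "S-1-5-18") or p.endswith("\\SYSTEM")


def drive_paths(arguments):
    """Pull disk paths from '-drive file=...', '-hda ...' and '-cdrom ...' forms."""
    paths = [m.group(1) for m in re.finditer(r'-drive\s+\S*?file=("[^"]+"|[^,\s]+)', arguments)]
    paths += [m.group(1) for m in re.finditer(r'-(?:hd[abcd]|cdrom)\s+("[^"]+"|\S+)', arguments)]
    return [p.strip('"') for p in paths]


def assess_task(task):
    """Reasons a task matches the pattern; an empty list means it does not launch QEMU."""
    reasons = []
    if not QEMU_BIN.search(basename(task.execute)):
        return reasons
    reasons.append("launches a QEMU binary")
    if runs_as_system(task.principal):
        reasons.append("runs as SYSTEM")
    if re.search(r"-display\s+none|-nographic", task.arguments):
        reasons.append("headless guest (no console window)")
    for p in drive_paths(task.arguments):
        ext = extension(p)
        if ext not in IMAGE_EXTS:
            reasons.append(f"disk image disguised with '{ext or 'no'}' extension: {p}")
    return reasons


def classify_image_header(header):
    """'qcow' on QCOW/QCOW2 magic; 'raw-bootable' if an MBR boot signature sits at offset 510
    (raw images carry no magic of their own, so this is only a heuristic); None otherwise."""
    if header[:4] == QCOW_MAGIC:
        return "qcow"
    if len(header) >= 512 and header[510:512] == b"\x55\xaa":
        return "raw-bootable"
    return None


def qemu_owned_connections(conns):
    """Non-listening sockets owned by a QEMU process. With user-mode networking (-netdev user)
    the host attributes every guest socket to qemu-system-*, so a reverse SSH tunnel or an SMB
    probe from the Alpine guest surfaces here (assumption: slirp, not a TAP adapter)."""
    return [(c.remote_address, c.remote_port) for c in conns
            if c.state != "Listen" and QEMU_BIN.search(basename(c.owning_process))]


# Constructed inputs. "TPMProfiler" is the task name from the report; everything else is invented.
SAMPLE_TASKS = [
    ScheduledTask("TPMProfiler", r"NT AUTHORITY\SYSTEM", r"C:\ProgramData\Intel\qemu-system-x86_64.exe",
                  r"-m 2048 -display none -drive file=C:\ProgramData\Intel\tpmcache.db,format=raw,if=virtio "
                  r"-netdev user,id=n0 -device virtio-net,netdev=n0"),
    ScheduledTask("DevVM", r"CORP\jdoe", r"C:\Program Files\qemu\qemu-system-x86_64.exe",
                  r"-hda C:\VMs\dev.qcow2 -m 4096"),
    ScheduledTask("OneDrive Update", r"CORP\jdoe",
                  r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe", ""),
]
SAMPLE_HEADERS = {  # first 512 bytes of each file
    r"C:\ProgramData\Intel\tpmcache.db": b"\xfa\xb8\x00\x10" + b"\x00" * 506 + b"\x55\xaa",  # raw disk with MBR
    r"C:\ProgramData\Intel\tpmcache2.dll": QCOW_MAGIC + b"\x00\x00\x00\x03" + b"\x00" * 504,  # qcow2 v3 header
    r"C:\ProgramData\app\settings.db": b"SQLite format 3\x00" + b"\x00" * 496,            # genuine SQLite
    r"C:\Windows\System32\kernel32.dll": b"MZ\x90\x00" + b"\x00" * 508,                      # genuine PE
}
SAMPLE_CONNS = [
    TcpConn("qemu-system-x86_64.exe", "203.0.113.10", 2222, "Established"),  # reverse SSH on an odd port
    TcpConn("OUTLOOK.EXE", "52.96.0.1", 443, "Established"),
    TcpConn("qemu-system-x86_64.exe", "10.0.0.5", 445, "TimeWait"),           # SMB from the guest
]


def hunt(tasks=SAMPLE_TASKS, headers=SAMPLE_HEADERS, conns=SAMPLE_CONNS):
    """Return (flagged tasks, disguised images, QEMU-owned sockets). A task needs at least two
    reasons so an engineer's own QEMU dev VM does not page the SOC."""
    flagged = {}
    for t in tasks:
        reasons = assess_task(t)
        if len(reasons) >= 2:
            flagged[t.name] = reasons
    disguised = sorted(p for p, h in headers.items()
                       if classify_image_header(h) and extension(p) not in IMAGE_EXTS)
    return flagged, disguised, qemu_owned_connections(conns)


if __name__ == "__main__":
    for item in hunt():
        print(item)
```

Feed the first 512 bytes of every file a flagged task references into classify_image_header: a raw image has no magic, so the MBR signature is the only header-level tell, and a genuine SQLite file or PE is left alone. A renamed QEMU binary escapes the name regex entirely, so pair this with hash or version-resource checks on anything a SYSTEM task executes.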


National Cyber Security
