Hidden VMs: how hackers leverage QEMU to stealthily steal data and spread malware
2026-04-18 15:20 | Source: securityaffairs.com


Attackers abuse QEMU to hide malware in virtual machines, bypass detection, steal data, and deploy ransomware without leaving any trace.

Sophos researchers report a rise in attackers abusing QEMU, an open-source emulator, to hide malicious activity inside virtual machines. By running malware in a VM, attackers avoid endpoint security controls and leave minimal traces on the host system. This approach allows them to maintain long-term access, steal credentials, exfiltrate data, and eventually deploy ransomware such as PayoutsKing.

The technique is not new but is becoming more frequent. Over the years, threat actors have used QEMU for different purposes, including hosting attack tools, creating covert tunnels to command-and-control infrastructure, and deploying backdoors before launching ransomware. Attackers favor QEMU and similar platforms like Hyper-V or VMware because they provide a stealthy environment that makes detection and forensic analysis much harder, giving adversaries more time to operate undetected.

“The abuse of QEMU is a recurring technique that has been used by threat actors for many years,” reads the report published by Sophos. “However, Sophos analysts have observed an uptick in cases involving QEMU for defense evasion, with two distinct campaigns identified since late 2025: STAC4713 and STAC3725.”

STAC4713, first seen in late 2025, is a financially driven campaign tied to PayoutsKing ransomware. Attackers rely on QEMU virtual machines to conceal activity and maintain hidden access inside compromised networks.

Attackers deploy QEMU by creating a scheduled task (“TPMProfiler”) that runs a hidden VM with SYSTEM privileges, using disk images disguised as legitimate files like databases or DLLs. They enable persistence through port forwarding and set up reverse SSH tunnels to maintain covert remote access, bypassing detection. Inside the VM, they run a lightweight Alpine Linux environment with tools for tunneling, obfuscation, and data transfer, enabling stealthy operations within the compromised system.
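The deployment pattern above (a hidden VM started as SYSTEM, disk images disguised as DLLs or databases, and host-to-guest port forwarding) maps cleanly onto a few process-creation indicators a defender can score. The following detection helper is an added example, not code from the Sophos report or from Security Affairs; the Sysmon-style event fields, the sample command lines, the `TPM` directory and the `tpmcache.dll` file name are all constructed for illustration.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); not from the report.
SAMPLE_EVENTS = [
    {"User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\ProgramData\TPM\qemu-system-x86_64.exe",
     "CommandLine": r"qemu-system-x86_64.exe -m 512 -accel whpx -display none "
                    r"-drive file=C:\ProgramData\TPM\tpmcache.dll,format=qcow2 "
                    r"-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0"},
    {"User": "CORP\\dev1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "CommandLine": r"qemu-system-x86_64.exe -m 2048 -hda C:\vm\alpine.qcow2"},
]

# Extensions a disk image would normally carry; anything else is suspicious.
IMAGE_EXTS = {".qcow2", ".img", ".raw", ".iso", ".vmdk", ".vdi", ".vhd", ".vhdx"}

def qemu_indicators(event):
    """Return the list of indicators observed in one QEMU process-creation event."""
    cmd = event["CommandLine"]
    if "qemu-system" not in cmd.lower():
        return []
    args = cmd.split()
    hits = []
    # 1. Headless VM: no console window a user would notice.
    if "-nographic" in args or ("-display" in args and args[args.index("-display") + 1] == "none"):
        hits.append("headless")
    # 2. Disk image whose file name does not look like a disk image (e.g. .dll, .mdb).
    for path in re.findall(r"(?:-hd[a-d]\s+|file=)([^\s,]+)", cmd):
        ext = "." + path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext not in IMAGE_EXTS:
            hits.append("disguised_image:" + path)
    # 3. hostfwd exposes a guest service on the host, matching the port-forwarding persistence.
    if "hostfwd=" in cmd:
        hits.append("hostfwd")
    # 4. SYSTEM context suggests a scheduled task rather than an interactive user.
    if event["User"].upper().endswith("SYSTEM"):
        hits.append("system_context")
    # 5. QEMU binary outside the usual install location.
    if not event["Image"].lower().startswith(r"c:\program files"):
        hits.append("unusual_path")
    return hits

def triage(events, threshold=3):
    """Return (image, indicators) for events that reach the indicator threshold."""
    flagged = []
    for e in events:
        hits = qemu_indicators(e)
        if len(hits) >= threshold:
            flagged.append((e["Image"], hits))
    return flagged
```

The threshold keeps a developer's interactive QEMU session (second sample event) out of the queue while the SYSTEM-launched, headless, port-forwarded VM with a `.dll`-named disk image scores on every indicator.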

They also use legitimate system tools to extract credentials, copy Active Directory databases, and explore network shares, blending malicious actions with normal activity.

“Initial access methods varied across intrusions. Older incidents leveraged exposed SonicWall VPNs that did not have multi-factor authentication (MFA) enabled, while a January 2026 incident exploited a SolarWinds Web Help Desk vulnerability (CVE-2025-26399),” continues the report. “In February, Microsoft and Huntress reported similar observations of this vulnerability leading to QEMU deployment.”

The STAC4713 campaign is closely linked to data theft and the deployment of PayoutsKing ransomware, attributed to the GOLD ENCOUNTER group. Active since mid-2025, the group targets virtualized environments like VMware and ESXi and operates independently, not as a ransomware-as-a-service model.

From early 2026, attackers shifted tactics, moving away from QEMU-based access. They began exploiting exposed VPNs and using social engineering, such as phishing emails and fake IT support via Microsoft Teams, to trick users into installing remote tools. They also abused legitimate binaries to sideload malware and used tools like Rclone to exfiltrate data to remote servers, showing a flexible and evolving attack strategy.

“It is highly likely that the STAC4713 campaign is linked to data theft and PayoutsKing ransomware deployment. Counter Threat Unit™ (CTU) researchers attribute the PayoutsKing ransomware and extortion operation, which emerged in mid-2025, to the GOLD ENCOUNTER threat group,” states Sophos. “Sophos analysis indicates that the group focuses on hypervisors and has encryptors targeting both VMware and ESXi environments. PayoutsKing operators have explicitly stated that they do not operate under a ransomware-as-a-service (RaaS) model or work with affiliates, suggesting that tactical differences across these observed incidents are due to deliberate attacker choices rather than separate threat actors.”

Another campaign analyzed by Sophos is tracked as STAC3725. First seen in early 2026, the STAC3725 campaign exploits the CitrixBleed2 flaw to gain access, then installs a malicious ScreenConnect client for persistence and control. Attackers create a new admin account, deploy remote access software, and launch a QEMU virtual machine to run tools for reconnaissance and credential theft.

Inside the VM, they manually build a toolkit including Impacket, BloodHound, Kerbrute, and Metasploit to map the network and extract sensitive data. They also weaken defenses by modifying registry settings, disabling protections, and installing vulnerable drivers.

Post-compromise activity varies, suggesting access is sometimes sold to other actors. In some cases, attackers deploy additional management tools for persistence, while in others they use encrypted connections, steal browser data, and disable security controls to maintain long-term access.

The report includes recommendations, protections, and indicators of compromise for these campaigns.


Pierluigi Paganini

(SecurityAffairs – hacking, malware)




Source: https://securityaffairs.com/190982/security/hidden-vms-how-hackers-leverage-qemu-to-stealthily-steal-data-and-spread-malware.html