Sophos said hackers are increasingly using QEMU, a free tool that runs virtual computers, to hide cyberattacks and deliver ransomware without being detected.

Security analysts found that attackers run their malicious tools inside a virtual machine (VM) created by QEMU. Because this VM is isolated, most antivirus and endpoint security tools cannot see what is happening inside it. This allows hackers to steal data, move across networks, and deploy ransomware while leaving little trace.

The tactic is not new, but activity is rising. Reports from Mandiant in 2020 and Kaspersky in 2024 already showed QEMU being used for hidden access and network tunneling. In May 2025, Sophos linked it to QDoor malware and 3AM ransomware. Since late 2025, researchers have tracked two active campaigns, named STAC4713 and STAC3725.

In the STAC4713 campaign, first seen in November 2025, hackers used QEMU to secretly access infected systems and steal login credentials. They created a fake system task called “TPMProfiler” to quietly run a hidden virtual machine. The same setup also opened covert listeners on ports 32567 and 22022, which were redirected to SSH access.

Inside the hidden VM, attackers installed tools such as file transfer apps and network scanners. They also copied sensitive files, including Active Directory data, using built-in Windows tools like Notepad and Paint to avoid suspicion.

Initial access varied. Some victims were exposed through VPNs without multi-factor authentication, while others were hit through a known bug in SolarWinds Web Help Desk (CVE-2025-26399).

Sophos linked this campaign to PayoutsKing ransomware, believed to be run by a group called GOLD ENCOUNTER. The group focuses on virtual environments like VMware and ESXi and is known for stealing data before encrypting systems.

By early 2026, the group shifted tactics. Instead of QEMU, attackers used phishing emails and fake IT support messages via Microsoft Teams to trick users into installing remote access tools.

The second campaign, STAC3725, appeared in February 2026 and used a Citrix vulnerability (CVE-2025-5777). Attackers installed remote access software and then deployed QEMU to build their attack tools directly inside the victim’s system.

This campaign included advanced tools for password cracking, network mapping, and data theft. Hackers also disabled security protections and created new admin accounts to maintain access.

Sophos warned that using legitimate tools like QEMU makes attacks harder to detect. “A hidden VM can give attackers long-term access to a network, allowing them to steal data and deploy malware without leaving evidence on the host system,” analysts said.

To reduce risk, organizations should check for unknown QEMU installations, suspicious scheduled tasks, and unusual network activity such as hidden SSH connections. Monitoring for unexpected disk-image files such as .qcow2, or for images disguised behind extensions such as .dll and .db, can also help spot attacks early.
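The checks above, turned into triage logic as an added example (this is not Sophos's code or tooling): it flags scheduled tasks that launch a QEMU binary or carry the TPMProfiler name, sockets on the two ports named in the article, and .dll/.db files that actually begin with the QCOW disk-image magic bytes, so a renamed image is caught even when the extension lies. Task names, paths, PIDs and file contents are constructed samples; on a real host the same functions would be fed from Task Scheduler exports, netstat -ano output and a directory walk.

```python
import re

QCOW2_MAGIC = b"QFI\xfb"           # every QCOW/QCOW2 disk image starts with these 4 bytes
SUSPECT_PORTS = {32567, 22022}     # listeners the article attributes to STAC4713
DISGUISE_EXT = (".dll", ".db")     # extensions the article says images are hidden behind
QEMU_BIN = re.compile(r"qemu-system-\w+(\.exe)?$", re.I)

def flag_tasks(tasks):
    """tasks: [(name, command_line)]; flags QEMU actions or the TPMProfiler name."""
    return [name for name, cmd in tasks
            if QEMU_BIN.search(cmd.split()[0]) or name.lower() == "tpmprofiler"]

def flag_sockets(netstat_lines):
    """netstat -ano style rows 'proto local foreign state pid'; returns (port, state, pid)
    for every socket whose local port is one of the suspect ports, whatever its state."""
    hits = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        port = int(parts[1].rsplit(":", 1)[1])   # works for IPv4 and [::]:port forms
        if port in SUSPECT_PORTS:
            hits.append((port, parts[3], int(parts[4])))
    return hits

def is_disguised_image(filename, header):
    """True when a .dll/.db file actually begins with the QCOW magic (first 4 bytes)."""
    return filename.lower().endswith(DISGUISE_EXT) and header[:4] == QCOW2_MAGIC

# --- constructed sample host data (hypothetical paths, PIDs and file names) ---
SAMPLE_TASKS = [
    ("TPMProfiler", r"C:\ProgramData\tpm\qemu-system-x86_64.exe -m 2048 -drive file=tpm.db"),
    ("VendorUpdate", r"C:\Tools\updater.exe /silent"),
]
SAMPLE_NETSTAT = [
    "TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4",
    "TCP 0.0.0.0:32567 0.0.0.0:0 LISTENING 4120",
    "TCP 10.0.0.5:22022 10.0.0.9:51022 ESTABLISHED 4120",
]
SAMPLE_FILES = {
    "tpm.db": QCOW2_MAGIC + b"\x00\x00\x00\x03" + b"\x00" * 8,   # QCOW2 v3 header start
    "helper.dll": b"MZ\x90\x00" + b"\x00" * 12,                   # ordinary PE header
}

def triage(tasks=SAMPLE_TASKS, netstat=SAMPLE_NETSTAT, files=SAMPLE_FILES):
    """Run all three checks and return the findings in one dict."""
    return {
        "tasks": flag_tasks(tasks),
        "sockets": flag_sockets(netstat),
        "disguised": [n for n, hdr in files.items() if is_disguised_image(n, hdr)],
    }
```

Calling triage() on the sample data reports the TPMProfiler task, both suspect sockets owned by PID 4120, and tpm.db as a disguised disk image.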
