Ransomware Uses QEMU VMs to Evade Security Detection

Summary
– The Payouts King ransomware uses the QEMU emulator to run hidden virtual machines, creating a reverse SSH backdoor that bypasses host security.
– Attackers in the STAC4713 campaign deploy a hidden Alpine Linux VM via a scheduled task, using it to run attacker tools and establish covert access.
– A separate campaign, STAC3725, exploits the CitrixBleed 2 vulnerability to gain access and then installs a QEMU package to run a hidden VM for manual tool deployment.
– The GOLD ENCOUNTER threat group, linked to Payouts King, uses various initial access methods including exposed VPNs, phishing, and exploiting software vulnerabilities.
– Payouts King ransomware itself employs heavy obfuscation, uses an AES-256 and RSA-4096 encryption scheme, and directs victims to dark web leak sites.
A sophisticated ransomware campaign is now leveraging a legitimate virtualization tool to create hidden enclaves for launching attacks. The Payouts King ransomware operation has been documented using the QEMU emulator as a covert backdoor, establishing reverse SSH tunnels through hidden virtual machines to evade endpoint detection. Because host-based security software cannot scan inside these isolated environments, attackers gain a powerful, stealthy platform for executing malicious payloads and maintaining persistent remote access.
This tactic is not entirely new. The open-source QEMU virtualization tool has been weaponized in previous campaigns by groups like the 3AM ransomware operation, the LoudMiner cryptominer, and the CRON#TRAP phishing actors. Recent analysis by Sophos researchers details two distinct campaigns, tracked as STAC4713 and STAC3725, where threat actors deployed QEMU to harvest domain credentials and establish footholds.
The STAC4713 campaign, first seen in November 2025, is linked to the Payouts King ransomware and a group Sophos identifies as GOLD ENCOUNTER. This group has a history of targeting hypervisors and VMware encryptors. In these attacks, a scheduled task named ‘TPMProfiler’ launches a hidden QEMU virtual machine with SYSTEM privileges. The VM uses disk files disguised as databases and DLLs, with port forwarding configured to create a reverse SSH tunnel for covert access. The virtual machine runs a lightweight Alpine Linux system packed with attacker tools like AdaptixC2, Chisel, and Rclone.
Initial access for earlier STAC4713 incidents came through exposed SonicWall VPNs, while more recent attacks have exploited the SolarWinds Web Help Desk vulnerability, CVE-2025-26399. After breaching a network, the actors used Volume Shadow Copy tools to create shadow copies, then copied critical Active Directory files like the NTDS.dit database for credential harvesting. The group has since shifted to other initial access methods, including exploiting an exposed Cisco SSL VPN in February and, in March, posing as IT support in Microsoft Teams chats to trick users into installing malicious Quick Assist software.
“In both instances, the threat actors used the legitimate ADNotificationManager.exe binary to sideload a Havoc C2 payload and then leveraged Rclone to exfiltrate data to a remote SFTP location,” Sophos reported. Separate analysis from Zscaler this week suggests Payouts King is likely operated by former BlackBasta affiliates, given its use of similar techniques like spam bombing and Microsoft Teams phishing. The ransomware itself employs heavy obfuscation, terminates security tools, and establishes persistence via scheduled tasks. Its encryption scheme uses AES-256 with RSA-4096 keys and employs intermittent encryption on larger files, directing victims to dark web leak sites via ransom notes.
The second campaign, STAC3725, emerged in February and leverages the CitrixBleed 2 vulnerability, CVE-2025-5777, to compromise NetScaler devices. After gaining access, attackers deploy a ZIP archive that installs a service named ‘AppMgmt,’ creates a hidden local administrator account, and installs a ScreenConnect client for persistent remote control. This client connects to an attacker-controlled relay, then downloads and executes a QEMU package to launch another hidden Alpine Linux VM.
Unlike the pre-packaged toolkit in the first campaign, these attackers manually install and compile their tools inside the VM. This arsenal includes Impacket, KrbRelayx, BloodHound.py, and Metasploit, which are used for credential harvesting, Kerberos enumeration, Active Directory reconnaissance, and staging data for exfiltration via FTP.
To defend against these evolving threats, organizations are advised to monitor for unauthorized QEMU installations, scrutinize scheduled tasks running with elevated SYSTEM privileges, and investigate unusual SSH port forwarding or outbound SSH connections on non-standard ports. The abuse of legitimate virtualization software underscores a growing trend where attackers hide in plain sight, using trusted tools to bypass traditional security controls.
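The three indicators in the paragraph above (QEMU launched from a scheduled task running as SYSTEM, SSH-style port forwarding on the QEMU command line, and disk images disguised as databases or DLLs, as in the ‘TPMProfiler’ task described earlier) can be turned into a simple triage pass over exported task definitions. The script below is an added example written for this page, not code from Sophos or BleepingComputer. It assumes the task records have already been exported (for instance from `schtasks /query /xml` or `Get-ScheduledTask`) into the four fields shown; the `ScheduledTask` fields, the regular expressions and all sample task records are constructed for illustration, and only the task name ‘TPMProfiler’ and the 'QEMU as SYSTEM with hostfwd' pattern come from the article.

```python
"""Triage exported Windows scheduled tasks for hidden-VM indicators:
QEMU run as SYSTEM, hostfwd port forwarding, and disk images disguised as
data files. Added example; task records and field names are constructed."""
import ntpath
import re
from dataclasses import dataclass

# Well-known QEMU binary names: qemu, qemu-img, qemu-system-<arch>.
QEMU_BASENAME = re.compile(r"^qemu(-system-[a-z0-9_]+|-img)?(\.exe)?$", re.IGNORECASE)
# Options that rarely appear outside a QEMU command line; they expose a renamed binary.
QEMU_ONLY_OPTIONS = {"-netdev", "-drive", "-hda", "-hdb", "-cdrom", "-nographic", "-accel"}
# User-mode networking forward: hostfwd=tcp:[hostaddr]:hostport-[guestaddr]:guestport
HOSTFWD = re.compile(r"hostfwd=(tcp|udp):([^:,]*):(\d+)-([^:,]*):(\d+)", re.IGNORECASE)
SYSTEM_PRINCIPALS = {"NT AUTHORITY\\SYSTEM", "SYSTEM", "LOCALSYSTEM", "S-1-5-18"}
# Extensions that make a VM disk image look like ordinary application data.
DISGUISE_EXTENSIONS = {".db", ".dll", ".dat", ".mdb", ".log", ".tmp"}


@dataclass
class ScheduledTask:
    name: str
    run_as: str     # principal the task runs under (constructed field name)
    command: str    # <Exec><Command> from the task XML
    arguments: str  # <Exec><Arguments> from the task XML


def tokenize(arguments: str) -> list:
    """Split a command line, keeping quoted paths with spaces as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', arguments)]


def disk_images(tokens: list) -> list:
    """Collect image paths from -hda/-hdb/-cdrom and -drive file=... options."""
    paths = []
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-hda", "-hdb", "-cdrom"):
            paths.append(tokens[i + 1])
        elif tok == "-drive":
            paths.extend(p[5:] for p in tokens[i + 1].split(",") if p.startswith("file="))
    return paths


def analyze_task(task: ScheduledTask) -> dict:
    """Return indicators for one task. 'suspicious' is set when QEMU is combined
    with SYSTEM execution, port forwarding, or a disguised disk image."""
    tokens = tokenize(task.arguments)
    basename = ntpath.basename(task.command)
    named_qemu = bool(QEMU_BASENAME.match(basename))
    qemu_opts = sorted(QEMU_ONLY_OPTIONS.intersection(tokens))
    is_qemu = named_qemu or bool(qemu_opts)
    runs_as_system = task.run_as.upper() in SYSTEM_PRINCIPALS
    headless = "-nographic" in tokens
    if "-display" in tokens:
        i = tokens.index("-display")
        headless = headless or (i + 1 < len(tokens) and tokens[i + 1] == "none")
    forwards = [(p.lower(), int(hp), int(gp))
                for p, _, hp, _, gp in HOSTFWD.findall(task.arguments)]
    disguised = [p for p in disk_images(tokens)
                 if ntpath.splitext(p)[1].lower() in DISGUISE_EXTENSIONS]
    reasons = []
    if is_qemu:
        if not named_qemu:
            reasons.append(f"QEMU-only options {qemu_opts} passed to {basename!r}")
        if runs_as_system:
            reasons.append(f"runs as {task.run_as}")
        for proto, hport, gport in forwards:
            hint = " (SSH)" if gport == 22 else ""
            reasons.append(f"hostfwd {proto} host:{hport} -> guest:{gport}{hint}")
        for p in disguised:
            reasons.append(f"disk image disguised as data file: {p}")
        if headless:
            reasons.append("VM runs without a display")
    return {"task": task.name, "is_qemu": is_qemu, "runs_as_system": runs_as_system,
            "headless": headless, "forwards": forwards, "disguised_disks": disguised,
            "reasons": reasons,
            "suspicious": is_qemu and (runs_as_system or bool(forwards) or bool(disguised))}


def scan(tasks: list) -> list:
    return [analyze_task(t) for t in tasks]


# Constructed sample records; only the name 'TPMProfiler' comes from the article.
SAMPLE_TASKS = [
    ScheduledTask("TPMProfiler", "NT AUTHORITY\\SYSTEM",
                  r"C:\ProgramData\TPM\qemu-system-x86_64.exe",
                  r"-m 1024 -drive file=C:\ProgramData\TPM\profile.db,format=raw "
                  r"-drive file=C:\ProgramData\TPM\tpmapi.dll,format=raw "
                  r"-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0 -display none"),
    # A developer's own VM: QEMU, but interactive, normal image name, non-SYSTEM account.
    ScheduledTask("NightlyBuildVM", "CORP\\dev.user",
                  r"C:\Program Files\qemu\qemu-system-x86_64.exe",
                  r"-m 2048 -hda C:\vm\build.qcow2 -display gtk"),
    # An ordinary SYSTEM task unrelated to QEMU.
    ScheduledTask("SvcHostMaintenance", "SYSTEM", r"C:\Windows\System32\svchost.exe", "-k netsvcs"),
    # A renamed QEMU binary betrayed by its command-line options.
    ScheduledTask("CacheIndexer", "S-1-5-18", r"C:\ProgramData\Cache\hostsvc.exe",
                  r"-drive file=C:\ProgramData\Cache\index.dat,format=raw "
                  r"-netdev user,id=n0,hostfwd=tcp::8022-:22 -nographic"),
]

if __name__ == "__main__":
    for r in scan(SAMPLE_TASKS):
        print(f"{r['task']:<20} {'SUSPICIOUS' if r['suspicious'] else 'ok'}")
        for reason in r["reasons"]:
            print(f"    - {reason}")
```

The binary name alone is a weak signal because the attacker controls it; matching on QEMU-only options catches a renamed executable, and the `hostfwd` parse surfaces which guest port is exposed so an analyst can correlate it with the unusual outbound SSH connections the article recommends hunting for.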
(Source: BleepingComputer)