Attackers Use QEMU Hidden VMs to Steal Data and Deliver PayoutsKing Ransomware
Sophos reported that threat actors are increasingly abusing QEMU to launch hidden virtual machines on compromised systems, allowing credential theft, reconnaissance, covert access, data exfiltration, and ransomware staging to occur outside the visibility of many endpoint security tools. The activity was tied to two campaigns, STAC4713 and STAC3725, in which attackers deployed lightweight Alpine Linux VMs that left minimal forensic evidence on the host while supporting tools such as AdaptixC2, Chisel, Rclone, wg-obfuscator, Impacket, BloodHound.py, Kerbrute, and Metasploit.
STAC4713 was linked to the GOLD ENCOUNTER / PayoutsKing ransomware operation and used scheduled tasks, reverse SSH tunnels, and QEMU-hosted tooling after gaining access through exposed SonicWall VPNs without MFA and exploitation of SolarWinds Web Help Desk CVE-2025-26399. Sophos said the group later also used phishing and fake Microsoft Teams IT support, and in some intrusions shifted from QEMU to Havoc C2 sideloading via ADNotificationManager.exe with exfiltration through Rclone. In STAC3725, attackers exploited CitrixBleed2 (CVE-2025-5777), installed a malicious ScreenConnect client, created a rogue local administrator account, and used a QEMU VM to manually assemble an attack toolkit. Together the two campaigns underscore a broader trend of adversaries using virtualization platforms including QEMU, Hyper-V, and VMware to evade detection and complicate incident response.
Timeline
Apr 16, 2026
Sophos publishes report on QEMU abuse for evasion and ransomware delivery
On 2026-04-16, Sophos publicly reported the growing abuse of QEMU by threat actors to conceal malicious operations, evade endpoint security tools, and enable ransomware delivery. The report detailed the STAC4713 and STAC3725 campaigns and provided detection guidance focused on unauthorized QEMU installations, suspicious SYSTEM-level scheduled tasks, SSH tunneling, and disguised virtual disk images.
Jan 1, 2026
GOLD ENCOUNTER shifts some PayoutsKing intrusions away from QEMU
In early 2026, Sophos observed a tactical change in some GOLD ENCOUNTER/PayoutsKing intrusions, with attackers moving away from QEMU-based virtualization in certain cases. Instead, they used Havoc C2 sideloading via ADNotificationManager.exe and exfiltrated data with Rclone.
Jan 1, 2026
STAC3725 exploits CitrixBleed2 and deploys QEMU-hosted attack toolkit
In early 2026, the STAC3725 campaign exploited CitrixBleed2 (CVE-2025-5777), installed a malicious ScreenConnect client, created a rogue local administrator account, and used a QEMU virtual machine to manually assemble an attack toolkit. The VM hosted tools such as Impacket, BloodHound.py, Kerbrute, and Metasploit for follow-on intrusion activity.
Dec 1, 2025
STAC4713 uses QEMU in intrusions tied to PayoutsKing ransomware
In late 2025 and into early 2026, the STAC4713 campaign used Alpine Linux QEMU virtual machines, scheduled tasks, reverse SSH tunnels, and tools including AdaptixC2, Chisel, Rclone, and wg-obfuscator. Initial access in reported cases came through exposed VPNs and exploitation of SolarWinds Web Help Desk CVE-2025-26399, and Sophos linked the activity to the financially motivated PayoutsKing/GOLD ENCOUNTER operation.
Dec 1, 2025
Threat actors begin abusing QEMU in stealthy post-compromise campaigns
Sophos observed threat actors using QEMU-based virtual machines on compromised hosts starting in late 2025 to hide tooling and activity from endpoint defenses while minimizing forensic traces on the host system. The technique was used to support credential theft, reconnaissance, persistence, covert access, and data exfiltration.
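The detection guidance in the Sophos report (unauthorized QEMU installations, suspicious SYSTEM-level scheduled tasks, disguised virtual disk images) lends itself to two cheap host-side checks. The Python below is an added example written for this page, not Sophos's tooling and not anything recovered from the campaigns: it identifies virtual disk images by their format headers regardless of file extension, and triages a scheduled-task export for tasks that run as SYSTEM and launch QEMU, either by binary name or, for a renamed binary, by a combination of QEMU-specific command-line switches. The pipe-separated export format, file paths and task names in the sample are constructed for illustration; the magic bytes are the documented qcow2, VMDK and VHD headers.

```python
"""Triage helpers for QEMU-abuse hunting: disguised disk images and
SYSTEM-level scheduled tasks that launch a hypervisor.
Added example for this page, not Sophos tooling; all sample data is constructed."""
import os
import re
from typing import Optional

# Documented header magic of common virtual disk formats.  qcow2 is QEMU's
# native format; VMDK and VHD are included because QEMU boots them as well
# and the same rename-the-file disguise applies.
DISK_MAGIC = {
    b"QFI\xfb": "qcow2",    # qcow2 header, offset 0
    b"KDMV": "vmdk",        # VMware sparse extent header, offset 0
    b"conectix": "vhd",     # VHD footer; dynamic VHDs also copy it to offset 0
}
# Extensions under which a disk image would not be surprising.
DISK_EXTENSIONS = {".qcow2", ".qcow", ".img", ".raw", ".vmdk", ".vhd", ".vhdx"}


def identify_disk_image(head: bytes, tail: bytes = b"") -> Optional[str]:
    """Classify a file by its first bytes (and last 512 bytes for fixed VHDs).
    The file name is deliberately ignored: a renamed image keeps its header."""
    for magic, fmt in DISK_MAGIC.items():
        if head.startswith(magic):
            return fmt
    # Fixed-size VHDs carry their only 'conectix' footer in the final 512 bytes.
    if len(tail) >= 512 and tail[-512:].startswith(b"conectix"):
        return "vhd"
    return None


def is_disguised_image(name: str, head: bytes, tail: bytes = b"") -> bool:
    """True when the bytes say 'disk image' but the extension does not."""
    fmt = identify_disk_image(head, tail)
    if fmt is None:
        return False
    return os.path.splitext(name)[1].lower() not in DISK_EXTENSIONS


def scan_path(path: str) -> Optional[str]:
    """Read only the head and tail of a real file and classify it."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(8)
        tail = b""
        if size >= 512:
            fh.seek(size - 512)
            tail = fh.read(512)
    return identify_disk_image(head, tail)


# --- Scheduled-task triage -------------------------------------------------
# Real QEMU launcher names, preceded by a path separator, whitespace or quote.
HYPERVISOR_RE = re.compile(
    r'(?:^|[\\/\s"])(qemu(?:-system-[\w-]+)?|qemu-img)(?:\.exe)?\b', re.IGNORECASE)
# Switches that only make sense when booting a guest; two or more of them on a
# command line flags a renamed hypervisor binary.
QEMU_SWITCH_RE = re.compile(r"\s-(?:hda|hdb|drive|cdrom|netdev|nographic|snapshot)\b",
                            re.IGNORECASE)
SYSTEM_PRINCIPALS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCALSYSTEM"}


def task_is_suspicious(run_as: str, command: str) -> bool:
    """A task is suspicious when it runs as SYSTEM and launches QEMU."""
    system_context = run_as.strip().upper() in SYSTEM_PRINCIPALS
    launches_qemu = (HYPERVISOR_RE.search(command) is not None
                     or len(QEMU_SWITCH_RE.findall(command)) >= 2)
    return system_context and launches_qemu


# Constructed sample of a task export (TaskName|RunAs|Command); not real telemetry.
SAMPLE_TASKS = r"""
\Microsoft\Windows\Defrag\ScheduledDefrag|SYSTEM|%windir%\system32\defrag.exe -c -h -o -$
\UpdateCheck|SYSTEM|C:\ProgramData\upd\qemu-system-x86_64.exe -m 512 -hda C:\ProgramData\upd\data.bin -netdev user,id=n0
\CloudSync|SYSTEM|C:\ProgramData\sync\svchost.exe -nographic -drive file=C:\ProgramData\sync\cache.dat,format=qcow2 -netdev user,id=n0
\Backup|alice|C:\Tools\qemu-img.exe convert -O qcow2 in.raw out.qcow2
"""


def triage_tasks(export: str) -> list:
    """Return the names of tasks in a pipe-separated export that meet both conditions."""
    hits = []
    for line in export.splitlines():
        if not line.strip():
            continue
        name, run_as, command = line.split("|", 2)
        if task_is_suspicious(run_as, command):
            hits.append(name)
    return hits


if __name__ == "__main__":
    print("suspicious tasks:", triage_tasks(SAMPLE_TASKS))
    print("data.bin disguised:", is_disguised_image("data.bin", b"QFI\xfb\x00\x00\x00\x03"))
```

The disk-image check pairs naturally with the task triage: a SYSTEM task whose `-hda` or `-drive` argument points at a file with a non-image extension (the `data.bin` and `cache.dat` cases in the sample) is exactly the "disguised virtual disk image" the report describes, and `scan_path` confirms it without trusting the name.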
Related Stories

Credential-Theft Malware Campaigns Targeting Windows via Social Engineering and Trusted Services
Multiple reports describe **active malware campaigns targeting Windows users** with a focus on **credential, session, and wallet theft** delivered through social engineering and abuse of legitimate services. **CharlieKirk Grabber**, a Python infostealer packaged with *PyInstaller*, is distributed via phishing, cracked software, cheats, and social-media lures; it kills browser processes (via `TASKKILL`) to access credential stores, collects passwords/cookies/autofill/Wi-Fi data, zips the loot, uploads it to *GoFile*, and relays the download link to operators via **Discord webhooks** or **Telegram bots**. Separately, attackers are buying **Facebook ads** impersonating Microsoft to drive victims to cloned Windows 11 download pages on lookalike domains (e.g., `ms-25h2-update[.]pro`), delivering a malicious installer that steals saved passwords, browser sessions, and **cryptocurrency wallet** data; the campaign uses **geofencing/sandbox evasion** to show benign content to data-center IPs while serving malware to likely end users.

Other contemporaneous activity highlights broader Windows-targeted intrusion tradecraft and adjacent threats. FortiGuard Labs reported **Winos 4.0 (ValleyRat)** phishing campaigns in Taiwan using tax and e-invoice lures, with delivery chains including malicious **LNK** downloaders, **DLL sideloading**, and **BYOVD** using the vulnerable driver `wsftprm.sys`, supported by rapidly rotating domains and cloud hosting. In LATAM, a fake bank-receipt lure delivers **XWorm v5.6** via a `.pdf.js` double-extension WSH dropper that uses junk-padding and Unicode obfuscation, then reconstructs and runs PowerShell (spawned via WMI) and abuses trusted hosting (e.g., Cloudinary) for later stages, enabling credential theft and potential ransomware follow-on.
Additional reporting covered a USB-propagating **Monero cryptomining** operation capable of crossing air-gapped environments, a new Linux **SysUpdate** variant with encrypted C2 traffic (and a Unicorn Engine-based decryption approach developed during DFIR), and the **Foxveil** loader abusing **Cloudflare Pages, Netlify, and Discord** to stage shellcode and persist via services or *SysWOW64* masquerading—these are separate threats but reinforce the trend of attackers blending into trusted infrastructure and common user workflows.
Attackers Abuse RMM Tools and Bomgar RCE to Breach MSPs and Deploy Ransomware
Threat actors increasingly abused legitimate remote monitoring and management (RMM) software for initial access, persistence, credential theft, and defense evasion, with Huntress reporting that RMM abuse accounted for 24% of incidents it observed and surged 277% over the prior year. Campaigns used signed tools including **Action1**, **ScreenConnect**, **HeartbeatRM**, **AnyDesk**, **Atera**, and **SimpleHelp**, often chaining multiple products together to fragment telemetry and complicate containment. Delivery methods included phishing lures themed around the Social Security Administration and invitations, GitHub-hosted payloads, Cloudflare-protected sites, Windows-only filtering, and mobile-only credential harvesting pages; Huntress also observed low-maturity operators using LLM-generated scripts, VPS infrastructure, proxy tooling, combo lists, and utilities designed to hide RMM software from uninstall lists. Huntress also linked a sustained rise in compromises involving **Bomgar** instances to exploitation of **`CVE-2026-1731`**, a critical remote code execution flaw in BeyondTrust products, with attackers targeting outdated deployments to access victim networks and pivot into downstream customer environments. Reported incidents hit MSPs and software providers, including a ransomware attack affecting three downstream companies and another MSP breach that forced the isolation of 78 businesses while attackers moved into four customer environments. In affected networks, intruders created privileged accounts, added users to **Domain Admins**, ran reconnaissance with **NetScan** and **`nltest.exe`**, deployed suspicious drivers such as **PoisonX.sys** and **HRSword.exe**, and in several cases launched **LockBit** or a likely leaked-builder variant, underscoring the need to patch BeyondTrust systems, tightly govern trial and remote-access tooling, and monitor for unauthorized RMM activity.
Ransomware operators abuse legitimate remote administration tools and exploit SmarterMail flaws for initial access and persistence
**Ransomware activity is increasingly blending into normal IT operations** by combining exploitation of internet-facing software with the use of legitimate remote access and monitoring tools. Huntress reported multiple intrusions tied to the **Crazy** ransomware gang where attackers deployed *Net Monitor for Employees Professional* and the *SimpleHelp* remote support client to maintain persistence, evade detection, and stage for ransomware deployment. The actors installed the monitoring agent via `msiexec.exe` directly from the vendor site, then used it for interactive control (desktop viewing, file transfer, command execution); they also added redundant access by installing SimpleHelp via PowerShell and disguising binaries with benign-looking names (e.g., `vshost.exe`) and paths such as `C:\ProgramData\OneDriveSvc\OneDriveSvc.exe`. In parallel, ransomware groups have been observed **actively exploiting recently patched SmarterTools SmarterMail vulnerabilities** that enable unauthenticated compromise of mail servers. SC Media reported that CISA added **CVE-2026-24423** to the KEV catalog after it was linked to ransomware campaigns; the flaw enables unauthenticated RCE via SmarterMail’s `ConnectToHub` API by delivering a malicious OS command from a remote server. A second issue, **CVE-2026-23760**, allows authentication bypass through the password reset API (`force-reset-password`) by not validating the old password; ReliaQuest attributed active exploitation of this weakness to a China-based actor tracked as **Storm-2603**, which reportedly chained the bypass with SmarterMail’s *Volume Mount* feature to reach RCE, activity assessed as staging consistent with **Warlock** ransomware operations (even when ransomware was not yet deployed).