Recent reports from Sophos highlight a surge in cybercriminal activities leveraging QEMU, a versatile machine emulator, to conduct ransomware attacks and deploy remote access tools. These threat actors use QEMU to run guest virtual machines on host operating systems, facilitating covert operations.
Increased Abuse of QEMU
QEMU, known for enabling cross-platform emulation, has become a favored tool among hackers. Over recent years, its use in malicious campaigns has been documented extensively. By late 2025, Sophos noted an increase in instances where QEMU was used to establish hidden communication channels and deploy backdoors.
Among these campaigns, one notable attack observed in November 2025, identified as STAC4713, involved the deployment of ransomware linked to PayoutsKing. The attackers utilized QEMU as a reverse SSH backdoor, facilitating payload delivery and credential theft.
Exploitation Techniques and Vulnerabilities
Initially, attackers targeted SonicWall VPNs without multi-factor authentication. They later exploited the CVE-2025-26399 vulnerability in SolarWinds Web Help Desk, allowing remote code execution. By creating scheduled tasks, attackers launched QEMU VMs with elevated privileges to maintain persistence within compromised systems.
Once inside, these cybercriminals used QEMU to create reverse SSH tunnels, granting them direct access to virtual machines. They then executed various activities, such as copying Active Directory databases and conducting network reconnaissance using built-in Windows tools.
Continuing Threats and Defensive Measures
In early 2026, Sophos discovered another campaign, STAC3725, where attackers exploited the CitrixBleed2 vulnerability, CVE-2025-5777, to gain initial access. A malicious ScreenConnect client was used to establish persistence within the compromised environment.
Post-exploitation, the attackers used the remote access tools they had installed to retrieve QEMU, then carried out their activity from inside the virtual machines it ran. That activity included credential harvesting, Active Directory reconnaissance, and staging payloads for exfiltration.
Sophos suggests organizations monitor for unauthorized QEMU installations and look for rogue scheduled tasks and unusual network behaviors. Identifying these indicators can help uncover potential compromises and protect against future threats.
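The hunting advice above can be turned into a few concrete rules. The following Python is an added example, not code from Sophos or from this article: it runs constructed Windows process-creation and scheduled-task records (field names are simplified stand-ins for Sysmon/Security-log fields) through checks for QEMU launchers outside the default install directory, guests started without a visible console, host ports forwarded into the guest, launches parented by the Task Scheduler service host, execution as SYSTEM, and scheduled-task actions that reference QEMU. The default install path `C:\Program Files\qemu\` and the svchost.exe/taskeng.exe parent for scheduled-task actions are assumptions, so tune them to your fleet.

```python
"""Hunt constructed Windows telemetry for QEMU used as a persistence mechanism.

Example code only; the records below are constructed, not real incident data.
"""
import re
from dataclasses import dataclass

# QEMU launcher binaries are named qemu-system-<arch>.exe (or qemu.exe in some
# builds). On a host where QEMU is not an approved tool, any execution is notable.
QEMU_IMAGE = re.compile(r"(?:^|[\\/])qemu(?:-system-[a-z0-9_]+)?\.exe$", re.IGNORECASE)

# Assumption: default directory of the QEMU Windows installer. A launcher living
# in ProgramData, a user profile or a temp directory is treated as unexpected.
EXPECTED_DIR = re.compile(r"^c:\\program files\\qemu\\", re.IGNORECASE)

# Options that keep the guest console invisible to an interactive user.
HEADLESS_FLAGS = re.compile(r"(?:^|\s)-(?:nographic|display\s+none|vnc\s+none)(?:\s|$)", re.IGNORECASE)

# User-mode networking with a host port forwarded into the guest.
HOSTFWD = re.compile(r"-netdev\s+user\S*hostfwd=", re.IGNORECASE)

# Assumption: Task Scheduler actions run under a svchost.exe hosting the Schedule
# service (taskeng.exe on older builds). Correlate with task-creation records.
SCHEDULER_PARENT = re.compile(r"(?:^|[\\/])(?:svchost|taskeng)\.exe$", re.IGNORECASE)

# First token of a command line, honouring a quoted path with spaces.
LEAD_EXE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


@dataclass
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str
    user: str


@dataclass
class TaskEvent:
    task_name: str
    action: str  # the command the task runs when triggered
    author: str


@dataclass
class Finding:
    source: str
    evidence: str
    reasons: list


def executable_of(command_line):
    """Return the executable path at the start of a command line."""
    m = LEAD_EXE.match(command_line)
    return (m.group(1) or m.group(2)) if m else ""


def inspect_process(ev):
    """Return a Finding for any QEMU launch, with the escalation reasons observed."""
    if not QEMU_IMAGE.search(ev.image):
        return None
    reasons = []
    if not EXPECTED_DIR.match(ev.image):
        reasons.append("qemu binary outside expected install directory")
    if HEADLESS_FLAGS.search(ev.command_line):
        reasons.append("guest started without a visible console")
    if HOSTFWD.search(ev.command_line):
        reasons.append("host port forwarded into guest")
    if SCHEDULER_PARENT.search(ev.parent_image):
        reasons.append("launched by Task Scheduler service host")
    if ev.user.upper().endswith("SYSTEM"):
        reasons.append("running as SYSTEM")
    return Finding("process", ev.command_line, reasons)


def inspect_task(ev):
    """Return a Finding if a scheduled task's action launches QEMU."""
    if not re.search(r"qemu", ev.action, re.IGNORECASE):
        return None
    reasons = ["scheduled task action references qemu"]
    exe = executable_of(ev.action)
    if QEMU_IMAGE.search(exe) and not EXPECTED_DIR.match(exe):
        reasons.append("qemu binary outside expected install directory")
    return Finding("scheduled_task", f"{ev.task_name}: {ev.action}", reasons)


def severity(finding):
    """Two or more escalation reasons make a finding high priority; otherwise review it."""
    return "high" if len(finding.reasons) >= 2 else "review"


def hunt(processes, tasks):
    """Apply both inspectors and return every finding."""
    findings = [f for f in map(inspect_process, processes) if f]
    findings += [f for f in map(inspect_task, tasks) if f]
    return findings


# Constructed sample records: one approved lab VM, one suspicious headless VM
# launched by the scheduler as SYSTEM, and one unrelated process.
SAMPLE_PROCESSES = [
    ProcessEvent(r"C:\Program Files\qemu\qemu-system-x86_64.exe",
                 r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 2048 -hda C:\VMs\lab.qcow2',
                 r"C:\Windows\explorer.exe", r"CORP\analyst"),
    ProcessEvent(r"C:\ProgramData\q\qemu-system-x86_64.exe",
                 r"C:\ProgramData\q\qemu-system-x86_64.exe -m 1024 -hda C:\ProgramData\q\d.qcow2 "
                 r"-nographic -netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0",
                 r"C:\Windows\System32\svchost.exe", r"NT AUTHORITY\SYSTEM"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe",
                 r"C:\Windows\explorer.exe", r"CORP\analyst"),
]
SAMPLE_TASKS = [
    TaskEvent(r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"%windir%\system32\defrag.exe -c -h -o -$", "SYSTEM"),
    TaskEvent(r"\WindowsUpdateHelper",
              r"C:\ProgramData\q\qemu-system-x86_64.exe -m 1024 -hda C:\ProgramData\q\d.qcow2 -nographic",
              r"CORP\svc-backup"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_PROCESSES, SAMPLE_TASKS):
        print(f"[{severity(f)}] {f.source}: {f.evidence}")
        for r in f.reasons:
            print(f"    - {r}")
```

The approved lab VM still surfaces as a "review" finding with no escalation reasons, which matches the advice to treat any QEMU presence as worth confirming; the scheduler-launched headless guest collects every escalation reason and is reported as high priority.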
Staying vigilant and implementing robust security measures remain crucial as cybercriminals continue to evolve their techniques, leveraging tools like QEMU to bypass defenses and infiltrate systems.
