Growing Misuse of QEMU by Cyber Threat Actors
Security researchers have reported an increase in the abuse of QEMU, an open-source machine emulator, by cybercriminals in recent years. Designed to run guest virtual machines (VMs) on a host operating system, the tool has become a vehicle for deploying ransomware and remote access backdoors. Sophos has observed an uptick in QEMU abuse since late 2025, particularly in campaigns linked to advanced persistent threat groups.
One significant example is the STAC4713 campaign, where attackers leveraged QEMU as a covert reverse SSH backdoor. This allowed them to deliver malicious payloads and harvest credentials. By targeting exposed SonicWall VPNs and exploiting a remote code execution vulnerability in SolarWinds Web Help Desk, the attackers gained initial access and established persistence through scheduled tasks running a QEMU VM with elevated privileges.
Techniques Used to Exploit Virtual Machines
In addition to deploying reverse SSH tunnels, attackers in these campaigns used QEMU to create virtual hard disk images that facilitated unauthorized access. Sophos documented methods such as creating volume shadow copy snapshots and copying sensitive system files, including Active Directory databases and Security Account Manager (SAM) hives. These actions were performed using built-in Windows tools, demonstrating the attackers' ability to operate with minimal detection.
The campaigns also included reconnaissance activities like network share discovery and file access enumeration. Such techniques enabled the cybercriminals to identify key systems and data repositories for further exploitation. The use of QEMU allowed them to operate within an isolated VM environment, complicating detection and remediation efforts for security teams.
Exploitation of Vulnerabilities for Initial Access
Initial access in these campaigns often relied on exploiting known vulnerabilities. For example, CVE-2025-26399 in SolarWinds software and CVE-2025-5777, known as the CitrixBleed 2 bug, were critical entry points. These exploits provided attackers with a foothold to deploy additional tools and achieve persistence within the targeted environment.
In the STAC3725 campaign, the attackers paired vulnerability exploitation with a malicious ScreenConnect client to maintain access. They manually executed attacks within the QEMU VM and deployed a suite of tools for credential harvesting, Active Directory reconnaissance, and data exfiltration. This illustrates the importance of timely patch management and vulnerability monitoring to reduce exposure.
Link to Ransomware Operations
Both campaigns observed by Sophos are linked to Gold Encounter, a hacking group associated with the PayoutsKing ransomware operation. The group has a history of targeting VMware and ESXi environments for encryption, reflecting their focus on high-value virtualized infrastructure. Their reliance on QEMU demonstrates how cybercriminals are adapting their techniques to exploit the flexibility of VM technologies.
The use of QEMU as a reverse SSH backdoor and its integration with ransomware tools underline the evolving threat landscape. By leveraging virtual machines, attackers can bypass traditional security measures and complicate forensic investigations. This highlights the need for advanced detection mechanisms capable of monitoring VM activity.
Mitigation Strategies for Enterprises
Organizations must take proactive steps to address the rising threat of QEMU exploitation. Implementing multi-factor authentication (MFA) for VPNs and remote access tools can significantly reduce the risk of initial compromise. Additionally, maintaining up-to-date patching for software vulnerabilities like CVE-2025-26399 and CVE-2025-5777 is critical.
Security teams should monitor VM activity and create alerts for unusual behavior, such as the creation of volume shadow copies or unauthorized file access. Employing advanced endpoint detection and response (EDR) solutions can help identify and mitigate these threats early. Finally, training employees on recognizing phishing attempts and other social engineering tactics can prevent attackers from gaining an initial foothold.
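The monitoring advice above, together with the tradecraft described in the section on virtual machine techniques (shadow copy creation, copying of SAM hives and the Active Directory database, and a QEMU VM started from a scheduled task), can be turned into a small detection pass over process-creation telemetry. The following is an added example written for this page; it is not Sophos code and not part of the original article. The event records, host names and user names are constructed, the field layout is only loosely modelled on Sysmon process-creation events, and the treatment of svchost.exe or taskeng.exe as the parent of a scheduled-task launch is an assumption that should be validated against your own telemetry.

```python
"""Triage constructed process-creation events for the QEMU-abuse tradecraft
described above. Added example, not the article's or Sophos's code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str           # full path of the started executable
    command_line: str
    parent_image: str    # full path of the parent process
    user: str


# A QEMU emulator or disk-image binary on a Windows host. QEMU is rarely
# sanctioned on servers or ordinary workstations, so its presence is the
# first thing to alert on; allowlist hosts where it is expected.
QEMU_IMAGE = re.compile(r"[\\/]qemu(-system-[\w-]+|-img)?\.exe$", re.I)

# Assumption: the Task Scheduler service runs inside svchost.exe on current
# Windows builds (taskeng.exe on older ones), so a QEMU process with one of
# these parents is treated as a scheduled-task launch.
SCHEDULER_PARENTS = ("\\svchost.exe", "\\taskeng.exe")

SHADOW_COPY = [
    re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+call\s+create", re.I),
]

# Registry hive exports and Active Directory database access.
CREDENTIAL_STORE = [
    re.compile(r"reg(\.exe)?\s+(save|export)\s+hklm\\(sam|system|security)\b", re.I),
    re.compile(r"ntds\.dit", re.I),
    re.compile(r"ntdsutil(\.exe)?.*\bifm\b", re.I),
]


def _any(patterns, text):
    return any(p.search(text) for p in patterns)


# (rule name, MITRE ATT&CK technique, predicate over one event)
RULES = [
    ("qemu_emulator_running", "T1564.006",
     lambda e: bool(QEMU_IMAGE.search(e.image))),
    ("qemu_launched_by_scheduled_task", "T1053.005",
     lambda e: bool(QEMU_IMAGE.search(e.image))
     and e.parent_image.lower().endswith(SCHEDULER_PARENTS)),
    ("shadow_copy_created", "T1003.003",
     lambda e: _any(SHADOW_COPY, e.command_line)),
    ("credential_store_copied", "T1003.002",
     lambda e: _any(CREDENTIAL_STORE, e.command_line)),
]
QEMU_RULES = {"qemu_emulator_running", "qemu_launched_by_scheduled_task"}


def triage(events, qemu_allowed_hosts=frozenset()):
    """Return one finding per (event, rule) match. Hosts in
    qemu_allowed_hosts are exempt from the QEMU rules only; shadow copy and
    credential-store rules still apply to them."""
    findings = []
    for e in events:
        for name, technique, pred in RULES:
            if name in QEMU_RULES and e.host in qemu_allowed_hosts:
                continue
            if pred(e):
                findings.append({"host": e.host, "user": e.user, "rule": name,
                                 "technique": technique,
                                 "command_line": e.command_line})
    return findings


def hosts_by_rule(findings):
    """Group affected hosts per rule, the view an analyst pivots from."""
    out = {}
    for f in findings:
        out.setdefault(f["rule"], set()).add(f["host"])
    return out


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    ProcessEvent("DC01", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin create shadow /for=C:",
                 r"C:\Windows\System32\cmd.exe", "CORP\\svc_backup"),
    ProcessEvent("WS17", r"C:\ProgramData\qemu\qemu-system-x86_64.exe",
                 "qemu-system-x86_64.exe -m 1024 -hda vm.qcow2 -nographic",
                 r"C:\Windows\System32\svchost.exe", "NT AUTHORITY\\SYSTEM"),
    ProcessEvent("DC01", r"C:\Windows\System32\reg.exe",
                 "reg save HKLM\\SAM C:\\temp\\sam.hiv",
                 r"C:\Windows\System32\cmd.exe", "CORP\\admin"),
    ProcessEvent("WS03", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe notes.txt", r"C:\Windows\explorer.exe", "CORP\\jdoe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']:5} {f['technique']:9} {f['rule']:32} {f['command_line']}")
```

Run against the constructed events, the pass yields four findings: the shadow copy and SAM export on DC01, and two for WS17, where a QEMU binary is both present and launched from the scheduler parent. The benign notepad.exe event produces nothing. The `qemu_allowed_hosts` parameter is the caveat that matters in practice: QEMU rules are noisy on hosts where the emulator is legitimately installed, so exempt those explicitly rather than weakening the rule, and keep the shadow copy and credential-store rules in force everywhere.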