The machine emulator has been abused in at least two different campaigns distributing ransomware and remote access tools.
Threat actors have been abusing QEMU in campaigns leading to the deployment of ransomware and remote access tools, Sophos reports.
Cybercriminals are increasingly exploiting legitimate virtualization tools to evade detection, with QEMU, a widely used open-source machine emulator, emerging as a key enabler in recent attack campaigns. Security firm Sophos has reported a significant rise in malicious activity involving QEMU since late 2025, highlighting a growing trend of attackers leveraging trusted technologies to establish stealthy persistence within compromised systems.
The attacks, tracked under campaigns such as STAC4713, demonstrate how threat actors are using QEMU to create covert backdoors and maintain long-term access to enterprise environments. In these incidents, attackers deployed QEMU to run a virtual machine that established a reverse SSH tunnel, enabling them to communicate with compromised systems while bypassing traditional security controls.
Initial access in earlier stages of the campaign was achieved by targeting exposed VPN systems without multi-factor authentication, before shifting to the exploitation of CVE-2025-26399, a remote code execution vulnerability in SolarWinds Web Help Desk. Once inside, attackers established persistence by creating scheduled tasks that launched QEMU virtual machines with elevated system privileges.
These virtual environments allowed attackers to operate discreetly, executing malicious activities without directly interacting with the host system. By leveraging virtual hard disk images, they were able to initiate reverse SSH connections, effectively creating hidden communication channels for data exfiltration and remote control.
The attackers also demonstrated advanced post-exploitation techniques, including credential harvesting and system reconnaissance. By creating volume shadow copies, they accessed sensitive data such as Active Directory databases and system registry files, while using native Windows tools to explore network shares and extract valuable information.
Sophos has linked these activities to Gold Encounter, a closed cybercriminal group associated with the PayoutsKing ransomware. The group has a history of targeting virtualized environments such as VMware and ESXi systems, making QEMU an effective addition to its attack toolkit.
A second campaign, identified as STAC3725 and observed in early 2026, further highlights the evolving threat landscape. In this case, attackers exploited CVE-2025-5777, commonly known as the CitrixBleed2 vulnerability, to gain initial access. They then deployed a malicious ScreenConnect client to maintain persistence and facilitate the delivery of QEMU and associated payloads.
Once established, attackers executed operations within the virtual machine, deploying multiple tools to harvest credentials, enumerate Kerberos accounts, conduct Active Directory reconnaissance, and exfiltrate sensitive data. The use of QEMU allowed them to isolate their activities, making detection significantly more challenging for traditional security solutions.
The variation in post-exploitation activity across incidents suggests that initial access may have been obtained by one group and later sold to other threat actors, indicating the involvement of initial access brokers within the cybercrime ecosystem.
The growing abuse of QEMU underscores a broader shift in cyberattack strategies, where legitimate tools are repurposed for malicious use to evade detection. Organizations are being urged to strengthen monitoring and detection capabilities by identifying unauthorized QEMU installations, suspicious scheduled tasks, unusual port forwarding configurations, and outbound SSH connections.
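As an added illustration of the detection advice above (not part of the Sophos report or the article), the following script applies those four checks to constructed process-creation and network-connection events shaped like a Sysmon/EDR export: an approved-path allowlist for the QEMU binary, a QEMU process started from the Task Scheduler's service host as SYSTEM, a command line carrying a `hostfwd=` user-mode port forward, and an outbound connection to port 22 attributed to the QEMU process. The sample events, the approved directory and the field names are assumptions made for the example.

```python
import ntpath  # handles Windows paths correctly on any host OS

# Constructed sample events (not real telemetry), shaped like the fields a
# Sysmon/EDR process-creation ("process") or network-connection ("network")
# export carries.
EVENTS = [
    {"type": "process", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Users\\Public\\vm\\qemu-system-x86_64.exe",
     "cmdline": "qemu-system-x86_64.exe -m 1024 -drive file=disk.qcow2,format=qcow2 "
                "-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0"},
    {"type": "process", "user": "CORP\\devuser",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\qemu\\qemu-system-x86_64.exe",
     "cmdline": "\"C:\\Program Files\\qemu\\qemu-system-x86_64.exe\" -m 2048 -cdrom ubuntu.iso"},
    {"type": "network", "image": "C:\\Users\\Public\\vm\\qemu-system-x86_64.exe",
     "dest_ip": "203.0.113.10", "dest_port": 22, "initiated": True},
]

# Assumption: QEMU is only sanctioned under these directories (adjust per estate).
APPROVED_DIRS = ("c:\\program files\\qemu\\",)
SCHEDULER_HOST = "svchost.exe"  # the Task Scheduler service runs inside svchost.exe


def is_qemu(image):
    """True if the image is a QEMU system emulator binary (qemu-system-*)."""
    return ntpath.basename(image).lower().startswith("qemu-system")


def triage(event):
    """Return the list of reasons this event is suspicious (empty if none)."""
    if not is_qemu(event.get("image", "")):
        return []
    reasons = []
    if not event["image"].lower().startswith(APPROVED_DIRS):
        reasons.append("qemu binary outside approved install path")
    if event["type"] == "process":
        if "hostfwd=" in event.get("cmdline", "").lower():
            reasons.append("user-mode networking with hostfwd port forwarding")
        parent = ntpath.basename(event.get("parent", "")).lower()
        if parent == SCHEDULER_HOST and event.get("user", "").upper().endswith("SYSTEM"):
            reasons.append("launched from service host as SYSTEM (scheduled-task pattern)")
    elif event["type"] == "network":
        if event.get("initiated") and event.get("dest_port") == 22:
            reasons.append("outbound SSH connection from the QEMU process")
    return reasons


def scan(events):
    """Return (image, reasons) for every event that tripped at least one check."""
    hits = []
    for event in events:
        reasons = triage(event)
        if reasons:
            hits.append((event["image"], reasons))
    return hits
```

A developer's sanctioned QEMU launch from Explorer passes clean, while the SYSTEM-level launch with a port forward and its later SSH connection are both reported.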
As threat actors continue to innovate, the line between legitimate system tools and malicious activity is becoming increasingly blurred. The misuse of QEMU highlights the need for organizations to adopt more advanced behavioral detection strategies and maintain continuous visibility across their environments to defend against sophisticated, stealth-driven cyber threats.