Researchers reported a phishing campaign dubbed CRON#TRAP that delivers ZIP archives containing a malicious .lnk file and a concealed QEMU package to Windows victims. When opened, the shortcut launches PowerShell to unpack hidden files, execute a renamed QEMU binary as fontdiag.exe, and boot a Tiny Core Linux virtual environment stored under %HOME%\datax. The lure also displays a fake server-error image to distract users while the emulated system starts, allowing the attackers to stage malware in a way that can evade traditional Windows-focused antivirus detection.
Inside the QEMU guest, the attackers configured persistence and command-and-control by running crondx, a Go-based ELF binary assessed to be a customized Chisel client hard-coded to connect over WebSockets to 18.208.230[.]174. The Linux environment included prebuilt SSH settings, modified scripts, and aliases such as get-host-shell and get-host-user to interact with the underlying Windows host, enabling covert access, tunneling, exfiltration, and delivery of additional payloads. Securonix said the activity was not confidently attributed, but telemetry pointed mainly to the US and Europe and highlighted the campaign as an unusual use of QEMU for malware staging beyond earlier cryptomining-related abuse.

Sophos disclosed two active campaigns, STAC4713 and STAC3725, in which attackers used hidden QEMU virtual machines on Windows to evade endpoint defenses, steal credentials, and conduct reconnaissance. The report linked STAC4713 to PayoutsKing ransomware and said initial access came via exposed VPNs without MFA, SolarWinds Web Help Desk CVE-2025-26399, and CitrixBleed2 exploitation.
Securonix Threat Research published findings on the CRON#TRAP campaign, describing the use of QEMU-emulated Linux environments as a malware staging method and noting likely targeting in the US and Europe. The report said attribution remained unconfirmed and highlighted the novelty of this staging approach outside earlier cryptomining-related abuse.
Within the emulated Tiny Core Linux environment, the attackers established persistence and command-and-control by running a Go-based ELF binary named crondx, assessed as a customized Chisel client. It used encrypted WebSocket communications to connect to C2 infrastructure and enabled host interaction, exfiltration, and additional payload delivery.
In November 2024, attackers conducted a phishing campaign delivering ZIP archives with a malicious .lnk file that unpacked a concealed QEMU installation and booted a Tiny Core Linux environment on victim Windows systems. The technique used renamed legitimate software such as fontdiag.exe and hid artifacts in user directories to evade detection.
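As an added detection example (not part of the original story or of any vendor's code), the following Python scans constructed Sysmon process-creation records for the .lnk to PowerShell to renamed-QEMU chain described above. It assumes the PE version resource of the renamed binary still carries the original QEMU file name, and treats any user-profile path (generalising the story's %HOME%\datax) as a suspicious launch location; the log lines, user name and paths are invented.

```python
import json
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 (process creation) records as JSON lines, not real
# telemetry. OriginalFileName comes from the PE version resource, so it still reads
# "qemu-system-x86_64.exe" after the binary on disk has been renamed to fontdiag.exe.
SAMPLE_EVENTS = r"""
{"EventID":1,"Image":"C:\\Users\\alice\\datax\\fontdiag.exe","OriginalFileName":"qemu-system-x86_64.exe","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"EventID":1,"Image":"C:\\Program Files\\qemu\\qemu-system-x86_64.exe","OriginalFileName":"qemu-system-x86_64.exe","ParentImage":"C:\\Windows\\explorer.exe"}
{"EventID":1,"Image":"C:\\Windows\\System32\\notepad.exe","OriginalFileName":"NOTEPAD.EXE","ParentImage":"C:\\Windows\\explorer.exe"}
""".strip()

QEMU_ORIGINAL = re.compile(r"^qemu-system-\w+\.exe$", re.IGNORECASE)
# The story names %HOME%\datax; any user-profile path is treated as suspicious here
# (assumption), since a legitimate QEMU install normally lives under Program Files.
USER_PROFILE_DIR = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.IGNORECASE)

def classify(event):
    """Return the detection rule names that one process-creation event triggers."""
    hits = []
    if event.get("EventID") != 1:
        return hits
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    if not QEMU_ORIGINAL.match(original):
        return hits
    # Rule 1: the PE metadata says QEMU but the file name on disk says otherwise.
    if PureWindowsPath(image).name.lower() != original.lower():
        hits.append("renamed_qemu_binary")
    # Rule 2: QEMU executing from a user profile directory rather than an install path.
    if USER_PROFILE_DIR.match(image):
        hits.append("qemu_in_user_profile")
    # Rule 3: QEMU spawned by PowerShell, matching the .lnk -> PowerShell -> QEMU chain.
    if PureWindowsPath(event.get("ParentImage", "")).name.lower() == "powershell.exe":
        hits.append("qemu_spawned_by_powershell")
    return hits

def scan(jsonl):
    """Scan JSON-lines telemetry; return {Image: [rules]} for events that match."""
    findings = {}
    for line in filter(str.strip, jsonl.splitlines()):
        event = json.loads(line)
        rules = classify(event)
        if rules:
            findings[event["Image"]] = rules
    return findings
```

Running scan(SAMPLE_EVENTS) flags only the fontdiag.exe launch, on all three rules, while the legitimate Program Files install stays silent; the Chisel traffic itself is not visible here because it originates inside the guest, so network detections would key on the QEMU process's outbound connections instead.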
Sources: techradar.com; securonix.com; contagiodump.blogspot.com