Kaspersky reported an intrusion at a large enterprise in which attackers repurposed the open-source hypervisor QEMU as a stealthy tunneling tool to move traffic across segmented systems. The operators launched a minimal virtual machine with about 1 MB of RAM, no disk image, and no graphical interface, then used QEMU to create virtual network interfaces and a socket-based network device that forwarded traffic from an internal host to attacker-controlled infrastructure. The tunnel linked a victim system without direct internet access to a pivot host that could reach the internet, and then on to a cloud server hosting a Kali Linux virtual machine.
The activity stood out because defenders more commonly watch for tunneling utilities such as FRP, ngrok, and Cloudflare Tunnel, while QEMU can blend into legitimate virtualization activity and attract less scrutiny. In the same compromise, the attackers also used Angry IP Scanner for internal reconnaissance and mimikatz for credential theft, showing how legitimate administration and offensive tools were combined for lateral movement and persistence. The reporting highlights the need for layered detection across endpoints and networks, including monitoring for unusual QEMU execution, unexpected virtual interfaces, and traffic paths that bridge isolated network segments.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
Kaspersky publicly documented the unusual use of QEMU as a stealthy network tunneling tool, explaining how attackers launched a minimal VM to establish covert connectivity while blending in with legitimate virtualization activity. The report highlighted the technique as an alternative to more commonly scrutinized tunneling tools such as FRP, ngrok, and Cloudflare Tunnels.
During a cyberattack against a large company, threat actors abused the open-source hypervisor QEMU to create a covert tunnel between an internal host without internet access, a pivot host with internet access, and an attacker-controlled remote server. The intrusion also involved Angry IP Scanner for reconnaissance and mimikatz for credential theft.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.