Sophos, a prominent cybersecurity firm, has reported a significant uptick in the abuse of QEMU by threat actors to facilitate ransomware and remote access tool (RAT) campaigns. The technique involves utilizing QEMU, an open-source machine emulator and virtualizer, to create hidden virtual machines (VMs) that serve as covert reverse SSH backdoors. This method allows malicious activity to remain largely invisible to endpoint security controls and leaves minimal forensic evidence on the host system.
Sophos analysts have been investigating this trend, noting that attackers are drawn to QEMU and other hypervisor-based virtualization tools like Hyper-V, VirtualBox, and VMware due to the limited visibility security tools have into activity within a VM.
The firm has identified two distinct active campaigns employing QEMU for defense evasion. One campaign, designated STAC4713 and first observed in November 2025, utilizes QEMU to establish reverse SSH tunnels. These tunnels are then used to deliver additional tools, harvest domain credentials, and ultimately deploy the PayoutsKing ransomware. This operation involves port forwarding from non-standard ports to SSH port 22, with the virtual machine running an Alpine Linux image containing utilities such as AdaptixC2, Rclone, and a custom WireGuard obfuscator. Data exfiltration following Active Directory file dumps using native Windows commands has also been observed.
The STAC4713 campaign has been linked to the financially motivated GOLD ENCOUNTER group. Sophos analysis indicates that PayoutsKing operators do not operate under a ransomware-as-a-service (RaaS) model, suggesting that tactical differences across observed incidents are due to deliberate attacker choices.
A second campaign, STAC3725, emerged in February 2026. Initial access in this campaign was gained by exploiting the CitrixBleed2 vulnerability in NetScaler appliances, followed by the installation of a malicious ScreenConnect client for persistence. Attackers then deployed a QEMU virtual machine containing a custom disk image and a range of open-source tools for enumeration and credential theft, including Impacket, BloodHound, and Kerbrute. Subsequent activities have included browser data extraction and the disabling of security features.
The use of hidden VMs enables long-term access, credential harvesting, data exfiltration, and ransomware deployment. Sophos advises organizations to review systems for unauthorized QEMU installations, unexpected scheduled tasks, and unusual SSH tunneling activity. Monitoring for virtual disk files with atypical extensions and outbound connections from virtualization processes can assist in identifying such intrusions.
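The hunting advice above can be turned into a simple triage check. The following is an added example, not Sophos tooling or code from the report: it runs over constructed process and connection records and flags unexpected QEMU processes, host-to-guest port forwarding that lands on SSH port 22, disk images with atypical extensions, and outbound connections from virtualization processes. It assumes the forwarding is expressed through QEMU's user-mode `hostfwd=` option (the report only says ports were forwarded to port 22) and that the list of expected image extensions is a reasonable baseline for a site to tune.

```python
import re
import ntpath

# Assumed baseline of disk-image extensions a legitimate QEMU deployment would use.
EXPECTED_IMAGE_EXT = {".qcow2", ".qcow", ".img", ".raw", ".vmdk", ".vdi", ".vhd", ".vhdx", ".iso"}

# hostfwd=[tcp|udp]:[hostaddr]:hostport-[guestaddr]:guestport
HOSTFWD_RE = re.compile(r"hostfwd=(?:tcp|udp):[^:\s,]*:(\d+)-[^:\s,]*:(\d+)")
# Disk image given via -drive file=..., -hda/-hdb/-hdc/-hdd or -cdrom.
DRIVE_RE = re.compile(r"(?:-drive\s+\S*?file=|-hd[abcd]\s+|-cdrom\s+)([^,\s]+)")

def is_virtualization_process(name):
    # Only qemu-system-* is matched here; extend for other hypervisors as needed.
    return name.lower().startswith("qemu-system")

def analyze_command_line(cmd):
    """Return findings for one QEMU command line (empty list if nothing suspicious)."""
    findings = []
    for host_port, guest_port in HOSTFWD_RE.findall(cmd):
        if guest_port == "22" and host_port != "22":
            findings.append(f"hostfwd {host_port}->22: host port forwarded to guest SSH")
    for path in DRIVE_RE.findall(cmd):
        if ntpath.splitext(path)[1].lower() not in EXPECTED_IMAGE_EXT:
            findings.append(f"disk image with atypical extension: {path}")
    return findings

def hunt(processes, connections):
    """processes: (name, command_line); connections: (name, remote_addr, remote_port)."""
    results = []
    for name, cmd in processes:
        if is_virtualization_process(name):
            results.append(f"{name}: unexpected virtualization process on host")
            results.extend(f"{name}: {f}" for f in analyze_command_line(cmd))
    for name, addr, port in connections:
        if is_virtualization_process(name):
            results.append(f"{name}: outbound connection to {addr}:{port}")
    return results

# Constructed sample telemetry (not real incident data); 203.0.113.0/24 is a documentation range.
SAMPLE_PROCESSES = [
    ("qemu-system-x86_64.exe",
     r"qemu-system-x86_64.exe -m 512 -drive file=C:\Users\Public\Music\track.dat,format=raw "
     r"-netdev user,id=n0,hostfwd=tcp::44173-:22 -device e1000,netdev=n0 -nographic"),
    ("explorer.exe", "explorer.exe"),
]
SAMPLE_CONNECTIONS = [
    ("qemu-system-x86_64.exe", "203.0.113.10", 443),
    ("chrome.exe", "198.51.100.5", 443),
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_PROCESSES, SAMPLE_CONNECTIONS):
        print(line)
```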