QEMU abused to evade detection and enable ransomware delivery
Threat actors are actively abusing the QEMU hardware emulator to create hidden virtual machines on compromised hosts, effectively shielding their attack toolkits from endpoint detection and response (EDR) solutions. Recent campaigns, including those linked to the PayoutsKing ransomware group, leverage this technique alongside vulnerability exploitation and legitimate remote access tools to establish persistence, harvest credentials, and exfiltrate data.
Authors: Morgan Demboski
Source: Sophos
- domain: vtps[[.]]us - Malicious ScreenConnect relay server associated with STAC3725
- sha256: 61c14c01460810f6f5f760daf8edbda82eea908b1a95052f8e0f9c4162c2900c - QEMU malicious disk image containing attacker tools (bisrv.dll) associated with STAC4713
- sha256: 7ae413b76424508055154ee262c7567705dc1ac00607f5ac2e43d032221b34b3 - AdaptixC2 agent associated with STAC4713
- sha256: c6b848c6a61685724fa9e2b3f6e3a118323ee0c165d1aa8c8a574205a4c4be59 - QEMU malicious disk image containing attacker tools (vault.db) associated with STAC4713
Key Takeaways
- Threat actors are increasingly abusing QEMU to run malicious tools within hidden VMs, effectively bypassing host-based endpoint security controls.
- Campaign STAC4713 uses QEMU as a reverse SSH backdoor to deliver tools and harvest credentials, and is linked to PayoutsKing ransomware.
- Campaign STAC3725 exploits CitrixBleed2 to deploy a malicious ScreenConnect client and a QEMU VM for extensive network enumeration and credential theft.
- Attackers are disguising QEMU virtual disk images with uncommon extensions like .db, .dll, and .qcow2.
- Vulnerable drivers (BYOVD) and native tools (vssuirun.exe, print) are being abused to disable defenses and dump Active Directory databases.
Affected Systems
- Windows
- Active Directory
- SonicWall VPNs
- SolarWinds Web Help Desk
- Citrix NetScaler
Vulnerabilities (CVEs)
- CVE-2025-26399
- CVE-2025-7775
Attack Chain
Attackers gain initial access by exploiting edge device vulnerabilities (CVE-2025-26399, CVE-2025-7775) or exposed VPNs. They establish persistence using scheduled tasks or malicious ScreenConnect clients, subsequently deploying a QEMU virtual machine disguised as a database or DLL file. Inside this hidden VM, they run an Alpine Linux environment loaded with attack tools (AdaptixC2, Impacket, BloodHound) to perform network reconnaissance, dump credentials via VSS, and exfiltrate data. Finally, the access is either monetized directly via PayoutsKing ransomware deployment or sold to other threat actors.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: Yes
- Platforms: Sophos
Sophos provides proprietary detection names (e.g., win-eva-prc-susp-qemu-1, WIN-DET-CREDS-NTDS-DUMP-FILE-1[2]) for identifying QEMU usage, credential dumping, and AdaptixC2.
Detection Engineering Assessment
- EDR Visibility: Low — Malicious activity occurs inside the QEMU virtual machine, which is opaque to host-based EDR agents. Visibility is limited to the initial launch of the VM and host-level file/network artifacts.
- Network Visibility: Medium — Network traffic originates from the host, allowing detection of reverse SSH tunnels on non-standard ports and connections to known C2 IPs, though the traffic itself is encrypted.
- Detection Difficulty: Hard — The use of legitimate hypervisors (QEMU) and remote access tools (ScreenConnect) blends in with administrative activity, and the core malicious behavior is hidden inside the VM.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon 1)
- Network Connections (Sysmon 3)
- Scheduled Task Creation (Event ID 4698)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for qemu-system-x86_64.exe executing with unusual command-line arguments pointing to non-standard disk image extensions (.db, .dll). | Process Creation | Defense Evasion | Low |
| Identify scheduled tasks created with names like 'TPMProfiler' that execute binaries out of unusual directories. | Scheduled Task Creation | Persistence | Low |
| Monitor for the print command being used in conjunction with vssuirun.exe or targeting sensitive files like NTDS.dit, SAM, or SYSTEM hives. | Process Creation | Credential Access | Low |
| Detect outbound network connections over port 22 (SSH) originating from unexpected processes or non-standard local ports (e.g., 32567, 22022). | Network Connections | Command and Control | Medium |
| Look for ADNotificationManager.exe executing from non-standard directories, indicating potential DLL sideloading of vcruntime140_1.dll. | Process Creation | Defense Evasion | Low |
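The five hunting hypotheses in the table above, implemented as one pass over constructed Sysmon-style process-creation, network-connection and 4698 scheduled-task events. This is example code added to this summary, not Sophos' detection content; the event field names, the SSH-client and directory allowlists, the Office install path for ADNotificationManager.exe and the 10-minute vssuirun-to-print window are assumptions to tune for your environment. It also correlates the "vssuirun.exe execution followed by print command" behavioral indicator per host, which the table states only as a co-occurrence.

```python
"""Hunting logic for the QEMU/VSS/ScreenConnect hypotheses, run over
constructed telemetry. Added example; not Sophos' detection content."""
import re
from dataclasses import dataclass

# Extensions the report says were used to disguise QEMU disk images.
# .qcow2 is QEMU's native format, so that match also fires on legitimate
# QEMU; reconcile hits against the authorized-hypervisor inventory.
DISGUISED_IMAGE_EXT = (".db", ".dll", ".qcow2")
# Artefacts named in the report for the VSS-based credential copy.
SENSITIVE_FILES = ("ntds.dit", "\\config\\sam", "\\config\\system",
                   "harddiskvolumeshadowcopy")
SUSPICIOUS_TASK_NAMES = ("tpmprofiler",)
# Assumed, environment-specific allowlists (not from the report).
EXPECTED_SSH_CLIENTS = ("ssh.exe", "putty.exe", "plink.exe", "winscp.exe")
USER_WRITABLE_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
LEGIT_ADNM_DIRS = ("c:\\program files\\",)  # assumed Office install root
VSS_TO_PRINT_WINDOW = 600  # seconds; assumed correlation window


@dataclass
class Hit:
    rule: str
    stage: str
    host: str
    detail: str


def image_name(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return Hit records for events matching the hunting hypotheses."""
    hits = []
    last_vssuirun = {}  # host -> timestamp of most recent vssuirun.exe
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, kind = ev["host"], ev["type"]
        if kind == "ProcessCreate":
            img = image_name(ev["Image"])
            path = ev["Image"].lower()
            cmd = ev.get("CommandLine", "").lower()
            if img == "qemu-system-x86_64.exe":
                # Split on whitespace, commas and '=' so 'file=vault.db,format=raw'
                # yields the bare image path token.
                tokens = re.split(r"[\s,=\"']+", cmd)
                if any(t.endswith(DISGUISED_IMAGE_EXT) for t in tokens):
                    hits.append(Hit("qemu_disguised_disk_image", "Defense Evasion", host, cmd))
                if ev.get("User", "").lower() == "nt authority\\system":
                    hits.append(Hit("qemu_running_as_system", "Defense Evasion", host, cmd))
            elif img == "vssuirun.exe":
                last_vssuirun[host] = ev["ts"]
            elif img in ("print.exe", "print"):
                recent_vss = (host in last_vssuirun
                              and ev["ts"] - last_vssuirun[host] <= VSS_TO_PRINT_WINDOW)
                if recent_vss or any(s in cmd for s in SENSITIVE_FILES):
                    hits.append(Hit("print_after_vss_or_sensitive_file",
                                    "Credential Access", host, cmd))
            elif img == "adnotificationmanager.exe" and not path.startswith(LEGIT_ADNM_DIRS):
                hits.append(Hit("adnotificationmanager_unusual_path",
                                "Defense Evasion", host, path))
        elif kind == "NetworkConnect":
            if ev["DestinationPort"] == 22 and image_name(ev["Image"]) not in EXPECTED_SSH_CLIENTS:
                hits.append(Hit("ssh_from_unexpected_process", "Command and Control",
                                host, ev["Image"]))
        elif kind == "ScheduledTaskCreate":  # Windows Event ID 4698
            name = ev["TaskName"].strip("\\").lower()
            command = ev["Command"].lower().strip('"')
            if name in SUSPICIOUS_TASK_NAMES or command.startswith(USER_WRITABLE_DIRS):
                hits.append(Hit("suspicious_scheduled_task", "Persistence",
                                host, f"{name}: {command}"))
    return hits


# Constructed sample telemetry (not captured data); ts is epoch seconds.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "WS01", "type": "ScheduledTaskCreate", "TaskName": "\\TPMProfiler",
     "Command": "C:\\Users\\Public\\qemu\\qemu-system-x86_64.exe"},
    {"ts": 101, "host": "WS01", "type": "ProcessCreate", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Users\\Public\\qemu\\qemu-system-x86_64.exe",
     "CommandLine": "qemu-system-x86_64.exe -m 512 -drive file=vault.db,format=raw -nographic"},
    {"ts": 102, "host": "WS01", "type": "NetworkConnect",
     "Image": "C:\\Users\\Public\\qemu\\qemu-system-x86_64.exe", "DestinationPort": 22},
    {"ts": 300, "host": "DC01", "type": "ProcessCreate", "User": "CORP\\admin",
     "Image": "C:\\Windows\\System32\\vssuirun.exe", "CommandLine": "vssuirun.exe"},
    {"ts": 330, "host": "DC01", "type": "ProcessCreate", "User": "CORP\\admin",
     "Image": "C:\\Windows\\System32\\print.exe",
     "CommandLine": "print.exe \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit"},
    # Benign activity that must not fire.
    {"ts": 400, "host": "WS02", "type": "NetworkConnect",
     "Image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe", "DestinationPort": 22},
    {"ts": 401, "host": "WS02", "type": "ProcessCreate", "User": "CORP\\jdoe",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Client\\ADNotificationManager.exe",
     "CommandLine": "ADNotificationManager.exe"},
    {"ts": 402, "host": "WS02", "type": "ScheduledTaskCreate",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "Command": "C:\\Windows\\System32\\defrag.exe"},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"[{h.stage}] {h.rule} on {h.host}: {h.detail}")
```

On the constructed sample the pass yields five hits on WS01 and DC01 and none for the benign WS02 events. The SSH rule is the noisiest of the five (the table rates it Medium FP risk), so the allowlist of expected SSH clients is the first thing to extend; the VSS-to-print correlation is scoped per host and ordered by timestamp, so events from different hosts never pair up.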
Control Gaps
- Host-based EDR introspection into virtualized environments
- MFA on legacy VPNs
Key Behavioral Indicators
- qemu-system-x86_64.exe running under SYSTEM
- vssuirun.exe execution followed by print command
- ScreenConnect client creating .zip files in Documents folder
False Positive Assessment
- Medium
Recommendations
Immediate Mitigation
- Block known C2 IP addresses and domains at the perimeter.
- Search for and isolate hosts running unauthorized instances of QEMU or ScreenConnect.
- Review scheduled tasks for 'TPMProfiler' or tasks launching QEMU.
Infrastructure Hardening
- Enforce MFA on all external-facing VPNs and remote access portals.
- Patch edge devices against known vulnerabilities (CVE-2025-26399, CVE-2025-7775).
- Restrict outbound SSH traffic to authorized jump hosts only.
User Protection
- Implement application control to block unauthorized execution of hypervisors like QEMU.
- Deploy EDR in block mode for known vulnerable drivers (BYOVD).
Security Awareness
- Train IT staff to recognize social engineering attempts impersonating IT support via Microsoft Teams.
- Educate users on the risks of downloading unsolicited remote assistance tools like QuickAssist.
MITRE ATT&CK Mapping
- T1564.006 - Hide Artifacts: Run Virtual Instance
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1053.005 - Scheduled Task/Job: Scheduled Task
- T1003.003 - OS Credential Dumping: NTDS
- T1572 - Protocol Tunneling
- T1190 - Exploit Public-Facing Application
- T1574.002 - Hijack Execution Flow: DLL Side-Loading
- T1068 - Exploitation for Privilege Escalation
Additional IOCs
- IPs:
  - 194[.]110[.]172[.]152 - Suspected C2 server; destination of an SSH reverse tunnel associated with STAC4713
  - 98[.]81[.]138[.]214 - Suspected C2 server; destination of SSH reverse tunnel established by vault.db file associated with STAC4713
  - 158[.]158[.]0[.]165 - Suspected C2 server; destination of SSH reverse tunnel established by vault.db file associated with STAC4713
- File Hashes:
  - 25e4d0eacff44f67a0a9d13970656cf76e5fd78c (SHA1) - AdaptixC2 agent associated with STAC4713
  - f7a11aeaa4f0c748961bbebb2f9e12b6 (MD5) - AdaptixC2 agent associated with STAC4713
  - f3194018d60645e43afabac33ceb4e852f95241b410cd726b1c40e3021589937 (SHA256) - AdaptixC2 agent associated with STAC4713
  - 6c09b0d102361888daa7fa4f191f603a19af47cb (SHA1) - AdaptixC2 agent associated with STAC4713
  - b752ebfc1004f2c717609145e28243f3 (MD5) - AdaptixC2 agent associated with STAC4713
  - 66dc383e9e0852523fe50def0851b9268865f779 (SHA1) - QEMU malicious disk image containing attacker tools (vault.db) associated with STAC4713
  - a65f0144101d93656c5f9ad445b3993336e1f295a838351aeca6332c0949b463 (SHA256) - Legitimate QEMU executable (qemu-system-x86_64.exe) associated with STAC4713 and STAC3725
  - 903edad58d54f056bd94c8165cc20e105b054fa8 (SHA1) - Legitimate QEMU executable (qemu-system-x86_64.exe) associated with STAC4713 and STAC3725
  - b186baf2653c6c874e7b946647b048cc (MD5) - Legitimate QEMU executable (qemu-system-x86_64.exe) associated with STAC4713 and STAC3725
  - 3a33b5bceb1eba4cc749534b03dd245f965d8f200aa02392baad78f5021a20ff (SHA256) - Custom WireGuard traffic proxy binary (wg-obfuscator) associated with STAC4713
  - 8c8e75dc4b4e1f201b56133a00fa9d1d711ccb50 (SHA1) - Custom WireGuard traffic proxy binary (wg-obfuscator) associated with STAC4713
  - 6f55743091410dad6cdb0b7e474f03e7 (MD5) - Custom WireGuard traffic proxy binary (wg-obfuscator) associated with STAC4713
- Registry Keys:
  - WDigest - Registry key added by attackers to store credentials in plaintext
- File Paths:
  - C:\Users\<username>\Documents\ScreenConnect\Files\qemu_custom.zip - ZIP archive containing QEMU executable and disk image
  - qemu-system-x86_64.exe - Legitimate QEMU executable abused to run hidden VMs
  - vault.db - Disguised QEMU virtual hard disk image
  - bisrv.dll - Disguised QEMU virtual hard disk image
  - custom.qcow2 - QEMU virtual disk image containing Alpine Linux
  - vcruntime140_1.dll - Havoc C2 payload sideloaded via ADNotificationManager.exe
  - K7RKScan_1516.sys - Vulnerable kernel driver installed by attackers
  - vssuirun.exe - Volume Shadow Copy Service UI abused to create snapshots
  - ADNotificationManager.exe - Legitimate binary abused for DLL sideloading
- Command Lines:
  - Purpose: Launch QEMU VM via scheduled task | Tools: schtasks, qemu-system-x86_64.exe | Stage: Execution/Persistence | Command line: qemu-system-x86_64.exe
  - Purpose: Copy Active Directory database and registry hives from VSS snapshot | Tools: print, vssuirun.exe | Stage: Credential Access | Command line: print