Threat actors have been abusing QEMU in campaigns leading to the deployment of ransomware and remote access tools, Sophos reports.
QEMU is a cross-platform, open source machine emulator and virtualizer that lets a user run a guest virtual machine (VM) on top of the host operating system.
In recent years, security researchers have documented several malicious campaigns that used QEMU to establish covert communication channels and deploy backdoors, and Sophos now says it has observed an uptick in such abuse since late 2025.
As part of a campaign first observed in November 2025, tracked as STAC4713 and potentially linked to the PayoutsKing ransomware, threat actors used the machine emulator as a covert reverse SSH backdoor for payload delivery and credential harvesting.
At first, the hackers targeted exposed SonicWall VPNs that lacked MFA for initial access, but later switched to exploiting CVE-2025-26399, a remote code execution (RCE) vulnerability in SolarWinds Web Help Desk.
The attackers created a scheduled task that launched a QEMU VM with SYSTEM privileges, which also served as their persistence mechanism. Once the VM booted, the guest on the virtual hard disk image established an outbound reverse SSH tunnel, giving the threat actors direct access to the VM.
Sophos observed the attackers creating a volume shadow copy snapshot, copying the Active Directory database and the SAM and SYSTEM hives to temporary folders, and performing network share discovery and file access using native Windows tools.
The cybersecurity firm attributes the attacks to Gold Encounter, a closed hacking group operating the PayoutsKing ransomware. The gang is known to target VMware ESXi environments for encryption.
In February 2026, Sophos observed a second campaign abusing QEMU. Tracked as STAC3725, it relied on the exploitation of CVE-2025-5777 (the CitrixBleed 2 bug in NetScaler) for initial access and on a malicious ScreenConnect client for persistence.
Following the NetScaler exploitation, the attackers created a service, installed the remote access tool, used it to retrieve QEMU and a virtual disk image, and then ran the rest of the attack manually from inside the VM.
The hackers were observed deploying roughly a dozen tools and libraries, harvesting credentials, enumerating Kerberos usernames, performing Active Directory reconnaissance, staging payloads, and exfiltrating data.
“Follow-on activity differed across intrusions, suggesting that initial access brokers originally compromised the victims’ environments and then sold the access to other threat actors,” Sophos notes.
Organizations are advised to hunt for unauthorized QEMU installations, rogue scheduled tasks, unusual port forwarding rules, and outbound SSH tunnels, any of which could reveal a compromise.
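The following PowerShell hunt is an added example, not part of the Sophos report or its tooling. It covers the four indicators listed above on a Windows host: QEMU binaries outside a sanctioned location, scheduled tasks whose action launches QEMU or an SSH client (and the account they run as, since the STAC4713 task ran as SYSTEM), port forwarding rules persisted by netsh portproxy, and established outbound connections owned by a QEMU or SSH process or bound for port 22. The sanctioned path and the process-name pattern are assumptions to adjust for your environment.

```powershell
# Added example (not from the Sophos report): host-side hunt for the QEMU abuse pattern
# described above. Run from an elevated PowerShell 5.1+ session on a Windows host.
# $SanctionedQemuPaths and $SuspectProcess are assumptions; adjust them for your estate.

$SanctionedQemuPaths = @('C:\Program Files\qemu\')   # assumption: where QEMU is allowed, if anywhere
$SuspectProcess      = '^(qemu-system-[a-z0-9_]+|qemu-img|ssh|plink)$'
$findings            = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. QEMU binaries anywhere on the system drive outside the sanctioned path.
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -File -Include 'qemu-system-*.exe', 'qemu-img.exe' -ErrorAction SilentlyContinue |
    Where-Object {
        $full = $_.FullName
        -not ($SanctionedQemuPaths | Where-Object { $full.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) })
    } |
    ForEach-Object { Add-Finding 'QEMU binary outside sanctioned path' $_.FullName }

# 2. Scheduled tasks whose action launches QEMU, an SSH client, or a disk image, and the principal they run as.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
        if ($cmd -match 'qemu|\bssh\b|plink|\.qcow2\b|\.vmdk\b|\.img\b') {
            Add-Finding 'Scheduled task' ("{0}{1} (runs as {2}): {3}" -f $task.TaskPath, $task.TaskName, $task.Principal.UserId, $cmd)
        }
    }
}

# 3. Port forwarding rules created with 'netsh interface portproxy'. They are persisted under
#    this registry key (e.g. ...\PortProxy\v4tov4\tcp), so reading it avoids parsing netsh output.
#    Value name is "listenaddress/listenport", value data is "connectaddress/connectport".
$proxyRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy'
if (Test-Path $proxyRoot) {
    Get-ChildItem -Path $proxyRoot -Recurse | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            Add-Finding 'Portproxy rule' ("{0}: listen {1} -> connect {2}" -f $key.PSChildName, $name, $key.GetValue($name))
        }
    }
}

# 4. Established TCP sessions owned by a QEMU or SSH process, or to remote port 22.
#    With QEMU's default user-mode (NAT) networking, the guest's reverse SSH tunnel shows up on the
#    host as a connection owned by qemu-system-*.exe, not ssh.exe, so match on the owning process too.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    $conn = $_
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    if ($conn.RemotePort -eq 22 -or ($proc -and $proc.Name -match $SuspectProcess)) {
        Add-Finding 'Outbound connection' ("{0} (PID {1}) {2}:{3} -> {4}:{5}" -f $proc.Name, $conn.OwningProcess, $conn.LocalAddress, $conn.LocalPort, $conn.RemoteAddress, $conn.RemotePort)
    }
}

if ($findings.Count -eq 0) { 'No QEMU-related indicators found.' } else { $findings | Format-Table -AutoSize -Wrap }
```

Two caveats when reading the output. A reverse tunnel need not use port 22, so the process-name match in step 4 matters more than the port match; and a QEMU binary renamed by the attacker will evade step 1, which is why the scheduled-task and connection checks look at behaviour rather than file names. Findings from step 3 deserve a second look even when they appear legitimate, since portproxy rules are rarely used on workstations.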