Citrix and VMware: Attackers Turn QEMU Into a Stealth Backdoor for Credential Theft and Ransomware

Threat Actors Weaponize QEMU as Covert Backdoor for Ransomware and Credential Theft

Cybercriminals are increasingly abusing QEMU, a legitimate open-source virtualization tool, to bypass endpoint security and deploy ransomware or steal credentials undetected. By running malicious operations inside hidden virtual machines (VMs), attackers exploit a critical blind spot: security tools on the host system cannot inspect activity within the VM, leaving minimal forensic traces.

Sophos researchers have identified two active campaigns leveraging this technique since late 2025:

  1. STAC4713 (November 2025) – Linked to the PayoutsKing ransomware group (GOLD ENCOUNTER), which operates independently (not as a ransomware-as-a-service). The group targets VMware and ESXi hypervisors, using QEMU to execute attacks. The infection chain begins with a scheduled task ("TPMProfiler") running QEMU under the SYSTEM account, booting from a disguised virtual disk (initially vault.db, later bisrv.dll). The VM establishes a reverse SSH tunnel via custom ports (32567, 22022) to port 22, creating a persistent backdoor. Tools inside the VM include AdaptixC2, Linker2, and a WireGuard obfuscator (wg-obfuscator).

  2. STAC3725 (February 2026) – Exploits the CitrixBleed2 vulnerability (CVE-2025-5777) for initial access, then deploys a malicious ScreenConnect client for persistence. Attackers manually compile a toolkit inside the QEMU VM, including Impacket, KrbRelayX, BloodHound.py, NetExec, and Metasploit, to harvest credentials, enumerate Active Directory, and stage payloads via FTP.
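A host-side triage heuristic for the STAC4713 pattern described above (QEMU launched as SYSTEM from a scheduled task, booting a disk image disguised with a non-disk extension such as vault.db or bisrv.dll), written as an added example that is not from the article or from Sophos. The sample events are constructed and modelled on Sysmon process-creation fields; only the file names and the TPM-themed path echo the article.

```python
import re

# Constructed sample process-creation events (Sysmon EID 1 style fields).
# vault.db / bisrv.dll and the "TPM" theme come from the article; paths are invented.
SAMPLE_EVENTS = [
    {"User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "Image": "C:\\ProgramData\\TPM\\qemu-system-x86_64.exe",
     "CommandLine": "qemu-system-x86_64.exe -m 2048 -hda C:\\ProgramData\\TPM\\vault.db -display none"},
    {"User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "Image": "C:\\ProgramData\\TPM\\qemu-system-x86_64.exe",
     "CommandLine": "qemu-system-x86_64.exe -drive file=C:\\ProgramData\\TPM\\bisrv.dll,format=qcow2 -nographic"},
    {"User": "CORP\\alice",                      # benign developer VM for contrast
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files\\qemu\\qemu-system-x86_64.exe",
     "CommandLine": "qemu-system-x86_64.exe -m 4096 -hda D:\\vms\\ubuntu.qcow2"},
]

# A renamed QEMU binary evades the image check; the command-line checks below still apply.
QEMU_IMAGE = re.compile(r"qemu-system-[a-z0-9_]+(\.exe)?$", re.I)
DISK_EXTENSIONS = {"qcow2", "qcow", "img", "raw", "vmdk", "vdi", "vhd", "vhdx", "iso"}
# Matches "-hda PATH", "-cdrom PATH" and "-drive ...file=PATH,..." forms.
DISK_ARG = re.compile(r"(?:-hda|-hdb|-cdrom)\s+(\S+)|-drive\s+\S*?file=([^,\s]+)", re.I)

def disk_paths(cmdline):
    """Return every disk-image path passed on a QEMU command line."""
    return [a or b for a, b in DISK_ARG.findall(cmdline)]

def score_event(ev):
    """Return the reasons a QEMU process-creation event looks like hidden-VM abuse."""
    reasons = []
    if not QEMU_IMAGE.search(ev["Image"]):
        return reasons
    if ev["User"].upper().endswith("\\SYSTEM"):
        reasons.append("qemu running as SYSTEM")
    if ev["ParentImage"].lower().endswith("svchost.exe"):
        reasons.append("launched by svchost (consistent with a scheduled task)")
    for path in disk_paths(ev["CommandLine"]):
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if ext not in DISK_EXTENSIONS:
            reasons.append(f"disk image with non-disk extension: {path}")
    if re.search(r"-display\s+none|-nographic", ev["CommandLine"]):
        reasons.append("headless VM (no display)")
    return reasons

def triage(events, min_reasons=3):
    """Pair each suspicious event's image path with its reasons, above a threshold."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev["Image"], reasons))
    return hits
```

The threshold keeps an interactive developer VM out of the alert while the two SYSTEM-launched headless VMs booting .db and .dll files score on every signal.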

Both campaigns demonstrate a growing trend of virtualization-based evasion, where trusted tools like QEMU are repurposed to conceal malicious activity. The technique’s stealth and lack of detectable artifacts make it particularly challenging for defenders to identify and mitigate in real time.

Source: https://cybersecuritynews.com/attackers-turn-qemu-into-a-stealth-backdoor/

Citrix cybersecurity rating report: https://www.rankiteo.com/company/citrix

VMware cybersecurity rating report: https://www.rankiteo.com/company/vmware

"id": "CITVMW1776702564",
"linkid": "citrix, vmware",
"type": "Vulnerability",
"date": "11/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'attack_vector': ['virtualization-based evasion',
                   'scheduled task (TPMProfiler)',
                   'CitrixBleed2 vulnerability (CVE-2025-5777)',
                   'malicious ScreenConnect client'],
 'data_breach': {'data_encryption': 'yes (ransomware)',
                 'sensitivity_of_data': 'high',
                 'type_of_data_compromised': ['credentials',
                                              'Active Directory data']},
 'description': 'Cybercriminals are increasingly abusing QEMU, a legitimate '
                'open-source virtualization tool, to bypass endpoint security '
                'and deploy ransomware or steal credentials undetected. By '
                'running malicious operations inside hidden virtual machines '
                '(VMs), attackers exploit a critical blind spot where security '
                'tools on the host system cannot inspect activity within the '
                'VM, leaving minimal forensic traces.',
 'impact': {'data_compromised': ['credentials',
                                 'Active Directory enumeration data'],
            'identity_theft_risk': 'high',
            'systems_affected': ['VMware and ESXi hypervisors',
                                 'Windows systems with QEMU']},
 'initial_access_broker': {'backdoors_established': ['reverse SSH tunnel',
                                                     'malicious ScreenConnect '
                                                     'client'],
                           'entry_point': ['scheduled task (TPMProfiler)',
                                           'CitrixBleed2 vulnerability '
                                           '(CVE-2025-5777)']},
 'motivation': ['financial gain', 'credential harvesting'],
 'post_incident_analysis': {'root_causes': ['abuse of legitimate '
                                            'virtualization tools (QEMU)',
                                            'lack of visibility into VM '
                                            'activity']},
 'ransomware': {'data_encryption': 'yes', 'ransomware_strain': 'PayoutsKing'},
 'references': [{'source': 'Sophos researchers'}],
 'threat_actor': ['STAC4713 (GOLD ENCOUNTER)', 'STAC3725'],
 'title': 'Threat Actors Weaponize QEMU as Covert Backdoor for Ransomware and '
          'Credential Theft',
 'type': ['ransomware', 'credential theft'],
 'vulnerability_exploited': ['CVE-2025-5777']}