QEMU
QEMU is an open-source machine emulator and virtualization tool that attackers have abused as part of intrusion activity to run hidden virtual machines on compromised systems. In the reported campaigns, adversaries used QEMU to execute malicious tooling inside isolated guest environments that were largely invisible to host-based endpoint defenses, enabling stealthy post-compromise operations with minimal evidence on the host.
Sophos documented two campaigns using this technique. In STAC4713, linked to the Payouts King ransomware operation and associated with the GOLD ENCOUNTER threat group, attackers created a scheduled task named TPMProfiler to launch a hidden QEMU virtual machine as SYSTEM. The VM booted from disguised virtual disk images masquerading first as database files and later as DLL files, ran Alpine Linux 3.22.0, and contained tools including AdaptixC2, Chisel, BusyBox, and Rclone.
From inside the VM the attackers established reverse SSH tunnels and port forwarding for covert remote access and collected domain credentials. On the Windows host they used built-in utilities for file access and network discovery, created shadow copies via vssuirun.exe, copied NTDS.dit and the SAM and SYSTEM hives over SMB, and exfiltrated data with Rclone to a remote SFTP location.
Initial access observed in this campaign included exposed SonicWall VPNs without MFA, exploitation of SolarWinds Web Help Desk CVE-2025-26399, exposed Cisco SSL VPNs, and Microsoft Teams social engineering that abused Quick Assist. Sophos linked the activity to Payouts King, which appears to target hypervisors and deploy tooling across VMware ESXi systems; Zscaler assessed that Payouts King is likely tied to former BlackBasta affiliates.
In STAC3725, attackers exploited CitrixBleed2 / CVE-2025-5777 against NetScaler ADC and Gateway devices, then installed remote access software including ScreenConnect and deployed QEMU to launch a hidden Alpine Linux VM from a custom.qcow2 disk image. The intrusion also involved a malicious executable that installed a service named AppMgmt and created a local administrator account named CtxAppVCOMService. Inside the VM, the attackers manually installed and compiled post-exploitation tools including Impacket, KrbRelayx, Coercer, BloodHound.py, NetExec, Kerbrute, and Metasploit. Observed activity included credential harvesting, Kerberos username enumeration, Active Directory reconnaissance, and staging data for exfiltration via FTP servers.
Across both campaigns, QEMU was used as an evasion mechanism to bypass endpoint security, facilitate covert persistence and remote access, and support credential theft, reconnaissance, data staging, and exfiltration. High-confidence indicators and behaviors mentioned in the reporting include unauthorized QEMU instances, the TPMProfiler scheduled task, disguised VM disk images, reverse SSH tunnels, unusual SSH port forwarding, outbound SSH tunnels on non-standard ports, the AppMgmt service, the CtxAppVCOMService account, and custom.qcow2 VM disk usage.
Vulnerabilities exploited
2 CVEs correlated with this family across public research and vendor advisories. The campaign summaries above name them: CVE-2025-26399 (SolarWinds Web Help Desk, STAC4713) and CVE-2025-5777 (CitrixBleed2 in NetScaler ADC and Gateway, STAC3725).
In recent incidents, attackers used QEMU, an open-source machine emulator and virtualizer, to run hidden environments where malicious activity remained largely invisible to endpoint defenses and left minimal evidence on the host system.
Groups observed using it
1 distinct threat actor attributed by public researchers.
The Payouts King ransomware operation is leveraging the QEMU emulator to create hidden virtual machines and establish reverse SSH backdoors on compromised systems, allowing them to bypass endpoint security measures.
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
4 techniques
Organizations should implement robust monitoring for unauthorized QEMU instances, suspicious scheduled tasks, and unusual SSH activity.
In the STAC4713 campaign, attackers created a scheduled task named TPMProfiler to launch a hidden QEMU virtual machine under system-level privileges.
The batch file start.bat accomplishes two tasks... Second, the script executes the QEMU process and command line to start the emulated Linux environment.
...and the execution of a QEMU instance to run a virtual hard disk image containing attacker tooling.
Persistence
2 techniques
Privilege Escalation
2 techniques
Defense Evasion
4 techniques
The process qemu.exe was renamed to fontdiag.exe by the attacker prior to delivery of the phishing lure.
MITRE ATT&CK Matrix ... Defense Evasion ... T1218: System Binary Proxy Execution
attackers deploy a custom-made emulated QEMU Linux box to persist on endpoints... The use of the “-nographic” parameter means that the Linux virtual environment will run silently in the background.
Credential Access
1 technique
Sophos analysts are actively investigating the abuse of QEMU by threat actors who are running hidden VMs to conceal their operations, harvest domain credentials...
Discovery
1 technique
Lateral Movement
1 technique
The Payouts King ransomware operation is leveraging the QEMU emulator to create hidden virtual machines and establish reverse SSH backdoors on compromised systems...
Collection
1 technique
...subsequently deploying a QEMU VM with manually installed tools for reconnaissance and data staging.
Command and Control
3 techniques
Once the scheduled task runs, it also sets up port forwarding from custom ports (32567 and 22022) to port 22 for SSH access.
Once launched, the virtual machine established reverse SSH tunnels that created covert remote access channels, allowing attackers to run tools and collect domain credentials without exposing activity to traditional security tools.
The second campaign, STAC3725, relied on exploiting the CitrixBleed2 vulnerability to gain initial access before installing remote access software. Attackers then launched a QEMU virtual machine to manually assemble attack tools for credential theft and network reconnaissance.
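As an added example (editor's code, not a Sophos detection and not part of the Mallory page), the following Python hunt applies the indicators listed in the campaign summary above and the hostfwd/SSH behaviour quoted under Command and Control to constructed endpoint telemetry: process-creation records, a scheduled-task registration and outbound network connections in the shape of Sysmon events. The task name TPMProfiler, the ports 32567 and 22022, the database-file disguise and the renamed fontdiag.exe binary come from the reporting; every path, PID, user name and IP address in the sample records is made up, and the rule logic (which QEMU switches count as a fingerprint, which extensions count as legitimate images) is an assumption of this example.

```python
"""Hunt for hidden-QEMU tradecraft in endpoint telemetry (added example).

Events are plain dicts shaped like Sysmon process-create ("process"),
scheduled-task registration ("task") and network-connect ("network") records.
All sample data at the bottom is constructed for this example.
"""
import re
from dataclasses import dataclass

# Switches a QEMU process almost always carries; renaming qemu.exe
# (fontdiag.exe in earlier reporting) does not remove them from the command line.
QEMU_FLAGS = {"-nographic", "-display", "-hda", "-drive", "-netdev", "-device",
              "-m", "-smp", "-accel", "-cpu", "-cdrom", "-snapshot"}
# Extensions a VM disk legitimately carries; a .db or .dll handed to QEMU
# (the STAC4713 disguise) is flagged.  Assumed list, extend for your estate.
IMAGE_EXTS = {".qcow2", ".qcow", ".img", ".raw", ".vmdk", ".vhd", ".vhdx", ".iso", ".vdi"}
DISK_RE = re.compile(r'(?:-hda\s+|-cdrom\s+|[,\s]file=)"?([^"\s,]+)', re.I)
# QEMU user-mode networking: hostfwd=tcp:[hostaddr]:hostport-[guestaddr]:guestport
HOSTFWD_RE = re.compile(r"hostfwd=(?:tcp|udp):[^:]*:(\d+)-[^:]*:(\d+)", re.I)
TASK_NAMES = {"tpmprofiler"}          # hunt-list seed from the STAC4713 reporting
WEB_PORTS = {80, 443}
SSH_CLIENTS = {"ssh.exe", "plink.exe"}

@dataclass
class Finding:
    rule: str
    subject: str
    detail: str

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def looks_like_qemu(image, cmdline):
    """True for a qemu* image, or for any image whose command line reads like QEMU."""
    if basename(image).startswith("qemu"):
        return True
    flags = sum(1 for tok in cmdline.split() if tok.lower() in QEMU_FLAGS)
    low = cmdline.lower()
    return flags >= 2 and ("-nographic" in low or "hostfwd=" in low)

def check_process(ev, findings):
    """Flag QEMU launches, disguised disk images and host->guest SSH forwards."""
    name, cmd, subject = basename(ev["image"]), ev["cmdline"], f"pid {ev['pid']}"
    if not looks_like_qemu(ev["image"], cmd):
        return False
    rule = "qemu_execution" if name.startswith("qemu") else "renamed_qemu_binary"
    findings.append(Finding(rule, subject, f"{name} run as {ev['user']}"))
    for disk in DISK_RE.findall(cmd):
        base = basename(disk)
        ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
        if ext not in IMAGE_EXTS:
            findings.append(Finding("disguised_disk_image", subject, disk))
    for host_port, guest_port in HOSTFWD_RE.findall(cmd):
        if int(guest_port) == 22 and int(host_port) != 22:
            findings.append(Finding("hostfwd_to_guest_ssh", subject,
                                    f"host tcp/{host_port} -> guest tcp/22"))
    return True

def check_task(ev, findings):
    """Scheduled task that is on the name list or whose action is a QEMU launch."""
    reasons = []
    if ev["task_name"].strip("\\").lower() in TASK_NAMES:
        reasons.append("known task name")
    action = ev["action"]
    first = action.split()[:1]
    if looks_like_qemu(first[0] if first else "", action):
        reasons.append("action launches QEMU")
    if reasons and ev["run_as"].upper().endswith("SYSTEM"):
        reasons.append("runs as SYSTEM")
    if reasons:
        findings.append(Finding("suspicious_scheduled_task", ev["task_name"], ", ".join(reasons)))

def check_network(ev, qemu_pids, findings):
    """Outbound traffic from a QEMU process, or an SSH client on a non-22 port."""
    if not ev.get("initiated", True):
        return
    port, subject = ev["dst_port"], f"pid {ev['pid']}"
    # With -netdev user the guest's traffic leaves the host from the QEMU process.
    if ev["pid"] in qemu_pids and port not in WEB_PORTS:
        findings.append(Finding("qemu_outbound_connection", subject, f"{ev['dst_ip']}:{port}"))
    if basename(ev["image"]) in SSH_CLIENTS and port != 22:
        findings.append(Finding("ssh_nonstandard_port", subject, f"{ev['dst_ip']}:{port}"))

def hunt(events):
    findings, qemu_pids = [], set()
    for ev in events:
        if ev["type"] == "process":
            if check_process(ev, findings):
                qemu_pids.add(ev["pid"])
        elif ev["type"] == "task":
            check_task(ev, findings)
        elif ev["type"] == "network":
            check_network(ev, qemu_pids, findings)
    return findings

SAMPLE_EVENTS = [  # constructed telemetry; paths, PIDs, users and IPs are made up
    {"type": "process", "pid": 4120, "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\ProgramData\TPM\qemu-system-x86_64.exe",
     "cmdline": r"qemu-system-x86_64.exe -m 2048 -smp 2 -nographic"
                r" -hda C:\ProgramData\TPM\profiles.db"
                r" -netdev user,id=n0,hostfwd=tcp::32567-:22,hostfwd=tcp::22022-:22"
                r" -device e1000,netdev=n0"},
    {"type": "process", "pid": 5200, "user": r"CORP\jdoe",
     "image": r"C:\Users\Public\fontdiag.exe",
     "cmdline": r"fontdiag.exe -m 256 -nographic -hda C:\Users\Public\fonts.img"
                r" -netdev user,id=n0 -device e1000,netdev=n0"},
    {"type": "process", "pid": 6000, "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe report.txt"},
    {"type": "task", "task_name": r"\TPMProfiler", "run_as": "SYSTEM",
     "action": r"C:\ProgramData\TPM\qemu-system-x86_64.exe -nographic -hda C:\ProgramData\TPM\profiles.db"},
    {"type": "network", "pid": 4120, "image": r"C:\ProgramData\TPM\qemu-system-x86_64.exe",
     "dst_ip": "203.0.113.10", "dst_port": 2222, "initiated": True},
    {"type": "network", "pid": 7000, "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443, "initiated": True},
    {"type": "network", "pid": 8000, "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "dst_ip": "198.51.100.7", "dst_port": 443, "initiated": True},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:26} {f.subject:16} {f.detail}")
```

Two caveats when running this against real telemetry. The outbound-connection rule only sees guest traffic when the VM uses QEMU's user-mode networking, because that is the case where the guest's packets leave the host from the QEMU process itself; a VM attached to a TAP or bridged adapter shows up with its own MAC address and has to be caught from network-side flow data instead. And because the page-quoted start.bat wrapper launches QEMU as a child process, hunting on the child's command line rather than the parent script's is what catches a renamed binary.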
Recent activity
3 sources tracked across advisories, community write-ups, and news.
QEMU was abused as a stealth execution environment to hide attacker activity inside virtual machines, enabling covert remote access, credential theft, and network reconnaissance while evading endpoint defenses.
QEMU is used by attackers to create hidden virtual machines on compromised hosts, enabling stealthy execution of malicious payloads, credential harvesting, data staging, exfiltration, and reverse SSH backdoor access while evading endpoint security controls.
An open-source CPU emulator and virtualization tool abused by attackers to run hidden virtual machines on compromised hosts, execute payloads, store malicious files, and create covert remote access tunnels over SSH that evade host-based security visibility.