- Hidden virtual machines allow attackers to bypass endpoint security and go undetected.
- The attackers used trusted virtualization tools and embedded software to hide malicious activity.
- Sophos links campaigns using QEMU to ransomware deployment and long-term network access.
Attackers are increasingly hiding malicious tools in virtual machines to bypass security controls.
Sophos analysts say the approach relies on virtualization software that security systems often view as legitimate activity.
In recent incidents, attackers used QEMU, an open source machine emulator and virtualizer, to run hidden environments in which malicious activity remained largely invisible to endpoint defenses and left little evidence on the host system.
A growing trend towards escapism
Sophos notes that while the method is not new, it has gained traction again, with two active campaigns, tracked under the names STAC4713 and STAC3725, identified since late last year.
In campaign STAC4713, attackers created a scheduled task named TPMProfiler to launch a hidden QEMU virtual machine with system-level privileges.
The virtual machine used disguised disk images, first appearing as database files and then masquerading as dynamic-link libraries.
Once launched, the virtual machine established reverse SSH tunnels that created covert remote access channels, allowing attackers to run tools and collect domain credentials without exposing the activity to traditional security tools.
Sophos investigators also observed attackers using built-in Windows utilities such as Microsoft Paint, Notepad and Edge to access files and perform network discovery. This heavy reliance on trusted software blended malicious actions into routine system behavior.
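The STAC4713 tradecraft described above leaves host-side signals that are cheap to check: a QEMU process launched by the Task Scheduler, running as SYSTEM, with no display and a disk image whose file extension does not look like a disk image. The following detection script is an added example, not Sophos or TechRadar code; it runs over constructed process-creation records whose field names (`image`, `command_line`, `user`, `parent_image`, `parent_command_line`) are an assumption modelled on Sysmon-style telemetry, and the parent command line `svchost.exe -k netsvcs -p -s Schedule` is assumed to identify the Task Scheduler service host.

```python
"""Flag QEMU launches that match hidden-VM tradecraft (added example).

Event field names are an assumption modelled on Sysmon-style process-creation
records; the sample events at the bottom are constructed, not real telemetry.
"""
import ntpath
import shlex
from typing import Dict, List

# Extensions a QEMU disk image would normally carry. A disk passed with any
# other extension (.db, .dll, ...) is treated as disguised.
DISK_IMAGE_EXTS = {"qcow2", "qcow", "img", "raw", "vmdk", "vdi", "vhd", "vhdx", "iso"}

# QEMU options that take a bare disk path; -drive takes file=<path> instead.
BARE_DISK_FLAGS = {"-hda", "-hdb", "-hdc", "-hdd", "-cdrom", "-fda", "-fdb"}


def is_qemu(image: str) -> bool:
    """True if the executable name is a QEMU system emulator binary."""
    name = ntpath.basename(image).lower()
    return name.startswith("qemu-system-") or name in ("qemu.exe", "qemu")


def disk_paths(tokens: List[str]) -> List[str]:
    """Pull every disk image path out of a tokenised QEMU command line."""
    paths = []
    for i, tok in enumerate(tokens[:-1]):
        if tok in BARE_DISK_FLAGS:
            paths.append(tokens[i + 1])
        elif tok == "-drive":
            for kv in tokens[i + 1].split(","):
                key, _, val = kv.partition("=")
                if key == "file":
                    paths.append(val)
    return paths


def analyze_event(event: Dict[str, str]) -> List[str]:
    """Return findings for one process-creation event; [] means nothing to report."""
    if not is_qemu(event["image"]):
        return []
    # QEMU on an ordinary workstation or server is itself worth a look.
    findings = ["qemu-execution"]
    # posix=False keeps Windows backslashes literal; strip the quotes it leaves on tokens.
    tokens = [t.strip('"') for t in shlex.split(event["command_line"], posix=False)]
    for path in disk_paths(tokens):
        ext = ntpath.splitext(path)[1].lstrip(".").lower()
        if ext not in DISK_IMAGE_EXTS:
            findings.append(f"disguised-disk-image:{path}")
    # A VM with no console is what an operator hides, not what a developer debugs.
    if "-nographic" in tokens or any(
        a == "-display" and b == "none" for a, b in zip(tokens, tokens[1:])
    ):
        findings.append("no-display")
    if event.get("user", "").upper().endswith("\\SYSTEM"):
        findings.append("system-privileges")
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    # Assumption: the Task Scheduler service host is svchost.exe ... -s Schedule.
    if parent == "svchost.exe" and "schedule" in event.get("parent_command_line", "").lower():
        findings.append("launched-by-scheduled-task")
    return findings


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map event id -> findings, keeping only events with more than the bare QEMU hit."""
    report = {}
    for event in events:
        hits = analyze_event(event)
        if len(hits) > 1:
            report[event["id"]] = hits
    return report


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # developer running a VM interactively: only the informational hit
        "id": "evt-1",
        "image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
        "command_line": r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 2048 -hda C:\vms\ubuntu.qcow2 -display gtk',
        "user": r"CORP\dev",
        "parent_image": r"C:\Windows\explorer.exe",
        "parent_command_line": "explorer.exe",
    },
    {   # headless VM from a scheduled task as SYSTEM, disk disguised as a .db file
        "id": "evt-2",
        "image": r"C:\Users\Public\q\qemu-system-x86_64.exe",
        "command_line": r"qemu-system-x86_64.exe -m 4096 -drive file=C:\Users\Public\q\cache.db,format=qcow2 -display none -netdev user,id=n0 -device e1000,netdev=n0",
        "user": r"NT AUTHORITY\SYSTEM",
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "parent_command_line": "svchost.exe -k netsvcs -p -s Schedule",
    },
    {   # unrelated process
        "id": "evt-3",
        "image": r"C:\Windows\System32\notepad.exe",
        "command_line": "notepad.exe",
        "user": r"CORP\dev",
        "parent_image": r"C:\Windows\explorer.exe",
        "parent_command_line": "explorer.exe",
    },
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, hits)
```

The first sample event yields only the informational `qemu-execution` hit and is dropped by `scan`, while the second accumulates all five indicators; tuning the threshold in `scan` (or weighting `system-privileges` and `launched-by-scheduled-task` higher) is where an environment that legitimately runs QEMU would draw its alert line.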
Older campaign-related intrusions used exposed VPN systems without multi-factor authentication, while later incidents exploited a SolarWinds Web Help Desk vulnerability identified as CVE-2025-26399. These varied entry points show attackers adjusting their tactics based on available weaknesses.
Sophos associates the STAC4713 campaign with PayoutsKing ransomware, which focuses on encrypting virtualized environments.
The group behind the ransomware appears to target hypervisors and deploy tools that can run on VMware and ESXi systems.
The second campaign, STAC3725, relied on exploiting the CitrixBleed2 vulnerability to gain initial access before installing remote access software.
The attackers then launched a QEMU virtual machine to manually assemble attack tools for credential theft and network reconnaissance.
Rather than bringing ready-to-use payloads with them, the attackers compiled their toolsets inside the virtual machine after gaining access. This approach allowed them to tailor each attack and reduce the risk of detection by signature-based defenses.
Sophos warns that hiding activities inside virtual machines represents a growing trend of evasion. Strong endpoint protection, network monitoring, and rapid patching of exposed systems are essential to reducing risk.