How Ransomware Uses QEMU to Hide a Virtual Machine and Evade Security Tools
Sophos researchers discovered that the Payouts King ransomware family deploys a fully hidden Alpine Linux VM via the open‑source QEMU emulator, allowing data theft, C2 communication, and tool deployment to remain invisible to host‑based antivirus and EDR solutions.
Attack Overview
Two campaigns, STAC4713 (first seen Nov 2025) and STAC3725 (active Feb 2026), used QEMU to run a hidden Alpine Linux 3.22.0 VM on compromised Windows hosts. The VM runs with SYSTEM privileges and its files are disguised as ordinary system files, leaving host‑based AV and EDR blind to its activity.
AV cannot scan files inside the VM.
EDR cannot see processes or network connections inside the VM.
Attackers can install any tool inside the VM as if it were a real server.
Key attributes:
Ransomware family: Payouts King (suspected former affiliates of BlackBasta).
Initial intrusion vectors: SonicWall VPN without MFA, SolarWinds Web Help Desk (CVE‑2025‑26399), Cisco SSL VPN, Microsoft Teams phishing delivering QuickAssist.
Malicious VM OS: Alpine Linux 3.22.0.
VM platform: QEMU.
Persistence: Scheduled task “TPMProfiler” running as SYSTEM.
VM disk disguise: Files masqueraded as SQLite .db and as a Visual C++ runtime .dll.
C2 channel: Reverse SSH tunnel.
Threat actor: GOLD ENCOUNTER (previously targeted VMware/ESXi).
Technical Deep Dive
Three‑stage Attack Chain
Stage 1 – Boundary breach: Early attacks (STAC4713) exploited an exposed SonicWall VPN lacking MFA. Later attacks (STAC3725) leveraged the SolarWinds Web Help Desk vulnerability (CVE‑2025‑26399), an exposed Cisco SSL VPN, and a Microsoft Teams phishing campaign that convinced users to install the legitimate remote‑support tool QuickAssist, which was then used to drop the payload.
Stage 2 – Establishing a foothold: After gaining access, the adversary installs QEMU on the Windows host and creates a disguised virtual‑disk file.
# Create a disk that looks like a SQLite DB but is a QEMU qcow2 image
TPMProfiler_suspicious.qcow2 # masqueraded as SQLite database
vcruntime140_1.dll # masqueraded as Visual C++ runtime (actual payload)
# Create a persistent scheduled task named "TPMProfiler"
schtasks /create /tn "TPMProfiler" /tr "C:\Program Files\QEMU\qemu-system-x86_64.exe ..." /sc ONLOGON /ru SYSTEM
The QEMU VM runs with SYSTEM privileges; the disk files blend with normal system files.
Stage 3 – Inside‑VM operations: Inside the Alpine VM the attackers manually compile and run a suite of penetration tools, including Impacket, KrbRelayx, Coercer, BloodHound.py, NetExec, Kerbrute, and the Metasploit Framework. All activity remains invisible to host‑based security products.
Data Exfiltration Techniques
Attackers use the Windows Volume Shadow Copy Service (VSS) and SMB to copy Active Directory database files.
# Create a shadow copy using the legitimate vssadmin tool
vssadmin create shadow /for=C:
# Copy NTDS.dit from the shadow volume
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Temp\
The harvested NTDS.dit, SAM, and SYSTEM hives, containing domain password hashes, are later exfiltrated via FTP, a less‑monitored outbound protocol.
Ransomware Characteristics (Zscaler report)
Heavy obfuscation and anti‑analysis techniques.
Multiple scheduled‑task persistence mechanisms.
Low‑level calls to terminate antivirus and EDR processes.
Encryption using AES‑256‑CTR plus RSA‑4096; intermittent encryption for large files.
Data‑leak extortion via dark‑web leak sites.
Why QEMU Became a Hacker Favorite
Legitimate tool weaponization
QEMU is an open‑source CPU emulator and system‑virtualizer praised for cross‑platform support, performance, and broad OS compatibility. These properties make it attractive to attackers because:
Installation does not trigger security alerts.
It provides full OS virtualization, not a sandbox.
It supports almost every mainstream OS and architecture.
Binaries can be compiled or downloaded on the target easily.
Blind spots in traditional security tools
Endpoint protection products assume malicious activity occurs on the host. QEMU VMs are invisible to:
EDR process monitoring.
Antivirus file‑system scanning.
Host network monitoring (unless special bridge configurations are used).
Historical cases
3AM ransomware used QEMU for reconnaissance.
LoudMiner installed a back‑doored Linux VM on Windows for mining.
CRON#TRAP phishing maintained persistence via a hidden Linux VM.
Payouts King differs by using QEMU as a complete attack platform rather than a single‑purpose tool.
Detection and Defense Recommendations
Indicators of Compromise
Scheduled tasks named "TPMProfiler".
QEMU processes running as SYSTEM.
Run schtasks /query /fo LIST /v to enumerate tasks.
Check for QEMU installation directories (e.g., C:\Program Files\QEMU).
Unusual listening ports such as 5555, 5900, 3128 that may indicate VM port forwarding.
Outbound SSH tunnels and FTP transfers.
AD anomalies: new local administrators, suspicious Kerberos service accounts, BloodHound artifacts.
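As an added example (not code from the Sophos or Zscaler reports), the following PowerShell triage script checks a single Windows host for the indicators listed above. The task name, QEMU install path and port numbers are taken from this article; the script assumes an elevated session so that process owners and all scheduled tasks are visible.

```powershell
# Added host triage for the hidden-QEMU indicators described in this article.
# Run from an elevated PowerShell session; indicator values come from the article.
$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Indicator, $Detail) {
    $Findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. Scheduled tasks named "TPMProfiler" (the persistence mechanism described above)
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like '*TPMProfiler*' } |
    ForEach-Object {
        Add-Finding 'ScheduledTask' ("{0}{1} runs as {2}: {3} {4}" -f $_.TaskPath, $_.TaskName,
            $_.Principal.UserId, $_.Actions.Execute, $_.Actions.Arguments)
    }

# 2. QEMU processes and the account they run under (SYSTEM is the red flag here)
Get-CimInstance Win32_Process -Filter "Name LIKE 'qemu%'" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        Add-Finding 'QemuProcess' ("PID {0} as {1}\{2}: {3}" -f $_.ProcessId,
            $owner.Domain, $owner.User, $_.CommandLine)
    }

# 3. QEMU installation directories
foreach ($dir in @("$env:ProgramFiles\QEMU", "${env:ProgramFiles(x86)}\QEMU")) {
    if (Test-Path $dir) { Add-Finding 'QemuInstallDir' $dir }
}

# 4. Listening ports the article associates with VM port forwarding
$SuspectPorts = 5555, 5900, 3128
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $SuspectPorts -contains $_.LocalPort } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Add-Finding 'ListeningPort' ("Port {0} owned by {1} (PID {2})" -f $_.LocalPort,
            $proc.ProcessName, $_.OwningProcess)
    }

# 5. Established outbound SSH (22) or FTP (21) sessions, the C2 and exfiltration channels described
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -in 21, 22 } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Add-Finding 'OutboundSshFtp' ("{0}:{1} -> {2}:{3} by {4}" -f $_.LocalAddress,
            $_.LocalPort, $_.RemoteAddress, $_.RemotePort, $proc.ProcessName)
    }

if ($Findings.Count -eq 0) { 'No hidden-QEMU indicators from this article found on this host.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

Any hit on items 1, 2 or 4 warrants pulling the task XML and the QEMU command line for the disk image path before the host is rebooted, since the VM's own activity leaves no host-side process or file artefacts.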
Defensive Measures
Endpoint level:
Deploy application‑control policies that whitelist only approved software.
Enable advanced memory‑protection features in EDR to detect process injection and suspicious child processes.
Add alerts for installation of QEMU/KVM virtualization software in HIPS.
Network level:
Monitor non‑standard outbound protocols, especially SSH (22) and FTP (21).
Apply strict outbound firewall rules to block unauthorized tunnels and proxies.
Restrict SMB (445) traffic using least‑privilege principles.
Identity security:
Require MFA on all remote‑access services (VPNs, VDI, remote‑support tools).
Regularly audit local administrator group membership.
Monitor AD for abnormal Kerberos ticket request patterns.
Vulnerability management:
Prioritize patching of internet‑exposed services such as VPNs and remote‑support tools.
Specifically address CVE‑2025‑26399 (SolarWinds Web Help Desk) and other known exploited flaws.
Conclusion
The Payouts King campaign shows a qualitative leap: by running a fully hidden VM, attackers invalidate the assumption that malicious activity resides on the host. Legitimate system‑management tools like QEMU can be weaponized, lowering the barrier for sophisticated attack infrastructure. Defenders must shift from detecting malicious software to detecting anomalous behavior such as frequent VM launches, unusual system‑level processes, unauthorized network tunnels, and legitimate tools used for malicious purposes.