- Hidden virtual machines allow attackers to bypass endpoint security and remain undetected
- Attackers used trusted virtualization tools and native software to hide malicious activity
- Sophos links campaigns using QEMU to ransomware deployment and long-term network access
Attackers are increasingly hiding malicious tools inside virtual machines to bypass security checks.
Sophos analysts say the approach relies on virtualization software, which security systems often treat as legitimate activity.
In recent incidents, attackers used QEMU, an open source machine emulator and virtualizer, to run hidden environments where malicious activity remained largely invisible to endpoint defenses and left minimal evidence on the host system.
A growing evasion trend
Sophos notes that while the method is not new, it has gained traction again with two active campaigns, tracked as STAC4713 and STAC3725, identified since late last year.
In the STAC4713 campaign, attackers created a scheduled task named TPMProfiler to launch a hidden QEMU virtual machine under system-level privileges.
The virtual machine used disguised disk images that first appeared as database files and later masqueraded as dynamic link libraries.
Upon launch, the virtual machine established reverse SSH tunnels that created secret remote access channels, allowing attackers to run tools and collect domain credentials without exposing activity to traditional security tools.
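The disguised disk images described above can be spotted without running anything: a QEMU or VMware disk image carries a recognisable header no matter what extension the file has been given. The script below, an added example and not code from Sophos or TechRadar, walks a directory and reports files whose header matches a known disk-image format while the file name claims to be something else (a DLL, a database file). The magic values are the real ones for each format; the sample files, names and directory are constructed for the demonstration.

```python
"""Find VM disk images hiding behind non-image file names.

Added example (not Sophos/TechRadar code). Sample files are constructed in a
temporary directory; in practice, point find_disguised_images() at ProgramData,
user profiles or wherever the scheduled task's working directory lives.
"""
import tempfile
from pathlib import Path

# Leading bytes of common VM disk image formats (real values).
DISK_IMAGE_MAGIC = {
    b"QFI\xfb": "qcow2",                                   # QEMU copy-on-write
    b"KDMV": "vmdk (sparse extent)",                        # VMware sparse VMDK
    b"# Disk DescriptorFile": "vmdk (descriptor)",         # text-descriptor VMDK
    b"<<< Oracle VM VirtualBox Disk Image >>>": "vdi",
    b"conectix": "vhd (dynamic)",                          # VHD footer cookie at offset 0
    b"vhdxfile": "vhdx",
}

# Extensions under which a disk image is expected to appear. Anything else
# (.dll, .db, .mdf, ...) counts as a disguise; this list is the example's own
# assumption and should be tuned per environment.
IMAGE_EXTENSIONS = {".qcow2", ".qcow", ".img", ".vmdk", ".vdi", ".vhd", ".vhdx", ".raw", ".iso"}


def image_format(header: bytes):
    """Return the disk-image format name if `header` starts with a known magic, else None."""
    for magic, name in DISK_IMAGE_MAGIC.items():
        if header.startswith(magic):
            return name
    return None


def find_disguised_images(root):
    """Walk `root` and return sorted (path, format) pairs for files that are
    disk images by content but do not carry a disk-image extension."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        with open(path, "rb") as f:
            header = f.read(64)          # every magic above fits in 64 bytes
        fmt = image_format(header)
        if fmt and path.suffix.lower() not in IMAGE_EXTENSIONS:
            hits.append((str(path), fmt))
    return sorted(hits)


def build_sample_tree():
    """Create constructed sample files and return the directory path:
    a qcow2 header named like a DLL, a VMDK header named like a database,
    a genuine-looking DLL (MZ header) and a correctly named qcow2."""
    root = tempfile.mkdtemp(prefix="qemu_hunt_")
    samples = {
        "report.dll": b"QFI\xfb" + b"\x00" * 60,    # constructed: disguised qcow2
        "inventory.db": b"KDMV" + b"\x00" * 60,     # constructed: disguised VMDK
        "legit.dll": b"MZ" + b"\x00" * 62,          # constructed: real PE header
        "vm.qcow2": b"QFI\xfb" + b"\x00" * 60,      # constructed: honest image
    }
    for name, content in samples.items():
        (Path(root) / name).write_bytes(content)
    return root


if __name__ == "__main__":
    for path, fmt in find_disguised_images(build_sample_tree()):
        print(f"disguised {fmt} image: {path}")
```

Only `report.dll` and `inventory.db` are reported; `legit.dll` has a PE header and `vm.qcow2` is named honestly. A raw (headerless) image will not be caught this way, so pair the scan with the process and scheduled-task telemetry that shows which files QEMU was actually given.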
Sophos investigators also observed attackers using built-in Windows tools such as Microsoft Paint, Notepad and Edge for file access and network discovery, relying on trusted software to blend malicious actions into routine system behavior.
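The behaviours in the two paragraphs above (QEMU started by a scheduled task under SYSTEM with a disk image that is not named like one, and built-in Windows programs touching the network or remote shares) are all visible in ordinary endpoint telemetry. The triage below is an added example, not Sophos or TechRadar code: it runs a few rules over constructed process-creation and network-connection events. The "scheduled-task host" parent names, the list of built-ins that should never open sockets, and the UNC-path heuristic are this example's assumptions and need tuning to the environment.

```python
"""Rule-based triage of constructed endpoint events for QEMU-in-a-VM evasion.

Added example (not Sophos/TechRadar code). Event records, host names, paths
and addresses are constructed; rule thresholds are assumptions to tune.
"""
import re
import shlex

IMAGE_EXTENSIONS = {".qcow2", ".qcow", ".img", ".vmdk", ".vdi", ".vhd", ".vhdx", ".raw", ".iso"}
# Assumption: processes that host scheduled-task actions on Windows.
SCHEDULER_PARENTS = {"svchost.exe", "taskeng.exe"}
# Assumption: built-ins with no legitimate reason to open outbound sockets.
NO_NETWORK_BUILTINS = {"mspaint.exe", "notepad.exe"}
# Built-ins the write-up names as being used for file access / discovery.
WATCHED_BUILTINS = {"mspaint.exe", "notepad.exe", "msedge.exe"}
UNC_PATH = re.compile(r"\\\\[\w.-]+\\")   # \\host\share...


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ext(path):
    name = basename(path)
    return "." + name.rsplit(".", 1)[1] if "." in name else ""


def qemu_disk_paths(cmdline):
    """Extract disk image paths from a QEMU command line: the file after
    -hda/-hdb/-hdc/-hdd/-cdrom and file=... inside -drive options."""
    args = [a.strip('"') for a in shlex.split(cmdline, posix=False)]
    paths = []
    for i, arg in enumerate(args):
        if arg in ("-hda", "-hdb", "-hdc", "-hdd", "-cdrom") and i + 1 < len(args):
            paths.append(args[i + 1])
        elif arg == "-drive" and i + 1 < len(args):
            for kv in args[i + 1].split(","):
                if kv.startswith("file="):
                    paths.append(kv[len("file="):])
    return paths


def triage(events):
    """Return (finding, event_id) pairs for events matching the rules."""
    findings = []
    for ev in events:
        image = basename(ev.get("image", ""))
        if ev["type"] == "process_create":
            if image.startswith("qemu-system"):
                as_system = ev.get("user", "").upper().endswith("SYSTEM")
                from_task = basename(ev.get("parent", "")) in SCHEDULER_PARENTS
                if as_system or from_task:
                    findings.append(("qemu launched as SYSTEM or from a scheduled task", ev["id"]))
                for p in qemu_disk_paths(ev["cmdline"]):
                    if ext(p) not in IMAGE_EXTENSIONS:
                        findings.append((f"qemu disk image disguised as '{ext(p) or 'no ext'}': {p}", ev["id"]))
            if image in WATCHED_BUILTINS and UNC_PATH.search(ev.get("cmdline", "")):
                findings.append((f"{image} opened a UNC path", ev["id"]))
        elif ev["type"] == "network_connect" and image in NO_NETWORK_BUILTINS:
            findings.append((f"{image} connected to {ev['dest']}", ev["id"]))
    return findings


# Constructed sample telemetry (not real incident data).
EVENTS = [
    {"id": 1, "type": "process_create", "image": r"C:\ProgramData\qemu\qemu-system-x86_64.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": r"qemu-system-x86_64.exe -m 2048 -drive file=C:\ProgramData\report.dll,format=qcow2"},
    {"id": 2, "type": "process_create", "image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "parent": r"C:\Windows\explorer.exe", "user": "LAB\\dev",
     "cmdline": r"qemu-system-x86_64.exe -m 4096 -hda D:\vms\test.qcow2"},   # benign developer VM
    {"id": 3, "type": "network_connect", "image": r"C:\Windows\System32\mspaint.exe",
     "dest": "10.0.0.25:445"},
    {"id": 4, "type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "user": "LAB\\dev",
     "cmdline": r"notepad.exe \\fileserver01\finance\notes.txt"},
    {"id": 5, "type": "network_connect",
     "image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "dest": "203.0.113.10:443"},                                            # browsers do this
]

if __name__ == "__main__":
    for finding, ev_id in triage(EVENTS):
        print(f"event {ev_id}: {finding}")
```

Event 1 produces two findings (SYSTEM launch from the task host, and a `.dll` handed to `-drive`), event 3 flags Paint opening an SMB connection, and event 4 flags Notepad reading from a share; the developer's properly named VM and Edge's HTTPS traffic stay quiet. Any `qemu-system-*` process on a host that is not a known virtualization server is worth a look on its own, independent of these rules.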
Older intrusions linked to the campaign used exposed VPN systems without multi-factor authentication, while later incidents exploited a SolarWinds Web Help Desk vulnerability tracked as CVE-2025-26399. These different entry points show attackers adjusting their tactics depending on available weaknesses.
Sophos links the STAC4713 campaign to the PayoutsKing ransomware, which focuses on encrypting virtualized environments.
The group behind the ransomware appears to target hypervisors and deploy tools that can work across VMware and ESXi systems.
The second campaign, STAC3725, relied on exploiting the CitrixBleed2 vulnerability to gain initial access before remote access software was installed.
Attackers then launched a QEMU virtual machine to manually assemble credential theft and network reconnaissance attack tools.
Instead of delivering ready-made payloads, attackers compiled their toolkits inside the virtual machine after gaining access. This approach allowed them to customize attacks and reduce the chance of detection by signature-based defenses.
Sophos warns that hiding activity inside virtual machines represents a growing evasion trend. Strong endpoint protection, network monitoring and timely patching of exposed systems are critical to reducing risk.