In an effort to circumvent traditional security controls, hackers are increasingly relying on virtualisation as a covert execution layer, embedding malicious operations within QEMU environments. As observed in observed incidents, adversaries deployed concealed virtual machines in which tooling and command execution occurred largely beyond the detection range of endpoint detection systems, leaving minimal forensic artifacts on the operating system.
In most cases, these environments are introduced as virtual disk images disguised under atypical file extensions such as .db or .dll and triggered by scheduled tasks with SYSTEM level privileges to create a parallel runtime that blends with legitimate processes.
According to analysts at Sophos, such techniques take advantage of the trust associated with widely used virtualization software. This pattern extends to platforms such as Microsoft Hyper-V, Oracle VM VirtualBox, and VMware, among others.
These tactics reflect a broader strategic shift in which legitimate infrastructure is used to create isolated, low-noise environments that allow ransomware deployment while retaining effective anonymity to host-based defenses. Based on this pattern, researchers at Sophos have highlighted that QEMU misuse is not a recent development, but its resurgence in recent operations signals a renewed tactical emphasis on the use of QEMU.
In late 2025, analysts have identified two separate ransomware campaigns, STAC4713 and STAC3725, which use virtualised environments to avoid detection, and STAC4713 is specifically associated with the financial-motivated PayoutsKing cluster of ransomware activities.
An attacker established persistence for this campaign by creating a scheduled task, “TPMProfiler,” which executed a concealed virtual machine with SYSTEM-level privileges.
A disk image deployment was implemented in which benign assets were deliberately disguised as benign assets, initially appearing as database files, but later taking on the appearance of dynamic link libraries in order to blend seamlessly into routine system artifacts.
Once active, the virtual instance initiated reverse SSH tunneling mechanisms and port-forwarding mechanisms, forming covert communication channels that enabled sustained remote access while remaining outside the scope of conventional monitoring tools.
During this isolated Alpine Linux environment, adversaries employed a compact toolkit that enabled tunneling, obfuscation, and data exfiltration, facilitating credential harvesting, the extraction of Active Directory databases, as well as the lateral exploration of network shares, all by utilizing legitimate system utilities.
By integrating trusted binaries and hidden virtual infrastructure, this intentional convergence highlights a refined intrusion model where malicious activity is woven into normal system behavior, increasing the difficulty of detecting and responding to intrusions.
A further investigation of STAC4713 has revealed its origin dates are November 2025, when it has been associated with the GOLD ENCOUNTER threat group and directly associated with PayoutsKing ransomware, a ransomware operation that differs from the conventional ransomware-as-a-service environment by executing intrusions without the assistance of affiliates.
After emergence in mid-2025, the group has demonstrated a focus on hypervisor-centric environments, developing customized encryption tools for platforms such as VMware and VMware ESXi, signaling a deliberate shift towards infrastructure-level disruption.
Additionally, a second campaign, STAC3725, appeared in February 2026. This campaign accessed the system via the CVE-2025-5777 exploit chain before deploying a malicious instance of ConnectWise ScreenConnect to secure persistence.
Using this foothold, attackers orchestrated credential harvesting against Active Directory environments using a concealed QEMU virtual machine.
The intrusion sequence in STAC4713 is well-planned, beginning with the creation of the “TPMProfiler” scheduled task which executes qemu-system-x86_64.exe with SYSTEM privileges. As a result, the boot-up of a virtual hard drive image disguised as benign files initially "vault.db" and later renamed "bisrv.dll" -- was used to evade scrutiny.
In addition to this obfuscation, network manipulation techniques are employed, including port forwarding from non-standard ports such as 32567 and 22022 to SSH port 22, while reverse tunnels involving AdaptixC2 or OpenSSH are used to maintain persistent and covert connectivity to attacker-controlled networks.
Embedded virtual machines operate on Alpine Linux 3.22.0 images preconfigured to offer a compact but robust toolkit that enables the rapid transfer of data and execution of commands.
The toolkit includes Linker2, AdaptixC2, WireGuard's WireGuard Obfuscation Layer (wg-obfuscator), BusyBox, Chisel, and Rclone.
In contrast, STAC3725 utilizes a more adaptive approach, compiling its toolset within a virtual environment in situ, including frameworks such as Impacket, KrbRelayX, Coercer, BloodHound.py, NetExec, Kerbrute, and Metasploit, as well as Python, Rust, Ruby, and C dependencies.
Post-compromise activities include credential extraction, Kerberos user enumeration via Kerbrute, Active Directory reconnaissance via BloodHound, and payload staging over FTP channels, demonstrating a methodical and deeply embedded attack model in which virtualization serves not only as a concealment mechanism, but also as a platform for sustained intrusion.
In sum, STAC4713 and STAC3725's activity indicate a calculated evolution in adversary tradecraft where virtualisation is no longer just a peripheral tactic for evasion but rather a critical component of adversary operations.
A malicious workflow may be embedded within QEMU instances and aligned with trusted system processes, thus decoupling attackers' activities from the host environment.
As a result, conventional endpoint controls will be unable to detect the attacker's activities while maintaining persistent, low-noise access.
By employing disguised storage artifacts, executing tasks at the SYSTEM level, and utilizing encrypted communication channels, a disciplined approach to stealth is demonstrated, while the integration of credential harvesting, Active Directory reconnaissance, and lateral movement capabilities highlights the end-to-end nature of the intrusion.
Sophos has observed that the resurgence of such campaigns indicates a broader industry challenge, in which legitimate infrastructure and administrative tools are increasingly repurposed to undermine defensive assumptions.
Virtualised attack frameworks, with their convergence of concealment, persistence, and operational depth, provide a formidable vector for modern ransomware operations, requiring an extension of detection strategies beyond the host to virtual layers where adversaries are actively exploiting these vulnerabilities.
.jpg)
