
Hackers hide ransomware tools inside virtual machines using QEMU, allowing attacks to remain largely invisible

  • Hidden virtual machines allow attackers to bypass endpoint security and remain undetected
  • Attackers used trusted virtualization tools and built-in software to disguise malicious activity
  • Sophos links campaigns using QEMU to ransomware deployment and long-term network access

Attackers are increasingly hiding malicious tools inside virtual machines to slip past security controls.

Sophos analysts say the approach relies on virtualization software that security systems often treat as legitimate activity.

In recent incidents, attackers used QEMU, an open-source machine emulator and virtualizer, to run hidden environments where malicious activity remained largely invisible to endpoint defenses and left minimal evidence on the host system.

A growing evasion trend

Sophos notes that while the method is not new, it has gained traction again, with two active campaigns, tracked as STAC4713 and STAC3725, identified since the end of last year.

In the STAC4713 campaign, attackers created a scheduled task named TPMProfiler to launch a hidden QEMU virtual machine under system-level privileges.

The virtual machine used disguised disk images, first appearing as database files and later masquerading as dynamic link libraries.

Once launched, the virtual machine established reverse SSH tunnels that created covert remote access channels, allowing attackers to run tools and collect domain credentials without exposing activity to traditional security tools.
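Detection logic for the host-side traces this technique leaves (a QEMU binary started by a scheduled task, run headless, with a disk image whose extension does not look like a disk image), as an added example run over constructed process-creation records; this is not code from Sophos or from the article, and the sample paths, command lines and the svchost.exe parent heuristic are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Heuristics for spotting a hidden QEMU guest launched on a Windows host from
# process-creation telemetry (parent image, image, command line).
QEMU_BIN = re.compile(r"^qemu(-system-[\w-]+|-img)?(\.exe)?$", re.I)
HEADLESS = re.compile(r"(?:^|\s)(?:-display\s+none|-nographic)(?:\s|$)")
# Disk image paths: "-drive [opts,]file=PATH[,opts]" or bare "-hda/-hdb/-cdrom PATH"
DISK_ARG = re.compile(r"(?:-drive\s+[^ ]*?file=|-(?:hd[a-d]|cdrom)\s+)([^,\s]+)")
IMAGE_EXTS = {".qcow2", ".qcow", ".img", ".raw", ".vmdk", ".vdi", ".vhd", ".vhdx", ".iso"}


def analyze_event(parent_image: str, image: str, command_line: str) -> list[str]:
    """Return the reasons one process-creation event looks like a hidden QEMU VM."""
    reasons: list[str] = []
    if not QEMU_BIN.match(PureWindowsPath(image).name):
        return reasons  # only QEMU launches are in scope for this check
    reasons.append("qemu binary executed")
    for path in DISK_ARG.findall(command_line):
        if PureWindowsPath(path).suffix.lower() not in IMAGE_EXTS:
            reasons.append(f"disk image with a non-image extension: {path}")
    if HEADLESS.search(command_line):
        reasons.append("headless guest (no display attached)")
    # Assumption: scheduled tasks are started by the Schedule service, hosted in svchost.exe
    if PureWindowsPath(parent_image).name.lower() == "svchost.exe":
        reasons.append("spawned by svchost.exe (consistent with a scheduled task)")
    return reasons


def triage(events: list[tuple[str, str, str]], min_reasons: int = 2) -> list[dict]:
    """Keep only events that trip at least min_reasons heuristics."""
    hits = []
    for parent, image, cmd in events:
        reasons = analyze_event(parent, image, cmd)
        if len(reasons) >= min_reasons:
            hits.append({"image": image, "reasons": reasons})
    return hits


# Constructed sample telemetry (not from the Sophos investigation).
SAMPLE_EVENTS = [
    # hidden VM: headless, disk image disguised as a DLL, launched via svchost.exe
    (r"C:\Windows\System32\svchost.exe", r"C:\ProgramData\TPM\qemu-system-x86_64.exe",
     r"qemu-system-x86_64.exe -m 2048 -display none -drive file=C:\ProgramData\TPM\tpmprof.dll,format=qcow2,if=virtio -netdev user,id=n0"),
    # legitimate interactive use of QEMU by an engineer
    (r"C:\Windows\explorer.exe", r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     r"qemu-system-x86_64.exe -m 4096 -hda D:\vms\ubuntu.qcow2 -cdrom D:\iso\ubuntu.iso"),
    # unrelated process
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\dev\notes.txt"),
]
```

Calling `triage(SAMPLE_EVENTS)` returns only the first record, with all four reasons; the benign QEMU launch trips just the "qemu binary executed" heuristic and is filtered out.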

Sophos investigators also observed attackers using built-in Windows utilities such as Microsoft Paint, Notepad, and Edge for file access and network discovery. The technique relied heavily on trusted software to blend malicious actions into routine system behavior.

Older intrusions tied to the campaign used exposed VPN systems without multi-factor authentication, while later incidents exploited a SolarWinds Web Help Desk vulnerability tracked as CVE-2025-26399. These varied entry points show attackers adjusting their tactics depending on available weaknesses.

Sophos links the STAC4713 campaign to PayoutsKing ransomware, which focuses on encrypting virtualized environments.

The group behind the ransomware appears to target hypervisors and deploy tools that can operate across VMware and ESXi systems.

The second campaign, STAC3725, relied on exploiting the CitrixBleed2 vulnerability to gain initial access before installing remote access software.

Attackers then launched a QEMU virtual machine to manually assemble attack tools for credential theft and network reconnaissance.

Rather than delivering ready-made payloads, attackers compiled their toolsets inside the virtual machine after gaining access. That approach allowed them to customize attacks and reduce the chance of detection by signature-based defenses.

Sophos warns that hiding activity inside virtual machines represents a growing evasion trend. Strong endpoint protection, network monitoring, and timely patching of exposed systems are critical to reducing risk.
