Hackers Disguise Entire Operating Systems as Ordinary Files: New Tactic to Evade Antivirus
Cybercriminals have found a way to hide malicious activity inside legitimate virtualization tools. Using QEMU, attackers run entire operating systems that go undetected by standard security measures. This technique is already being used in several ransomware campaigns.
How the QEMU-Based Attack Works
QEMU is a popular open-source software for emulation and virtualization. In the hands of attackers, it becomes a powerful tool for hiding traces. Instead of running malicious processes directly on the infected system, hackers deploy a virtual machine (VM) inside it. All malicious actions are performed inside this VM, while only legitimate QEMU processes remain on the host.
The virtual disk image is disguised as ordinary files—for example, databases or DLL libraries. Communication with the command server is carried out through reverse SSH tunnels, making it difficult to detect network anomalies.
Two Campaigns: STAC4713 and STAC3725
Sophos researchers have identified at least two separate campaigns using this technique.
Campaign STAC4713
In this campaign, active since late 2025, attackers deployed a hidden VM via a TPMProfiler task running with SYSTEM privileges. Inside the VM, a full set of tools for remote access, credential theft, and data exfiltration was placed. The campaign is linked to the distribution of the PayoutsKing ransomware. Analysts believe it is orchestrated by the GOLD ENCOUNTER group, which specializes in attacks on virtualized infrastructure (VMware, ESXi).
Campaign STAC3725
Starting in February 2026, this campaign exploits the CitrixBleed2 vulnerability in NetScaler. After the breach, hackers install a malicious ScreenConnect client, create a local administrator account, and launch QEMU with an Alpine Linux image. Unlike the first campaign, reconnaissance tools are gathered inside the VM: Impacket, BloodHound, Kerbrute, Metasploit, and others are used.
Why This Is Dangerous: Stealth and Long-Term Access
The main danger of this approach is that malicious activity leaves almost no traces on the host system. Antivirus and EDR solutions only see the legitimate QEMU process and cannot look inside the virtual machine. This gives attackers long-term hidden access, simplifies lateral movement across the network, and allows them to quietly prepare a ransomware attack.
How to Defend: Expert Recommendations
Sophos recommends the following measures to detect such attacks:
- Check the environment for unauthorized QEMU installations.
- Monitor suspicious tasks running as SYSTEM.
- Detect unusual SSH port forwarding.
- Watch for unusual virtual disk files.
Key Takeaways
- Hackers use the legitimate QEMU tool to run hidden virtual machines.
- VM images are disguised as ordinary files (databases, DLLs).
- Attacks bypass antivirus and EDR, remaining undetected.
- Two campaigns identified: STAC4713 (PayoutsKing) and STAC3725 (CitrixBleed2).
- Monitor for unauthorized QEMU installations and suspicious SSH tunnels.
Context and Implications
Using virtualization to hide malicious activity is an evolution of cybercriminal tactics. Previously, legitimate system utilities (LOLBins) were used for this purpose, but QEMU offers broader capabilities. The number of such attacks is expected to grow, especially in corporate environments where virtualization is widespread. Companies need to adapt their defense strategies, including behavioral analysis and hypervisor-level monitoring.
— Editorial Team
No comments yet.