Back to Home

Ransomware attackers hide attacks via QEMU: how to protect yourself

The article analyzes a new ransomware technique using QEMU virtual machines to hide malicious activity. It examines Payouts King campaigns and attacks via the CitrixBleed 2 vulnerability, and provides recommendations for detection and protection.

Ransomware hides in virtual machines: new QEMU threat
Advertisement 728x90

Ransomware Groups Mask Malicious Activity with QEMU-Based Virtual Machines

Ransomware groups are increasingly using virtualization to hide their actions from security systems. Operators of the Payouts King ransomware and other cybercriminal groups deploy hidden virtual machines on compromised hosts, allowing them to bypass antivirus and EDR solutions.

How the QEMU Attack Works

Attackers inject the open-source QEMU hypervisor into the target system. Inside the virtual machine, a lightweight operating system such as Alpine Linux runs, leaving no traces on the host. All malicious tools, including remote access, data theft, and reconnaissance utilities, operate within this isolated environment, remaining invisible to host OS monitoring tools.

This approach offers attackers several advantages:

Google AdInline article slot
  • Malicious files are not scanned by the host antivirus.
  • Network connections initiated from the VM appear as legitimate QEMU traffic.
  • Any tools can be run inside the VM without risk of detection.

Two Campaigns: Payouts King and Attacks via Citrix Vulnerabilities

Sophos researchers documented two incidents where this technique was used. In the first case (STAC4713), the GOLD ENCOUNTER group, linked to the Payouts King ransomware, used QEMU for network persistence. The second case (STAC3725) was based on exploiting the CitrixBleed 2 vulnerability (CVE-2025-5777) in NetScaler devices.

Campaign STAC4713: Payouts King

Operators created a scheduled task named TPMProfiler that launched QEMU with SYSTEM privileges. Virtual disks were disguised as database files or DLLs. Inside the VM, Alpine Linux ran with pre-installed tools:

  • AdaptixC2 — for command channel management.
  • Chisel — for traffic proxying.
  • BusyBox — for executing system commands.
  • Rclone — for data theft.

Initial access was achieved through vulnerabilities in SonicWall VPN or SolarWinds Web Help Desk (CVE-2025-26399). After penetration, attackers extracted credentials from Active Directory using Volume Shadow Copy (VSS) and copying NTDS.dit, SAM, and SYSTEM files.

Google AdInline article slot

Campaign STAC3725: Attacks via CitrixBleed 2

In this attack, attackers exploited a vulnerability in NetScaler, then installed ScreenConnect for remote access and deployed QEMU with Alpine Linux. Unlike the first campaign, tools were assembled manually inside the VM. These included:

  • Impacket — for working with Windows network protocols.
  • KrbRelayx — for Kerberos attacks.
  • BloodHound.py — for Active Directory analysis.
  • Metasploit — for post-exploitation.

The goal was credential theft, domain reconnaissance, and preparation for data exfiltration via FTP.

Key Takeaways

  • Using QEMU allows ransomware to bypass most host security measures.
  • Payouts King is likely linked to former BlackBasta members, as evidenced by similar social engineering methods.
  • The ransomware uses AES-256 for data and RSA-4096 for keys, along with intermittent encryption for speed.
  • Companies are advised to monitor for unauthorized QEMU installations, suspicious SYSTEM-level tasks, and unusual SSH tunnels.

Context and Implications

The trend of using virtualization in attacks is growing. Previously, similar methods were used by the 3AM, LoudMiner groups and in the CRON#TRAP phishing campaign. To defend against such threats, organizations should implement hypervisor-level monitoring, restrict software installation rights, and use behavioral analysis.

Google AdInline article slot

— Editorial Team

Advertisement 728x90

Read Next