securityaffairs.com 4/19/2026, 6:09:56 PM

Attackers Use QEMU VMs to Hide PayoutsKing Ransomware, Steal Data

Primary source: sophos.com
Threat actor: GOLD ENCOUNTER

Sophos researchers have reported a rise in attackers abusing QEMU, an open-source emulator, to hide malicious activity inside virtual machines: the malware runs inside the VM, bypasses endpoint security controls on the host, and leaves minimal traces there. The technique is not new, but it is becoming more frequent. Sophos has identified two campaigns since late 2025, STAC4713 and STAC3725; STAC4713 is linked to data theft and the deployment of PayoutsKing ransomware, attributed to the GOLD ENCOUNTER group.

In STAC4713, attackers create a scheduled task named “TPMProfiler” to launch a hidden VM with SYSTEM privileges, using disk images disguised as legitimate files and establishing persistence through port forwarding and reverse SSH tunnels. Inside the VM, a lightweight Alpine Linux environment runs tools for tunnelling, obfuscation, and data transfer, while attackers use legitimate system utilities to extract credentials and copy Active Directory databases.
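The traits described above (QEMU launched by a scheduled task under SYSTEM, disk images hidden behind non-VM file extensions, port forwarding into the guest, a headless VM) can be turned into a host-side triage check. The following scorer is an added example, not Sophos's tooling or anything from the article; it runs over constructed process-creation records whose field names follow Sysmon Event ID 1, and the weights, threshold, parent-process list and sample values are all assumptions.

```python
import re

# Field names follow Sysmon Event ID 1; weights, threshold and samples are assumptions.
QEMU_RE = re.compile(r"qemu-system-\w+(?:\.exe)?$", re.IGNORECASE)
VM_IMAGE_EXTS = (".qcow2", ".img", ".vmdk", ".vdi", ".raw", ".iso")
TASK_PARENTS = ("taskeng.exe", "svchost.exe")  # usual parents of scheduled-task launches

def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def disk_image_args(cmdline):
    """Paths given via -hda/-hdb/-cdrom or -drive file=... (quoted or space-free)."""
    return (re.findall(r'-(?:hda|hdb|cdrom)\s+"?([^"\s]+)"?', cmdline)
            + re.findall(r'-drive\s+"?[^"\s]*?file=([^,"\s]+)', cmdline))

def score_event(event):
    """Score one process-creation record for the traits in the article; returns (score, reasons)."""
    if not QEMU_RE.search(_basename(event.get("Image", ""))):
        return 0, []
    score, reasons, cmd = 1, ["qemu process"], event.get("CommandLine", "")
    if event.get("User", "").upper().endswith("SYSTEM"):
        score += 2; reasons.append("runs as SYSTEM")
    if _basename(event.get("ParentImage", "")) in TASK_PARENTS:
        score += 1; reasons.append("launched by the task scheduler host")
    for path in disk_image_args(cmd):
        if not path.lower().endswith(VM_IMAGE_EXTS):
            score += 2; reasons.append(f"disk image behind a non-VM extension: {path}")
    if "hostfwd=" in cmd:
        score += 1; reasons.append("user-mode port forwarding into the guest")
    if "-display none" in cmd or "-nographic" in cmd:
        score += 1; reasons.append("headless VM")
    return score, reasons

def suspicious_events(events, threshold=4):
    """Return [(ProcessId, score, reasons)] for records scoring at or above the threshold."""
    hits = [(e["ProcessId"],) + score_event(e) for e in events]
    return [h for h in hits if h[1] >= threshold]

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "Image": "C:\\ProgramData\\Intel\\qemu-system-x86_64.exe",
     "CommandLine": 'qemu-system-x86_64.exe -m 512 -display none -hda "C:\\ProgramData\\Intel\\driver.dat" '
                    '-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0'},
    {"ProcessId": 7788, "User": "CORP\\dev", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files\\qemu\\qemu-system-x86_64.exe",
     "CommandLine": "qemu-system-x86_64.exe -m 4096 -drive file=C:\\VMs\\alpine.qcow2,format=qcow2"},
]
```

Calling `suspicious_events(SAMPLE_EVENTS)` flags only the first record (the interactive developer VM in the second scores 1); in practice the records would come from Sysmon or EDR process telemetry, and the scheduled-task name from the article ("TPMProfiler") is a further correlation point on task-creation events.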

From early 2026, Sophos notes a shift towards exploiting exposed VPNs and using social engineering to trick users into installing remote-access tools, with PayoutsKing encryptors targeting VMware and ESXi environments, and STAC3725 exploiting CitrixBleed2 to install a ScreenConnect client for persistence and control. According to Sophos, the GOLD ENCOUNTER group is linked to these campaigns, and Sophos provides indicators of compromise and defensive recommendations.


Article by CyberSIXT
