www.securityweek.com, 4/20/2026, 12:09:11 PM

Hackers Abuse QEMU for Defense Evasion

CyberSIXT Evidence Panel: listed in CISA KEV; patch available.

According to Sophos, hackers have been abusing the QEMU machine emulator in at least two campaigns to deploy ransomware and remote access tools. The first campaign, observed in November 2025 and tracked as STAC4713, is potentially linked to the PayoutsKing ransomware. The attackers first compromised exposed SonicWall VPNs lacking MFA, then exploited CVE-2025-26399 in SolarWinds Web Help Desk, and used QEMU as a covert reverse SSH backdoor for payload delivery and credential harvesting.

The attackers created a scheduled task to launch a QEMU VM with System privileges, enabling persistence and a reverse SSH tunnel for direct VM access, while Sophos also noted activity such as volume shadow copies, copying the AD database and hives, and network share discovery using native Windows tools.

A second campaign in February 2026, tracked as STAC3725, relied on CVE-2025-5777 (CitrixBleed2) and a ScreenConnect client to achieve persistence, with roughly a dozen tools and libraries deployed to harvest credentials and enumerate Kerberos accounts. Sophos says follow-on activity varied, and organisations are advised to search for rogue QEMU installations, unusual port forwarding, and outbound SSH tunnels.
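The hunting advice above (rogue QEMU installations, unusual port forwarding, outbound SSH tunnels) maps to a short host-side check. The script below is an added example written for this summary; it is not code from Sophos, SecurityWeek or CyberSIXT. It assumes a legitimate QEMU install, if any, lives under the paths passed in `-ApprovedQemuPaths`, and it keys only on the `qemu*` process name, scheduled-task actions that reference `qemu`, established connections to TCP/22, and QEMU's documented user-mode `hostfwd=` port-forward option. The function name and the object layout are assumptions.

```powershell
# Added example: hunt for the three QEMU-abuse indicators named in the summary.
# Run in an elevated PowerShell session on the host being examined.
function Find-RogueQemuIndicators {
    [CmdletBinding()]
    param(
        # Directories where a sanctioned QEMU install is expected (assumption:
        # adjust to your estate); a qemu* process running from anywhere else is flagged.
        [string[]]$ApprovedQemuPaths = @('C:\Program Files\qemu')
    )

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Scheduled tasks whose action launches QEMU. The campaign used a task
    #    running with SYSTEM privileges, so the principal is recorded as context.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match 'qemu') {
                $findings.Add([pscustomobject]@{
                    Indicator = 'ScheduledTask'
                    Detail    = "$($task.TaskPath)$($task.TaskName)"
                    Context   = "RunAs=$($task.Principal.UserId); Cmd=$cmd"
                })
            }
        }
    }

    # 2. Running qemu* processes outside the approved install directories.
    foreach ($p in Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Name -like 'qemu*' }) {
        $path = $p.Path
        $approved = $false
        foreach ($dir in $ApprovedQemuPaths) {
            if ($path -and $path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { $approved = $true }
        }
        if (-not $approved) {
            $findings.Add([pscustomobject]@{
                Indicator = 'RogueQemuProcess'
                Detail    = "$($p.Name) (PID $($p.Id))"
                Context   = "Path=$path"
            })
        }
    }

    # 3a. QEMU command lines that set up user-mode port forwarding (hostfwd=),
    #     which is how a guest service is exposed on the host's network interface.
    foreach ($proc in Get-CimInstance Win32_Process -Filter "Name LIKE 'qemu%'" -ErrorAction SilentlyContinue) {
        if ($proc.CommandLine -match 'hostfwd=') {
            $findings.Add([pscustomobject]@{
                Indicator = 'QemuPortForward'
                Detail    = "$($proc.Name) (PID $($proc.ProcessId))"
                Context   = "CommandLine=$($proc.CommandLine)"
            })
        }
    }

    # 3b. Established outbound connections to TCP/22: candidate reverse SSH tunnels.
    #     Every hit is reported with its owning process so an analyst can triage it.
    foreach ($c in Get-NetTCPConnection -State Established -RemotePort 22 -ErrorAction SilentlyContinue) {
        $owner = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add([pscustomobject]@{
            Indicator = 'OutboundSSH'
            Detail    = "$($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):22"
            Context   = "Owner=$($owner.Name) (PID $($c.OwningProcess))"
        })
    }

    return $findings
}

# Usage: print a triage table; an empty result means none of the indicators was seen.
Find-RogueQemuIndicators | Format-Table -AutoSize
```

The `OutboundSSH` check deliberately reports every established connection to port 22 rather than trying to decide which ones are malicious: on a server that has no reason to initiate SSH sessions, any hit deserves a look, and on an admin workstation the owning process and remote address are what separate a jump-host session from a tunnel spawned by a VM. Pair the output with network telemetry (the same connections seen from the egress firewall) rather than trusting the host alone, since a compromised host can misreport.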


Article by CyberSIXT