
Hackers Abuse QEMU for Defense Evasion


Threat actors have been abusing QEMU in campaigns leading to the deployment of ransomware and remote access tools, Sophos reports.

A cross-platform, open source machine emulator, QEMU allows users to run a guest virtual machine (VM) on top of their host operating system (the VM host).

Over the past few years, security researchers have documented several malicious campaigns that used QEMU to establish covert communication channels and deploy backdoors, and Sophos now says it has observed an uptick in such abuse since late 2025.

As part of a campaign first observed in November 2025, tracked as STAC4713 and potentially linked to the PayoutsKing ransomware, threat actors used the machine emulator as a covert reverse SSH backdoor for payload delivery and credential harvesting.

At first, the hackers targeted exposed SonicWall VPNs that lacked MFA for initial access, but later switched to exploiting CVE-2025-26399, a remote code execution (RCE) vulnerability in SolarWinds Web Help Desk.

The attackers created a scheduled ...
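The defensive angle of the campaign above is that QEMU is a legitimate, signed tool, so detection has to key on how and where it is launched rather than on the binary itself. The following is an added example written for this page, not Sophos' detection logic or anything from the report it summarises: it scores process-creation events for the traits a covert QEMU guest tends to show (the emulator running from a user-writable directory, under a renamed image name, headless, or with user-mode networking and port forwarding). The field names, the expected-install allowlist, the weights and the sample events are all constructed assumptions.

```python
"""Score process-creation events for signs of QEMU being used as a covert
guest rather than an administrator's emulator (added example, heuristics
and sample data are assumptions, not the vendor's detection logic)."""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Where a legitimate QEMU install is expected on this fleet (assumed allowlist).
EXPECTED_DIRS = (r"c:\program files\qemu", r"c:\program files (x86)\qemu")

# OriginalFileName values carried in the version info of QEMU binaries (assumed set);
# a renamed copy keeps this field even when the on-disk name changes.
QEMU_ORIGINAL_NAMES = {
    "qemu-system-x86_64.exe", "qemu-system-i386.exe",
    "qemu-system-aarch64.exe", "qemu-img.exe",
}

FLAG_THRESHOLD = 3  # assumed: one strong indicator or several weak ones


@dataclass
class ProcessEvent:
    """Minimal Sysmon-style process-creation record (constructed shape)."""
    host: str
    image: str          # full path of the started executable
    original_name: str  # OriginalFileName from the PE version resource
    cmdline: str
    parent: str
    reasons: List[str] = field(default_factory=list)


def is_qemu(ev: ProcessEvent) -> bool:
    """QEMU is recognised by version info first, then by the on-disk name."""
    name = PureWindowsPath(ev.image).name.lower()
    return ev.original_name.lower() in QEMU_ORIGINAL_NAMES or name.startswith("qemu-")


def score_event(ev: ProcessEvent) -> Tuple[int, List[str]]:
    """Return (score, reasons). Non-QEMU events score 0."""
    if not is_qemu(ev):
        return 0, []
    score, reasons = 0, []
    img = ev.image.lower()
    cmd = ev.cmdline.lower()
    if not any(img.startswith(d + "\\") for d in EXPECTED_DIRS):
        score += 3; reasons.append("QEMU outside expected install directory")
    if PureWindowsPath(ev.image).name.lower() != ev.original_name.lower():
        score += 3; reasons.append("renamed QEMU binary")
    if "-nographic" in cmd or "-display none" in cmd:
        score += 1; reasons.append("headless guest")
    if "-netdev user" in cmd or "-nic user" in cmd:
        # user-mode networking gives the guest NAT'd outbound access through the host;
        # hostfwd additionally exposes a guest port on the host
        if "hostfwd=" in cmd:
            score += 2; reasons.append("user-mode networking with port forwarding")
        else:
            score += 1; reasons.append("user-mode networking")
    return score, reasons


def find_suspicious(events: List[ProcessEvent]) -> List[Dict]:
    """Events at or above FLAG_THRESHOLD, highest score first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= FLAG_THRESHOLD:
            hits.append({"host": ev.host, "image": ev.image, "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


# Constructed sample events: an admin's VM, a renamed QEMU in ProgramData,
# an ordinary svchost, and QEMU dropped into a user's Temp directory.
SAMPLE_EVENTS = [
    ProcessEvent("ws-03", r"C:\Program Files\qemu\qemu-system-x86_64.exe", "qemu-system-x86_64.exe",
                 "qemu-system-x86_64.exe -m 4096 -display none -netdev user,id=n0 -drive file=dev.qcow2",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent("ws-17", r"C:\ProgramData\svc\svchost.exe", "qemu-system-x86_64.exe",
                 "svchost.exe -m 512 -display none -netdev user,id=n0,hostfwd=tcp::2222-:22 "
                 "-device e1000,netdev=n0 -drive file=disk.qcow2",
                 r"C:\Windows\System32\svchost.exe"),
    ProcessEvent("ws-21", r"C:\Windows\System32\svchost.exe", "svchost.exe",
                 "svchost.exe -k netsvcs", r"C:\Windows\System32\services.exe"),
    ProcessEvent("ws-42", r"C:\Users\bob\AppData\Local\Temp\qemu-system-x86_64.exe", "qemu-system-x86_64.exe",
                 "qemu-system-x86_64.exe -nographic -netdev user,id=n0 -drive file=a.qcow2",
                 r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit["host"], hit["score"], "; ".join(hit["reasons"]))
```

The weights are deliberately coarse: a renamed or mislocated QEMU is enough on its own to warrant a look, while a headless guest with user-mode networking is normal for developers and only becomes interesting in combination with the other traits. In production the allowlist and the parent-process field would be tuned to the environment, and the version-info check is what keeps a simple rename of the binary from evading the rule.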


Copyright of this story solely belongs to SecurityWeek.