Sophos reports an increase in threat actors abusing the QEMU machine emulator to create covert reverse SSH backdoors and deploy ransomware and remote access tools. Two campaigns—STAC4713 (linked to PayoutsKing/Gold Encounter) and STAC3725—leveraged exposed SonicWall VPNs, SolarWinds Web Help Desk (CVE-2025-26399), and CitrixBleed2 (CVE-2025-5777) to establish persistence, harvest credentials, and exfiltrate data. #GoldEncounter #QEMU
Key points
- Threat actors use QEMU VMs to create reverse SSH tunnels that enable direct access and payload delivery.
- STAC4713 exploited exposed SonicWall VPNs lacking MFA and later CVE-2025-26399 in SolarWinds Web Help Desk.
- STAC3725 abused CVE-2025-5777 (CitrixBleed2) and used a malicious ScreenConnect client to obtain persistence and retrieve QEMU artifacts.
- Attackers created scheduled tasks or services to launch QEMU with SYSTEM privileges, then harvested AD, SAM, and SYSTEM hives and performed reconnaissance.
- Organizations should search for unauthorized QEMU installations, rogue scheduled tasks or services that launch QEMU, and unusual port forwarding rules, and should monitor for outbound SSH tunnels to detect compromise.
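The hunting checks listed above, turned into detection logic, as an added example that is not part of the Sophos or SecurityWeek reporting. The event records are constructed in the shape of Sysmon process-creation and network-connection events, and the sanctioned QEMU directory and the "task or service" parent list are assumptions to adapt per environment.

```python
import re

# Constructed sample events shaped like Sysmon EventID 1 (process create) and
# EventID 3 (network connect); they are not data taken from the Sophos report.
SAMPLE_EVENTS = [
    {"id": 1, "image": "C:\\Windows\\Temp\\qemu\\qemu-system-x86_64.exe",
     "cmdline": "qemu-system-x86_64.exe -m 512 -hda d.qcow2 "
                "-netdev user,id=n1,hostfwd=tcp::2222-:22 -device e1000,netdev=n1",
     "user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\Windows\\System32\\svchost.exe"},
    {"id": 3, "image": "C:\\Windows\\Temp\\qemu\\qemu-system-x86_64.exe",
     "dst_ip": "203.0.113.10", "dst_port": 22},
    {"id": 1, "image": "C:\\Program Files\\qemu\\qemu-system-x86_64.exe",
     "cmdline": "qemu-system-x86_64.exe -m 2048 -hda dev.qcow2",
     "user": "CORP\\developer", "parent": "C:\\Windows\\explorer.exe"},
    {"id": 3, "image": "C:\\Program Files\\Git\\usr\\bin\\ssh.exe",
     "dst_ip": "198.51.100.7", "dst_port": 22},
]

QEMU_RE = re.compile(r"qemu-system-[a-z0-9_]+\.exe$", re.I)
# Assumed allowlist: the only directory where QEMU is sanctioned in this environment.
SANCTIONED_DIRS = ("c:\\program files\\qemu\\",)
# Parents typical of scheduled-task or service launches (assumed list).
TASK_OR_SERVICE_PARENTS = ("svchost.exe", "services.exe", "taskeng.exe")


def hunt(events):
    """Return (rule, image) findings for the QEMU abuse patterns in the report."""
    findings = []
    for ev in events:
        image = ev["image"]
        if not QEMU_RE.search(image):
            continue  # only QEMU system emulators are of interest here
        if ev["id"] == 1:
            if not image.lower().startswith(SANCTIONED_DIRS):
                findings.append(("qemu_unexpected_path", image))
            parent = ev["parent"].rsplit("\\", 1)[-1].lower()
            # QEMU started as SYSTEM, or by the task/service hosts, suggests a rogue task or service
            if ev["user"].upper().endswith("\\SYSTEM") or parent in TASK_OR_SERVICE_PARENTS:
                findings.append(("qemu_as_system", image))
            # user-mode networking with hostfwd= is a port forwarding rule into the guest
            if re.search(r"hostfwd=", ev["cmdline"], re.I):
                findings.append(("qemu_port_forward", image))
        elif ev["id"] == 3 and ev["dst_port"] == 22:
            # the guest's reverse SSH session leaves the host as a connection owned by qemu
            findings.append(("qemu_outbound_ssh", image))
    return findings


if __name__ == "__main__":
    for rule, image in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```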
Read More: https://www.securityweek.com/hackers-abuse-qemu-for-defense-evasion/