Hackers Exploit QEMU VMs to Evade Detection and Deploy Ransomware
Severity: High (Score: 66.5)
Sources: Cybernews, News.Sophos
Summary
Hackers are utilizing QEMU, an open-source virtual machine emulator, to create hidden Linux environments within Windows systems, effectively evading endpoint security tools. This method allows for long-term access, credential theft, data exfiltration, and the deployment of ransomware, specifically the PayoutsKing variant. Sophos researchers have identified multiple threat actors, including STAC4713 and STAC3725, who are leveraging this technique to install a full suite of attack tools within the virtual machines. The attackers disguise the VM's disk image and use native Windows applications for reconnaissance and data access. This trend highlights a growing evasion strategy in cybercrime, with significant implications for enterprise security as malicious activities within VMs remain largely undetectable. The use of QEMU represents a critical shift in tactics among cybercriminals, emphasizing the need for enhanced detection capabilities. Current reports indicate active exploitation campaigns are ongoing.

Key Points:
- Hackers are using QEMU to run hidden Linux VMs inside Windows, evading security tools.
- The PayoutsKing ransomware is being deployed through these covert virtual machines.
- Malicious activities within VMs are nearly invisible to traditional endpoint security solutions.
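The summary above says the attackers run QEMU headlessly on Windows hosts and disguise the VM's disk image; the host-side detection opportunity is therefore the process launch itself, not anything happening inside the guest. The following is an added example of that detection logic, written for this page and not taken from Sophos, Cybernews or any vendor product. It assumes process-creation events are available as a process image path plus command line (as an EDR or Sysmon Event ID 1 feed would provide), that the legitimate QEMU install directory is `C:\Program Files\QEMU\` (an assumption; adjust to your estate), and it uses constructed sample events and constructed file headers so it runs offline. The QCOW2 magic bytes (`QFI\xfb`) and the `-hda`, `-cdrom`, `-drive file=`, `-display none` and `-nographic` options are real QEMU conventions.

```python
import os
import re

# QCOW2 disk images begin with the ASCII bytes "QFI" followed by 0xFB.
QCOW2_MAGIC = b"QFI\xfb"

# Extensions a QEMU disk image is normally expected to carry. A QCOW2 header
# behind any other extension (e.g. .mp3, .dat) is the "disguised image" case.
EXPECTED_IMAGE_EXT = {".qcow2", ".qcow", ".img", ".raw", ".vmdk", ".vdi", ".iso"}

# Assumed legitimate install directory for QEMU on Windows (adjust per estate).
EXPECTED_QEMU_DIR = "c:\\program files\\qemu\\"

QEMU_PROCESS_RE = re.compile(r"(?:^|[\\/])qemu-system-[a-z0-9_]+\.exe$", re.IGNORECASE)


def extract_disk_images(cmdline):
    """Return disk image paths referenced by a QEMU command line."""
    images = []
    # Short forms: -hda/-hdb/-hdc/-hdd <path> and -cdrom <path>
    for m in re.finditer(r"-(?:hd[a-d]|cdrom)\s+(\S+)", cmdline, re.IGNORECASE):
        images.append(m.group(1))
    # Long form: -drive file=<path>,format=...,... (key/value pairs, comma separated)
    for m in re.finditer(r"-drive\s+(\S+)", cmdline, re.IGNORECASE):
        for kv in m.group(1).split(","):
            if kv.lower().startswith("file="):
                images.append(kv[len("file="):])
    return [p.strip('"') for p in images]


def assess_event(event, read_header):
    """Return a list of findings for one process-creation event.

    read_header(path) must return the first bytes of the file at path
    (empty bytes if unreadable). An empty list means nothing QEMU-related.
    """
    findings = []
    image = event["image"]
    cmdline = event["cmdline"]
    if not QEMU_PROCESS_RE.search(image):
        return findings
    findings.append("qemu-system process launched")

    if not image.lower().startswith(EXPECTED_QEMU_DIR):
        findings.append(f"qemu binary outside expected install directory: {image}")

    for path in extract_disk_images(cmdline):
        ext = os.path.splitext(path)[1].lower()
        if read_header(path).startswith(QCOW2_MAGIC) and ext not in EXPECTED_IMAGE_EXT:
            findings.append(f"QCOW2 image disguised with extension {ext!r}: {path}")

    lowered = cmdline.lower()
    if "-nographic" in lowered or "-display none" in lowered:
        findings.append("VM started headless (no console window for the user to notice)")
    return findings


# Constructed sample events: one legitimate developer VM, one hidden VM of the
# kind described above, one unrelated process.
SAMPLE_EVENTS = [
    {"image": r"c:\program files\qemu\qemu-system-x86_64.exe",
     "cmdline": r"qemu-system-x86_64.exe -hda c:\vms\dev.qcow2 -m 2048"},
    {"image": r"c:\users\public\music\qemu-system-x86_64.exe",
     "cmdline": r"qemu-system-x86_64.exe -drive file=c:\users\public\music\track01.mp3,format=qcow2 -display none -m 512"},
    {"image": r"c:\windows\system32\notepad.exe",
     "cmdline": r"notepad.exe c:\users\alice\notes.txt"},
]

# Constructed file headers standing in for on-disk reads.
SAMPLE_HEADERS = {
    r"c:\vms\dev.qcow2": QCOW2_MAGIC + b"\x00\x00\x00\x03",
    r"c:\users\public\music\track01.mp3": QCOW2_MAGIC + b"\x00\x00\x00\x03",
}


def lookup_header(path):
    return SAMPLE_HEADERS.get(path, b"")


def scan(events, read_header=lookup_header):
    """Map each event's process image to its findings, skipping clean events."""
    return {e["image"]: f for e in events if (f := assess_event(e, read_header))}


if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS).items():
        print(image)
        for f in findings:
            print("   -", f)
```

A single "qemu-system process launched" finding is expected wherever developers legitimately run QEMU; the combination of a binary outside its install directory, a QCOW2 header behind a non-image extension, and a headless launch is what separates the hidden-VM pattern from normal use and is worth alerting on, with the scheduled task or service that started the process (T1053 above) as the next pivot.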
Key Entities
- Data Breach (attack_type)
- Malware (attack_type)
- Ransomware (attack_type)
- GOLD Encounter (campaign)
- T1003 - OS Credential Dumping (mitre_attack)
- T1021 - Remote Services (mitre_attack)
- T1033 - System Owner/User Discovery (mitre_attack)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1053 - Scheduled Task/Job (mitre_attack)
- Alpine Linux (platform)
- Linux (platform)
- Windows (platform)
- Edge (platform)
- Hyper-V (platform)
- PayoutsKing (ransomware_group)
- Bloodhound.py (tool)
- Coercer (tool)
- Impacket (tool)
- Kerbrute (tool)
- KrbRelayx (tool)
- CitrixBleed2 (vulnerability)