Payouts King Ransomware Abuses QEMU VMs to Evade Detection and Establish Reverse SSH Backdoors
The **Payouts King** ransomware operation is leveraging the **QEMU** emulator to run hidden virtual machines on compromised systems that serve as reverse SSH backdoors, bypassing endpoint security measures. Inside such a VM the attackers can execute payloads, store malicious files, and maintain covert remote access tunnels that host-based security solutions do not inspect.

**QEMU** is an open-source CPU emulator and system virtualization tool that enables users to run operating systems as virtual machines (VMs) on a host computer. Because security solutions on the host often cannot scan inside these VMs, threat actors are increasingly abusing **QEMU** for malicious purposes.
### QEMU Abuse on the Rise
This technique has been observed in past operations by various threat actors, including the **3AM** ransomware group, **LoudMiner** cryptomining campaigns, and **CRON#TRAP** phishing attacks. Cybersecurity firm **Sophos** recently documented two campaigns where attackers deployed **QEMU** to collect domain credentials as part of their attack arsenal.
One campaign, tracked by **Sophos** as STAC4713, was first observed in November 2025 and is linked to the **Payouts King** ransomware operation. The other, tracked as STAC3725 and observed in February, exploits the **CitrixBleed 2** (**CVE-2025-5777**) vulnerability in **NetScaler ADC** and **Gateway** instances.
### Payouts King and GOLD ENCOUNTER
Researchers have linked the threat actors behind the STAC4713 campaign to the **GOLD ENCOUNTER** threat group, known for targeting hypervisors with encryptors built for **VMware ESXi** environments. According to **Sophos**, the attackers create a scheduled task named "TPMProfiler" to launch a hidden **QEMU** VM as SYSTEM.
They use virtual disk files disguised as database and DLL files, and set up port forwarding to provide covert access to the infected host via a reverse SSH tunnel. The VM runs **Alpine Linux** version 3.22.0 and comes pre-loaded with attacker tools such as AdaptixC2, Chisel, BusyBox, and Rclone.
**Sophos** reports that initial access was achieved via exposed **SonicWall** VPNs, while exploitation of the **SolarWinds** Web Help Desk vulnerability **CVE-2025-26399** was observed in more recent attacks. Post-infection, the threat actors use VSS (vssuirun.exe) to create a shadow copy, then use the print command over SMB to copy NTDS.dit, SAM, and SYSTEM hives to temp directories.
Recent incidents attributed to this actor relied on different initial access vectors. In one attack in February, **GOLD ENCOUNTER** used an exposed **Cisco** SSL VPN. In March, they impersonated IT staff and tricked employees via **Microsoft Teams** into downloading and installing **QuickAssist**.
"In both instances, the threat actors used the legitimate ADNotificationManager.exe binary to sideload a **Havoc C2** payload (vcruntime140_1.dll) and then leveraged Rclone to exfiltrate data to a remote SFTP location," **Sophos** noted.
According to a **Zscaler** report, **Payouts King** is likely connected to former **BlackBasta** affiliates, based on its use of similar initial access methods such as spam bombing, **Microsoft Teams** phishing, and **Quick Assist** abuse.
The ransomware employs heavy obfuscation and anti-analysis mechanisms, establishes persistence via scheduled tasks, and terminates security tools using low-level system calls. The **Payouts King** encryption scheme uses AES-256 (CTR) with RSA-4096, with intermittent encryption for larger files. The ransom notes direct victims to leak sites on the dark web.

### CitrixBleed 2 Exploitation
The second campaign observed by **Sophos** (STAC3725) has been active since February and exploits the **CitrixBleed 2** vulnerability to gain initial access. After compromising **NetScaler** devices, the attackers deploy a ZIP archive containing a malicious executable that installs a service named "AppMgmt," creates a new local admin user (CtxAppVCOMService), and installs a **ScreenConnect** client for persistence.
The **ScreenConnect** client connects to a remote relay server and establishes a session with system privileges, then drops and extracts a **QEMU** package that runs a hidden **Alpine Linux** VM using a custom .qcow2 disk image. Instead of using a pre-built toolkit, the attackers manually install and compile their tools, including Impacket, KrbRelayx, Coercer, BloodHound.py, NetExec, Kerbrute, and **Metasploit**, inside the VM.
Observed activity includes credential harvesting, Kerberos username enumeration, **Active Directory** reconnaissance, and staging data for exfiltration via FTP servers.
### Mitigation Recommendations
**Sophos** recommends that organizations look for unauthorized **QEMU** installations, suspicious scheduled tasks running with SYSTEM privileges, unusual SSH port forwarding, and outbound SSH tunnels on non-standard ports.
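A host-side hunt for the indicators in that list, written here as an added example and not code from **Sophos** or the article. It assumes an elevated session on a Windows host with the ScheduledTasks and NetTCPIP modules (Windows 8 / Server 2012 and later); the "TPMProfiler" task name comes from the STAC4713 description above, and the `hostfwd`, `-display none` and `-nographic` patterns are standard QEMU options a headless, port-forwarding VM would need.

```powershell
# Added hunting script (not Sophos' or the article's code). Run elevated on a Windows host.

# 1. Scheduled tasks running as SYSTEM whose action launches a QEMU binary,
#    or whose name matches the task observed in STAC4713 ("TPMProfiler").
$qemuPattern  = 'qemu-system|qemu-img|qemu\.exe'
$suspectTasks = Get-ScheduledTask | Where-Object {
    $_.Principal.UserId -match '^(SYSTEM|NT AUTHORITY\\SYSTEM|S-1-5-18)$' -and (
        $_.TaskName -eq 'TPMProfiler' -or
        ($_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match $qemuPattern })
    )
}
$suspectTasks |
    Select-Object TaskName, TaskPath, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } } |
    Format-Table -AutoSize

# 2. Live QEMU processes, with the command-line traits of a hidden VM: no display,
#    user-mode networking with host port forwarding, and a disk image whose
#    extension is not a disk format (the article: files disguised as DB and DLL).
$qemuProcs = Get-CimInstance Win32_Process | Where-Object { $_.Name -match '^qemu' }
foreach ($p in $qemuProcs) {
    $cl    = $p.CommandLine
    $flags = @()
    if ($cl -match '-display\s+none|-nographic')                       { $flags += 'headless' }
    if ($cl -match 'hostfwd=')                                         { $flags += 'port-forward' }
    if ($cl -match '-(drive|hda)\s+\S*\.(dll|mdf|ldf|db|sqlite)\b')    { $flags += 'disguised-disk' }
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    [pscustomobject]@{
        PID         = $p.ProcessId
        User        = "$($owner.Domain)\$($owner.User)"
        Flags       = ($flags -join ',')
        CommandLine = $cl
    }
}

# 3. Established connections owned by QEMU or ssh processes whose remote port is
#    not 22: an outbound SSH tunnel on a non-standard port is the last indicator
#    in the Sophos list.
$tunnelPids = @($qemuProcs.ProcessId) +
              @((Get-Process -Name ssh -ErrorAction SilentlyContinue).Id)
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $tunnelPids -contains $_.OwningProcess -and $_.RemotePort -ne 22 } |
    Select-Object OwningProcess, LocalAddress, LocalPort, RemoteAddress, RemotePort |
    Format-Table -AutoSize
```

Review any hit in step 2 together with its parent process: a QEMU process whose parent is the Task Scheduler service rather than an interactive user session matches the persistence described above.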