
"Sophos has observed an uptick in abuse of QEMU since late 2025, particularly in campaigns linked to the PayoutsKing ransomware, which utilize covert reverse SSH backdoors for payload delivery."
"The attackers initially targeted exposed SonicWall VPNs lacking MFA, later exploiting CVE-2025-26399 in SolarWinds Web Help Desk to gain access and establish persistence through a scheduled task."
"In February 2026, a second campaign was tracked as STAC3725, relying on the exploitation of CVE-2025-5777 for initial access and a malicious ScreenConnect client for persistence."
Threat actors have been abusing QEMU, a cross-platform open source machine emulator, to deploy ransomware and remote access tools. Sophos reported an increase in such activity since late 2025, particularly in campaigns linked to the PayoutsKing ransomware. Initial access was gained through exposed SonicWall VPNs without MFA and later through a vulnerability in SolarWinds Web Help Desk. Attackers established persistence by launching a QEMU VM with system privileges and using it to create reverse SSH tunnels for remote access. A second campaign in February 2026 exploited a Citrix vulnerability for initial access and used a malicious ScreenConnect client for persistence.
Read at SecurityWeek