Hiding in the Shadows: Covert Tunnels via QEMU Virtualization
ID: be99f2d8-b09d-5264-bba9-902dc8c05d1d
STIX ID: report--be99f2d8-b09d-5264-bba9-902dc8c05d1d
Feed Name: TrustedSec blog
TrustedSec investigated an intrusion where an attacker used a Microsoft Teams vishing call and Quick Assist/Zoho Meeting to convince a user to download artifacts that deployed portable QEMU VMs (Tiny Core Linux) on the host. The attacker used those VMs to attempt persistence (by editing bootlocal.sh and filetool.lst), install OpenSSH, and create a reverse SSH tunnel to external IPs to maintain covert access. The report includes filenames, MD5 hashes, and attacker-controlled IPs as IOCs, and recommends reimaging, credential resets, and controls on remote-assistance tools and virtualization software.
