Beyond the bomb: When adversaries bring their own virtual machine for persistence
ID: 8bbc8ba1-2092-5d72-81ad-178d5a99f740
STIX ID: report--8bbc8ba1-2092-5d72-81ad-178d5a99f740
Feed Name: Red Canary
Threat Score
Red Canary Intelligence describes an intrusion in which attackers used an email-bombing distraction and a vishing call to trick a user into granting Quick Assist access, then introduced a QEMU VM running Windows 7 that contained Sliver implants, a QDoor-like backdoor, and ScreenConnect, which they used for internal scanning, persistence, and C2 communications; the report details forensic findings, recovered artifacts, network indicators, and defensive recommendations.
