QEMU abused to evade detection and enable ransomware delivery
ID: 548a7901-1d5e-59a8-97a9-b3627fd18f7f
STIX ID: report--548a7901-1d5e-59a8-97a9-b3627fd18f7f
Feed Name: Sophos Blogs
Sophos warns of an uptick in threat actors abusing QEMU and hypervisor-based virtualization to run hidden VMs that host tooling for covert remote access, credential harvesting, lateral movement, and ransomware. The report documents two campaigns—STAC4713 (linked to PayoutsKing/GOLD ENCOUNTER) and STAC3725—that use scheduled tasks, reverse SSH tunnels, ScreenConnect implants, and exploited CVEs to maintain persistence and exfiltrate data, and provides IOCs and recommended detections.