Attackers are abusing QEMU, an open-source emulator, to hide malware inside virtual machines, evading detection and stealing sensitive data. Because the malicious code runs inside a guest, it bypasses endpoint security controls on the host and leaves few traces there, which lets the attackers keep access for long periods and exfiltrate data undetected. The same foothold is later used to deploy ransomware such as PayoutsKing. Researchers at Sophos have observed a surge in the use of this technique, which is not new but is becoming increasingly prevalent [1]. The stealth of the approach makes these intrusions hard for security teams to detect and respond to, so practitioners must stay vigilant and put robust controls in place to prevent and detect hidden virtual machine attacks, which can have severe consequences for affected organizations.
Hidden VMs: how hackers leverage QEMU to stealthily steal data and spread malware
Why This Matters
This approach allows attackers to maintain long-term access, steal credentials, exfiltrate data, and eventually deploy ransomware such as PayoutsKing.
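The malware described above runs inside a QEMU guest, but the emulator itself still runs as an ordinary process on the host, so process-creation telemetry is one place defenders can look. The script below is an added example, not code from SecurityAffairs, Sophos or the QEMU project: it scores QEMU launches by traits that are unusual for a sanctioned install (binary outside an expected directory, headless launch, user-mode networking with port forwarding, disk image in a temp or profile directory, launched by a script host). The event format, the list of expected directories, the parent-process list, the weights and the alert threshold are all assumptions for illustration, and the sample events are constructed.

```python
"""Hunt for hidden-VM style QEMU launches in process-creation telemetry.

Added example; not from the SecurityAffairs/Sophos reporting. All heuristics,
weights and the JSON-lines event format are assumptions for illustration.
"""
import json
import re
from dataclasses import dataclass, field
from typing import List, Optional

# qemu-system-<arch> (optionally .exe) at the end of the image path.
QEMU_BINARY = re.compile(r"qemu-system-[a-z0-9_]+(\.exe)?$", re.IGNORECASE)

# Assumption: directories where a sanctioned QEMU install is expected to live
# (already normalised to lower case with forward slashes).
EXPECTED_DIRS = ("c:/program files/qemu", "/usr/bin", "/usr/local/bin")

HEADLESS_FLAGS = ("-nographic", "-display none")
# user-mode networking with a hostfwd= port forward into the guest
HOSTFWD = re.compile(r"-netdev\s+user\S*hostfwd=", re.IGNORECASE)
# first disk image given via -drive file=... or -hda/-hdb/...
DISK_ARG = re.compile(r"(?:-drive\s+file=|-hd[abcd]\s+)(\S+)", re.IGNORECASE)
TEMP_DIRS = ("/temp/", "/appdata/", "/tmp/", "/dev/shm/")  # assumed odd image locations
SCRIPT_PARENTS = ("cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe")  # assumed
ALERT_THRESHOLD = 5  # assumed; tune against your own baseline


@dataclass
class Finding:
    pid: int
    image: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def _norm(path: str) -> str:
    """Lower-case a path and use forward slashes so Windows and Linux compare alike."""
    return path.replace("\\", "/").lower()


def analyze_event(event: dict) -> Optional[Finding]:
    """Score one process-creation event; None if it is not a QEMU launch."""
    image = event.get("image", "")
    if not QEMU_BINARY.search(image):
        return None
    cmd = event.get("command_line", "")
    finding = Finding(pid=event["pid"], image=image)

    def hit(points: int, reason: str) -> None:
        finding.score += points
        finding.reasons.append(reason)

    image_dir = _norm(image).rsplit("/", 1)[0]
    if not any(image_dir.startswith(d) for d in EXPECTED_DIRS):
        hit(3, "binary outside expected install directories")
    if any(flag in cmd for flag in HEADLESS_FLAGS):
        hit(2, "headless launch (no display)")
    if HOSTFWD.search(cmd):
        hit(2, "user-mode networking with hostfwd port forward")
    disk = DISK_ARG.search(cmd)
    if disk and any(t in _norm(disk.group(1)) for t in TEMP_DIRS):
        hit(2, "disk image in temp/profile directory")
    parent = _norm(event.get("parent_image", "")).rsplit("/", 1)[-1]
    if parent in SCRIPT_PARENTS:
        hit(2, f"launched by script host {parent}")
    return finding


def load_events(jsonl: str) -> List[dict]:
    """Parse one JSON object per line (blank lines ignored)."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def hunt(jsonl: str) -> List[Finding]:
    """Return findings at or above ALERT_THRESHOLD, highest score first."""
    findings = [f for f in map(analyze_event, load_events(jsonl)) if f]
    return sorted((f for f in findings if f.score >= ALERT_THRESHOLD),
                  key=lambda f: f.score, reverse=True)


# Constructed sample telemetry (not real logs): a sanctioned desktop VM, a
# suspicious launch from a temp directory, a normal headless server VM, and a
# non-QEMU process.
SAMPLE_EVENTS = r"""
{"pid": 1201, "image": "C:\\Program Files\\qemu\\qemu-system-x86_64.exe", "command_line": "qemu-system-x86_64.exe -m 4096 -display gtk -drive file=D:\\vms\\win10.qcow2", "parent_image": "C:\\Windows\\explorer.exe"}
{"pid": 4812, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\q\\qemu-system-x86_64.exe", "command_line": "qemu-system-x86_64.exe -m 1024 -nographic -drive file=C:\\Users\\alice\\AppData\\Local\\Temp\\q\\disk.qcow2,format=qcow2 -netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0", "parent_image": "C:\\Windows\\System32\\cmd.exe"}
{"pid": 2207, "image": "/usr/bin/qemu-system-x86_64", "command_line": "qemu-system-x86_64 -nographic -drive file=/var/lib/libvirt/images/web.qcow2 -netdev user,id=n0,hostfwd=tcp::8080-:80", "parent_image": "/usr/sbin/libvirtd"}
{"pid": 3300, "image": "C:\\Windows\\System32\\svchost.exe", "command_line": "svchost.exe -k netsvcs", "parent_image": "C:\\Windows\\System32\\services.exe"}
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"pid {f.pid} score {f.score}: {f.image}")
        for r in f.reasons:
            print("  -", r)
```

Only the temp-directory launch crosses the threshold; the Linux server VM is headless and port-forwarded too, but from an expected path and parent, which is exactly the kind of benign baseline the weights are meant to absorb. In practice the expected directories and parent list should come from an inventory of sanctioned hypervisor use, and a finding should pivot to the disk image and any outbound connections from the QEMU process.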
References
- [1] SecurityAffairs. (2026, April 18). Hidden VMs: how hackers leverage QEMU to stealthily steal data and spread malware. SecurityAffairs. https://securityaffairs.com/190982/security/hidden-vms-how-hackers-leverage-qemu-to-stealthily-steal-data-and-spread-malware.html