Executive Summary
In early 2025, a sophisticated ransomware incident was revealed by Red Canary Intelligence when an adversary launched a coordinated attack combining email bombing, social engineering, and abuse of legitimate remote access tools. Initially, victims endured email inundation designed to cause confusion and open the door to a convincing technical support ruse. Leveraging remote assistance software, attackers deployed a custom QEMU virtual machine (VM) into the compromised environment—a novel method for persistent access. Within this VM, tools such as Sliver C2, QDoor backdoor, and ScreenConnect enabled internal reconnaissance, lateral movement, and external command and control, all while evading conventional endpoint security controls.
This incident is noteworthy for both its multi-layered attack chain and the adversary’s use of their own pre-configured VM for persistence, representing a shift toward virtualization-based evasion and resilience. The detection highlights a rise in blended attacks using social engineering, legitimate tools, and bespoke infrastructure, stressing the importance of defense-in-depth and advanced anomaly detection capabilities.
Why This Matters Now
The deployment of attacker-controlled virtual machines for persistence signals a new evolution in ransomware and intrusion tactics. Organizations must respond urgently, as traditional endpoint and EDR solutions may miss hostile VMs that emulate legitimate activity. Heightened vigilance and enhanced detection strategies are critical to counter these increasingly sophisticated campaigns.
Attack Path Analysis
Adversaries initiated a spam bombing campaign as a distraction, then exploited social engineering and remote access tools to gain a foothold. Leveraging legitimate privileges, they deployed a custom QEMU virtual machine to persist and evade endpoint controls. The adversary's VM conducted internal reconnaissance, scanning the network and querying services to map the environment for lateral movement. It established encrypted command and control channels with external servers, while deploying multiple backdoors for resilient access. Efforts plausibly included data aggregation and use of tools to facilitate exfiltration and anonymized access. Ultimately, the attackers aimed to deploy ransomware or disrupt business operations using their persistent VM and multiple payloads.
Kill Chain Progression
Initial Compromise
Description
Phishing (spam bombing) was used to overwhelm users, followed by a social engineering call posing as tech support to abuse Quick Assist and gain initial remote access.
Related CVEs
CVE-2015-3456
CVSS 7.7
A buffer overflow vulnerability in QEMU's virtual floppy disk controller allows a privileged guest user to execute arbitrary code on the host with the privileges of the host's QEMU process.
Affected Products:
QEMU – < 2.3.0
Xen Project Xen – < 4.5.1
KVM – < 2.3.0
Oracle VirtualBox – < 4.3.28
Exploit Status:
exploited in the wild
CVE-2024-26327
CVSS 5.3
A buffer overflow vulnerability in QEMU's SR-IOV emulation allows a malicious guest to crash QEMU, resulting in a denial of service.
Affected Products:
QEMU – 7.1.0 through 8.2.1
Exploit Status:
no public exploit
CVE-2022-0358
CVSS 7.8
A vulnerability in QEMU's virtio-fs daemon allows a local attacker to escalate privileges within the guest system.
Affected Products:
QEMU – < 6.2.0-7
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Phishing: Spearphishing Attachment
Valid Accounts
Remote Access Software
System Services: Service Execution
Application Layer Protocol: Web Protocols
Network Service Scanning
Scheduled Task/Job: Scheduled Task
Proxy: Multi-hop Proxy
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Log and Monitor Access to System Components
Control ID: 10.4.1
CISA Zero Trust Maturity Model 2.0 – Identity and Access Management – Least Privilege & Access Control
Control ID: ID.GOV-1
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
NIS2 Directive – Incident Detection and Response
Control ID: Art. 21(2)(c)
DORA (Digital Operational Resilience Act) – Operational Security and Monitoring
Control ID: Art. 8(2)(b)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Virtual machine persistence attacks bypass traditional endpoint controls, threatening encrypted transaction data and requiring enhanced east-west traffic monitoring per compliance frameworks.
Health Care / Life Sciences
QEMU-based ransomware delivery through social engineering exposes patient data systems, demanding zero trust segmentation and HIPAA-compliant threat detection capabilities.
Professional Training
Social engineering targeting technical support scenarios highlights critical need for enhanced user awareness training against spam bombing and remote access tool abuse.
Computer/Network Security
Novel virtual machine deployment tactics require updated threat intelligence sharing, anomaly detection capabilities, and multicloud visibility solutions for comprehensive defense strategies.
Sources
- Beyond the bomb: When adversaries bring their own virtual machine for persistence – https://redcanary.com/blog/threat-intelligence/email-bombing-virtual-machine/
- VENOM: QEMU vulnerability (CVE-2015-3456) - Red Hat Customer Portal – https://access.redhat.com/articles/1444903
- VENOM (vulnerability) - Wikipedia – https://en.wikipedia.org/wiki/VENOM
- CVE-2024-26327 Impact, Exploitability, and Mitigation Steps | Wiz – https://www.wiz.io/vulnerability-database/cve/cve-2024-26327
- CVE-2022-0358 Impact, Exploitability, and Mitigation Steps | Wiz – https://www.wiz.io/vulnerability-database/cve/cve-2022-0358
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and Controls (CNSF)
Cloud Network Security Framework (CNSF) controls including zero trust segmentation, east-west traffic security, threat detection and egress enforcement would have restricted remote attacker movements, controlled internal VM networking, and provided visibility into abnormal use of remote access and tunneling. Distributed policy and deep inspection could contain and detect malicious behaviors across cloud and hybrid environments.
Control: Threat Detection & Anomaly Response
Mitigation: Rapid detection of abnormal remote assistance activity and suspicious process launches.
Control: Zero Trust Segmentation
Mitigation: VM deployment and related privileged actions could be restricted to approved identities and contexts.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized lateral traffic and flags suspicious intra-network reconnaissance.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents or detects unauthorized outbound traffic and known C2 destination attempts.
Control: Encrypted Traffic (HPE)
Mitigation: Inspection and monitoring of encrypted outbound data flows highlights exfiltration attempts.
Distributed, inline policy can block malicious file encryption activity or platform abuse in real time.
Impact at a Glance
Affected Business Functions
- IT Operations
- Data Security
- Network Management
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive internal data due to unauthorized access facilitated by the exploitation of QEMU vulnerabilities.
Recommended Actions
Key Takeaways & Next Steps
- Deploy zero trust segmentation and tightly control network access between workloads and user segments to limit attacker movement.
- Enable deep east-west traffic inspection and anomaly response to detect internal reconnaissance and abnormal VM activity.
- Strictly enforce egress policy to prevent unauthorized outbound connections, especially to rare or known C2 destinations.
- Monitor and alert on abnormal remote assistance tool usage and process execution, particularly the creation or launch of virtual machines.
- Ensure continuous visibility and threat detection across hybrid and multi-cloud environments using CNSF-aligned distributed controls.
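The detections the takeaways above call for, written out as an added example that is not part of the original report and not any vendor's product code: a Python sketch that parses constructed process and network telemetry (JSON lines made up for this illustration) and flags three behaviours from the incident narrative: a QEMU process whose parent chain leads back to a remote-assistance tool, a VM process touching several distinct internal services (east-west reconnaissance), and a VM process connecting to an external address outside an egress allowlist. The process names, file paths, allowlist range and scan threshold are assumptions to be adjusted for a real environment.

```python
"""Added detection sketch (not from the report): three behaviours the
takeaways ask defenders to watch for, evaluated over constructed telemetry."""
import json
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed process names for remote-assistance tools and QEMU binaries.
REMOTE_ASSIST = {"quickassist.exe", "screenconnect.windowsclient.exe",
                 "screenconnect.clientservice.exe"}
HYPERVISORS = {"qemu-system-x86_64.exe", "qemu-system-i386.exe"}
# RFC 1918 ranges count as internal; the egress allowlist is a placeholder.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
EGRESS_ALLOW = [ip_network("203.0.113.0/24")]
MAX_DEPTH = 8        # how far up the parent chain to look
SCAN_THRESHOLD = 3   # distinct internal (ip, port) pairs before alerting

# Constructed JSON-lines telemetry. WS01 shows the pattern from the report
# (a VM launched beneath a remote-assistance session); WS02 is a benign
# developer starting QEMU from the desktop with approved egress only.
SAMPLE_EVENTS = r"""
{"host":"WS01","type":"process","pid":500,"ppid":1,"image":"C:\\Windows\\explorer.exe"}
{"host":"WS01","type":"process","pid":812,"ppid":500,"image":"C:\\AssumedPath\\QuickAssist.exe"}
{"host":"WS01","type":"process","pid":900,"ppid":812,"image":"C:\\Windows\\System32\\cmd.exe"}
{"host":"WS01","type":"process","pid":950,"ppid":900,"image":"C:\\Users\\Public\\qemu\\qemu-system-x86_64.exe"}
{"host":"WS01","type":"network","pid":950,"dst_ip":"10.1.5.20","dst_port":445}
{"host":"WS01","type":"network","pid":950,"dst_ip":"10.1.5.21","dst_port":445}
{"host":"WS01","type":"network","pid":950,"dst_ip":"10.1.5.22","dst_port":3389}
{"host":"WS01","type":"network","pid":950,"dst_ip":"198.51.100.7","dst_port":443}
{"host":"WS01","type":"network","pid":950,"dst_ip":"203.0.113.10","dst_port":443}
{"host":"WS02","type":"process","pid":600,"ppid":1,"image":"C:\\Windows\\explorer.exe"}
{"host":"WS02","type":"process","pid":700,"ppid":600,"image":"C:\\Tools\\qemu\\qemu-system-x86_64.exe"}
{"host":"WS02","type":"network","pid":700,"dst_ip":"203.0.113.10","dst_port":443}
""".strip().splitlines()


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def load_events(lines):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def basename(image):
    """Lower-cased file name from a Windows or POSIX path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_any(ip, nets):
    return any(ip in net for net in nets)


def ancestor_in(procs, host, pid, names):
    """Walk up the parent chain on one host and return the first ancestor
    image name found in `names`, or None. Bounded and cycle-safe."""
    cur = procs.get((host, pid))
    seen = {pid}
    for _ in range(MAX_DEPTH):
        if cur is None:
            return None
        parent = procs.get((host, cur["ppid"]))
        if parent is None or parent["pid"] in seen:
            return None
        seen.add(parent["pid"])
        name = basename(parent["image"])
        if name in names:
            return name
        cur = parent
    return None


def detect(events):
    """Return alerts for VM-under-remote-assist, internal scanning by a VM
    process, and unapproved egress from a VM process."""
    alerts = []
    procs = {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}
    vm_keys = set()
    for (host, pid), ev in procs.items():
        name = basename(ev["image"])
        if name not in HYPERVISORS:
            continue
        vm_keys.add((host, pid))
        anc = ancestor_in(procs, host, pid, REMOTE_ASSIST)
        if anc:
            alerts.append(Alert("vm-under-remote-assist", host,
                                f"{name} pid {pid} descends from {anc}"))
    internal_targets = {}
    for ev in events:
        key = (ev["host"], ev["pid"])
        if ev["type"] != "network" or key not in vm_keys:
            continue
        dst = ip_address(ev["dst_ip"])
        if in_any(dst, INTERNAL_NETS):
            internal_targets.setdefault(key, set()).add((ev["dst_ip"], ev["dst_port"]))
        elif not in_any(dst, EGRESS_ALLOW):
            alerts.append(Alert("vm-egress-unapproved", ev["host"],
                                f"pid {ev['pid']} -> {dst}:{ev['dst_port']}"))
    for (host, pid), targets in internal_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            alerts.append(Alert("vm-internal-scan", host,
                                f"pid {pid} touched {len(targets)} internal services"))
    return alerts


if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_EVENTS)):
        print(alert)
```

Run against the constructed sample, WS01 produces all three alerts and WS02 produces none, which is the point of the parent-chain check: a hypervisor binary on its own is not suspicious, a hypervisor launched inside a remote-assistance session with unapproved egress is. In production the same logic would run over EDR process-creation and network-connection events rather than the embedded lines.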