QEMU Abused to Evade Detection and Enable Ransomware Delivery

    Date: 04/22/2026

    Severity: High

    Summary

    Threat actors are increasingly abusing the open-source virtualization tool QEMU as a Living-off-the-Land binary (LOLBin) to run malicious activity inside a virtual machine, where endpoint security on the host does not inspect it and where host-side forensic artifacts are sparse. This approach has been used in multiple campaigns to support covert operations such as command-and-control communication, network tunneling, and malware deployment, including ransomware. The growing use of QEMU highlights its role in defense evasion and stealthy attack execution.

    Indicators of Compromise (IOC) List

    Domains/URLs

    vtps.us

    IP Addresses

    144.208.127.190

    74.242.216.76

    194.110.172.152

    98.81.138.214

    158.158.0.165

    Hashes

    SHA256

    7ae413b76424508055154ee262c7567705dc1ac00607f5ac2e43d032221b34b3

    f3194018d60645e43afabac33ceb4e852f95241b410cd726b1c40e3021589937

    c6b848c6a61685724fa9e2b3f6e3a118323ee0c165d1aa8c8a574205a4c4be59

    a65f0144101d93656c5f9ad445b3993336e1f295a838351aeca6332c0949b463

    61c14c01460810f6f5f760daf8edbda82eea908b1a95052f8e0f9c4162c2900c

    3a33b5bceb1eba4cc749534b03dd245f965d8f200aa02392baad78f5021a20ff

    SHA1

    25e4d0eacff44f67a0a9d13970656cf76e5fd78c

    6c09b0d102361888daa7fa4f191f603a19af47cb

    66dc383e9e0852523fe50def0851b9268865f779

    903edad58d54f056bd94c8165cc20e105b054fa8

    8c8e75dc4b4e1f201b56133a00fa9d1d711ccb50

    MD5

    f7a11aeaa4f0c748961bbebb2f9e12b6

    b752ebfc1004f2c717609145e28243f3

    b186baf2653c6c874e7b946647b048cc

    6f55743091410dad6cdb0b7e474f03e7

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "vtps.us" or url like "vtps.us" or siteurl like "vtps.us"

    Detection Query 2:

    dstipaddress IN ("98.81.138.214","194.110.172.152","158.158.0.165","74.242.216.76","144.208.127.190") or srcipaddress IN ("98.81.138.214","194.110.172.152","158.158.0.165","74.242.216.76","144.208.127.190")

    Detection Query 3:

    md5hash IN ("6f55743091410dad6cdb0b7e474f03e7","f7a11aeaa4f0c748961bbebb2f9e12b6","b752ebfc1004f2c717609145e28243f3","b186baf2653c6c874e7b946647b048cc")

    Detection Query 4:

    sha1hash IN ("8c8e75dc4b4e1f201b56133a00fa9d1d711ccb50","25e4d0eacff44f67a0a9d13970656cf76e5fd78c","6c09b0d102361888daa7fa4f191f603a19af47cb","66dc383e9e0852523fe50def0851b9268865f779","903edad58d54f056bd94c8165cc20e105b054fa8")

    Detection Query 5:

    sha256hash IN ("3a33b5bceb1eba4cc749534b03dd245f965d8f200aa02392baad78f5021a20ff","7ae413b76424508055154ee262c7567705dc1ac00607f5ac2e43d032221b34b3","f3194018d60645e43afabac33ceb4e852f95241b410cd726b1c40e3021589937","c6b848c6a61685724fa9e2b3f6e3a118323ee0c165d1aa8c8a574205a4c4be59","a65f0144101d93656c5f9ad445b3993336e1f295a838351aeca6332c0949b463","61c14c01460810f6f5f760daf8edbda82eea908b1a95052f8e0f9c4162c2900c")
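    The five queries above match the advisory's IOCs field by field. As an added illustration (this is not Gurucul's code and does not use the TDIR query engine), the following Python script applies the same IOC set to a handful of constructed log records. It goes slightly beyond the queries in two ways that matter in practice: hashes are normalized to lowercase and classified by digest length before lookup, and domain matching is done on the parsed hostname with exact-or-subdomain semantics, so a lookalike such as "notvtps.us" is not flagged by a bare substring match. The field names (domainname, url, siteurl, srcipaddress, dstipaddress, md5hash, sha1hash, sha256hash) are taken from the queries; the sample records and their id values are constructed for the example.

```python
"""Match the advisory's IOCs against constructed log records (added example, not vendor code)."""
import re
from urllib.parse import urlparse

# IOC values copied from the advisory above.
IOC_DOMAINS = {"vtps.us"}
IOC_IPS = {
    "144.208.127.190", "74.242.216.76", "194.110.172.152",
    "98.81.138.214", "158.158.0.165",
}
IOC_HASHES = {h.lower() for h in (
    # SHA256
    "7ae413b76424508055154ee262c7567705dc1ac00607f5ac2e43d032221b34b3",
    "f3194018d60645e43afabac33ceb4e852f95241b410cd726b1c40e3021589937",
    "c6b848c6a61685724fa9e2b3f6e3a118323ee0c165d1aa8c8a574205a4c4be59",
    "a65f0144101d93656c5f9ad445b3993336e1f295a838351aeca6332c0949b463",
    "61c14c01460810f6f5f760daf8edbda82eea908b1a95052f8e0f9c4162c2900c",
    "3a33b5bceb1eba4cc749534b03dd245f965d8f200aa02392baad78f5021a20ff",
    # SHA1
    "25e4d0eacff44f67a0a9d13970656cf76e5fd78c",
    "6c09b0d102361888daa7fa4f191f603a19af47cb",
    "66dc383e9e0852523fe50def0851b9268865f779",
    "903edad58d54f056bd94c8165cc20e105b054fa8",
    "8c8e75dc4b4e1f201b56133a00fa9d1d711ccb50",
    # MD5
    "f7a11aeaa4f0c748961bbebb2f9e12b6",
    "b752ebfc1004f2c717609145e28243f3",
    "b186baf2653c6c874e7b946647b048cc",
    "6f55743091410dad6cdb0b7e474f03e7",
)}

HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def classify_hash(value):
    """Return 'md5', 'sha1' or 'sha256' for a hex digest of the matching length, else None."""
    v = value.strip()
    if not HEX_RE.fullmatch(v):
        return None
    return HASH_ALGO_BY_LEN.get(len(v))


def host_of(value):
    """Extract the lowercase hostname from a URL or a bare hostname (trailing dot removed)."""
    v = value.strip()
    if "//" not in v:
        v = "//" + v  # let urlparse treat a bare host (or host/path) as the netloc
    return (urlparse(v).hostname or "").lower().rstrip(".")


def domain_is_ioc(host):
    """Exact or subdomain match only: 'cdn.vtps.us' hits, 'notvtps.us' does not."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_record(rec):
    """Return a list of (field, ioc_type, matched_value) hits for one log record."""
    hits = []
    for field in ("domainname", "url", "siteurl"):
        if field in rec:
            host = host_of(rec[field])
            if domain_is_ioc(host):
                hits.append((field, "domain", host))
    for field in ("srcipaddress", "dstipaddress"):
        if rec.get(field) in IOC_IPS:
            hits.append((field, "ip", rec[field]))
    for field in ("md5hash", "sha1hash", "sha256hash"):
        if field in rec:
            digest = rec[field].strip().lower()
            if digest in IOC_HASHES:
                hits.append((field, classify_hash(digest), digest))
    return hits


def scan_records(records):
    """Return {record_id: hits} for every record with at least one IOC hit."""
    result = {}
    for rec in records:
        hits = scan_record(rec)
        if hits:
            result[rec["id"]] = hits
    return result


# Constructed sample records (not from the advisory); record 4 carries an uppercase SHA256.
SAMPLE_RECORDS = [
    {"id": 1, "url": "http://cdn.vtps.us/update.bin", "dstipaddress": "10.0.0.5"},
    {"id": 2, "domainname": "notvtps.us", "dstipaddress": "8.8.8.8"},
    {"id": 3, "srcipaddress": "192.168.1.20", "dstipaddress": "194.110.172.152"},
    {"id": 4, "sha256hash": "7AE413B76424508055154EE262C7567705DC1AC00607F5AC2E43D032221B34B3"},
    {"id": 5, "md5hash": "00000000000000000000000000000000"},
]

if __name__ == "__main__":
    for rid, hits in scan_records(SAMPLE_RECORDS).items():
        for field, kind, value in hits:
            print(f"record {rid}: {field} matched {kind} IOC {value}")
```

    Running the script flags records 1, 3 and 4 and leaves 2 and 5 alone; the lookalike domain in record 2 is the case to check when porting the "like" clauses of Query 1 to another engine, since some engines treat a pattern without wildcards as an exact match and others as a substring match.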

    Reference:

    https://www.sophos.com/en-gb/blog/qemu-abused-to-evade-detection-and-enable-ransomware-delivery


    Tags

    Threat Actor, Ransomware, LOLBins, Communications
