Beyond the bomb: When adversaries bring their own virtual machine for persistence

Source: The Red Canary Blog: Information Security Insights

Author: Tony Lambert

URL: https://redcanary.com/blog/threat-intelligence/email-bombing-virtual-machine/

ONE SENTENCE SUMMARY:

In 2025, adversaries used social engineering and a custom QEMU VM to achieve persistence following a spam bombing attack.

MAIN POINTS:

  1. Red Canary Intelligence detected a unique tactic involving a QEMU VM after a spam bombing.
  2. Adversaries posed as tech support following the email attack to gain trust.
  3. Quick Assist was used for remote access, leading to VM deployment.
  4. The VM enabled internal network reconnaissance and connection to a C2 server.
  5. Sliver framework was used for command and control.
  6. Forensic analysis revealed activity through prefetch, browser history, and other artifacts.
  7. Sliver, ScreenConnect, and QDoor were part of the adversary’s toolkit.
  8. Deleted files and volume shadow copies offered recovery opportunities.
  9. This represents a shift in adversary tactics, highlighting advanced persistence methods.
  10. The case emphasizes the need for robust defense strategies, including social engineering training and monitoring of remote access tools.

TAKEAWAYS:

  1. Adversaries are using VMs to bypass detection and maintain persistence.
  2. Social engineering is a critical tool in sophisticated attacks.
  3. Remote access tools can be leveraged for malicious purposes.
  4. Network reconnaissance is crucial for adversaries’ internal mapping.
  5. Multi-layered defense is essential to counter evolving adversary tactics.