InfoGuard Cyber Security and Cyber Defence Blog

VM-based Evasion: How to recognize Attacks despite XDR Blind Spots

Written by Stefan Rothenbühler | 08 Dec 2025

In the global threat intel community, as well as our incident responder team at InfoGuard, we have noticed a worrying trend in recent months: attackers are increasingly using virtualization technologies to hide their activities from security solutions. The motto is no longer just "Living off the Land", but "Bring Your Own Land".

XDR as a blind spot: How a VM acts as a cloak of invisibility

Modern XDR and antivirus solutions are deeply embedded in the operating system (kernel callbacks). In principle, they see everything that the host operating system sees. But this is precisely the crux of the matter: if an attacker starts a virtual machine (VM) on the host, the XDR often only recognizes a single process: the hypervisor (e.g. "qemu.exe" or "VBoxHeadless.exe"). What happens within this VM - which malware is executed and which C2 connections are established - usually remains a "black box" for the XDR on the host.

The attacker creates an isolated environment in which he can operate undisturbed. He only uses the host as a transit station for network traffic and accesses its file system using "shared folders".

What's more, features such as the Windows Subsystem for Linux (WSL) are now available as standard on many devices. For hackers, this is like an open barn door: a complete Linux arsenal, pre-installed and immediately available, but often out of sight of the XDR.

Ransomware and APTs: How VM-based attacks remain undetected

VM stealth attacks are no longer just theory. Various threat actors are already actively using virtualization-based techniques, so-called ghost machines, "in the wild".

Ragnar Locker & the Windows XP VM

One of the most prominent cases was the ransomware group Ragnar Locker. To evade detection, the attackers loaded a complete Oracle VirtualBox installer and a tiny, preconfigured Windows XP image onto the victim systems.

The trick: the ransomware ran in the virtual machine. The local hard disk of the host was mounted as a network drive in the VM via "shared folders". The encryption therefore took place from the VM.

For the XDR on the host, the processes merely looked like normal, unsuspicious write accesses by the VirtualBox process.

QEMU tunneling

Advanced attacker groups (such as APT28 or criminal actors around Maze) use QEMU, an open source emulator.

Since QEMU does not require installation (a portable binary exists), it can simply be copied onto a compromised system. The attackers run a minimal Linux image on it to set up C2 tunnels or execute lateral movement tools.

For a Security Operations Center (SOC), what happens often appears as if a regular, unsuspicious application were running.

WSL - the wolf in sheep's clothing

The use of WSL2 is particularly perfidious. As WSL2 is closely interlinked with the Windows kernel, it is often classified as trustworthy.

Attackers use "bash.exe" or "wsl.exe" to execute Linux payloads (ELF binaries) on a Windows host.

As many classic AV scanners primarily search for Windows malware (PE files), Linux tools (such as Python scripts or Linux backdoors) are simply overlooked or ignored.

4 Threat-hunting approaches: The ghost machine hunt begins

As sophisticated as VM-based attacks are, they are not completely undetectable. A virtual machine always uses resources such as CPU, RAM, disk I/O and network. These traces provide clear starting points for threat hunters.

Below are the four most important threat hunting approaches for your hunt for ghost machines:

1. process monitoring

Search for known virtualization processes that are started from unusual directories or atypical users.

  • QEMU "qemu-system-x86_64.exe" started from C:\Users\Public\Temp\ or C:\Users\<User>\AppData\.
  • VirtualBox "VBoxHeadless.exe" without the associated GUI frontend.
  • Hyper-V: "vmwp.exe", which is unexpectedly active on the system.
  • WSL: "wsl.exe or bash.exe", which establish connections to external IPs, are executed from PowerShell or in turn start PowerShell processes.

Figure 1: The Velociraptor artifact "Windows.Detection.HyperV" lists running "vmwp.exe" processes and thus facilitates the identification of suspicious VMs.

2. file system artifacts

Virtual machines require hard disk images. These files are usually large and have specific extensions. A hunting scan for such files in user profiles can be worth its weight in gold:

  • File types such as .vmdk, .vdi, .qcow2 (QEMU/KVM), .vhdx or .vhd.
  • Large files (>500MB) in temporary folders with random names.

Figure 2: The "WSLFileFinder" artifact allows a view into the WSL container.

3. network anomalies

The network traffic from the VM must pass through the host. Attackers often use NAT (Network Address Translation) for this.

  • Hunting for processes such as hypervisor processes that open ports or generate unusual traffic, such as SSH traffic via port 443.
  • If a single process such as "qemu-system-x86_64.exe" establishes connections to hundreds of internal IPs (scanning), this is also an indicator to be checked.

4. event logs check

With WSL and Hyper-V, Windows is busy writing logs.

  • Search for events that indicate the activation of features (e.g. dism /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux).
  • Short-term service installations of VirtualBox or Vmware drivers.

Human-AI teaming: The human checks what the green tick promises

The use of virtualization to bypass security controls is a trend that is likely to become even more important. It provides attackers with an almost invisible, fully controlled environment directly in the victim network.

For cyber defense, this means that we cannot blindly rely on the "green tick" of our XDR. We need to understand what is possible on our endpoints. Is WSL activated? Is every user allowed to use Hyper-V?

We need to adapt our detection rules based on these findings. If you only look for malware, you might not find anything. However, if you hunt for behavioural anomalies in virtualization software, with a little luck and expertise you can score a decisive hit!

Here are the three key takeaways to guide the further development of your security measures:

  • XDR Blind Spots: Malware within a VM is often not detected by the host AV.
  • LOLBins: WSL and Hyper-V are powerful tools that can be used against us.
  • Detection: Focus on processes, large image files, network behavior of hypervisor processes and artifacts such as the activation of features in the EventLog.

Anyone hunting hidden machines needs clear traces. We provide them.

Virtual machines as cloaking devices are increasingly presenting XDR solutions with drastic challenges. To prevent such hidden structures from becoming a blind spot in the first place, we support our managed security customers with regular threat hunting analyses that uncover precisely these behavioral patterns.

For organizations without this managed security support, an InfoGuard Compromise Assessment offers an equally thorough look beneath the surface.

Our experts examine your infrastructure for indicators of compromise, unusual behavior and indications of advanced threats. This includes insights from hundreds of real-world incident response deployments, darknet analysis and offensive research.

Contact us to answer the all-important question: Is someone already in your network - and if so, where and how further? We support you so that your organization is safe day after day.

 

 

Caption: Image generated with AI
View full post