Cybercriminals abused the open-source hypervisor QEMU to create a stealthy network tunnel in an attack against a large company. QEMU, normally used to run guest operating systems, was instead used to establish a covert channel to a remote server. Kaspersky analysts discovered the attack, which used minimal resources to avoid detection. The attackers also employed ‘Angry IP Scanner’ for network scanning and ‘mimikatz’ for credential theft. Kaspersky emphasizes the need for multi-level protection, including 24/7 network monitoring, to detect legitimate tools being used for malicious purposes.