Saved February 14, 2026
The article details a novel cyberattack where adversaries used email bombing to distract a target before introducing a custom QEMU virtual machine into the compromised system. This VM facilitated reconnaissance and potential lateral movement within the network, showcasing an evolution in attack strategies.
In early 2025, Red Canary Intelligence observed a novel tactic from cyber adversaries that began with a spam bombing attack. After inundating a target’s inbox with thousands of unsolicited emails, the attacker posed as a technical support representative. This distraction allowed the adversary to gain the victim's trust and leverage remote assistance software, Quick Assist, to establish a foothold in the compromised environment.
Instead of deploying standard malware, the attacker introduced a custom QEMU virtual machine. This VM, which was manipulated via a Visual Basic Script, facilitated reconnaissance by scanning the local network and establishing external connections, including to a command and control server. The VM’s operation raised red flags due to its unusual presence on a standard user’s system. An analysis of its network activity revealed connections to both internal and external addresses, including a domain linked to a C2 framework called Sliver.
Forensic analysis of the VM’s disk image provided insights into the adversary’s actions. Timeline data showed the use of legitimate tools like ScreenConnect, as well as other executables that hinted at further malicious intentions. The VM ran Windows 7 Service Pack 1, suggesting the attacker might have used a pre-built template for their operations. This incident highlights a shift in adversary tactics, employing sophisticated social engineering and advanced tools to maintain persistence and evade detection.
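The two signals the article describes, a QEMU process appearing on an ordinary user's workstation (here, spawned by a script host from an unexpected path) and that process then talking to many internal hosts plus an external address, can be expressed as simple detection logic over endpoint telemetry. The code below is an added example written for this summary; it is not Red Canary's detection content or any product's query language. The event schema, the host names, the IP addresses (including the 198.51.100.7 documentation-range address standing in for an external server) and the "expected QEMU directory" policy are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed event schema: a process-creation record and a network-connection
# record, as an EDR might emit them (field names are assumptions).
@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str   # image name of the parent process
    image: str          # image name of the created process
    image_path: str     # full path the process was started from

@dataclass(frozen=True)
class NetEvent:
    host: str
    image: str
    dst_ip: str
    dst_port: int

# Script hosts that should not normally be launching a hypervisor on a workstation.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Assumed site policy: the only directory QEMU is expected to run from.
EXPECTED_QEMU_DIRS = ("c:\\program files\\qemu\\",)

def is_qemu(image: str) -> bool:
    """True for any QEMU system emulator binary (qemu-system-x86_64.exe, ...)."""
    return image.lower().startswith("qemu-system-")

def is_rfc1918(ip: str) -> bool:
    """Plain RFC 1918 check; avoids ipaddress.is_private, which also treats
    documentation ranges such as 198.51.100.0/24 as private."""
    a, b, *_ = (int(x) for x in ip.split("."))
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)

def qemu_launch_findings(events):
    """Flag QEMU starts whose parent is a script host or whose path is not the
    expected install directory. Returns (host, image, reasons) tuples."""
    findings = []
    for e in events:
        if not is_qemu(e.image):
            continue
        reasons = []
        if e.parent_image.lower() in SCRIPT_HOSTS:
            reasons.append(f"spawned by script host {e.parent_image.lower()}")
        if not e.image_path.lower().startswith(EXPECTED_QEMU_DIRS):
            reasons.append(f"unexpected path {e.image_path}")
        if reasons:
            findings.append((e.host, e.image, "; ".join(reasons)))
    return findings

def internal_fanout(net_events, threshold=8):
    """Hosts where a QEMU process contacted at least `threshold` distinct
    RFC 1918 addresses, a scan-like pattern. Returns {host: sorted targets}."""
    targets = defaultdict(set)
    for n in net_events:
        if is_qemu(n.image) and is_rfc1918(n.dst_ip):
            targets[n.host].add(n.dst_ip)
    return {h: sorted(t) for h, t in targets.items() if len(t) >= threshold}

def external_egress(net_events):
    """Non-RFC 1918 destinations reached by a QEMU process, sorted."""
    return sorted({(n.host, n.dst_ip, n.dst_port)
                   for n in net_events
                   if is_qemu(n.image) and not is_rfc1918(n.dst_ip)})

# Constructed sample telemetry: one workstation matching the described pattern,
# one developer box running QEMU legitimately, and unrelated noise.
SAMPLE_PROCS = [
    ProcEvent("ws-finance-07", "wscript.exe", "qemu-system-x86_64.exe",
              "C:\\Users\\alice\\AppData\\Local\\Temp\\vm\\qemu-system-x86_64.exe"),
    ProcEvent("dev-build-02", "explorer.exe", "qemu-system-x86_64.exe",
              "C:\\Program Files\\qemu\\qemu-system-x86_64.exe"),
    ProcEvent("ws-finance-07", "explorer.exe", "notepad.exe",
              "C:\\Windows\\System32\\notepad.exe"),
]
SAMPLE_NET = (
    [NetEvent("ws-finance-07", "qemu-system-x86_64.exe", f"10.0.5.{i}", 445)
     for i in range(1, 11)]
    + [NetEvent("ws-finance-07", "qemu-system-x86_64.exe", "198.51.100.7", 443),
       NetEvent("dev-build-02", "qemu-system-x86_64.exe", "10.0.9.20", 22),
       NetEvent("ws-finance-07", "chrome.exe", "198.51.100.9", 443)]
)

def triage(procs, nets):
    """Combine the three checks into one report keyed by detection name."""
    return {
        "suspicious_qemu_launch": qemu_launch_findings(procs),
        "qemu_internal_fanout": internal_fanout(nets),
        "qemu_external_egress": external_egress(nets),
    }

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_PROCS, SAMPLE_NET).items():
        print(name, hits)
```

The fan-out threshold and the expected directory are tuning knobs: a developer host that legitimately runs QEMU is excluded by path and by its small number of destinations, while the workstation case trips all three checks. In practice these would be joined on process id and bounded by a time window rather than evaluated over a flat list.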