by titannet 832 days ago
I don't see the benefit for the attacker besides novelty. Am I missing something?

The article mentioned that it was used to gain a large company, so I'm sure that was a huge benefit for the attacker. A lot of other tunneling mechanisms might have been blocked, and QEMU is easy to overlook.
Main thing that comes to mind is code signing and executable reputation. Here's my understanding: an unsigned exe on Windows throws up scary warnings to users before it will run, until that specific exe is trusted by enough users and added to some central database. If you signed with a legit EV certificate (at least ~$400/year) it's trusted implicitly and there are no warnings. If you sign with an OV[0] it will give warnings until the cert is trusted, but you can then use the cert to sign new exes (i.e. updates to the program).

I just ran `osslsigncode verify qemu-w64-setup-20231224.exe` and it appears it's signed but the 1 year cert expired in December 2023. Still, I would expect that QEMU releases tend to be trusted fairly quickly assuming a decent number of users.

[0]: open source options available for free[1] or ~$50/year[2]. If you get your app on the Microsoft App Store, they'll sign it for you which is also free ($19 lifetime account IIRC).

[1]: https://signpath.org/

[2]: https://shop.certum.eu/data-safety/code-signing-certificates...

The benefit is that it won't readily show up on an audit like an iptables backdoor would.
Yeah, like all the above, IMO the tool is already on the machine and it's not a typical (read: looked for) technique.
Not looking suspicious in ps aux, maybe? At the very least if you hacked into a VM hypervisor.
Offensive security through obscurity? I don't know.
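On the "not looking suspicious in ps aux" point, here is an added example (not from the thread or the article) of what a defender can key on instead of the binary name: the argument shape of a QEMU process whose network backend relays traffic. The process listing is constructed for the example, the path allowlist and the choice of indicators are my assumptions, and a hit is a lead to triage, not a verdict, since hostfwd is also used for ordinary SSH-into-the-VM setups.

```python
import shlex

# Constructed sample output in `ps aux -ww` layout (made up for this example,
# not real telemetry): one legitimate desktop VM and two QEMU invocations
# whose only job is to relay traffic, one of them under a renamed binary.
SAMPLE_PS = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 168000 11000 ? Ss 10:01 0:01 /sbin/init
alice 2201 3.2 8.0 2100000 655000 ? Sl 10:05 4:12 /usr/bin/qemu-system-x86_64 -enable-kvm -m 4096 -hda /home/alice/vm/dev.qcow2 -netdev user,id=n0 -device e1000,netdev=n0
svc 3302 0.4 0.5 400000 41000 ? S 02:13 0:00 /tmp/.cache/qemu-system-i386 -nographic -netdev user,id=n1,hostfwd=tcp::4444-:22 -device virtio-net-pci,netdev=n1
svc 3311 0.3 0.5 400000 40000 ? S 02:14 0:00 /tmp/.cache/svchost -nographic -netdev socket,id=n2,connect=203.0.113.5:443 -device virtio-net-pci,netdev=n2
"""

# Assumed allowlist of where a package-installed QEMU normally lives.
TRUSTED_DIRS = ("/usr/bin/", "/usr/local/bin/", "/usr/libexec/", "/usr/lib/")

def netdev_options(argv):
    """Yield the value following every -netdev flag in a QEMU command line."""
    for i, tok in enumerate(argv[:-1]):
        if tok == "-netdev":
            yield argv[i + 1]

def qemu_tunnel_indicators(cmd):
    """Return reasons a command line looks like QEMU used as a network relay.

    Matching is on the argument shape, not the executable name, so a renamed
    binary still triggers. A desktop VM with plain user networking yields [].
    """
    argv = shlex.split(cmd)
    reasons = []
    netdevs = list(netdev_options(argv))
    if not netdevs:
        return reasons  # no -netdev at all: not a QEMU network configuration
    for nd in netdevs:
        opts = nd.split(",")
        if opts[0] == "socket":
            reasons.append("socket netdev (guest NIC wired to a remote peer): " + nd)
        if any(o.startswith("hostfwd=") for o in opts):
            reasons.append("hostfwd port forward into the guest: " + nd)
    if reasons and not argv[0].startswith(TRUSTED_DIRS):
        reasons.append("QEMU-style arguments from an untrusted path: " + argv[0])
    return reasons

def scan_ps(text):
    """Parse ps-aux-style lines; return {pid: (user, reasons)} for flagged rows."""
    flagged = {}
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 10)
        if len(fields) < 11:
            continue
        user, pid, cmd = fields[0], int(fields[1]), fields[10]
        reasons = qemu_tunnel_indicators(cmd)
        if reasons:
            flagged[pid] = (user, reasons)
    return flagged

if __name__ == "__main__":
    for pid, (user, reasons) in scan_ps(SAMPLE_PS).items():
        print(f"pid {pid} ({user}): " + "; ".join(reasons))
```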