
Payouts King Ransomware Leverages QEMU Virtual Machines for Covert Operations and Advanced Evasion

The Payouts King ransomware operation has escalated the sophistication of its attacks by deploying the QEMU emulator to run hidden virtual machines (VMs) on compromised systems, with a reverse SSH backdoor providing access into them. This tactic allows the threat actors to bypass conventional endpoint security measures and presents a formidable challenge for defenders. QEMU, an open-source CPU emulator and system virtualization tool, can execute an entire operating system within a host environment, which creates a blind spot for many security solutions that cannot inspect activity occurring inside these virtualized containers.

This strategy is not entirely new to cybercrime; QEMU has previously been abused by various malicious actors for evasion and stealth. Past instances include the 3AM ransomware group, the LoudMiner cryptomining operation, and the ‘CRON#TRAP’ phishing campaigns, all of which recognized QEMU’s potential to facilitate covert remote access tunnels over SSH, execute payloads undetected, and store malicious files beyond the reach of traditional scanning tools. The re-emergence of QEMU in the Payouts King arsenal, as detailed in recent research by cybersecurity firm Sophos, signals a concerning trend towards more advanced and evasive ransomware tactics.

Sophos’s comprehensive investigations have documented two distinct campaigns that prominently feature the abuse of QEMU. The first, tracked internally as STAC4713, was initially observed in November 2023 and has been definitively linked to the Payouts King ransomware operation. The second campaign, identified as STAC3725, came to light in February 2024 and distinguishes itself by exploiting the critical CitrixBleed 2 vulnerability (CVE-2025-5777) in NetScaler ADC and Gateway instances to gain initial access. These findings underscore a strategic shift by ransomware groups to leverage virtualization for enhanced stealth and operational resilience.

Understanding the QEMU Advantage in Cyberattacks

QEMU’s legitimate purpose is to virtualize hardware, allowing users to run different operating systems on a single physical machine without modification. For cybercriminals, this utility translates into a powerful tool for subterfuge. By creating a hidden VM, attackers can operate within an isolated environment on the victim’s system. This isolation means that typical endpoint detection and response (EDR) solutions, which primarily monitor the host operating system, often fail to detect malicious processes, file creations, or network communications originating from within the VM.

Payouts King ransomware uses QEMU VMs to bypass endpoint security

The use of a reverse SSH backdoor further amplifies the stealth of these operations. A reverse SSH tunnel allows the attacker to initiate a connection from the compromised host back to their command-and-control (C2) server, effectively bypassing firewall rules that typically block inbound connections. This creates a persistent, encrypted, and highly covert channel for command execution, data exfiltration, and further deployment of malicious tools, making it exceedingly difficult for network monitoring tools to identify suspicious activity. This technique represents a sophisticated evolution from simpler backdoors, demanding a more comprehensive approach to network security and threat hunting.

The Payouts King Modus Operandi: A Deep Dive into STAC4713

The STAC4713 campaign, attributed by Sophos researchers to the GOLD ENCOUNTER threat group, demonstrates a meticulous and multi-stage attack methodology. GOLD ENCOUNTER is a known entity in the cyber threat landscape, particularly recognized for its focus on targeting hypervisors and encryptors within VMware and ESXi environments. This expertise in virtualized infrastructures makes their adoption of QEMU a logical, albeit dangerous, progression.

The initial access vectors for STAC4713 have varied over time, indicating an adaptive approach by the attackers. Earlier incidents relied on exploiting exposed SonicWall VPNs, a common target for ransomware groups seeking to breach network perimeters. More recent attacks have leveraged vulnerabilities in the SolarWinds Web Help Desk, specifically CVE-2025-26399, reflecting continuous scanning and exploitation of publicly accessible services. Further evolution in their initial access methods was noted in February 2024, involving the exploitation of an exposed Cisco SSL VPN, and in March 2024, when the threat actors resorted to social engineering, posing as IT staff on Microsoft Teams to trick employees into downloading and installing Quick Assist, a legitimate remote assistance tool abused for malicious purposes.

Once initial access is secured, the GOLD ENCOUNTER group establishes persistence and deploys its covert QEMU environment. This is achieved by creating a scheduled task named ‘TPMProfiler’, configured to launch a hidden QEMU VM with SYSTEM privileges – the highest level of authority on a Windows system. The virtual disk files necessary for the VM are ingeniously disguised as innocuous database and DLL files, further aiding in evasion. Crucially, port forwarding is meticulously set up to establish a reverse SSH tunnel, providing the attackers with persistent and covert access to the infected host.


The hidden VM itself runs a customized Alpine Linux version 3.22.0, a lightweight Linux distribution favored by attackers for its minimal footprint and efficiency. Within this virtualized environment, a suite of attacker tools is pre-installed, including AdaptixC2 for command and control, Chisel for tunneling, BusyBox for essential Unix utilities, and Rclone for data synchronization and exfiltration. This comprehensive toolkit enables the attackers to execute various post-infection activities with high efficiency and stealth.


A critical phase in the attack involves credential harvesting. The threat actors utilize the Volume Shadow Copy Service (VSS) through vssuirun.exe to create shadow copies of critical system files. Subsequently, they employ the print command over Server Message Block (SMB) to copy sensitive files such as NTDS.dit (Active Directory database), SAM (Security Account Manager), and SYSTEM hives to temporary directories. These files contain hashed credentials, enabling the attackers to move laterally within the network, escalate privileges, and gain control over the domain. In the exfiltration phase, the legitimate ADNotificationManager.exe binary is sideloaded with a Havoc C2 payload (vcruntime140_1.dll), and Rclone is leveraged to exfiltrate the stolen data to a remote SFTP location, demonstrating a sophisticated blend of living-off-the-land binaries and custom malware.

Ties to BlackBasta and Ransomware Mechanics

A recent report by Zscaler has drawn compelling parallels between Payouts King and former BlackBasta ransomware affiliates. This connection is primarily based on the striking similarities in their initial access methods, which include spam bombing, Microsoft Teams phishing campaigns, and the abuse of Quick Assist. The ransomware-as-a-service (RaaS) model often involves affiliates using shared or similar tools and tactics, which could explain these overlaps.

The Payouts King ransomware strain itself is characterized by heavy obfuscation and anti-analysis mechanisms designed to thwart security researchers and automated defenses. It establishes persistence through scheduled tasks and employs low-level system calls to terminate security tools, further cementing its hold on compromised systems. The encryption scheme utilized by Payouts King is robust, combining AES-256 (CTR) with RSA-4096. For larger files, it employs intermittent encryption, a tactic designed to speed up the encryption process and reduce the chances of detection, while still rendering the vast majority of the file unusable. Upon successful encryption, victims are directed to leak sites on the dark web via dropped ransom notes, a standard double-extortion tactic where data is threatened to be published if the ransom is not paid.

The CitrixBleed 2 Exploitation: Campaign STAC3725

The second campaign observed by Sophos, STAC3725, active since February 2024, highlights another sophisticated attack vector: the exploitation of the CitrixBleed 2 vulnerability (CVE-2025-5777). This critical vulnerability affects NetScaler ADC and Gateway instances, which are widely used for application delivery and secure remote access. Exploiting such edge devices provides attackers with a high-privilege entry point into target networks.


Following the compromise of NetScaler devices, the attackers deploy a ZIP archive containing a malicious executable. This executable is designed to perform several critical functions: it installs a persistent service named ‘AppMgmt’, creates a new local administrator user account (‘CtxAppVCOMService’) to ensure continued access, and installs a ScreenConnect client. ScreenConnect, a legitimate remote access tool, is then used to connect to a remote relay server, establishing a high-privilege session that allows the attackers deep control over the compromised system.

Once this access is established, the attackers proceed to drop and extract a QEMU package, which then runs a hidden Alpine Linux VM using a custom .qcow2 disk image. Unlike the STAC4713 campaign, where a pre-built toolkit was observed, the threat actors behind STAC3725 manually install and compile their chosen tools directly within the VM. This bespoke approach further reduces the footprint of known malicious binaries on the host system, making detection even more challenging. The suite of tools includes Impacket for network protocol manipulation, KrbRelayx for Kerberos relay attacks, Coercer for credential dumping, BloodHound.py for Active Directory reconnaissance, NetExec for network enumeration, Kerbrute for Kerberos username enumeration, and Metasploit for general exploitation and post-exploitation tasks.


Observed activities within the STAC3725 campaign include extensive credential harvesting, exhaustive Kerberos username enumeration, and thorough Active Directory reconnaissance. This intelligence-gathering phase is crucial for lateral movement and identifying high-value targets within the network. Data staging for exfiltration is also a prominent feature, with information being prepared for transfer to external FTP servers, indicating the primary goal of data theft and subsequent extortion.

Broader Implications for Cybersecurity

The advanced tactics employed by Payouts King and related threat groups, particularly their adept use of QEMU for stealth and evasion, signal a critical evolution in the ransomware threat landscape. The increasing sophistication means that traditional, signature-based security solutions are becoming less effective. Attackers are moving towards techniques that blend legitimate tools with custom malware, creating a blurred line between benign and malicious activity, often referred to as "living off the land."

The implications for organizations are profound. The ability to create hidden VMs directly on a host system means that even with robust endpoint protection, malicious activities can proceed undetected for extended periods. This ‘dwell time’ allows attackers ample opportunity to conduct reconnaissance, steal credentials, exfiltrate sensitive data, and ultimately deploy ransomware with a higher success rate. The financial and reputational costs associated with such breaches are immense, often leading to significant operational disruptions, regulatory fines, and a loss of customer trust.


The exploitation of critical vulnerabilities like CitrixBleed 2 and exposed VPN services highlights the persistent importance of rigorous patch management and secure configuration. Attackers continuously scan for these weaknesses, and any unpatched system or misconfigured service can become an entry point for these highly capable threat actors.

Expert Recommendations and Mitigation Strategies

In light of these sophisticated attacks, cybersecurity experts, including Sophos, urge organizations to adopt a proactive and multi-layered defense strategy. Specific recommendations include:

  1. Monitor for Unauthorized QEMU Installations: Implement robust monitoring solutions that can detect the presence of QEMU or similar virtualization software where it is not explicitly authorized for legitimate business purposes.
  2. Scrutinize Scheduled Tasks: Regularly audit and monitor scheduled tasks, especially those running with SYSTEM privileges, for any suspicious entries that could be launching hidden VMs or other malicious processes.
  3. Detect Unusual SSH Activity: Enhance network monitoring to identify unusual SSH port forwarding or outbound SSH tunnels on non-standard ports. This can indicate a reverse SSH backdoor being established.
  4. Strengthen Initial Access Controls: Implement stringent security measures for internet-facing services, including VPNs, remote access gateways, and web help desk portals. This includes immediate patching of known vulnerabilities, strong multi-factor authentication (MFA), and robust intrusion prevention systems.
  5. Proactive Threat Hunting: Move beyond reactive security to proactive threat hunting. Security teams should actively search for indicators of compromise (IOCs) and anomalous behaviors that might signify the presence of hidden VMs or living-off-the-land attacks.
  6. Network Segmentation and Least Privilege: Implement network segmentation to limit lateral movement within the network. Enforce the principle of least privilege, ensuring users and systems only have access to the resources absolutely necessary for their function.
  7. Security Awareness Training: Conduct regular and comprehensive security awareness training for employees to educate them about social engineering tactics, such as phishing and impersonation, which are frequently used for initial access.
  8. Regular Backups and Incident Response Plan: Maintain immutable, offline backups of critical data and have a well-tested incident response plan in place to minimize the impact of a successful ransomware attack.
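As an added illustration of recommendations 1 to 3 (this is example code written for this article, not Sophos’s detection logic), the following hunt scores exported scheduled-task records for the traits described above: a QEMU binary launched as SYSTEM, a headless VM, user-mode port forwarding of the kind that backs a reverse SSH tunnel, and a disk image whose extension is disguised as a DLL or database file. The task records, paths and ports are constructed sample data, and the ‘TPMProfiler’ name is taken from the article.

```python
import re
import shlex

# Constructed sample of scheduled-task records (name, run-as principal,
# action command line), as exported from Task Scheduler. Illustrative
# values only, not indicators from a real incident.
SAMPLE_TASKS = [
    {"name": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "principal": "SYSTEM",
     "command": r"%windir%\system32\defrag.exe -c -h -o -$"},
    {"name": r"\TPMProfiler", "principal": "SYSTEM",
     "command": r"C:\ProgramData\tpm\qemu-system-x86_64.exe -m 512 -display none "
                r"-drive file=C:\ProgramData\tpm\cache.dll,format=qcow2 "
                r"-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0"},
    {"name": r"\Backup\NightlyVM", "principal": "svc_backup",
     "command": r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -hda D:\vms\lab.qcow2 -m 2048'},
]

QEMU_BINARY = re.compile(r"qemu-system-\w+(\.exe)?$", re.IGNORECASE)
DISK_EXTS = (".qcow2", ".img", ".raw", ".vmdk", ".vhd", ".vhdx", ".iso")

def hunt_task(task):
    """Return the reasons a task looks like a hidden-VM launcher ([] if none)."""
    try:
        argv = shlex.split(task["command"], posix=False)  # keep Windows backslashes
    except ValueError:
        return ["unparseable command line"]
    if not argv or not QEMU_BINARY.search(argv[0].strip('"')):
        return []
    reasons = ["launches QEMU"]
    if task["principal"].upper() == "SYSTEM":
        reasons.append("runs as SYSTEM")
    for i, arg in enumerate(argv[1:], 1):
        headless = arg == "-nographic" or (
            arg == "-display" and i + 1 < len(argv) and argv[i + 1] == "none")
        if headless:
            reasons.append("headless (no console window)")
        if "hostfwd=" in arg:  # user-mode NAT forward, e.g. host 2222 -> guest 22
            reasons.append("host port forwarding: " + arg.split("hostfwd=", 1)[1])
        m = re.search(r"file=([^,\s]+)", arg)
        if m and not m.group(1).lower().endswith(DISK_EXTS):
            reasons.append("disk image with disguised extension: " + m.group(1))
    return reasons

def hunt_tasks(tasks):
    """Map task name -> reasons for every task that raised at least one."""
    return {t["name"]: r for t in tasks if (r := hunt_task(t))}
```

A legitimately authorized QEMU install (the ‘NightlyVM’ record) still surfaces, with only the ‘launches QEMU’ reason, so the output is a triage list to reconcile against an allow-list rather than a verdict.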

The ongoing evolution of ransomware tactics, as exemplified by Payouts King’s use of QEMU, underscores the relentless arms race between cybercriminals and security professionals. Organizations must continuously adapt their defenses, embracing advanced detection capabilities and proactive security postures, to effectively counter these increasingly stealthy and destructive threats. The era of hidden virtual machines in cyberattacks demands a deeper, more pervasive level of security visibility and vigilance.
