
Evading Endpoint Security: How Payouts King Ransomware Utilizes QEMU VMs

The Payouts King ransomware operation has adopted a tactic seen in earlier intrusions: using the open-source QEMU emulator to run hidden virtual machines on compromised hosts, with a reverse SSH tunnel into the guest serving as the backdoor. Because the attackers' tooling runs inside the VM rather than on the host, endpoint security products on the host never get to inspect it.

QEMU is an open-source machine emulator and virtualizer that lets users run complete operating systems on a host computer as virtual machines (VMs).

Because security solutions on the host see only the QEMU process and its disk image files, not what runs inside the guest, attackers use the VM to execute payloads, stage malicious files, and maintain covert remote access over SSH.


QEMU has been abused this way before by various threat actors, including the 3AM ransomware group, the LoudMiner cryptomining campaign, and the 'CRON#TRAP' phishing campaign.

Researchers at cybersecurity firm Sophos have documented two campaigns where attackers have incorporated QEMU into their tactics, primarily to gather domain credentials.

One of these campaigns, known as STAC4713 and linked to the Payouts King ransomware operation, was first identified in November 2025.

The second, labeled STAC3725, has been active since February this year and exploits the CitrixBleed 2 vulnerability (CVE-2025-5777) in NetScaler ADC and Gateway appliances.

Execution of Alpine Linux VMs

Sophos attributes the STAC4713 activity to the GOLD ENCOUNTER threat group, which is known for targeting VMware ESXi hypervisors with dedicated encryptors.

According to Sophos, the attackers create a scheduled task named 'TPMProfiler' that launches a hidden QEMU VM as SYSTEM.

They disguise the virtual disk files as database and DLL files, and configure port forwarding so that a reverse SSH tunnel into the guest gives them clandestine access to the infected host.


The VM runs Alpine Linux 3.22.0 and carries attacker tooling including AdaptixC2, Chisel, BusyBox, and Rclone.

Initial access in these attacks was gained through exposed SonicWall VPNs, with more recent incidents exploiting the SolarWinds Web Help Desk vulnerability CVE-2025-26399.

Post-compromise, the threat actors used the Volume Shadow Copy Service (via vssuirun.exe) to create a shadow copy, then used the built-in print command over SMB to copy NTDS.dit and the SAM and SYSTEM registry hives out of it into temporary directories.

More recent attacks by the same actor used different initial access vectors, including an exposed Cisco SSL VPN and impersonation over Microsoft Teams to trick employees into downloading and installing Quick Assist.

“In both instances, the threat actors used the legitimate ADNotificationManager.exe binary to sideload a Havoc C2 payload (vcruntime140_1.dll) and then leveraged Rclone to exfiltrate data to a remote SFTP location” – Sophos

According to a recent Zscaler report, Payouts King is likely connected to former BlackBasta affiliates, evidenced by their use of similar initial access methods like spam campaigns, Microsoft Teams phishing, and Quick Assist misuse.

The ransomware strain employs robust obfuscation and anti-analysis techniques, establishes persistence through scheduled tasks, and disables security tools using low-level system calls.

Payouts King's encryption scheme uses AES-256 in CTR mode paired with RSA-4096, switching to intermittent encryption for larger files. Ransom notes left by the attackers direct victims to the group's leak site on the dark web.

Payouts King ransomware extortion portal
Source: BleepingComputer

The second campaign Sophos observed, STAC3725, has been active since February and uses CitrixBleed 2 to gain initial access to target environments.

After compromising NetScaler devices, the attackers drop a ZIP archive containing a malicious executable that installs a service named 'AppMgmt', creates a new local administrator account (CtxAppVCOMService), and installs a ScreenConnect client for persistence.


The ScreenConnect client connects to a remote relay server, giving the attackers a session with SYSTEM privileges. Through it they deploy and extract a QEMU package and boot a hidden Alpine Linux VM from a custom .qcow2 disk image.

Rather than shipping a pre-built toolkit, the attackers install and compile their tools inside the VM, including Impacket, KrbRelayx, Coercer, BloodHound.py, NetExec, Kerbrute, and Metasploit.

Observed activities include credential harvesting, Kerberos username enumeration, Active Directory reconnaissance, and staging data for exfiltration through FTP servers.

Sophos recommends that organizations watch for unauthorized QEMU installations, suspicious scheduled tasks running with SYSTEM privileges, unusual SSH port forwarding, and outbound SSH tunnels on non-standard ports.
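Those indicators map directly onto host telemetry. The Python below is an added example, not code from Sophos or from this article, showing what a hunt over Sysmon process-creation (Event ID 1), network-connection (Event ID 3) and Security scheduled-task-creation (Event ID 4698) records might look like once the events are normalized into dictionaries. It also goes one step beyond the article's list by checking for disk images hidden behind a database or DLL extension via the qcow2 header magic. The sample events, file paths, process GUIDs and the 203.0.113.10 relay address are constructed for illustration; the TPMProfiler task name is the one the article reports for STAC4713.

```python
import ipaddress
import re

# Every qcow2 image starts with the magic "QFI\xfb" (0x514649fb), whatever extension the
# file carries, so a disk image renamed to .db or .dll still betrays itself in its header.
QCOW2_MAGIC = b"QFI\xfb"
IMAGE_EXTS = {".qcow2", ".qcow", ".img", ".raw", ".vmdk", ".vdi"}
# Switches that make a guest headless and publish guest ports on the host via user-mode
# networking (hostfwd=...), which is how an SSH service inside the VM is reached.
HEADLESS_OR_FORWARDED = re.compile(r"-nographic\b|-display\s+none|hostfwd=", re.I)
QEMU_BINARY = re.compile(r"qemu-system-\w+(\.exe)?$", re.I)
SYSTEM_IDENTITIES = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_disguised_qcow2(path: str, header: bytes) -> bool:
    """True when the first bytes are a qcow2 header but the extension is not a disk image's."""
    dot = path.lower().rfind(".")
    ext = path.lower()[dot:] if dot != -1 else ""
    return header[:4] == QCOW2_MAGIC and ext not in IMAGE_EXTS

def is_qemu(ev: dict) -> bool:
    """Match QEMU by Image or, for renamed copies, by the PE OriginalFileName Sysmon records."""
    return bool(QEMU_BINARY.search(ev.get("Image", "")) or QEMU_BINARY.search(ev.get("OriginalFileName", "")))

def check_process(ev: dict) -> list[str]:
    """Sysmon Event ID 1 style record: Image, OriginalFileName, CommandLine, User."""
    if not is_qemu(ev):
        return []
    hits = []
    if not QEMU_BINARY.search(ev.get("Image", "")):
        hits.append(f"renamed QEMU binary at {ev.get('Image')}")
    if HEADLESS_OR_FORWARDED.search(ev.get("CommandLine", "")):
        hits.append("headless QEMU guest with host port forwarding")
    if ev.get("User", "") in SYSTEM_IDENTITIES:
        hits.append("QEMU running as SYSTEM")
    return hits

def check_task(ev: dict) -> list[str]:
    """Security Event ID 4698 style record: TaskName plus the task definition XML in TaskContent."""
    xml = ev.get("TaskContent", "")
    runs_as_system = re.search(r"<UserId>\s*(S-1-5-18|SYSTEM)\s*</UserId>", xml, re.I)
    if runs_as_system and re.search(r"qemu|hostfwd=", xml, re.I):
        return [f"scheduled task {ev.get('TaskName')} starts QEMU as SYSTEM"]
    return []

def check_network(ev: dict, qemu_guids: set) -> list[str]:
    """Sysmon Event ID 3 style record: ProcessGuid, Image, Initiated, DestinationIp, DestinationPort.
    With user-mode networking the host sees the qemu process, not the guest, as the source of
    every connection the guest opens, so a reverse SSH tunnel looks like qemu dialing out."""
    if ev.get("ProcessGuid") not in qemu_guids and not is_qemu(ev):
        return []
    if str(ev.get("Initiated", "")).lower() != "true":
        return []
    dst = ipaddress.ip_address(ev["DestinationIp"])
    if dst.is_loopback or any(dst in net for net in RFC1918):
        return []
    return [f"QEMU-initiated outbound connection to {dst}:{ev.get('DestinationPort')}"]

def hunt(events: list[dict]) -> list[str]:
    """Identify QEMU processes first (renamed ones included), then attribute network events to them."""
    hits, qemu_guids = [], set()
    for ev in events:
        if ev["kind"] == "process":
            if is_qemu(ev):
                qemu_guids.add(ev.get("ProcessGuid"))
            hits.extend(check_process(ev))
        elif ev["kind"] == "task":
            hits.extend(check_task(ev))
    for ev in events:
        if ev["kind"] == "network":
            hits.extend(check_network(ev, qemu_guids))
    return hits

# Constructed sample telemetry for this example: paths, GUIDs and the 203.0.113.10 relay are
# invented; the TPMProfiler task name is the one reported for STAC4713.
SAMPLE_EVENTS = [
    {"kind": "process", "ProcessGuid": "{A1}", "Image": r"C:\ProgramData\Intel\igfxsvc.exe",
     "OriginalFileName": "qemu-system-x86_64.exe", "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": r"igfxsvc.exe -m 1024 -nographic -drive file=C:\ProgramData\Intel\cache.db,format=qcow2 "
                    r"-netdev user,id=n0,hostfwd=tcp:127.0.0.1:2222-:22 -device e1000,netdev=n0"},
    {"kind": "process", "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "svchost.exe -k netsvcs"},
    {"kind": "task", "TaskName": r"\TPMProfiler",
     "TaskContent": "<Task><Principals><Principal><UserId>S-1-5-18</UserId></Principal></Principals>"
                    "<Actions><Exec><Command>C:\\ProgramData\\Intel\\igfxsvc.exe</Command>"
                    "<Arguments>-nographic -netdev user,id=n0,hostfwd=tcp:127.0.0.1:2222-:22</Arguments>"
                    "</Exec></Actions></Task>"},
    {"kind": "network", "ProcessGuid": "{A1}", "Image": r"C:\ProgramData\Intel\igfxsvc.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 8443},
    {"kind": "network", "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\svchost.exe",
     "Initiated": "true", "DestinationIp": "10.0.0.5", "DestinationPort": 445},
]
```

Running `hunt(SAMPLE_EVENTS)` yields five findings for the constructed events: the renamed QEMU binary, its headless command line with host port forwarding, the SYSTEM context, the TPMProfiler task, and the qemu-initiated connection to the relay; the svchost.exe events produce nothing. The two-pass design in `hunt` matters because Sysmon's network event has no OriginalFileName field, so a renamed QEMU binary can only be tied to its connections through the ProcessGuid learned from the process-creation event. To use this against real hosts, export the three event types (for example with Get-WinEvent), map the fields named in each docstring into the dictionaries, and walk files with database or DLL extensions in unusual locations through `is_disguised_qcow2`.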
