The cybersecurity landscape is witnessing a sophisticated evolution in ransomware delivery and persistence mechanisms, as evidenced by the emergence of the Payouts King ransomware group. Recent investigative reports from cybersecurity firm Sophos have highlighted a trend where threat actors are repurposing legitimate open-source virtualization tools, specifically the QEMU emulator, to create hidden environments within compromised systems. By deploying lightweight virtual machines (VMs) on host computers, these adversaries effectively bypass traditional endpoint security solutions, which often lack the visibility required to inspect the internal operations of a guest operating system.
QEMU, an open-source CPU emulator and system virtualization tool, is traditionally used by developers and system administrators to run multiple operating systems on a single host. However, its versatility and its ability to run without a graphical user interface also make it attractive to cybercriminals. In the hands of the Payouts King operators, QEMU hosts a guest VM that serves as a reverse SSH backdoor, allowing the execution of malicious payloads and the creation of covert remote access tunnels that remain shielded from the host's antivirus and Endpoint Detection and Response (EDR) platforms.
The Strategic Shift to Virtualized Obfuscation
The abuse of virtualization is not an entirely new phenomenon, but its adoption by mainstream ransomware affiliates marks a significant shift in tactical sophistication. By running a malicious payload inside an Alpine Linux VM, the Payouts King group creates a "black box" scenario for security administrators. Because the security software installed on the Windows host is designed to monitor host-level processes and file changes, it remains largely blind to the activities occurring within the QEMU-emulated environment.

This technique follows a lineage of similar abuses of virtualization. Previously, the 3AM ransomware group used QEMU to facilitate lateral movement, while the LoudMiner campaign leveraged VMs to hide cryptomining operations on both Windows and macOS. The "CRON#TRAP" phishing campaign also used backdoored Linux VMs to establish persistence. The Payouts King operation, however, integrates these virtualization tactics into a broader, highly aggressive ransomware-as-a-service (RaaS) model that targets high-value enterprise infrastructure.
Analysis of Campaign STAC4713: The Payouts King Connection
Sophos researchers have categorized recent activity into two distinct campaigns, the first of which is tracked as STAC4713. This campaign, which surfaced in late 2024 and continued into 2025, has been definitively linked to the Payouts King ransomware operation and the threat group known as GOLD ENCOUNTER. This group is recognized for its specialized focus on targeting hypervisors, including VMware ESXi environments, suggesting a high level of technical proficiency in virtualization technology.
In the STAC4713 campaign, initial access was frequently gained through exposed SonicWall VPNs. More recent iterations of the attack have seen the exploitation of a critical vulnerability in SolarWinds Web Help Desk, identified as CVE-2025-26399. Once the perimeter is breached, the attackers establish a foothold and begin the process of setting up their virtualized backdoor.
To ensure the VM remains hidden and persistent, the threat actors create a Windows scheduled task named "TPMProfiler." This task is configured to run with SYSTEM privileges, launching the QEMU emulator in the background. To further deceive forensic investigators, the virtual disk files—which contain the entire malicious operating system—are disguised with innocuous names, appearing as database files or standard DLLs.

The VM itself typically runs Alpine Linux version 3.22.0. This choice is strategic; Alpine is a security-oriented, lightweight Linux distribution that requires minimal resources, making it less likely to cause performance spikes that might alert a system administrator. Inside this VM, the attackers deploy a comprehensive suite of tools, including:
- AdaptixC2: A command-and-control framework used for post-exploitation.
- Chisel: A fast TCP/UDP tunnel, transported over HTTP, used for network pivoting.
- BusyBox: A software suite that provides several Unix utilities in a single executable file.
- Rclone: An open-source program used to manage and exfiltrate data to cloud storage.
Campaign STAC3725: Exploiting Citrix and ScreenConnect
A second, parallel campaign tracked as STAC3725 was observed in early 2025. This campaign targets NetScaler ADC and Gateway instances by exploiting the CitrixBleed 2 vulnerability (CVE-2025-5777). After gaining initial access to the NetScaler device, the attackers deploy a ZIP archive that installs a service named "AppMgmt" and creates a local administrative user under the guise of "CtxAppVCOMService."
For persistence, this campaign relies on the installation of a ScreenConnect client. ScreenConnect is a legitimate remote support tool, and its presence is often overlooked by security teams who may assume it is being used by internal IT staff. The attackers use this client to establish a session with system privileges, which they then use to drop the QEMU package.
Unlike the STAC4713 campaign, which uses a pre-configured toolkit, the actors in STAC3725 have been observed manually compiling and installing their tools within the virtualized environment. This includes a "Swiss Army knife" of penetration testing tools such as Impacket, KrbRelayx, BloodHound.py, and Metasploit. This manual approach suggests a tailored attack strategy, where tools are selected based on the specific architecture and defenses of the target network.

Linkages to Former BlackBasta Affiliates
Industry analysis from Zscaler suggests that the Payouts King operation is not a completely new entity but is likely composed of former affiliates of the BlackBasta ransomware group. This assessment is based on a significant overlap in Tactics, Techniques, and Procedures (TTPs). Both groups have demonstrated a preference for social engineering and "spam bombing" to overwhelm users, as well as posing as IT support staff on Microsoft Teams to trick employees into installing remote access software like Quick Assist.
The Payouts King ransomware itself is a formidable piece of malware. It utilizes heavy obfuscation to thwart static analysis and employs low-level system calls to terminate security processes directly, bypassing the standard Windows API. The encryption routine is equally robust, using AES-256 in Counter (CTR) mode combined with RSA-4096. To maximize efficiency and minimize the time required to lock a system, the ransomware uses "intermittent encryption," targeting only specific portions of larger files rather than the entire data set.
Timeline of Recent Payouts King Activity
- November 2024: Initial observations of the STAC4713 campaign involving GOLD ENCOUNTER and early versions of the Payouts King encryptor.
- January 2025: Emergence of attacks exploiting exposed SonicWall VPNs to deliver QEMU-based backdoors.
- February 2025: Detection of campaign STAC3725, characterized by the exploitation of CitrixBleed 2 and the use of ScreenConnect for persistence.
- March 2025: Threat actors observed using Microsoft Teams and Quick Assist social engineering tactics to breach corporate networks.
- April 2025: Increased reports of SolarWinds Web Help Desk exploitation (CVE-2025-26399) as a primary entry vector for Payouts King.
Broader Implications for Enterprise Security
The use of QEMU by Payouts King highlights a critical gap in modern defensive strategies. As EDR and XDR (Extended Detection and Response) solutions become more adept at identifying malicious processes on the host operating system, threat actors are moving their operations to layers that these tools cannot easily reach. This "Living-off-the-VM" strategy represents a new frontier in the cat-and-mouse game between attackers and defenders.
For incident responders, the presence of QEMU or other virtualization software should now be treated as a high-priority alert unless explicitly authorized for business use. The difficulty lies in the fact that many legitimate developers and IT professionals use these tools daily, making it easy for malicious instances to hide in plain sight.

Recommendations for Detection and Mitigation
Security professionals are advised to adopt a multi-layered approach to counter the threat posed by Payouts King and similar groups:
- Monitor for Unauthorized Virtualization: Organizations should maintain an inventory of authorized virtualization software. Any instance of QEMU, VirtualBox, or VMware found on unauthorized workstations or servers should be investigated immediately.
- Audit Scheduled Tasks: Regularly scan for scheduled tasks that run with SYSTEM privileges, particularly those with ambiguous names or those that execute binaries from temporary directories.
- Network Traffic Analysis: Look for unusual outbound SSH traffic, especially on non-standard ports. Reverse SSH tunnels are a hallmark of the QEMU-based backdoor strategy.
- Endpoint Visibility: While EDR may not see inside the VM, it can see the QEMU process itself. Monitor for QEMU processes that make network connections or access sensitive files such as the NTDS.dit database or the SAM registry hive.
- Vulnerability Management: Prioritize the patching of external-facing assets, including VPNs (SonicWall, Cisco) and gateway appliances (Citrix NetScaler). The exploitation of CVE-2025-5777 and CVE-2025-26399 remains a primary driver for these infections.
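One way to triage process-creation telemetry for the indicators described in the STAC4713 section (a SYSTEM scheduled task, a headless QEMU launch, disk images disguised as database files or DLLs) and in the "Audit Scheduled Tasks" and "Endpoint Visibility" recommendations above. This is an added example, not code from the Sophos report or from any vendor product; the events, paths and task names are constructed, and the record layout (user plus command line) assumes Sysmon-style process-creation events.

```python
import ntpath
import re

# Constructed process-creation records (user + command line, as in Sysmon Event ID 1).
# Sample data for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"user": r"NT AUTHORITY\SYSTEM",
     "cmd": r'"C:\ProgramData\tpm\qemu-system-x86_64.exe" -m 1024 -display none '
            r'-drive file=C:\ProgramData\tpm\profiler.db,format=qcow2'},
    {"user": r"CORP\dev1",
     "cmd": r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 2048 -drive file=C:\vms\alpine.qcow2'},
    {"user": r"CORP\admin",
     "cmd": r"schtasks /create /tn TPMProfiler /ru SYSTEM /sc onstart /tr C:\ProgramData\tpm\run.bat"},
]
DISK_IMAGE_EXTS = {".qcow2", ".img", ".raw", ".vmdk", ".vhd", ".vhdx", ".iso", ".vdi"}
HEADLESS_FLAGS = {"-display", "-nographic", "-daemonize"}
DROP_DIRS = ("\\programdata\\", "\\temp\\", "\\appdata\\", "\\users\\public\\")

def tokens(cmd):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]

def flag_value(args, flag):
    """Return the argument following a case-insensitive flag, or '' if absent."""
    low = [a.lower() for a in args]
    i = low.index(flag) + 1 if flag in low else len(args)
    return args[i] if i < len(args) else ""

def score_event(ev):
    """Return the list of reasons an event deserves a look; more reasons means higher priority."""
    args = tokens(ev["cmd"])
    image = ntpath.basename(args[0]).lower()
    reasons = []
    if image.startswith("qemu"):
        reasons.append("QEMU launched: check against the authorized virtualization inventory")
        if ev["user"].upper().endswith("\\SYSTEM"):
            reasons.append("QEMU running as SYSTEM")
        if HEADLESS_FLAGS & {a.lower() for a in args}:
            reasons.append("headless VM (no display attached)")
        for i, a in enumerate(args[:-1]):  # -drive file=...: a .db or .dll image is the disguise
            if a == "-drive":
                for p in (x[5:] for x in args[i + 1].split(",") if x.startswith("file=")):
                    ext = ntpath.splitext(p)[1].lower()
                    if ext not in DISK_IMAGE_EXTS:
                        reasons.append(f"disk image disguised with extension {ext or '(none)'}: {p}")
    elif image.startswith("schtasks") and flag_value(args, "/ru").upper() == "SYSTEM":
        target = flag_value(args, "/tr")
        if "/create" in [a.lower() for a in args] and any(d in target.lower() for d in DROP_DIRS):
            reasons.append(f"SYSTEM scheduled task launching from a drop directory: {target}")
    return reasons
```

Running `score_event` over the three sample events yields four reasons for the hidden VM launch, a single inventory check for the developer's interactive QEMU, and one high-value hit for the SYSTEM task created from ProgramData.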
As the Payouts King ransomware continues to refine its methods, the integration of virtualization as a cloaking device serves as a reminder that the boundaries of endpoint security are constantly being tested. Organizations must look beyond the surface of the host operating system to identify the hidden environments where modern threats now reside.
