A New Twist on an Old Evasion Technique
The threat actors behind the Payouts King ransomware have adopted a sophisticated evasion strategy: using the open-source QEMU CPU emulator and virtualization tool to run hidden virtual machines (VMs) directly on compromised systems. Endpoint security solutions installed on the host see only a QEMU process and its disk image files; they cannot inspect the traffic, files, or processes inside the running guest. That blind spot lets attackers store malicious payloads, execute tools, and establish covert remote-access channels via reverse SSH tunnels, all beyond the reach of traditional host-based defenses.
QEMU is a legitimate, widely used utility that allows users to emulate entire operating systems within a host environment. Its abuse for malicious purposes is not new; prior campaigns involving the 3AM ransomware group, the LoudMiner cryptomining operation, and the CRON#TRAP phishing campaign all exploited QEMU in similar ways. What makes the current activity notable is both the ransomware context and the operational sophistication observed by researchers.
Sophos Uncovers Two Distinct Campaigns
Cybersecurity firm Sophos documented two separate attack campaigns that each employ QEMU as a core component of their toolkit. The first, tracked internally as STAC4713, was initially detected in November 2025 and has been linked directly to the Payouts King ransomware operation. The second, designated STAC3725, became active in February 2026 and centers on exploitation of a critical vulnerability in Citrix networking products.
STAC4713: GOLD ENCOUNTER and the Payouts King Connection
Sophos attributes the STAC4713 campaign to a threat cluster it calls GOLD ENCOUNTER, a group with a history of targeting hypervisors and deploying encryptors built for VMware ESXi environments. The group's methodology inside compromised networks is methodical and layered.
Establishing the Hidden VM
Once inside a victim environment, attackers create a scheduled task named TPMProfiler that launches a QEMU virtual machine with SYSTEM-level privileges while keeping the process hidden from casual inspection. Virtual disk files are disguised with innocuous database and DLL file names and extensions to avoid raising alarms. Port forwarding is configured between the host and the guest, and a reverse SSH tunnel gives the attackers persistent, covert access to the infected host.
The VM itself runs Alpine Linux version 3.22.0 and comes pre-loaded with an attacker toolkit that includes AdaptixC2, Chisel, BusyBox, and Rclone.
Initial Access Vectors and Credential Theft
Sophos notes that early incidents in this campaign gained initial access through exposed SonicWall VPN appliances. More recent attacks have involved exploitation of CVE-2025-26399, a vulnerability in the SolarWinds Web Help Desk product. After gaining a foothold, the threat actors used vssuirun.exe (a Volume Shadow Copy Service utility) to create a shadow copy, then leveraged the Windows print command over SMB (print.exe can write a file to a UNC share path, which turns it into a file-copy primitive) to copy the NTDS.dit database and the SAM and SYSTEM registry hives into temporary directories, a classic credential-harvesting sequence.
The group has also varied its initial access approach across incidents. In one February attack, GOLD ENCOUNTER used an exposed Cisco SSL VPN as the entry point. In a March incident, attackers impersonated IT staff and manipulated employees through Microsoft Teams, tricking them into downloading and installing Quick Assist.
Sophos observed that in both of these cases, the threat actors abused the legitimate binary ADNotificationManager.exe to sideload a Havoc C2 payload housed in a file named vcruntime140_1.dll, and then used Rclone to exfiltrate stolen data to a remote SFTP location.
Links to Former BlackBasta Affiliates
A report published this week by Zscaler suggests that Payouts King is likely connected to former BlackBasta affiliates. The assessment is based on shared initial access techniques, including spam bombing, Microsoft Teams-based phishing, and Quick Assist abuse — all tactics previously associated with the BlackBasta ecosystem.
The ransomware strain itself employs heavy obfuscation and anti-analysis mechanisms, establishes persistence through scheduled tasks, and terminates security tools using low-level system calls. Its encryption scheme combines AES-256 in CTR mode with RSA-4096, applying intermittent encryption to larger files to speed up the process. Victims are directed to leak sites on the dark web via dropped ransom notes.
STAC3725: CitrixBleed 2 Exploitation
The second campaign Sophos analyzed, STAC3725, has been active since February 2026 and gains initial access by exploiting CVE-2025-5777, a vulnerability dubbed CitrixBleed 2, in Citrix NetScaler ADC and Gateway appliances. The flaw is an out-of-bounds memory read that an unauthenticated attacker can trigger to leak appliance memory, including session tokens, and so compromise NetScaler devices without valid credentials.
Post-Exploitation Steps
After compromising a NetScaler device, the attackers deploy a ZIP archive containing a malicious executable that performs several actions in sequence:
- Installs a Windows service named AppMgmt
- Creates a new local administrator account named CtxAppVCOMService
- Installs a ScreenConnect remote access client for persistent access
The ScreenConnect client connects back to an attacker-controlled relay server and establishes a session running with system privileges. From there, the attackers drop and extract a QEMU package that spins up a hidden Alpine Linux VM using a custom .qcow2 disk image.
Manual Tool Compilation Inside the VM
Rather than relying on a pre-packaged toolkit, the STAC3725 operators manually install and compile their tools directly inside the virtual machine. The tools observed include Impacket, KrbRelayx, Coercer, BloodHound.py, NetExec, Kerbrute, and Metasploit. Observed malicious activity encompasses credential harvesting, Kerberos username enumeration, Active Directory reconnaissance, and staging data for exfiltration via FTP servers.
Detection Guidance from Sophos
Sophos researchers recommend that defenders proactively hunt for indicators of this type of abuse within their environments. Specific areas to investigate include:
- Unauthorized QEMU installations on servers or workstations
- Suspicious scheduled tasks running under SYSTEM privileges, particularly those with unusual or disguised names
- Unusual SSH port forwarding rules on internal hosts
- Outbound SSH tunnels traversing non-standard ports
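The following script is an added example, not code from the Sophos report or from BleepingComputer. It turns the hidden-VM tradecraft described above (a SYSTEM scheduled task launching a headless QEMU guest, disk images disguised as .db or .dll files, host-to-guest port forwarding, and outbound SSH on odd ports) and the four hunting points in the list into concrete checks over process-creation, scheduled-task, and SSH-session records. All telemetry below is constructed for illustration; the trusted install paths, field names, and the TPMProfiler task entry mirroring the reported task name are assumptions, not indicators published by Sophos.

```python
"""Hunt for QEMU hidden-VM abuse in endpoint and network telemetry (added example)."""
import ipaddress
import re

# Assumptions for this example: where QEMU is allowed to live, which directories
# a SYSTEM task may legitimately launch binaries from, and what RFC1918 looks like here.
TRUSTED_QEMU_DIRS = (r"c:\program files\qemu" + "\\",)
TRUSTED_TASK_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VM_IMAGE_EXTENSIONS = {".qcow2", ".qcow", ".img", ".raw", ".vmdk", ".vdi", ".vhd", ".vhdx", ".iso"}

# QEMU user-mode networking exposes guest ports on the host via hostfwd=proto:[hostaddr]:hostport-[guestaddr]:guestport
HOSTFWD_RE = re.compile(r"hostfwd=(tcp|udp):([^:\s,]*):(\d+)-([^:\s,]*):(\d+)", re.I)
# Disk images are given with -drive file=..., -hda ..., or -cdrom ...
DRIVE_FILE_RE = re.compile(r'(?:file=|-hda\s+|-cdrom\s+)"?([^\s,"]+)', re.I)

# Constructed Sysmon-style process-creation records (Event ID 1 fields, simplified).
PROCESS_EVENTS = [
    {"user": r"NT AUTHORITY\SYSTEM", "image": r"C:\ProgramData\TPM\qemu-system-x86_64.exe",
     "command_line": r'"C:\ProgramData\TPM\qemu-system-x86_64.exe" -m 1024 -display none '
                     r'-drive file=C:\ProgramData\TPM\profiles.db,format=qcow2 '
                     r'-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0'},
    {"user": r"CORP\jdoe", "image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "command_line": r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 2048 '
                     r'-drive file=C:\Users\jdoe\vm\alpine.qcow2 -netdev user,id=n0 -device e1000,netdev=n0'},
    {"user": r"CORP\jdoe", "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]
# Constructed scheduled-task inventory (name, principal, hidden flag, action path).
SCHEDULED_TASKS = [
    {"name": "TPMProfiler", "run_as": r"NT AUTHORITY\SYSTEM", "hidden": True,
     "action": r"C:\ProgramData\TPM\qemu-system-x86_64.exe"},
    {"name": "MicrosoftEdgeUpdateTaskMachineCore", "run_as": r"NT AUTHORITY\SYSTEM", "hidden": False,
     "action": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
]
# Constructed SSH session records in the shape of a Zeek ssh.log (originator, responder, responder port).
SSH_SESSIONS = [
    {"orig_h": "10.0.0.15", "resp_h": "203.0.113.10", "resp_p": 443},
    {"orig_h": "10.0.0.15", "resp_h": "10.0.0.20", "resp_p": 22},
]


def analyse_qemu_process(event):
    """Return the reasons a process-creation event looks like hidden-VM abuse ([] if clean)."""
    image, cmd = event["image"].lower(), event["command_line"]
    if "qemu-system" not in image and "qemu-system" not in cmd.lower():
        return []
    reasons = []
    if not image.startswith(TRUSTED_QEMU_DIRS):
        reasons.append(f"qemu binary outside trusted install path: {event['image']}")
    if event["user"].split("\\")[-1].upper() == "SYSTEM":
        reasons.append("qemu running as SYSTEM")
    if re.search(r"-display\s+none|-nographic", cmd):
        reasons.append("headless VM (no console attached)")
    for path in DRIVE_FILE_RE.findall(cmd):
        ext = ("." + path.rsplit(".", 1)[-1].lower()) if "." in path else ""
        if ext not in VM_IMAGE_EXTENSIONS:
            reasons.append(f"disk image with disguised extension: {path}")
    for proto, _hip, hport, _gip, gport in HOSTFWD_RE.findall(cmd):
        reasons.append(f"host port {proto}/{hport} forwarded into guest port {gport}")
    return reasons


def analyse_scheduled_task(task):
    """Flag SYSTEM tasks launching binaries from non-standard paths, and hidden tasks."""
    reasons = []
    if task["run_as"].split("\\")[-1].upper() == "SYSTEM" and not task["action"].lower().startswith(TRUSTED_TASK_DIRS):
        reasons.append(f"task {task['name']} runs {task['action']} as SYSTEM from a non-standard path")
    if task.get("hidden"):
        reasons.append(f"task {task['name']} is marked hidden")
    return reasons


def analyse_ssh_session(rec):
    """Flag SSH sessions on a non-standard port; note whether the peer is outside the internal ranges."""
    if rec["resp_p"] == 22:
        return []
    dst = ipaddress.ip_address(rec["resp_h"])
    where = "internal" if any(dst in net for net in INTERNAL_NETS) else "external"
    return [f"SSH from {rec['orig_h']} to {where} host {rec['resp_h']} on non-standard port {rec['resp_p']}"]


def hunt(processes=PROCESS_EVENTS, tasks=SCHEDULED_TASKS, ssh_sessions=SSH_SESSIONS):
    """Run every check and group the findings by telemetry source."""
    findings = {}
    for source, records, check in (("qemu", processes, analyse_qemu_process),
                                   ("task", tasks, analyse_scheduled_task),
                                   ("ssh", ssh_sessions, analyse_ssh_session)):
        for rec in records:
            for reason in check(rec):
                findings.setdefault(source, []).append(reason)
    return findings


if __name__ == "__main__":
    for source, reasons in hunt().items():
        for reason in reasons:
            print(f"[{source}] {reason}")
```

The checks are deliberately independent so that each one maps onto a single line of the Sophos guidance and can be tuned separately: a developer's QEMU under Program Files with a .qcow2 image and no hostfwd produces nothing, while the constructed TPMProfiler-style launch trips five checks at once. Quoted disk paths containing spaces are not handled by the simple regex, so on real Sysmon data parse the command line with a proper Windows argument splitter first.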
The dual-campaign nature of the activity documented by Sophos underscores a growing trend: ransomware affiliates and sophisticated threat actors are increasingly weaponizing legitimate virtualization software to create blind spots within target environments. As long as endpoint security tools remain unable to inspect VM internals, QEMU-based evasion is likely to remain an attractive option for well-resourced threat groups. What the host still exposes, namely the QEMU binary and its disk images, the scheduled task that launches it, the port forwards, and the tunnel traffic leaving the machine, is where defenders have to look.
Source: BleepingComputer