Payouts King ransomware uses QEMU VMs to bypass endpoint security

Payouts King ransomware operators use the QEMU emulator to run hidden virtual machines on compromised Windows hosts, reaching them through a reverse SSH tunnel, so that their tooling never touches the host in a form endpoint security can inspect.
QEMU is an open source CPU emulator and virtualization tool that lets users run guest operating systems on a host computer as virtual machines (VMs).
Because endpoint security products on the host have no visibility into the processes and files inside a guest VM, attackers can use one to stage payloads, store malicious tooling, and build remote-access tunnels over SSH.
For these reasons, QEMU has been abused in earlier operations by several threat actors, including the 3AM ransomware group, the LoudMiner cryptomining campaign, and the ‘CRON#TRAP’ phishing campaign.
Researchers at the cybersecurity company Sophos documented two campaigns in which attackers used QEMU as part of their arsenal and harvested domain credentials.
One campaign Sophos tracked as STAC4713 was first spotted in November 2025 and is linked to Payouts King ransomware activity.
Another, tracked as STAC3725, was spotted in February this year and exploits the CitrixBleed 2 vulnerability (CVE-2025-5777) in NetScaler ADC and Gateway instances.
Hidden Alpine Linux VMs
Researchers note that the threat actors behind the STAC4713 campaign are associated with the GOLD ENCOUNTER threat group, which is known for targeting VMware ESXi hypervisors with dedicated encryptors.
According to Sophos, the attacker creates a scheduled task named ‘TPMProfiler’ that launches a QEMU VM under the SYSTEM account.
The VM's disk images are hidden under innocuous names, such as database or DLL files, and QEMU port forwarding is configured so that the attackers get private access to the infected host through a reverse SSH tunnel.
The VM runs Alpine Linux 3.22.0 and ships with attack tools including AdaptixC2, Chisel, BusyBox, and Rclone.
Sophos notes that initial access was gained through SonicWall VPN appliances, while more recent attacks have exploited the SolarWinds Web Help Desk vulnerability CVE-2025-26399.
In the post-exploitation phase, the threat actors used VSS (vssuirun.exe) to create a shadow copy, then abused the built-in print command, writing over SMB, to copy NTDS.dit and the SAM and SYSTEM registry hives out of the shadow copy into staging directories.
More recent intrusions by the same threat actor relied on other initial access vectors. Researchers say that in an attack in February, GOLD ENCOUNTER used an exposed Cisco SSL VPN, and in March they posed as IT staff over Microsoft Teams and tricked employees into downloading and installing Quick Assist.
“In both cases, the threat actors used the official ADNotificationManager.exe binary to sideload the Havoc C2 payload (vcruntime140_1.dll) and then used Rclone to extract data from a remote SFTP location” – Sophos
According to a Zscaler report published this week, Payouts King is likely tied to Black Basta affiliates, based on its use of the same initial access methods: spam bombing, Microsoft Teams phishing, and Quick Assist abuse.
The strain uses sophisticated obfuscation and anti-analysis techniques, establishes persistence through scheduled tasks, and evades security tools by issuing low-level system calls directly.
Payouts King's encryption scheme uses AES-256 in CTR mode, with the AES keys protected by RSA-4096, and applies intermittent (partial) encryption to large files. The dropped ransom notes point victims to the gang's leak site on the dark web.

Source: BleepingComputer
The second campaign spotted by Sophos (STAC3725) has been active since February and uses the CitrixBleed 2 vulnerability to gain initial access to target networks.
After compromising the NetScaler devices, the attackers drop a ZIP archive containing a malicious executable that installs a service called ‘AppMgmt,’ creates a new local user (CtxAppVCOMService), and installs the ScreenConnect client for persistence.
The ScreenConnect client connects to the attackers' server and establishes a session with SYSTEM privileges, then downloads and unpacks a QEMU package that runs a hidden Alpine Linux VM from a custom disk image (image.qcow2).
Instead of using a pre-built toolkit, attackers install and bundle their own tools, including Impacket, KrbRelayx, Coercer, BloodHound.py, NetExec, Kerbrute, and Metasploit, inside the VM.
Observed activity includes credential harvesting, Kerberos username enumeration, Active Directory reconnaissance, and staging of collected data for exfiltration over FTP.
Sophos recommends that organizations hunt for unauthorized QEMU installations, suspicious scheduled tasks running with SYSTEM privileges, unusual SSH port forwarding, and outbound SSH tunnels on non-standard ports.
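The following is an added example, not code from Sophos or from the campaigns described above, showing how the hunting advice maps onto the STAC4713 tradecraft (a SYSTEM-level QEMU launch, disk images disguised with non-VM extensions, and a hostfwd rule exposing the guest's SSH port). It parses constructed process-creation events shaped like Sysmon Event ID 1 (the sample command lines, file names and the approved install directory are assumptions for illustration, not indicators from the report) and flags the QEMU invocations that match the pattern.

```python
"""Hunt process-creation events for hidden QEMU VMs (added example, not the report's code)."""
import re
import shlex
from pathlib import PureWindowsPath

# Constructed sample events shaped like Sysmon Event ID 1; none are real indicators.
SAMPLE_EVENTS = [
    {   # what a TPMProfiler-style scheduled task launching a hidden VM might look like (assumed)
        "User": r"NT AUTHORITY\SYSTEM",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\ProgramData\tpm\qemu-system-x86_64.exe",
        "CommandLine": r"C:\ProgramData\tpm\qemu-system-x86_64.exe -m 1024 -display none "
                       r"-drive file=C:\ProgramData\tpm\profiler.db,format=qcow2 "
                       r"-netdev user,id=n0,hostfwd=tcp::2222-:22 -device virtio-net-pci,netdev=n0",
    },
    {   # a developer running a VM interactively from the approved install location
        "User": r"CORP\dev01",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
        "CommandLine": r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 4096 -hda C:\VMs\alpine.qcow2 -display gtk',
    },
    {   # unrelated SYSTEM process, must not be flagged
        "User": r"NT AUTHORITY\SYSTEM",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    },
]

QEMU_IMAGE = re.compile(r"^qemu(-system-[a-z0-9_]+|-img|-ga)?\.exe$", re.IGNORECASE)
# Extensions a legitimate VM disk is normally stored under; anything else looks disguised.
DISK_EXTENSIONS = {".qcow2", ".qcow", ".img", ".raw", ".vmdk", ".vdi", ".vhd", ".vhdx", ".iso"}
DISK_FLAGS = {"-hda", "-hdb", "-hdc", "-hdd", "-cdrom"}
SERVICE_HOSTS = {"svchost.exe", "taskhostw.exe", "services.exe"}
APPROVED_INSTALL_DIRS = (r"C:\Program Files\qemu",)  # assumption: tune to your estate
HOSTFWD = re.compile(r"^(tcp|udp):([^:]*):(\d+)-([^:]*):(\d+)$")


def parse_qemu_args(command_line):
    """Extract disk image paths, hostfwd rules and display mode from a QEMU command line."""
    # posix=False keeps Windows backslashes intact; quotes are kept on tokens, so strip them.
    tokens = [t.strip('"') for t in shlex.split(command_line, posix=False)]
    disks, hostfwds, headless = [], [], False
    it = iter(tokens[1:])  # skip the executable itself
    for tok in it:
        if tok in DISK_FLAGS:
            disks.append(next(it, ""))
        elif tok == "-drive":
            disks += [kv[5:] for kv in next(it, "").split(",") if kv.startswith("file=")]
        elif tok == "-netdev":
            hostfwds += [kv[8:] for kv in next(it, "").split(",") if kv.startswith("hostfwd=")]
        elif tok == "-display":
            headless = headless or next(it, "") == "none"
        elif tok == "-nographic":
            headless = True
    return {"disks": disks, "hostfwds": hostfwds, "headless": headless}


def analyze_event(event):
    """Return the findings for one event; an empty list means no QEMU concern."""
    image = PureWindowsPath(event["Image"])
    if not QEMU_IMAGE.match(image.name):
        return []
    findings = []
    parent_dir = str(image.parent).lower()
    if not parent_dir.startswith(tuple(d.lower() for d in APPROVED_INSTALL_DIRS)):
        findings.append(f"QEMU running from unapproved path {image.parent}")
    if event["User"].upper().endswith("\\SYSTEM"):
        findings.append("QEMU launched as SYSTEM")
    if PureWindowsPath(event["ParentImage"]).name.lower() in SERVICE_HOSTS:
        findings.append("launched by a service/scheduled-task host rather than an interactive user")
    args = parse_qemu_args(event["CommandLine"])
    if args["headless"]:
        findings.append("headless VM (-display none / -nographic)")
    for disk in args["disks"]:
        ext = PureWindowsPath(disk).suffix.lower()
        if ext not in DISK_EXTENSIONS:
            findings.append(f"disk image disguised with extension '{ext or '(none)'}': {disk}")
    for rule in args["hostfwds"]:
        m = HOSTFWD.match(rule)
        if m and m.group(5) == "22":
            findings.append(f"host port {m.group(3)} forwarded to guest SSH (hostfwd={rule})")
        elif m:
            findings.append(f"host port {m.group(3)} forwarded to guest port {m.group(5)}")
    return findings


def hunt(events, min_findings=2):
    """Return events that trip at least min_findings rules, most suspicious first."""
    hits = [{"image": ev["Image"], "user": ev["User"], "findings": analyze_event(ev)} for ev in events]
    hits = [h for h in hits if len(h["findings"]) >= min_findings]
    return sorted(hits, key=lambda h: len(h["findings"]), reverse=True)


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["image"], "as", hit["user"])
        for f in hit["findings"]:
            print("  -", f)
```

The rules are deliberately independent so that a single one (a developer's VM running as SYSTEM, say) does not page anyone; the combination of SYSTEM context, a service-host parent, a headless VM, a disk image hiding behind a non-VM extension, and a hostfwd rule onto guest port 22 is what distinguishes the campaign's hidden VM from legitimate use. Pair it with a check for outbound SSH on non-standard ports from the host, which a process-creation event alone cannot see.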