RC RANDOM CHAOS

Payouts King ransomware hides payloads inside QEMU VMs to evade endpoint scans

· via BleepingComputer

Original source: Payouts King ransomware uses QEMU VMs to bypass endpoint security (BleepingComputer)

Sophos has documented two active campaigns that abuse the open-source QEMU emulator to run hidden Alpine Linux virtual machines on compromised Windows hosts, placing attacker tooling outside the reach of host-based endpoint security. The first cluster, tracked as STAC4713, is tied to the GOLD ENCOUNTER group and the Payouts King ransomware strain. Operators create a SYSTEM-level scheduled task named TPMProfiler that boots a QEMU VM from virtual disks disguised as DLL and database files, then use QEMU port forwarding to expose a reverse SSH tunnel that carries AdaptixC2, Chisel, BusyBox, and Rclone. Initial access has come from exposed SonicWall VPNs and from exploitation of SolarWinds Web Help Desk (CVE-2025-26399); once inside, the operators siphon NTDS.dit and the SAM and SYSTEM registry hives via VSS shadow copies and SMB print redirection.

Payouts King itself shows strong overlap with former Black Basta affiliates, reusing email spam bombing, Microsoft Teams phishing, and Quick Assist social engineering for entry, and sideloading the Havoc C2 agent through the legitimate ADNotificationManager.exe. The encryptor pairs AES-256-CTR with RSA-4096 and applies intermittent encryption to large files; it kills security agents through low-level syscalls and persists through scheduled tasks. The second campaign, STAC3725, rides CitrixBleed 2 (CVE-2025-5777) into NetScaler appliances, drops a ScreenConnect client for persistence, then installs Impacket, KrbRelayx, BloodHound.py, NetExec, Kerbrute, and Metasploit inside the VM for Active Directory attacks.

The common thread is that virtualization becomes an evasion surface: the host EDR sees only a legitimate QEMU process, while credential theft, C2, and staging happen inside an opaque guest whose filesystem and memory the host agent never inspects. Detection therefore hinges on hunting for the wrapper rather than the payloads: unauthorized QEMU binaries and the command lines they run with (headless guests, disk images carrying .dll or .db extensions, hostfwd port forwards), the SYSTEM-owned scheduled tasks that launch them, and outbound SSH tunnels on non-standard ports, not signatures of the tooling inside the VM.
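One way to turn that hunting guidance into a rule, as an added example that is not code from Sophos, BleepingComputer or the campaign write-up: the script below scores Sysmon-style process-creation events for the indicators named above (a QEMU binary launched from an unexpected path, a disk image whose extension says .dll, hostfwd port forwards, a headless display, SYSTEM as the launching user, the Task Scheduler service as parent). The sample events are constructed, and the weights, alerting threshold and the assumed sanctioned install path C:\Program Files\qemu\ are assumptions of this example, not Sophos' detection logic.

```python
"""Hunt Sysmon-style process-creation events for hidden QEMU guests.

Added example, not code from Sophos or BleepingComputer. Event fields are
reduced to the Sysmon Event ID 1 names used here; weights, threshold and
the expected install path are assumptions, not Sophos' detection logic.
"""
import ntpath
import re
import shlex
from dataclasses import dataclass, field

# qemu-system-<arch>[.exe] as the last path component
QEMU_BINARY = re.compile(r"(?:^|[\\/])qemu-system-[a-z0-9_]+(?:\.exe)?$", re.I)
# -netdev user,...,hostfwd=tcp::2222-:22  -> (proto, host port, guest port)
HOSTFWD = re.compile(r"hostfwd=(tcp|udp):[^:,]*:(\d+)-[^:,]*:(\d+)", re.I)
# Extensions a VM disk normally carries; anything else (.dll, .db, ...) on a
# -drive/-hda argument is the masquerade described above.
DISK_EXTS = {".qcow2", ".img", ".raw", ".vmdk", ".vdi", ".vhd", ".vhdx", ".iso"}
EXPECTED_DIR = "c:\\program files\\qemu\\"  # assumed sanctioned install path


@dataclass
class Finding:
    pid: int
    image: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, why):
        self.score += points
        self.reasons.append(why)


def tokens(cmdline):
    """Split a Windows command line; posix=False keeps backslashes literal."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def disk_images(toks):
    """File paths handed to -hda/-hdb/-cdrom or -drive file=..."""
    paths = []
    for i, tok in enumerate(toks[:-1]):
        if tok in ("-hda", "-hdb", "-cdrom"):
            paths.append(toks[i + 1])
        elif tok == "-drive":
            paths += [kv[5:] for kv in toks[i + 1].split(",") if kv.startswith("file=")]
    return paths


def port_forwards(cmdline):
    return [(p.lower(), int(h), int(g)) for p, h, g in HOSTFWD.findall(cmdline)]


def headless(toks):
    if "-nographic" in toks:
        return True
    i = toks.index("-display") if "-display" in toks else -1
    return i >= 0 and i + 1 < len(toks) and toks[i + 1] == "none"


def analyze_event(ev):
    """Score one process-creation event; None when it is not a QEMU launch."""
    image = ev["Image"]
    if not QEMU_BINARY.search(image):
        return None
    toks = tokens(ev["CommandLine"])
    f = Finding(pid=ev["ProcessId"], image=image)
    if not image.lower().startswith(EXPECTED_DIR):
        f.add(2, f"QEMU binary outside {EXPECTED_DIR}")
    for path in disk_images(toks):
        ext = ntpath.splitext(path)[1].lower()
        if ext not in DISK_EXTS:
            f.add(3, f"disk image with non-image extension {ext!r}: {path}")
    for proto, hport, gport in port_forwards(ev["CommandLine"]):
        f.add(2, f"hostfwd {proto} host:{hport} -> guest:{gport}")
    if headless(toks):
        f.add(1, "headless guest (-display none / -nographic)")
    if ev.get("User", "").upper() == "NT AUTHORITY\\SYSTEM":
        f.add(2, "runs as SYSTEM")
    if "schedule" in ev.get("ParentCommandLine", "").lower():
        f.add(1, "parent is the Task Scheduler service host")
    return f


def hunt(events, threshold=5):
    """Findings at or above the (assumed) alerting threshold."""
    return [f for f in map(analyze_event, events) if f and f.score >= threshold]


# Constructed sample telemetry, not real logs: a hidden-VM launch shaped like
# the STAC4713 chain above, a developer's ordinary VM, and an unrelated process.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\ProgramData\TPMProfiler\qemu-system-x86_64.exe",
     "CommandLine": r'"C:\ProgramData\TPMProfiler\qemu-system-x86_64.exe" -m 1024 -display none '
                    r"-drive file=C:\ProgramData\TPMProfiler\tpmcfg.dll,format=qcow2 "
                    r"-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0",
     "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    {"ProcessId": 7788, "User": r"CORP\dev",
     "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "CommandLine": r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 2048 '
                    r"-drive file=C:\Users\dev\vms\alpine.qcow2,format=qcow2",
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
    {"ProcessId": 9001, "User": r"CORP\dev",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"pid {f.pid} score {f.score}: " + "; ".join(f.reasons))
```

Run stand-alone it prints the single flagged launch; the developer's VM from the sanctioned path scores zero and the unrelated process is ignored. In production the same scoring runs over EDR or Sysmon Event ID 1 telemetry, with the task-creation event for the SYSTEM-owned scheduled task and outbound SSH connections on non-standard ports joined in as corroboration rather than folded into one event.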


This is an AI-generated summary. Read the original for the full story.