Listen to this Post

Introduction
A newly observed ransomware-linked operation known as Payouts King is taking endpoint evasion to a new level by abusing QEMU virtualization as a covert execution layer. Instead of relying solely on traditional malware payloads, attackers are embedding full virtual machines inside compromised environments, allowing them to operate almost completely outside the visibility of security tools. This approach reflects a growing trend in cybercrime where legitimate system tools are repurposed to create stealth infrastructure that blends into enterprise environments.
Summary of the Original
The Payouts King ransomware operation has been observed using QEMU, an open-source CPU emulator and virtualization tool, as a reverse SSH backdoor to run hidden virtual machines on compromised systems.
This technique allows attackers to bypass endpoint security solutions that cannot inspect activity inside virtual machines.
Within these isolated environments, attackers can execute malicious tools, store payloads, and maintain persistent remote access.
QEMU abuse is not new and has previously been linked to threats such as 3AM ransomware, LoudMiner cryptomining campaigns, and CRONTRAP phishing operations.
Security researchers from Sophos identified two major intrusion clusters involving this tactic, tracked as STAC4713 and STAC3725.
STAC4713 is associated with Payouts King and first appeared in November 2025, while STAC3725 emerged in February 2026.
The STAC3725 campaign exploited CitrixBleed 2 (CVE-2025-5777) affecting NetScaler ADC and Gateway devices.
In both cases, attackers deployed QEMU to run Alpine Linux virtual machines embedded within compromised systems.
These VMs contained offensive tools such as AdaptixC2, Chisel, BusyBox, and Rclone.
Attackers used scheduled tasks such as “TPMProfiler” to launch QEMU instances with SYSTEM privileges.
Virtual disk images were disguised as legitimate database or DLL files to avoid detection.
The attackers configured port forwarding and reverse SSH tunnels to maintain covert access to infected hosts.
Initial access methods included exposed SonicWall VPNs, Cisco SSL VPN exploitation, and vulnerability abuse in enterprise platforms.
More recent attacks also involved social engineering via Microsoft Teams and Quick Assist impersonation of IT staff.
Once inside, attackers used tools like VSS to create shadow copies and extract credentials from NTDS.dit, SAM, and SYSTEM files.
They also leveraged SMB-based techniques to move sensitive data into temporary directories for staging.
In some cases, legitimate binaries such as ADNotificationManager.exe were used to sideload malicious DLL payloads.
The attackers then deployed Havoc C2 frameworks and exfiltrated data using Rclone to remote SFTP servers.
Zscaler researchers suggest Payouts King may be linked to former BlackBasta affiliates due to similar tactics.
The ransomware uses AES-256 (CTR) and RSA-4096 encryption with intermittent file encryption strategies.
Ransom notes direct victims to leak sites hosted on the dark web.
STAC3725 also demonstrated advanced persistence techniques by installing ScreenConnect clients and creating local admin accounts.
Inside the QEMU VM, attackers manually installed reconnaissance tools like BloodHound, Impacket, and Kerberos utilities.
Their activities focused heavily on Active Directory enumeration, credential harvesting, and lateral movement preparation.
Sophos recommends monitoring for unauthorized QEMU usage, suspicious SYSTEM-level scheduled tasks, and unusual SSH tunneling behavior.
Outbound traffic on non-standard ports and hidden virtual machines are key indicators of compromise.
What Undercode Say:
The use of QEMU as a stealth execution layer marks a significant shift in ransomware tradecraft.
Instead of relying on simple payload execution, attackers are effectively running an entire hidden operating system inside victim machines.
This strategy makes traditional endpoint detection far less effective because the malicious activity is encapsulated within virtualization boundaries.
Security tools that inspect host-level processes fail to see inside the guest VM environment.
This creates a blind spot that advanced threat actors are actively exploiting.
The STAC4713 and STAC3725 clusters show that ransomware groups are converging on virtualization abuse as a standard post-exploitation method.
The inclusion of Alpine Linux suggests a lightweight, modular approach optimized for stealth and portability.
By embedding tools like AdaptixC2 and Chisel, attackers gain both command-and-control and tunneling capabilities in one environment.
The use of reverse SSH tunnels further complicates detection by blending with legitimate encrypted traffic.
Scheduled tasks such as TPMProfiler indicate deliberate persistence engineering rather than opportunistic infection.
Attackers are clearly aiming for long-term access instead of quick encryption-only attacks.
The integration of ScreenConnect and legitimate administrative binaries shows strong living-off-the-land tactics.
This reduces the need for custom malware that might trigger antivirus signatures.
Credential dumping via NTDS extraction confirms a strong focus on full domain compromise.
The use of VSS shadow copies highlights an understanding of Windows recovery mechanisms as a data source.
The exploitation of CitrixBleed 2 shows continued reliance on perimeter device vulnerabilities.
At the same time, social engineering through Teams and Quick Assist reflects hybrid attack strategies.
The combination of technical exploitation and human deception increases success rates significantly.
Zscaler’s attribution to former BlackBasta affiliates suggests knowledge transfer between ransomware groups.
AES-256 and RSA-4096 encryption confirm enterprise-grade cryptographic implementation.
Intermittent encryption of large files reduces processing time while maintaining impact.
Dark web leak sites remain the primary extortion channel, reinforcing double extortion models.
The presence of multiple access vectors shows operational flexibility across environments.
Exposed VPNs remain a recurring entry point, highlighting persistent enterprise hygiene issues.
The abuse of QEMU represents a broader trend of attackers weaponizing legitimate virtualization infrastructure.
Detection strategies must now include behavioral monitoring rather than signature-based inspection alone.
Security teams need visibility into hypervisor-level activity to close this blind spot.
Without such controls, attackers can effectively “hide an entire computer inside a computer.”
This evolution signals a maturing ransomware ecosystem focused on stealth, persistence, and operational resilience.
Fact Checker Results
✔ QEMU is a legitimate open-source virtualization tool commonly abused for stealth execution
✔ Reports from security researchers confirm ransomware groups are using VM-based hiding techniques
✔ CitrixBleed 2 and VPN exploitation are known real-world enterprise attack vectors
Prediction
Ransomware groups will increasingly adopt full virtualization-based payload delivery to bypass endpoint detection systems.
Future attacks will likely combine nested virtualization, encrypted tunnels, and legitimate remote management tools to achieve near-invisible persistence.
Security vendors will respond by shifting toward hypervisor-aware monitoring and behavioral anomaly detection at the kernel and network layers.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.medium.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




