
Payouts King ransomware leverages QEMU-based hidden VMs for covert operations and persistence

1 unique source, 1 article

Summary


The Payouts King ransomware operation has integrated the QEMU emulator to deploy hidden Alpine Linux virtual machines (VMs) on compromised hosts, enabling attackers to bypass endpoint security controls and execute malicious activities without detection. Using reverse SSH tunnels and scheduled tasks, threat actors associated with the GOLD ENCOUNTER group operate these VMs to harvest credentials, perform Active Directory reconnaissance, and stage data for exfiltration. Initial access vectors include exploitation of SonicWall VPNs, CitrixBleed 2 (CVE-2025-5777), Cisco SSL VPNs, and social engineering via Microsoft Teams phishing. The campaign employs multi-stage encryption, toolchain customization, and anti-analysis techniques to maintain persistence and evade detection.

Timeline

  1. 17.04.2026 22:10 · 1 article

    QEMU-based hidden VMs deployed by Payouts King ransomware to bypass security controls

    Threat actors associated with the Payouts King ransomware operation have deployed hidden QEMU-based Alpine Linux VMs on compromised hosts to execute malicious payloads, harvest credentials, and conduct reconnaissance without detection. The first campaign (STAC4713), observed since November 2025, uses scheduled tasks and reverse SSH tunnels, while a second campaign (STAC3725), observed since February 2026, exploits CitrixBleed 2 to deliver QEMU via ScreenConnect before tools are installed manually. Both campaigns demonstrate multi-vector initial access and sophisticated evasion techniques targeting enterprise environments.


Information Snippets

  • Payouts King ransomware uses QEMU to run hidden Alpine Linux 3.22.0 VMs on compromised systems, facilitating covert operations such as credential harvesting, lateral movement, and data staging.

    First reported: 17.04.2026 22:10
  • Threat actors associated with GOLD ENCOUNTER created a scheduled task named 'TPMProfiler' to launch QEMU VMs with SYSTEM privileges, disguising virtual disk files as databases and DLLs.

    First reported: 17.04.2026 22:10
  • Initial access vectors include exploitation of SonicWall VPNs, CitrixBleed 2 (CVE-2025-5777) in NetScaler ADC/Gateway, exposed Cisco SSL VPNs, and social engineering via Microsoft Teams phishing to distribute QuickAssist.

    First reported: 17.04.2026 22:10
  • Post-infection activities involve VSS shadow copy creation, SMB print command abuse to copy NTDS.dit, SAM, and SYSTEM hives, and use of tools such as AdaptixC2, Chisel, BusyBox, Rclone, Impacket, KrbRelayx, and BloodHound.py.

    First reported: 17.04.2026 22:10
  • The ransomware employs AES-256 (CTR) with RSA-4096 for encryption, intermittent encryption for larger files, and drops ransom notes directing victims to dark web leak sites.

    First reported: 17.04.2026 22:10
  • A second campaign, STAC3725, exploits CitrixBleed 2 to deploy a malicious 'AppMgmt' service, create a local admin user (CtxAppVCOMService), and install ScreenConnect for persistence before deploying QEMU-based VMs for further operations.

    First reported: 17.04.2026 22:10
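One way to turn the 'TPMProfiler' indicator above (a scheduled task launching QEMU as SYSTEM with disk images disguised as databases or DLLs) into detection logic, as an added example that is not from the page or the underlying report: the task records, their field names, and the QEMU binary and disk-image extension patterns are constructed assumptions, loosely modelled on a Windows scheduled-task creation audit event.

```python
import re
from pathlib import PureWindowsPath

# Binary names QEMU ships under (assumption: extend for renamed copies seen in your environment).
QEMU_BINARY = re.compile(r"^qemu(-system-[a-z0-9_]+|-img)?(\.exe)?$", re.IGNORECASE)
# Extensions a legitimately named VM disk image would carry; anything else passed as a
# drive is treated as "disguised" (assumption: tune per environment).
DISK_IMAGE_EXTS = {".qcow2", ".qcow", ".img", ".raw", ".vmdk", ".vhd", ".vhdx", ".vdi", ".iso"}
# Matches "-drive [opt=val,]*file=<path>" or "-hda/-hdb/-hdc/-hdd/-cdrom <path>".
DRIVE_ARG = re.compile(
    r"(?:-drive\s+(?:[^,\s]*,)*file=([^,\s]+))|(?:-(?:hd[a-d]|cdrom)\s+(\S+))", re.IGNORECASE)

# Constructed scheduled-task creation records (not real telemetry).
SAMPLE_TASKS = [
    {"task_name": r"\TPMProfiler", "run_as": "SYSTEM",
     "command": r"C:\ProgramData\tpm\qemu-system-x86_64.exe",
     "arguments": r"-m 2048 -drive file=C:\ProgramData\tpm\profile.db,format=raw -nographic"},
    {"task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "run_as": "SYSTEM",
     "command": r"%windir%\system32\defrag.exe", "arguments": "-c -h -o -$"},
    {"task_name": r"\Lab\NightlyVM", "run_as": "labuser",
     "command": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "arguments": r"-m 4096 -hda C:\VMs\alpine.qcow2"},
]


def analyze_task(task: dict) -> list[str]:
    """Return the reasons a task looks like a hidden-VM launcher; empty list means not flagged."""
    reasons: list[str] = []
    exe = PureWindowsPath(task["command"]).name
    if not QEMU_BINARY.match(exe):
        return reasons  # only QEMU launches are in scope for this rule
    reasons.append(f"scheduled task runs QEMU binary {exe}")
    if task["run_as"].upper() in {"SYSTEM", "NT AUTHORITY\\SYSTEM"}:
        reasons.append("task runs as SYSTEM")
    for m in DRIVE_ARG.finditer(task["arguments"]):
        path = m.group(1) or m.group(2)
        if PureWindowsPath(path).suffix.lower() not in DISK_IMAGE_EXTS:
            reasons.append(f"disk image with disguised extension: {path}")
    return reasons


def find_hidden_vm_tasks(tasks: list[dict]) -> dict[str, list[str]]:
    """Map each flagged task name to its reasons; the more reasons, the higher the priority."""
    findings = {}
    for task in tasks:
        reasons = analyze_task(task)
        if reasons:
            findings[task["task_name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in find_hidden_vm_tasks(SAMPLE_TASKS).items():
        print(f"{name}: {len(reasons)} indicator(s): {'; '.join(reasons)}")
```

A lab VM launched by a user with a normally named image is reported with a single, low-priority reason, while the TPMProfiler-style task accumulates all three.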