Payouts King ransomware QEMU reverse SSH backdoor activity

Malware Activity
Happening score: 48
1 unique source, 1 article

Summary

Payouts King ransomware is using hidden QEMU virtual machines and a reverse SSH backdoor to maintain covert access on compromised hosts and evade endpoint security. The malware launches the hidden VM as SYSTEM through a scheduled task named TPMProfiler and uses port forwarding to create stealthy tunnels. Inside the VM, operators run Alpine Linux 3.22.0 with tools such as AdaptixC2, Chisel, BusyBox, and Rclone. The activity has been observed in ongoing intrusions since November 2025 and is being used to support credential theft and staging for exfiltration.

Related Happenings

EtherRAT malicious MSI loader with Ethereum-based C2

Malware Activity
First: 30.04.2026 14:30 · Last: 30.04.2026 14:30 · Sources: 1

About this happening: The **EtherRAT** malware is being delivered through **malicious MSI installers** and gives attackers **persistent Windows access**, increasing the risk of covert control inside en...

BPFDoor Linux backdoor with HTTPS-hidden trigger packets

Malware Activity
First: 26.03.2026 19:40 · Last: 26.03.2026 19:40 · Sources: 1

About this happening: A newly disclosed **BPFDoor** variant is hiding trigger packets inside **HTTPS traffic** and using **ICMP** between infected hosts, making the **Linux** backdoor harder to detect...

EtherRAT Node.js backdoor with Ethereum smart-contract C2

Malware Activity
First: 26.03.2026 17:00 · Last: 26.03.2026 17:00 · Sources: 1

About this happening: The **EtherRAT** malware activity centers on a **Node.js-based backdoor** that uses **Ethereum smart contracts** to hide and rotate C2 infrastructure. In a **React2Shell** attack,...

Warlock ransomware post-exploitation tooling upgrades

Malware Activity
First: 17.03.2026 17:36 · Last: 17.03.2026 17:36 · Sources: 1

About this happening: The **Warlock ransomware group** has upgraded its post-exploitation toolset with **BYOVD**, **TightVNC**, and **Yuze**, making intrusions harder to detect and interrupt. In an obs...

GhostLoader RAT-stealer via @openclaw-ai/openclawai

Malware Activity
First: 09.03.2026 20:31 · Last: 09.03.2026 20:31 · Sources: 1

About this happening: A malicious **@openclaw-ai/openclawai** npm package is delivering **GhostLoader** to **macOS** hosts, enabling **credential theft**, **browser-session cloning**, and persistent re...

Timeline

  1. 17.04.2026 22:10 · 2 articles

    Payouts King ransomware QEMU reverse SSH backdoor activity

    Initial Disclosure

    The first phase established a hidden **QEMU** virtual machine and a covert **SSH tunnel** on the compromised host. That setup provided stealthy execution and remote access before credential theft and exfiltration staging began.