Payouts King Ransomware Uses QEMU Virtual Machines to Evade Detection

The Payouts King ransomware operation is running hidden QEMU virtual machines on compromised Windows hosts and using them to hold reverse SSH backdoors that bypass endpoint protection. Host-based security tools cannot inspect the guest, so the attackers can execute payloads, stage malicious files, and keep a covert remote-access tunnel open from inside it. Sophos documented two campaigns; the first, STAC4713, is linked to Payouts King and to the GOLD ENCOUNTER threat group, which targets hypervisors and VMware environments.

Attackers create a scheduled task named TPMProfiler that launches a hidden Alpine Linux VM as SYSTEM, with the virtual disk files disguised as database and DLL files. The VM carries AdaptixC2, Chisel, BusyBox, and Rclone for post-exploitation. Initial access has come through exposed SonicWall VPNs, the SolarWinds Web Help Desk vulnerability CVE-2025-26399, and Microsoft Teams social engineering in which the attackers pose as IT staff.

A second campaign, tracked as STAC3725, exploits the CitrixBleed 2 vulnerability, installs ScreenConnect for persistence, and deploys QEMU with Alpine Linux; inside the VM the attackers manually compile Impacket, KrbRelayx, and BloodHound. Payouts King encrypts files with AES-256 combined with RSA-4096, uses intermittent encryption for larger files, and leaves ransom notes that point victims to dark web leak sites. Zscaler reports that the strain likely involves former BlackBasta affiliates who reuse that group's initial-access methods, including spam bombing and Quick Assist abuse. Organizations are advised to monitor for unauthorized QEMU installations, suspicious scheduled tasks, and outbound SSH tunnels on non-standard ports.
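The monitoring advice above turned into a triage script, as an added example (not code from Sophos, Zscaler, or the page): it runs the three checks, QEMU execution, scheduled tasks whose action is QEMU, and outbound connections from the QEMU process, over a constructed set of host telemetry records. The record shapes and field names are assumptions loosely modelled on Sysmon process-creation and network-connection events and Windows scheduled-task creation events; the disk-extension list, severity levels and rule names are my own choices, and the TPMProfiler task name is the only indicator taken from the reporting.

```python
"""Triage host telemetry for the hidden-QEMU pattern (added example)."""
import os
import re
from typing import Dict, Iterable, List

# QEMU for Windows binaries: qemu-system-*.exe, qemu-img.exe, qemu-ga.exe
QEMU_IMAGE = re.compile(r"(^|[\\/])qemu(-system-[\w-]+|-img|-ga)?\.exe$", re.I)

# Disk arguments QEMU accepts: -hda..-hdd, -cdrom, -drive ...file=PATH...
DISK_ARG = re.compile(r'-(?:hd[a-d]|cdrom|drive\s+[^ ]*file=)\s*"?([^\s",]+)', re.I)

# Extensions a VM disk normally carries; anything else is a disguise
# candidate (the campaign used database- and DLL-looking names). Assumed list.
DISK_EXTENSIONS = {".qcow2", ".img", ".raw", ".vmdk", ".vdi", ".iso", ".vhd", ".vhdx"}

SYSTEM_PRINCIPALS = {"NT AUTHORITY\\SYSTEM", "SYSTEM", "S-1-5-18"}

# Task name reported for STAC4713. A name is weak evidence on its own, so the
# rule keys on the task's action and the name only adds context.
REPORTED_TASK_NAMES = {"TPMProfiler"}


def is_qemu(path: str) -> bool:
    """True if an image path or task command is a QEMU binary."""
    return bool(QEMU_IMAGE.search(path.strip('"')))


def disguised_disks(cmdline: str) -> List[str]:
    """Disk-image paths on a QEMU command line that lack a disk extension."""
    return [m.group(1) for m in DISK_ARG.finditer(cmdline)
            if os.path.splitext(m.group(1))[1].lower() not in DISK_EXTENSIONS]


def triage(events: Iterable[Dict]) -> List[Dict]:
    """Apply the three checks to telemetry records; returns findings in order."""
    findings = []
    for ev in events:
        kind = ev["kind"]
        if kind == "process" and is_qemu(ev["image"]):
            as_system = ev.get("user") in SYSTEM_PRINCIPALS
            findings.append({"rule": "qemu-exec",
                             "severity": "high" if as_system else "medium",
                             "detail": f"{ev['image']} run as {ev.get('user')}"})
            for path in disguised_disks(ev.get("cmdline", "")):
                findings.append({"rule": "qemu-disguised-disk", "severity": "high",
                                 "detail": f"disk image with non-disk extension: {path}"})
        elif kind == "task" and is_qemu(ev["command"]):
            note = " (name matches reported campaign task)" if ev["name"] in REPORTED_TASK_NAMES else ""
            findings.append({"rule": "qemu-scheduled-task", "severity": "high",
                             "detail": f"task {ev['name']} runs {ev['command']} as {ev.get('principal')}{note}"})
        elif kind == "network" and is_qemu(ev["image"]) and ev.get("initiated", True):
            # With QEMU's default user-mode (SLIRP) networking the guest's
            # connections are made by the qemu process itself, so any outbound
            # socket from it is the tunnel's footprint regardless of port.
            # A TAP-based setup would need a different rule (assumption).
            findings.append({"rule": "qemu-outbound", "severity": "high",
                             "detail": f"{ev['image']} -> {ev['dst_ip']}:{ev['dst_port']}"})
    return findings


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\ProgramData\Intel\qemu-system-x86_64.exe",
     "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": r'"C:\ProgramData\Intel\qemu-system-x86_64.exe" -m 2048 '
                r'-drive file=C:\ProgramData\Intel\cache.db,format=qcow2 '
                r'-display none -netdev user,id=n0 -device virtio-net,netdev=n0'},
    {"kind": "process", "image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "user": "CORP\\devuser",
     "cmdline": r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -hda D:\vms\alpine.qcow2'},
    {"kind": "process", "image": r"C:\Windows\System32\svchost.exe", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "svchost.exe -k netsvcs -p -s Schedule"},
    {"kind": "task", "name": "TPMProfiler", "principal": "SYSTEM",
     "command": r"C:\ProgramData\Intel\qemu-system-x86_64.exe"},
    {"kind": "task", "name": "OneDrive Standalone Update", "principal": "CORP\\devuser",
     "command": r"C:\Users\devuser\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
    {"kind": "network", "image": r"C:\ProgramData\Intel\qemu-system-x86_64.exe",
     "initiated": True, "dst_ip": "203.0.113.10", "dst_port": 2222},
    {"kind": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "initiated": True, "dst_ip": "198.51.100.7", "dst_port": 443},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['detail']}")
```

On the sample set the script raises five findings: the SYSTEM-level QEMU launch, its .db-named disk image, a lower-severity developer QEMU run, the TPMProfiler task, and the outbound connection from the QEMU process; the unrelated svchost, OneDrive and Firefox records produce nothing.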
