Payouts King Ransomware Abuses QEMU VMs to Disappear Inside Your Network
Threat actors deploying the Payouts King ransomware have adopted an old technique with a new edge: hiding inside QEMU virtual machines to make their entire operation invisible to endpoint security running on the host. Sophos documented the campaigns in detail this week, and the approach is elegant from an attacker's perspective — if your EDR can't see inside the VM, it can't scan the disk, intercept the process, or flag the network tunnel.
What Happened
Payouts King is a ransomware operation linked by Zscaler to former BlackBasta affiliates, based on shared initial access tradecraft: Microsoft Teams phishing, Quick Assist abuse, and spam bombing. The group is tracked by Sophos as GOLD ENCOUNTER and has been observed since November 2025.
In the latest evolution, the attackers deploy QEMU on the compromised host and run a minimal Alpine Linux VM (version 3.22.0) inside it. The VM is launched from a hidden scheduled task named "TPMProfiler" that runs as SYSTEM. The virtual disk is disguised as a database or DLL file, and the operators keep covert access to the infected machine through reverse SSH tunnels combined with port forwarding into the guest.
Once inside the VM, the attacker toolkit is installed manually, including AdaptixC2, Chisel, BusyBox, Rclone, Impacket, KrbRelayx, BloodHound.py, and Metasploit. C2 runs over the guest's own network stack, so on the host the traffic is just outbound connections attributed to the trusted QEMU process rather than to an implant the EDR could inspect.
Why It Matters to Defenders
QEMU is open-source, freely available, and entirely legitimate. It is not malware, and your security stack has no inherent reason to flag it. More importantly, an EDR agent on the host sees only a qemu-system process: the guest's processes, file writes, and network connections are not host events, the guest's memory is an opaque region inside that process, and the guest's disk is a single image file whose contents the agent does not parse. Without virtualization-aware instrumentation (which most environments do not have), everything that happens inside the guest is invisible to host telemetry.
ShadowServer tracks over 7,500 Apache ActiveMQ servers exposed online. Payouts King has also been observed exploiting CitrixBleed 2 (CVE-2025-5777) on NetScaler devices as an initial access vector, and exposed SonicWall VPNs and SolarWinds Web Help Desk (CVE-2025-26399) in earlier campaigns.
The implications for defenders are specific: this technique does not exploit a vulnerability — it abuses a legitimate feature. You cannot patch your way out of it without controlling what software is allowed to run on servers and endpoints.
What to Do
Audit for QEMU installations on Windows servers and endpoints — particularly where they are not expected or justified by a legitimate virtualization workload. Check for scheduled tasks running as SYSTEM with names like TPMProfiler, or any task launching qemu-system-x86_64 or similar binaries.
Review outbound SSH from servers and endpoints, both on port 22 and on non-standard ports. A reverse SSH tunnel (ssh -R) is an outbound session from the victim to the attacker that then carries attacker-initiated connections back in, so a perimeter policy that permits outbound SSH lets it straight through. Baseline which hosts have any business opening outbound SSH sessions, and alert on the rest.
For the ActiveMQ exposure: if you run ActiveMQ Classic or Artemis and have not patched CVE-2026-34197 (the 13-year-old RCE now in CISA's KEV), treat that as Tier 1. For NetScaler: CVE-2025-5777 (CitrixBleed 2) is actively targeted. Apply patches.
Finally, if your EDR supports behavioral detection rules, alert on qemu-system binaries whose parent is an unexpected process: a scheduled task host, a shell spawned from a remote-assistance session, or an interactive user application, rather than the management service of a sanctioned virtualization platform. That is an unusual execution chain for any legitimate workload.
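The three host-side checks above (scheduled tasks that launch QEMU, running qemu-system processes with their parent and outbound connections, and disk images disguised as DLL or database files) can be run as one hunting script. The following is an added example written for this article; it is not Sophos' or the original author's code. The task-name check, the "hostfwd=" heuristic for QEMU user-mode port forwarding, the file extensions scanned, and the default $ScanRoot are illustrative assumptions, not details from the campaign write-up.

```powershell
<#
  Hunt for QEMU-hosted guests on a Windows host. Added example, not from the
  original article. Assumptions (not from the article): the TPMProfiler name
  check, the "hostfwd=" heuristic, the extensions scanned and $ScanRoot are
  illustrative. Run in an elevated PowerShell session.
#>
param([string]$ScanRoot = 'C:\')

$qemuPattern = 'qemu-system'

# 1. Scheduled tasks that launch a qemu-system binary, or carry the task name seen in this campaign.
function Find-QemuScheduledTask {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # ExecAction exposes Execute/Arguments; other action types yield empty strings here.
            $cmd = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
            if ($cmd -match $qemuPattern -or $task.TaskName -eq 'TPMProfiler') {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    RunAs    = $task.Principal.UserId
                    Hidden   = $task.Settings.Hidden
                    Command  = $cmd
                }
            }
        }
    }
}

# 2. Running qemu-system processes: who spawned them, who they run as, where they connect.
function Find-QemuProcess {
    $all = Get-CimInstance Win32_Process
    foreach ($p in ($all | Where-Object { $_.Name -match $qemuPattern })) {
        $parent = $all | Where-Object { $_.ProcessId -eq $p.ParentProcessId } | Select-Object -First 1
        $parentDesc = 'unknown'
        if ($parent) { $parentDesc = '{0} ({1})' -f $parent.Name, $parent.ProcessId }
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $conns = Get-NetTCPConnection -OwningProcess $p.ProcessId -State Established -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Pid         = $p.ProcessId
            Parent      = $parentDesc
            Owner       = '{0}\{1}' -f $owner.Domain, $owner.User
            # QEMU user-mode networking exposes guest ports via "-netdev user,...,hostfwd=" (heuristic).
            PortForward = [bool]($p.CommandLine -match 'hostfwd=')
            Remote      = ($conns | ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort }) -join ', '
            CommandLine = $p.CommandLine
        }
    }
}

# 3. Files whose header contradicts their extension: a ".dll" that is not a PE image, or any
#    scanned file starting with the qcow2 magic "QFI\xfb". Raw images carry no magic and are
#    only caught here when mislabelled as a DLL.
function Find-DisguisedDiskImage {
    param([string]$Root)
    $qcow2Magic = [byte[]](0x51, 0x46, 0x49, 0xFB)
    Get-ChildItem -Path $Root -Recurse -File -Include *.dll, *.mdf, *.db -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hdr = New-Object byte[] 4
        try {
            $fs = [System.IO.File]::OpenRead($_.FullName)
            try { $null = $fs.Read($hdr, 0, 4) } finally { $fs.Dispose() }
        } catch { return }   # locked or unreadable file: skip it
        $isQcow2 = ($hdr -join ',') -eq ($qcow2Magic -join ',')
        $isPE    = ($hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A)   # 'MZ'
        if ($isQcow2 -or ($_.Extension -eq '.dll' -and -not $isPE)) {
            [pscustomobject]@{
                Path    = $_.FullName
                SizeMB  = [math]::Round($_.Length / 1MB, 1)
                Qcow2   = $isQcow2
                ValidPE = $isPE
            }
        }
    }
}

Write-Host '== Scheduled tasks launching QEMU =='
Find-QemuScheduledTask | Format-Table -AutoSize
Write-Host '== Running qemu-system processes =='
Find-QemuProcess | Format-List
Write-Host "== Header/extension mismatches under $ScanRoot =="
Find-DisguisedDiskImage -Root $ScanRoot | Format-Table -AutoSize
```

This is a point-in-time hunt, not prevention: a guest that is not running and whose task has been deleted leaves only the disk image to find, and a raw (non-qcow2) image under a .mdf or .db name will not be caught by the header check. Prevention is application control that refuses to execute qemu-system binaries on hosts with no sanctioned virtualization workload, which is the "control what software is allowed to run" point above.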
What It Signals
This is not a new technique: the LoudMiner cryptominer used VMs for evasion in 2019, and multiple ransomware groups have experimented with virtualization layers. What is notable is the operational maturity: GOLD ENCOUNTER is using QEMU VMs as a standard part of their post-compromise toolkit, with manual compilation of offensive tooling inside the VM and Kerberos-based AD reconnaissance before encryption.
The use of QEMU also signals that attackers are increasingly comfortable living off the land with legitimate open-source virtualization tools, rather than bringing custom malware that will be detected. The question for defenders is whether your detection stack has visibility into what runs inside a guest VM — and in most environments, the honest answer is no.
References
Sophos research: https://www.sophos.com/en-us/blog/qemu-abused-to-evade-detection-and-enable-ransomware-delivery
BleepingComputer original: https://www.bleepingcomputer.com/news/security/payouts-king-ransomware-uses-qemu-vms-to-bypass-endpoint-security/
Zscaler on Payouts King: https://www.zscaler.com/blogs/security-research/payouts-king-takes-aim-ransomware-throne