Payouts King Ransomware Abuses QEMU VMs to Evade Endpoint Security — What Practitioners Need to Know

Payouts King ransomware operators are abusing QEMU virtual machines as a covert staging environment on compromised Windows hosts — effectively using the emulator to run a hidden Linux attack platform that sits beneath endpoint security tools. Security researchers at Sophos documented the technique in two active campaigns this week, and the implications for defenders are significant.

What Happened

Sophos tracks two separate campaigns deploying this tactic. The first, designated STAC4713, is tied to the GOLD ENCOUNTER threat group and the Payouts King ransomware operation. Attackers deploy a scheduled task named "TPMProfiler" that launches a hidden QEMU VM as SYSTEM, using virtual disk files disguised as database and DLL artifacts. The VM runs Alpine Linux 3.22.0 loaded with attacker tooling including AdaptixC2, Chisel, BusyBox, and Rclone. Port forwarding over a reverse SSH tunnel provides covert command and control.

Initial access in these campaigns came through exposed SonicWall VPNs and exploitation of the SolarWinds Web Help Desk vulnerability CVE-2025-26399. In more recent activity, GOLD ENCOUNTER pivoted to exposed Cisco SSL VPNs and social engineering via Microsoft Teams, tricking employees into installing Quick Assist.

The second campaign, STAC3725, exploits CitrixBleed 2 (CVE-2025-5777) on NetScaler ADC/Gateway devices. After compromising the appliance, attackers deploy a ZIP archive that installs a service, creates a local admin account, and drops a ScreenConnect client for persistence. From there, QEMU is manually compiled inside the VM along with a toolkit including Impacket, KrbRelayx, Coercer, BloodHound.py, NetExec, Kerbrute, and Metasploit — a fully operational attack environment running undetected inside the victim network.

Why It Matters

This technique represents a structural bypass of endpoint detection. Modern endpoint protection platforms inspect processes, file writes, and network activity on the host OS — but they cannot see inside a QEMU guest running its own kernel. The malware doesn't need to inject into protected processes or evade behavioral heuristics when it can simply operate in a separate VM, launched with SYSTEM privileges, that the host agent cannot instrument.

The implications extend beyond initial ransomware staging. Running a full Linux VM means attackers can use native Linux offensive tools without any Windows-level artifacts. Kerberos relay attacks, credential dumping, AD reconnaissance — all execute from the VM with no equivalent process tree visible in Windows task manager or Event Tracing on the host.

For defenders, the traditional atomic indicators — new services, unexpected binaries, suspicious scheduled tasks — may be absent or appear legitimate on the host. The QEMU binary itself may masquerade with a benign name, and the VM's network traffic is tunneled over SSH, which is typically whitelisted in enterprise environments.

What Defenders Should Do

Audit QEMU installations. Legitimate use of QEMU on Windows servers is uncommon outside of specific virtualization or build-automation workflows. Any unexpected QEMU presence warrants investigation.

Get-Process | Where-Object { $_.Path -like "*qemu*" }

Review scheduled tasks running as SYSTEM. Tasks like "TPMProfiler" that you didn't create are a high-fidelity indicator.

Monitor for outbound SSH on non-standard ports. QEMU reverse tunnels typically use port forwarding on high or non-standard ports rather than port 22. Correlate SSH outbound connections with process ownership on the host.

Hunt for qcow2 disk images outside expected directories. The malicious VM disk files are sometimes named to resemble database files — look for files with the .qcow2 extension or files matching *qcow* patterns in temp and app data directories. Because the disk files in these campaigns were disguised as database and DLL artifacts, extension matching is only a starting point; checking file headers catches renamed images.

Validate CitrixBleed 2 patching. CVE-2025-5777 is actively exploited in STAC3725. If your NetScaler ADC or Gateway instances haven't been patched, treat them as compromised and rotate credentials for accounts with access to those devices.
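The host-side checks above can be run as one PowerShell hunt. The script below is an added example, not code from the Sophos report; the directory list, the 10 MB size threshold, and the SYSTEM principal match are assumptions to adjust for your environment, and it should run elevated so process paths and connection owners are visible.

```powershell
# Added hunting script (not from the Sophos report). Assumption: run as an
# administrator on the Windows host being examined.

# 1. QEMU-like processes: match on path as well as name, since the binary may be renamed.
$qemuProcs = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -like '*qemu*' -or $_.ProcessName -like '*qemu*' }
$qemuProcs | Select-Object Id, ProcessName, Path | Format-Table -AutoSize

# 2. Scheduled tasks running as SYSTEM whose action looks like a QEMU launch
#    (binary name, image name, or common QEMU switches such as -drive / -netdev / -hda).
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    $actionText = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    if ($task.Principal.UserId -match 'SYSTEM|S-1-5-18' -and
        $actionText -match 'qemu|qcow|\s-(drive|netdev|hda)\s') {
        [pscustomobject]@{ TaskName = $task.TaskName; TaskPath = $task.TaskPath; Action = $actionText }
    }
} | Format-Table -AutoSize

# 3. Disk images by content, not extension: qcow2 files begin with the magic bytes
#    "QFI\xfb" (0x51 0x46 0x49 0xFB), so a .db or .dll rename does not hide them.
#    Raw (non-qcow2) images have no magic and are not found by this check.
$dirs = @($env:TEMP, $env:LOCALAPPDATA, $env:ProgramData)   # constructed list, extend as needed
Get-ChildItem -Path $dirs -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 10MB } |
    ForEach-Object {
        $fs = [System.IO.File]::OpenRead($_.FullName)
        try { $buf = New-Object byte[] 4; $n = $fs.Read($buf, 0, 4) } finally { $fs.Close() }
        if ($n -eq 4 -and $buf[0] -eq 0x51 -and $buf[1] -eq 0x46 -and
            $buf[2] -eq 0x49 -and $buf[3] -eq 0xFB) { $_ }
    } | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

# 4. Established outbound connections owned by a QEMU process to ports other than 22.
#    With QEMU user-mode networking the guest's traffic is sourced by the qemu process itself;
#    with a TAP adapter the owning process will differ and this view will be empty.
$ids = @($qemuProcs | ForEach-Object { $_.Id })
if ($ids.Count -gt 0) {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $ids -contains $_.OwningProcess -and $_.RemotePort -ne 22 } |
        Select-Object OwningProcess, LocalAddress, LocalPort, RemoteAddress, RemotePort |
        Format-Table -AutoSize
}
```

Run it on a known-clean build or virtualization host first to learn what legitimate QEMU use looks like there, then treat hits on ordinary Windows servers as investigation leads.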

What It Signals

The commoditization of QEMU as an evasion layer reflects a broader shift: financially motivated threat actors are borrowing techniques from advanced persistent threat toolkits to close the gap between initial access and ransomware deployment. The barrier to operationalizing this technique is low — QEMU is open-source and pre-compiled binaries are widely available.

Organizations that rely on endpoint detection alone for defense-in-depth should treat this as evidence that EDR coverage gaps exist at the hypervisor layer. Behavioral analytics, network traffic analysis, and regular AD security assessments remain necessary complements to endpoint protection.
