Payouts King Ransomware Uses QEMU VMs to Bypass Endpoint Security

What Happened

Sophos researchers documented a threat actor deploying QEMU virtual machines on compromised Windows hosts as part of the Payouts King ransomware operation. The attack chain uses QEMU to run a hidden Alpine Linux VM that executes attacker tooling — completely invisible to host-based endpoint security. The campaigns, tracked as STAC4713 and STAC3725, also exploit CitrixBleed 2 (CVE-2025-5777) and SolarWinds Web Help Desk (CVE-2025-26399) for initial access. Payouts King is suspected to have origins in former BlackBasta affiliates.

Why It Matters

This is not theoretical. Running malware inside a VM means your EDR, antivirus, and host logging are all blind to the payload: the only thing the host sees is a QEMU process. The VM's network traffic looks like legitimate QEMU process activity. The exfiltration traffic looks like standard SSH. Traditional controls were not designed to detect tooling running inside an emulated guest OS, and most SIEM playbooks do not account for it. This is a material gap in defensive architecture.

What Defenders Should Do

Audit for QEMU installations on endpoints — particularly on servers and VPN gateways. Check for scheduled tasks running as SYSTEM with names like "TPMProfiler". Review outbound SSH connections from servers, especially on non-standard ports. Monitor for ADNotificationManager.exe being used for DLL sideloading, a technique observed in these campaigns. For NetScaler environments, ensure CVE-2025-5777 is patched. For SonicWall VPNs, verify firmware is current and the management interface is not internet-facing.
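The host-side checks above, as an added PowerShell hunting script (not from Sophos or the original post). It assumes an elevated session on a Windows host. The search roots and the ssh/plink/putty/qemu process-name pattern are illustrative choices, not campaign indicators; the "TPMProfiler" task name and ADNotificationManager.exe come from the brief itself. The NetScaler and SonicWall patch checks are off-host and are not covered here.

```powershell
# Added hunting script for the indicators described above; not code from Sophos or the original post.
# Assumptions: run elevated on Windows; $searchRoots and the process-name pattern are illustrative.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. QEMU binaries on disk. A QEMU install on a server or VPN gateway is rarely legitimate.
$searchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData,
                 $env:PUBLIC, $env:TEMP, "$env:SystemDrive\Users")
foreach ($root in ($searchRoots | Where-Object { $_ -and (Test-Path $_) })) {
    Get-ChildItem -Path $root -Recurse -Filter 'qemu*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'QEMU binary on disk' $_.FullName }
}

# 2. QEMU processes currently running: a hidden guest VM is visible only as the host-side qemu process.
Get-Process | Where-Object { $_.ProcessName -like 'qemu*' } |
    ForEach-Object { Add-Finding 'QEMU process running' "PID $($_.Id) $($_.Path)" }

# 3. Scheduled tasks running as SYSTEM named like the campaign's "TPMProfiler" task, or whose
#    action launches qemu.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    $asSystem = $task.Principal.UserId -match 'SYSTEM|S-1-5-18'
    if ($asSystem -and ($task.TaskName -match 'TPMProfiler' -or $actions -match 'qemu')) {
        Add-Finding 'SYSTEM scheduled task' "$($task.TaskPath)$($task.TaskName) -> $actions"
    }
}

# 4. Established outbound TCP connections owned by an SSH client or by QEMU (guest traffic leaves
#    through the host qemu process). Port 22 is listed too; non-standard remote ports are marked.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    $conn = $_
    if ($conn.RemoteAddress -match '^(127\.|::1$)') { return }   # skip loopback
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    if ($proc -and $proc.ProcessName -match '^(ssh|plink|putty|qemu)') {
        $tag = if ($conn.RemotePort -eq 22) { 'port 22' } else { "NON-STANDARD port $($conn.RemotePort)" }
        Add-Finding 'Outbound SSH/QEMU connection' `
            "$($proc.ProcessName) (PID $($proc.Id)) -> $($conn.RemoteAddress):$($conn.RemotePort) [$tag]"
    }
}

# 5. ADNotificationManager.exe abused for DLL sideloading: flag instances running outside Program Files
#    and any DLL loaded from the executable's own directory that lacks a valid Authenticode signature.
Get-Process -Name ADNotificationManager -ErrorAction SilentlyContinue | ForEach-Object {
    $exe = $_.Path
    if (-not $exe) { return }
    if ($exe -notlike "$env:ProgramFiles\*" -and $exe -notlike "${env:ProgramFiles(x86)}\*") {
        Add-Finding 'ADNotificationManager.exe outside Program Files' $exe
    }
    $dir = Split-Path -Parent $exe
    $modules = try { $_.Modules } catch { @() }   # module list is unreadable without sufficient rights
    foreach ($mod in $modules) {
        if ($mod.FileName -like "$dir\*.dll") {
            $sig = Get-AuthenticodeSignature -FilePath $mod.FileName -ErrorAction SilentlyContinue
            if (-not $sig -or $sig.Status -ne 'Valid') {
                Add-Finding 'Unsigned DLL beside ADNotificationManager.exe' "$($mod.FileName) ($($sig.Status))"
            }
        }
    }
}

if ($findings.Count -eq 0) { Write-Output 'No matching indicators found on this host.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Every hit is a lead for review rather than a verdict: a QEMU binary under a developer's profile or an SSH session from a jump host can be legitimate, so feed the output into your ticketing or SIEM and triage by host role, with servers and VPN gateways first.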

What It Signals

The bar for bypassing endpoint security has dropped to commodity tooling. QEMU is open source, well-documented, and the techniques are not new — 3AM ransomware used this before, and LoudMiner before that. The pattern is clear: adversaries will continue abusing virtualization to operate under the radar. Defense-in-depth is not optional here. If your monitoring stack cannot see inside VMs, assume the adversary can use them with impunity.

References

Sophos: QEMU Abused to Evade Detection and Enable Ransomware Delivery

Zscaler: Payouts King Takes Aim at Ransomware Throne

BleepingComputer: Payouts King Ransomware Uses QEMU VMs

CISA: Apache ActiveMQ (Related Context)
