Ethical Hacking News
The Payouts King ransomware has been identified as utilizing QEMU (Quick Emulator) virtual machines as a reverse SSH backdoor to execute malicious payloads on compromised systems. This tactic allows attackers to bypass endpoint security, making it challenging for security solutions to scan inside the virtual machines. Learn more about this emerging threat and how organizations can protect themselves from similar attacks.
The Payouts King ransomware uses QEMU (Quick Emulator) virtual machines as a reverse SSH backdoor to execute malicious payloads on compromised systems. QEMU lets attackers run hidden virtual machines on the compromised host, and security products cannot scan inside those VMs. The ransomware has been linked to the GOLD ENCOUNTER threat group, which is known for targeting VMware ESXi hypervisors with its encryptors. The actors use QEMU-powered VMs to execute payloads, store malicious files, and create covert remote access tunnels over SSH. In one intrusion they created a scheduled task named 'TPMProfiler' to launch a hidden QEMU VM as SYSTEM and then established a reverse SSH tunnel through it. The ransomware uses AES-256 (CTR) with RSA-4096 encryption and applies intermittent encryption to larger files. Organizations should look for unauthorized QEMU installations, suspicious scheduled tasks running with SYSTEM privileges, unusual SSH port forwarding, and outbound SSH tunnels on non-standard ports.
The threat landscape has evolved significantly over the years, with new and innovative tactics being employed by attackers to bypass endpoint security. The latest addition to this evolving arsenal is the Payouts King ransomware, which has been identified as utilizing QEMU (Quick Emulator) virtual machines as a reverse SSH backdoor to execute malicious payloads on compromised systems.
QEMU, an open-source CPU emulator and system virtualization tool, allows users to run operating systems on a host computer as virtual machines. Attackers abuse this to run hidden virtual machines on the compromised host, where security solutions cannot see inside the VM. As a result, threat actors can use QEMU-powered VMs to execute payloads, store malicious files, and create covert remote access tunnels over SSH.
The Payouts King ransomware has been linked to the GOLD ENCOUNTER threat group, which is known for targeting VMware ESXi hypervisors with its encryptors. According to researchers at Sophos, the actors behind this campaign are associated with that group and have used QEMU-powered VMs as part of their tooling.
In a recent incident tracked by Sophos as STAC4713, the attackers created a scheduled task named 'TPMProfiler' to launch a hidden QEMU VM as SYSTEM. They then configured port forwarding to provide covert access to the infected host over a reverse SSH tunnel. The VM runs Alpine Linux 3.22.0 and ships attacker tools including AdaptixC2, Chisel, BusyBox, and Rclone.
Initial access was gained through exposed SonicWall VPNs or by exploiting vulnerabilities in SolarWinds Web Help Desk and CitrixBleed 2, depending on the intrusion. Once inside, the attackers used VSS (vssuirun.exe) to create a shadow copy and then copied NTDS.dit together with the SAM and SYSTEM registry hives to temp directories.
In an attack observed by Sophos in February, the GOLD ENCOUNTER threat actors posed as IT staff and tricked employees into downloading and installing QuickAssist. They leveraged Rclone to exfiltrate data from the infected system to a remote SFTP location.
The Payouts King ransomware's encryption scheme utilizes AES-256 (CTR) with RSA-4096, featuring intermittent encryption for larger files. The strain employs heavy obfuscation and anti-analysis mechanisms, establishing persistence via scheduled tasks and terminating security tools using low-level system calls.
In contrast, the second campaign tracked by Sophos as STAC3725 has been active since February and exploits the CitrixBleed 2 vulnerability to gain initial access to target environments. After compromising NetScaler devices, the attackers deployed a ZIP archive containing a malicious executable that installed a service named 'AppMgmt,' created a new local admin user (CtxAppVCOMService), and installed a ScreenConnect client for persistence.
The attackers then connected to a remote relay server and established a session with system privileges. They dropped and extracted a QEMU package that ran a hidden Alpine Linux VM from a custom .qcow2 disk image. Instead of using a pre-built toolkit, the attackers manually installed and compiled their tools inside the VM, including Impacket, KrbRelayx, Coercer, BloodHound.py, NetExec, Kerbrute, and Metasploit.
This campaign has been observed to include credential harvesting, Kerberos username enumeration, Active Directory reconnaissance, and staging data for exfiltration via FTP servers. Sophos recommends that organizations look for unauthorized QEMU installations, suspicious scheduled tasks running with SYSTEM privileges, unusual SSH port forwarding, and outbound SSH tunnels on non-standard ports.
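A defender's starting point for the hunts listed above, as an added example that is not code from the article or from Sophos: it runs the indicator checks over constructed scheduled-task and network-connection records (the record fields, the sample QEMU command line and the addresses are assumptions), flagging QEMU started as SYSTEM, headless VMs, hostfwd port forwarding into the guest, and outbound connections owned by the QEMU process.

```python
import re
from collections import namedtuple

# Indicators named in the article: QEMU launched by a scheduled task as SYSTEM, a
# headless VM, hostfwd port forwarding into the guest, and outbound connections
# from the QEMU process. All records below are constructed, not incident telemetry.
QEMU_BIN = re.compile(r"qemu-system-\w+(?:\.exe)?", re.IGNORECASE)
HOSTFWD = re.compile(r"hostfwd=(tcp|udp):([\d.]*):(\d+)-([\d.]*):(\d+)")
SYSTEM_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "S-1-5-18"}

# run_as: principal the task runs under; command: action executable plus arguments
ScheduledTask = namedtuple("ScheduledTask", "name run_as command")
Connection = namedtuple("Connection", "pid process remote_addr remote_port state")

def task_findings(task):
    """Indicator strings for one scheduled task; empty when nothing is suspicious."""
    out = []
    if not QEMU_BIN.search(task.command):
        return out
    if task.run_as.upper() in SYSTEM_ACCOUNTS:
        out.append(f"task {task.name!r} launches QEMU as SYSTEM")
    if "-display none" in task.command or "-nographic" in task.command:
        out.append(f"task {task.name!r} runs QEMU headless (hidden VM)")
    for m in HOSTFWD.finditer(task.command):
        out.append(f"task {task.name!r} forwards host {m[1]} port {m[3]} to guest port {m[5]}")
    return out

def connection_findings(conn):
    """Established outbound connections owned by a QEMU process (with user-mode
    networking the guest's tunnel traffic egresses from that process)."""
    if not (QEMU_BIN.search(conn.process) and conn.state == "ESTABLISHED"):
        return []
    kind = "standard SSH port" if conn.remote_port == 22 else "non-standard port"
    return [f"pid {conn.pid} ({conn.process}) -> {conn.remote_addr}:{conn.remote_port} ({kind})"]

def hunt(tasks, conns):
    return [f for t in tasks for f in task_findings(t)] + [f for c in conns for f in connection_findings(c)]

SAMPLE_TASKS = [  # constructed; the first mimics the 'TPMProfiler' pattern described above
    ScheduledTask("TPMProfiler", "SYSTEM", r"C:\ProgramData\qemu\qemu-system-x86_64.exe -m 1024 "
                  r"-hda alpine.qcow2 -netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0 -display none"),
    ScheduledTask("NightlyBackup", "SYSTEM", r"C:\Windows\System32\wbadmin.exe start backup"),
]
SAMPLE_CONNS = [  # constructed; TEST-NET addresses
    Connection(4120, "qemu-system-x86_64.exe", "203.0.113.10", 8443, "ESTABLISHED"),
    Connection(812, "svchost.exe", "203.0.113.20", 443, "ESTABLISHED"),
]
```

In practice the records come from a scheduled-task export and process/network telemetry; `hunt(SAMPLE_TASKS, SAMPLE_CONNS)` returns four findings for the constructed data, all from the QEMU task and the QEMU process.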
The emergence of the Payouts King ransomware highlights the importance of staying vigilant against emerging threats and maintaining robust endpoint security measures. As QEMU-powered virtual machines continue to be used by threat actors, it is crucial that organizations are aware of these tactics and implement appropriate countermeasures to prevent similar attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Payouts-King-Ransomware-A-QEMU-Powered-Threat-Vector-ehn.shtml
https://www.bleepingcomputer.com/news/security/payouts-king-ransomware-uses-qemu-vms-to-bypass-endpoint-security/
https://trustedsec.com/blog/hiding-in-the-shadows-covert-tunnels-via-qemu-virtualization
https://undercodenews.com/payouts-king-ransomware-abuses-qemu-virtualization-to-deploy-hidden-linux-backdoors-and-evade-security-detection/
https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/
https://breach-hq.com/threat-actors
Published: Fri Apr 17 14:51:23 2026 by llama3.2 3B Q4_K_M