A ransomware campaign linked to the Payouts King group is leveraging the QEMU emulator as a backdoor, allowing attackers to deploy hidden virtual machines (VMs) on compromised systems and bypass traditional endpoint security tools.
QEMU lets attackers run a separate operating system inside the host machine, where they can hide malicious payloads, maintain persistence, and establish covert remote access via reverse SSH tunnels. This works because most security solutions cannot inspect activity inside the virtual environment.
Sophos researchers have observed two related campaigns, one of which, tracked as STAC4713, is directly linked to Payouts King. Another campaign, tracked as STAC3725, was first spotted in February 2026 and exploited the CitrixBleed 2 vulnerability (CVE-2025-5777) in NetScaler systems.
In the STAC4713 campaign, attackers create a scheduled task named “TPMProfiler” to launch a concealed QEMU virtual machine with SYSTEM-level privileges. Attackers disguise virtual disk files as benign database or DLL files and configure port forwarding to maintain remote access through encrypted SSH tunnels.
Threat actors then deploy a lightweight Alpine Linux environment (version 3.22.0) preloaded with tools such as AdaptixC2, Chisel, BusyBox, and Rclone, enabling command-and-control communication, tunneling, and data exfiltration.
Previous attacks, Sophos said, exploited exposed SonicWall VPNs and a SolarWinds Web Help Desk vulnerability (CVE-2025-26399). More recent incidents show a shift toward social engineering and alternative entry points, including compromised Cisco SSL VPNs and phishing campaigns conducted via Microsoft Teams, where attackers impersonate IT staff and trick users into installing remote access tools like Quick Assist.
Post-compromise activity includes credential harvesting and data theft. Attackers create shadow copies using Windows Volume Shadow Copy Service and extract sensitive files such as NTDS.dit, SAM, and SYSTEM registry hives via SMB.
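The host-side indicators described above (a headless QEMU process started under SYSTEM from a scheduled task, a virtual disk disguised as a database or DLL file, host-to-guest port forwarding, and credential hives copied out of a Volume Shadow Copy) can all be checked from process-creation telemetry. The following Python is an added example written for this article, not code from Sophos or from the attackers; it runs two detection rules over a handful of constructed Sysmon-style events. The event field names (image, command_line, parent_image, user), file paths and the "profiler.mdf" disk name are assumptions made for the example, and the disguise and image-extension lists are illustrative rather than exhaustive.

```python
"""Detection rules for two behaviours from the article: a hidden QEMU VM
launched with disguised disk images and SSH port forwarding, and credential
hive theft via Volume Shadow Copies.

Added example, not vendor or attacker code. Events are constructed
Sysmon-style process-creation records; the field names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    command_line: str
    parent_image: str
    user: str


# Constructed sample events (not from a real incident).
SAMPLE_EVENTS = [
    ProcEvent(  # suspicious: headless QEMU as SYSTEM, disk named like a database, port 2222 -> guest 22
        image=r"C:\ProgramData\tpm\qemu-system-x86_64.exe",
        command_line=(r"qemu-system-x86_64.exe -m 1024 -smp 2 "
                      r"-drive file=C:\ProgramData\tpm\profiler.mdf,format=qcow2 "
                      r"-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0 -display none"),
        parent_image=r"C:\Windows\System32\svchost.exe",  # Task Scheduler service host
        user="NT AUTHORITY\\SYSTEM",
    ),
    ProcEvent(  # benign: developer running QEMU interactively with a normal image
        image=r"C:\Program Files\qemu\qemu-system-x86_64.exe",
        command_line=r"qemu-system-x86_64.exe -m 2048 -hda C:\vms\alpine.qcow2",
        parent_image=r"C:\Windows\explorer.exe",
        user="CORP\\dev",
    ),
    ProcEvent(
        image=r"C:\Windows\System32\vssadmin.exe",
        command_line="vssadmin create shadow /for=C:",
        parent_image=r"C:\Windows\System32\cmd.exe",
        user="CORP\\admin",
    ),
    ProcEvent(
        image=r"C:\Windows\System32\cmd.exe",
        command_line=(r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1"
                      r"\Windows\NTDS\ntds.dit C:\temp\n.dat"),
        parent_image=r"C:\Windows\System32\cmd.exe",
        user="CORP\\admin",
    ),
]

# Extensions a virtual disk normally carries; anything else is worth a look.
DISK_IMAGE_EXTS = {".qcow2", ".qcow", ".img", ".raw", ".vmdk", ".vdi", ".vhd", ".vhdx", ".iso"}


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def file_ext(path):
    name = basename(path)
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def qemu_disk_paths(cmd):
    """Pull every disk image path out of a QEMU command line (-hdX, -cdrom, -drive file=...)."""
    tokens = cmd.split()
    paths = []
    for i, tok in enumerate(tokens[:-1]):
        nxt = tokens[i + 1]
        if tok in ("-hda", "-hdb", "-hdc", "-hdd", "-cdrom"):
            paths.append(nxt)
        elif tok == "-drive":
            for kv in nxt.split(","):
                if kv.startswith("file="):
                    paths.append(kv[len("file="):])
    return paths


def check_hidden_qemu(ev):
    """Return the indicators that make this QEMU launch look like a concealed VM."""
    reasons = []
    if not basename(ev.image).lower().startswith("qemu-system"):
        return reasons
    for p in qemu_disk_paths(ev.command_line):
        if file_ext(p) not in DISK_IMAGE_EXTS:
            reasons.append(f"disk image with non-image extension: {p}")
    if "hostfwd=" in ev.command_line:
        reasons.append("host port forwarded into the guest (hostfwd)")
    if "-display none" in ev.command_line or "-nographic" in ev.command_line:
        reasons.append("headless guest (no display)")
    if ev.user.upper().endswith("\\SYSTEM"):
        reasons.append("QEMU running as SYSTEM")
    if basename(ev.parent_image).lower() == "svchost.exe":
        reasons.append("launched from svchost (scheduled task or service)")
    return reasons


def check_shadow_copy_theft(ev):
    """Flag shadow copy creation and reads of NTDS.dit / SAM / SYSTEM from a shadow copy."""
    cmd = ev.command_line
    reasons = []
    if re.search(r"vssadmin(\.exe)?\s+create\s+shadow", cmd, re.I):
        reasons.append("shadow copy created with vssadmin")
    if (re.search(r"HarddiskVolumeShadowCopy\d+", cmd, re.I)
            and re.search(r"ntds\.dit|\\config\\sam\b|\\config\\system\b", cmd, re.I)):
        reasons.append("credential hive read from a shadow copy")
    return reasons


def scan(events):
    """Run both rules; return (event index, rule name, reasons) for each hit."""
    findings = []
    for idx, ev in enumerate(events):
        qemu = check_hidden_qemu(ev)
        if len(qemu) >= 2:  # a single indicator (e.g. -nographic) is common in legitimate use
            findings.append((idx, "hidden_qemu_vm", qemu))
        vss = check_shadow_copy_theft(ev)
        if vss:
            findings.append((idx, "shadow_copy_credential_theft", vss))
    return findings


if __name__ == "__main__":
    for idx, rule, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
        for r in reasons:
            print(f"  - {r}")
```

The QEMU rule requires at least two indicators before alerting, because developers legitimately run headless guests; the disguised-extension check is the one indicator most specific to this campaign, so a real deployment could weight it higher or alert on it alone.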
Researchers attribute the campaign to a group known as GOLD ENCOUNTER, which has a history of targeting virtualized environments like VMware and ESXi. Additional analysis suggests possible ties between Payouts King and former BlackBasta affiliates, based on shared tactics such as spam bombing, Teams-based phishing, and abuse of remote support tools.