
Payouts King Ransomware Uses QEMU Virtual Machines to Evade Security

Take action: Attackers are hiding malicious activity inside virtual machines (using QEMU) to bypass your security tools. Think of it as a criminal operating from inside a room your cameras can't see. Audit your systems for unauthorized QEMU installations, enforce MFA on every remote access solution without exception, and train your staff to never install remote access tools like QuickAssist based on requests from "IT" over Teams or chat. Always verify through a known, official channel first.


Learn More

Researchers at Sophos and Zscaler have documented two active threat campaigns using QEMU, an open-source machine emulator, to conceal malicious activity within hidden virtual machines (VMs) and bypass endpoint security controls. 

Because endpoint protection agents can't inspect activity occurring inside a VM, threat actors are increasingly exploiting this blind spot to execute payloads, harvest credentials, and maintain persistent access without leaving forensic evidence on the host system. The abuse of QEMU is not new. It has been observed since at least 2020, but Sophos analysts have noted a marked increase in its use since late 2025. Two distinct campaigns are now under investigation: STAC4713, linked to the Payouts King ransomware operation, and STAC3725, which exploits a critical Citrix vulnerability.

The first campaign, STAC4713, was identified in November 2025 and is attributed with high confidence to the GOLD ENCOUNTER threat group, which has a known focus on hypervisor environments and has developed encryptors targeting VMware and ESXi. 

To deploy QEMU, the attackers create a scheduled task named "TPMProfiler" that launches a hidden QEMU VM running Alpine Linux 3.22.0 under the SYSTEM account. The virtual disk image is disguised as a legitimate file (it appeared first as vault.db and later as bisrv.dll), and the VM establishes a reverse SSH tunnel to attacker-controlled infrastructure through custom port forwarding rules, creating a covert remote access channel that bypasses endpoint detection. The VM is pre-loaded with a toolkit that includes AdaptixC2, Chisel, BusyBox, and Rclone, and attackers have used it to dump Active Directory credentials by copying NTDS.dit and SAM hives via SMB. Initial access methods across intrusions have varied, including exploitation of exposed SonicWall VPNs without MFA, and most recently CVE-2025-26399 (SolarWinds Web Help Desk).

Beginning in February 2026, GOLD ENCOUNTER shifted tactics, moving away from QEMU and instead gaining access through an exposed Cisco SSL VPN and, in a March 2026 case, impersonating IT staff over Microsoft Teams to trick employees into installing QuickAssist. In both instances, the group used the legitimate ADNotificationManager.exe binary to sideload a Havoc C2 payload and leveraged Rclone to exfiltrate data to remote SFTP servers. Zscaler's analysis corroborates these findings, noting that Payouts King bears the hallmarks of former BlackBasta affiliates, sharing the same initial access tradecraft of spam bombing, Microsoft Teams phishing, and Quick Assist abuse.

The second campaign, STAC3725, has been active since February 2026 and centers on an entirely different initial access vector. The attackers exploit CVE-2025-5777 (CitrixBleed 2, NetScaler ADC and Gateway).

Following initial access, the attackers deploy a ZIP archive containing a malicious executable that installs a service named "AppMgmt," creates a rogue local administrator account, and installs a ScreenConnect client for persistence. The ScreenConnect client then extracts a QEMU package that boots a hidden Alpine Linux VM, inside which the attackers manually compile their full attack suite including Impacket, BloodHound, Metasploit, Kerbrute, and NetExec. Observed post-compromise activity includes Kerberos username enumeration, Active Directory reconnaissance, credential harvesting via WDigest registry manipulation, removal of Microsoft Defender exclusions using FTK Imager, and data staging for exfiltration via FTP.

Sophos recommends that organizations audit their environments for unauthorized QEMU installations, scheduled tasks running under SYSTEM privileges, unusual port forwarding rules targeting port 22, and virtual disk images with atypical file extensions such as .db, .dll, or .qcow2. Defenders should also monitor outbound SSH tunnels originating from non-standard ports and enforce MFA on all remote access solutions. Zscaler's broader recommendations emphasize a defense-in-depth approach that includes enhanced user training to counter social engineering, strict MFA enforcement, and proactive threat hunting. 
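As an added example (not code from the Sophos or Zscaler reports, and not a tool from either vendor), the following Python script turns the audit guidance above and the STAC4713 launch pattern into two host-hunting checks that run over constructed telemetry: it flags QEMU command lines that run headless as SYSTEM, boot a disk image with a non-image extension such as .db or .dll, or carry a QEMU user-mode `hostfwd=` rule touching port 22, and it flags files whose first bytes are the QCOW2 header (`QFI\xfb`, the real QCOW/QCOW2 magic) while their name claims another type. The record layout (`source`, `user`, `command_line`), the sample scheduled-task actions, file paths and file headers are all constructed for this example; the task name, account, image names and port are taken from the article.

```python
"""
Hunting for hidden QEMU virtual machines on Windows hosts (added example).

Two checks over host telemetry (for instance scheduled-task actions exported
from Get-ScheduledTask and process command lines exported from an EDR):
  1. QEMU launches that run headless, as SYSTEM, with a disk image carrying a
     non-image extension, or with a hostfwd rule touching TCP/22.
  2. Files whose header is the QCOW2 magic while the filename says .db/.dll.
All records, paths and file headers below are constructed for this example.
"""
import ntpath
import re
from dataclasses import dataclass

QCOW2_MAGIC = b"QFI\xfb"                   # first 4 bytes of every QCOW/QCOW2 image
IMAGE_EXTS = {".qcow2", ".qcow", ".img", ".raw", ".vmdk", ".vdi"}
SYSTEM_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "S-1-5-18"}

QEMU_BIN_RE = re.compile(r"qemu(-system-[\w-]+)?(\.exe)?\b", re.I)
HEADLESS_RE = re.compile(r"-display\s+none|-nographic", re.I)
# "-drive file=<path>[,opts]" or "-hda <path>"; unquoted paths as seen in task actions
DRIVE_RE = re.compile(r"(?:-drive\s+\S*?file=|-hda\s+)([^\s,]+)", re.I)
# QEMU user-mode networking: hostfwd=tcp:[hostaddr]:hostport-[guestaddr]:guestport
HOSTFWD_RE = re.compile(r"hostfwd=(?:tcp|udp):[^:\s,]*:(\d+)-[^:\s,]*:(\d+)", re.I)


@dataclass
class LaunchRecord:
    source: str          # "task:<name>" for a scheduled task, "proc:<pid>" for a process
    user: str            # account the action or process runs as
    command_line: str


@dataclass
class Finding:
    source: str
    reasons: list


def inspect_launch(rec):
    """Return a Finding for any QEMU launch, listing the traits that make it suspicious."""
    cl = rec.command_line
    if not QEMU_BIN_RE.search(cl):
        return None
    reasons = ["qemu binary launched"]
    if rec.user.upper() in SYSTEM_ACCOUNTS:
        reasons.append("runs as SYSTEM")
    if HEADLESS_RE.search(cl):
        reasons.append("headless VM (no display)")
    for path in DRIVE_RE.findall(cl):
        ext = ntpath.splitext(path)[1].lower()
        if ext not in IMAGE_EXTS:
            reasons.append(f"disk image with non-image extension: {ntpath.basename(path)}")
    for host_port, guest_port in HOSTFWD_RE.findall(cl):
        if "22" in (host_port, guest_port):
            reasons.append(f"hostfwd rule touching port 22: {host_port}->{guest_port}")
    return Finding(rec.source, reasons)


def inspect_file_header(path, head):
    """Flag a file that starts with a QCOW2 header but is not named like a disk image."""
    ext = ntpath.splitext(path)[1].lower()
    if head.startswith(QCOW2_MAGIC) and ext not in IMAGE_EXTS:
        return f"QCOW2 image disguised as {ext or 'extensionless file'}: {ntpath.basename(path)}"
    return None


def hunt(records, files):
    """records: LaunchRecord iterable; files: (path, first_bytes) pairs. Returns all findings."""
    findings = [f for f in (inspect_launch(r) for r in records) if f]
    for path, head in files:
        reason = inspect_file_header(path, head)
        if reason:
            findings.append(Finding(f"file:{path}", [reason]))
    return findings


# Constructed sample telemetry: one hidden-VM task modelled on the TPMProfiler
# pattern, one ordinary developer VM, one unrelated SYSTEM task.
SAMPLE_RECORDS = [
    LaunchRecord("task:TPMProfiler", "NT AUTHORITY\\SYSTEM",
                 r"C:\ProgramData\TPM\qemu-system-x86_64.exe -display none -m 2048 "
                 r"-drive file=C:\ProgramData\TPM\bisrv.dll,format=qcow2 "
                 r"-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0"),
    LaunchRecord("proc:4410", "CORP\\dev.user",
                 r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 4096 '
                 r"-drive file=C:\Users\dev.user\vm\alpine.qcow2 -display gtk"),
    LaunchRecord("task:NightlyBackup", "NT AUTHORITY\\SYSTEM",
                 r"C:\Windows\System32\robocopy.exe D:\data \\backup\share /MIR"),
]
SAMPLE_FILES = [
    (r"C:\ProgramData\TPM\bisrv.dll", b"QFI\xfb\x00\x00\x00\x03"),   # QCOW2 header, .dll name
    (r"C:\Windows\System32\kernel32.dll", b"MZ\x90\x00"),            # genuine PE header
    (r"C:\Users\dev.user\vm\alpine.qcow2", b"QFI\xfb\x00\x00\x00\x03"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_RECORDS, SAMPLE_FILES):
        print(finding.source)
        for reason in finding.reasons:
            print("   -", reason)
```

The developer VM is still reported (any QEMU launch is worth reviewing where QEMU is not sanctioned), but only the TPMProfiler-style task accumulates the SYSTEM, headless, disguised-image and port-22 reasons together; treating that combination as high severity keeps a sanctioned lab VM from paging anyone. The header check matters because the article's observed images carried .db and .dll names, so an extension-only audit would miss them.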
