The new face of the Payouts King Ransomware operates from a hidden VM with QEMU to evade detection


In recent months the operators behind the group attributed to the ransomware known as Payouts King have increased the sophistication of their intrusions with an unusual technique: installing a CPU emulator and running hidden virtual machines inside the compromised system to evade traditional defenses. Instead of leaving their tools and tunnels in plain sight of the host antivirus, they run a complete environment, a small Linux system, inside QEMU and do the dirty work from there.

QEMU is an open source project designed to emulate CPU architectures and create virtual machines on a host machine. Its legitimate use in development and testing is enormous, but that same ability to encapsulate an operating system has been used by attackers to create isolated enclaves from which to operate without the host's security software inspecting what is inside. Research by Sophos documented campaigns in which QEMU acts as a reverse SSH backdoor: the VM initiates connections to remote servers and establishes port forwards that allow discreet access to the compromised environment.


The technical details collected by Sophos describe how the attackers deploy a virtual disk image (usually a .qcow2 file) camouflaged as a database or library, and set up a scheduled task with SYSTEM privileges, named "TPMProfiler", to boot the emulator in the background. These virtual machines contain lightweight distributions such as Alpine Linux and a collection of offensive tools: tunnels and proxies like Chisel, exfiltration utilities such as Rclone, and command-and-control frameworks. This makes the hidden VM the attacker's true operational surface.

The campaigns analyzed are grouped into two clusters that Sophos calls STAC4713 and STAC3725. The first, linked to the Payouts King operation and first observed in late 2025, shows a tendency to attack virtualized infrastructure and to abuse domain credentials to move laterally. The second, active since February, exploits a known vulnerability in NetScaler (identified as CVE-2025-5777 and nicknamed "CitrixBleed 2") to compromise Citrix ADC and Gateway devices. For the technical details of the vulnerabilities, the NVD entries provide public descriptions: CVE-2025-5777 and CVE-2025-26399.

The initial access vectors vary: from exposed VPN devices (SonicWall and Cisco SSL VPN were mentioned in the research) to social engineering over Microsoft Teams that induces IT staff to install legitimate but manipulated utilities such as Quick Assist. Once inside, the attackers have used sideloading techniques with legitimate binaries (e.g., ADNotificationManager.exe) to load Havoc C2-type malicious payloads, and have used shadow copies and SMB commands to collect the Active Directory database and local hives such as NTDS.dit and SAM.

Within the hidden VMs, the actors do not just use precompiled kits: in some incidents they compiled and deployed tools ad hoc (Impacket, Kerbrute, BloodHound.py, Metasploit, among others) to collect credentials, enumerate Kerberos users, map relationships in Active Directory and stage data dumps that are then uploaded to FTP or SFTP servers. By taking these actions from an emulated VM, they prevent most host EDR and antivirus products from seeing the actions in real time.

The final part of the operation, in the case of Payouts King, fits what is expected of a modern extortion group: encryption of files with a combination of robust algorithms (use of AES-256 in CTR mode together with RSA-4096 has been reported, along with methods that skip full encryption of very large files) and publication of notes that redirect victims to leak portals on the deep web. Recent reports from Zscaler also point to similarities between Payouts King and affiliates of former ransomware families such as BlackBasta, especially in the initial access phase and in evasion techniques.


In view of this scenario, security teams have to adjust their detection signals: not only look for known malware, but also for artifacts that indicate the presence of hypervisors or emulators installed in environments where they should not exist; review scheduled tasks with high privileges as possible VM autostart mechanisms; and monitor atypical patterns of outgoing SSH, port forwarding and connections that appear to come from "legitimate" processes that are actually acting as proxies. Sophos specifically recommends searching for unauthorized QEMU installations and outgoing SSH connections on non-standard ports as indicators of compromise.
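The following is an added example, not code from the Sophos or Zscaler reports, showing how those signals can be turned into detection logic over endpoint telemetry. It runs over a few constructed Sysmon-style process-creation and network-connection events (the folder, file names and addresses are hypothetical) and flags the artifacts the article lists: a QEMU process running as SYSTEM and launched by the Task Scheduler host, a disk image camouflaged under a non-VM extension, headless and port-forwarding flags, and outbound connections originating from the emulator.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (not from the report): Sysmon-style
# process-creation (id 1) and network-connection (id 3) events as flat dicts.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe", "user": r"NT AUTHORITY\SYSTEM",
     "parent": r"C:\Windows\System32\services.exe", "cmd": "svchost.exe -k netsvcs -s Schedule"},
    {"id": 1, "image": r"C:\ProgramData\TPM\qemu-system-x86_64.exe", "user": r"NT AUTHORITY\SYSTEM",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": r"qemu-system-x86_64.exe -m 1024 -display none -drive file=C:\ProgramData\TPM\profiles.db,format=qcow2 "
            r"-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0"},
    {"id": 3, "image": r"C:\ProgramData\TPM\qemu-system-x86_64.exe", "dst_ip": "203.0.113.10", "dst_port": 8443},
    {"id": 3, "image": r"C:\Program Files\Git\usr\bin\ssh.exe", "dst_ip": "198.51.100.7", "dst_port": 22},
]

QEMU_NAME = re.compile(r"^qemu(-system-\w+|-img|-ga)?(\.exe)?$", re.I)
VM_DISK_EXT = {".qcow2", ".qcow", ".img", ".raw", ".vmdk", ".vdi", ".iso"}
HEADLESS = ("-display none", "-nographic", "-daemonize")  # VM runs without a visible window

def disk_paths(cmd):
    """Return disk image paths from -hda/-hdb/-cdrom and -drive file=... arguments."""
    paths = re.findall(r"-(?:hd[a-d]|cdrom)\s+(\S+)", cmd)
    paths += re.findall(r"-drive\s+(?:[^,\s]*,)*file=([^,\s]+)", cmd)
    return paths

def analyze(events):
    """Flag QEMU artifacts: emulator processes, their launch context, camouflaged
    disk images, headless/port-forward flags and outbound traffic from the VM."""
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["image"]).name
        if not QEMU_NAME.match(image):
            continue
        if ev["id"] == 1:
            cmd = ev["cmd"]
            findings.append(("qemu_process", image))
            if ev["user"].upper().endswith("SYSTEM"):
                findings.append(("qemu_as_system", image))
            # Heuristic: Task Scheduler jobs are spawned by the svchost.exe hosting the Schedule service
            if PureWindowsPath(ev["parent"]).name.lower() == "svchost.exe":
                findings.append(("qemu_from_task_scheduler", image))
            for p in disk_paths(cmd):  # a .db or .dll "disk" is the camouflage the report describes
                if PureWindowsPath(p).suffix.lower() not in VM_DISK_EXT:
                    findings.append(("camouflaged_disk_image", p))
            if any(flag in cmd for flag in HEADLESS):
                findings.append(("headless_vm", image))
            if "hostfwd=" in cmd:  # host port forwarded into the guest (e.g. SSH)
                findings.append(("port_forward", image))
        elif ev["id"] == 3:
            findings.append(("qemu_outbound", f'{ev["dst_ip"]}:{ev["dst_port"]}'))
    return findings
```

Plain ssh.exe traffic on port 22 is deliberately not flagged here; the emulator process itself, not the port, is the signal, which is why the outbound rule keys on the image name.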

The conclusion for organizations and managers is clear: the boundaries of detection have changed. Containment can no longer rely solely on scanning processes on the host, because attackers have begun to move their operations into invisible virtual machines. This requires a combination of vulnerability management (patching and exposed services), network controls that detect unusual tunnels, and enhanced monitoring of privileged accounts and scheduled tasks. For those who want to dig into the technical findings, Sophos's research offers a detailed and reproducible analysis of how QEMU is used in these campaigns: read the Sophos report. For additional context on the threat and the evolution of Payouts King, the Zscaler analysis is complementary: read the Zscaler report. Finally, if your organization operates exposed Citrix NetScaler or VPN services, it is appropriate to prioritize the review of the patches and configurations recommended in the public notices available in the NVD.

In a world where legitimate virtualization tools can become weapons, defense requires thinking like the attacker: assuming that there may be a second operating system running inside the first, and looking for signals beyond the classic endpoint scope. Only in this way will it be possible to detect and cut off operations that try to hide behind the appearance of harmless processes and files.
