The Phantom Hypervisor: How Payouts King Uses QEMU to Hide Ransomware Inside Virtual Machines
Ransomware crews are increasingly hiding their tooling not beside the victim's operating system but inside a virtual machine running on top of it. The operators of Payouts King are the latest to use QEMU as a covert access channel and a staging platform, launching virtual machines on compromised hosts. This is hard for host-based security to see: antivirus, EDR and other telemetry watch processes on the host, but they are blind to what happens inside a guest, whose activity appears on the host only as the QEMU process itself and its network traffic.
In legitimate use, QEMU provides processor emulation and full-system virtualization, letting different operating systems run as virtual machines on one physical host. For an adversary this offers several advantages at once: the virtual machine is a safe store for malware, a staging area for additional payloads, a place to run reconnaissance tools, and a base for SSH tunnels that provide remote access. QEMU has accordingly appeared repeatedly in campaigns attributed to the 3AM ransomware group, the LoudMiner cryptojacking operation, and the CRON#TRAP phishing campaign.
Researchers at Sophos have taken apart two such campaigns in which QEMU served as the foundation for network persistence and credential harvesting. The first, designated STAC4713 and first seen in November 2025, is linked to the Payouts King ransomware. The second, STAC3725, surfaced in February 2026 and used the CitrixBleed 2 vulnerability (CVE-2025-5777) in NetScaler ADC and Gateway appliances for initial access.
In STAC4713, investigators tie the operators to the GOLD ENCOUNTER threat actor, a group known for targeting hypervisors and deploying ransomware in VMware ESXi environments. According to Sophos, the attackers create a scheduled task named TPMProfiler that launches a hidden QEMU virtual machine as SYSTEM. To avoid scrutiny, the virtual disks are disguised as database files or DLLs. Port forwarding is then configured so the operators can reach the infected host discreetly through a reverse SSH tunnel.
The guest runs Alpine Linux 3.22.0, pre-loaded with the tools needed for lateral movement: AdaptixC2 for command and control, Chisel for tunnelling and proxying connections, BusyBox for basic utilities, and Rclone for data exfiltration.
The initial access vectors for STAC4713 changed over time. Early intrusions targeted internet-facing SonicWall VPN devices, while more recent ones exploited CVE-2025-26399 in SolarWinds Web Help Desk. After the breach, the operators turned to harvesting credential material from the Windows environment. Using vssuirun.exe to drive the Volume Shadow Copy Service, they created shadow copies and copied NTDS.dit and the SAM and SYSTEM registry hives out of them over SMB, enabling offline credential extraction and mapping of the Active Directory structure.
In the most recent incidents attributed to GOLD ENCOUNTER, new entry methods have appeared. In February the group exploited external Cisco SSL VPNs; in March it shifted to social engineering. Posing as technical support over Microsoft Teams, the attackers persuaded employees to install Quick Assist. Once connected, they used a legitimate binary, ADNotificationManager.exe, to sideload a Havoc C2 payload masquerading as vcruntime140_1.dll, and exfiltrated data with Rclone to a remote SFTP server.
Complementary findings from Zscaler suggest that Payouts King may be made up of former members of the Black Basta syndicate, citing shared initial-access tactics: spam bombing, Teams-based phishing, and abuse of Quick Assist. The ransomware itself is heavily obfuscated, carries anti-analysis checks, and disables security software through low-level system calls.
Payouts King uses a hybrid encryption scheme: AES-256 in CTR mode encrypts file contents, and RSA-4096 protects the AES keys. For larger files it uses intermittent encryption, encrypting only selected chunks of each file, which is much faster while still leaving the file unusable. Ransom notes point victims to a dark web leak site, adding the threat of publication to the encryption.
The STAC3725 campaign takes a different route. After exploiting CitrixBleed 2, the adversaries deploy a ZIP archive containing a malicious executable that registers a service named AppMgmt and creates a local administrator account named CtxAppVCOMService. Persistence is provided by a ScreenConnect client running with SYSTEM privileges. Through that session the QEMU package is dropped and an Alpine Linux VM is started from a disk image named custom.qcow2. Notably, in this campaign the operators built their toolkit inside the guest themselves, compiling Impacket, KrbRelayx, Coercer, BloodHound.py, NetExec, Kerbrute, and Metasploit directly on the VM.
The hidden virtual machine is not just a hiding place from host security controls; it is a full attacker workstation inside the network. From it the adversary can probe Active Directory for weaknesses, harvest Kerberos tickets, and stage data for exfiltration.
Sophos advises organizations to watch for unauthorized QEMU installations, scheduled tasks that run as SYSTEM and belong to no known software, and unusual SSH port forwarding. The Payouts King case illustrates a broader shift: a virtual machine inside a compromised host has become a durable redoubt from which attackers can operate, evade detection, and encrypt almost entirely beneath the radar of conventional defenses.
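As a concrete starting point for the hunt Sophos recommends, the following is an added example, not code from Sophos, GOLD ENCOUNTER or Payouts King. It checks exported Task Scheduler XML for the TPMProfiler pattern described above: a task running as SYSTEM whose action is a qemu-system binary, started with no display, with host ports forwarded into the guest, and with disk images whose qcow magic contradicts a .db or .dll extension. The task XML, paths and file headers are constructed for the example, and the read_header callback is a hypothetical stand-in for reading the first bytes of each disk file on a live host.

```python
"""Hunt for hidden QEMU guests launched from Windows scheduled tasks.

Added example for this article, not vendor or attacker code. Parses Task
Scheduler XML (what `schtasks /query /tn <name> /xml` exports), flags tasks
that launch qemu-system-* as SYSTEM, extracts disk images and hostfwd rules
from the QEMU command line, and identifies disks by qcow magic so an image
renamed to .db or .dll is still recognised. All sample data is constructed.
"""
import re
import struct
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_SID = "S-1-5-18"    # LocalSystem, the principal TPMProfiler ran as
QCOW_MAGIC = b"QFI\xfb"    # bytes 0-3 of every qcow/qcow2 image
DISK_EXTENSIONS = {"qcow", "qcow2", "img", "raw", "vmdk", "vdi", "iso"}

# Constructed task modelled on the STAC4713 description: headless guest started
# as SYSTEM, disk disguised as a database file, guest SSH exposed on a host port.
SUSPECT_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\\ProgramData\\tpm\\qemu-system-x86_64.exe</Command>
    <Arguments>-m 2048 -display none -drive file=C:\\ProgramData\\tpm\\profile.db,format=qcow2 -netdev user,id=n0,hostfwd=tcp:127.0.0.1:2222-:22 -device e1000,netdev=n0</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed benign task, also SYSTEM, to show that SYSTEM alone is not a hit.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Windows\\System32\\cmd.exe</Command><Arguments>/c dir</Arguments></Exec></Actions>
</Task>"""

# Constructed file headers standing in for open(path, "rb").read(8): a qcow2 v3
# header (magic, then big-endian version 3) hiding behind a .db filename.
SAMPLE_HEADERS = {"C:\\ProgramData\\tpm\\profile.db": QCOW_MAGIC + struct.pack(">I", 3)}


def parse_task(xml_data):
    """Return the principal SID, command and arguments from Task Scheduler XML (str or bytes)."""
    root = ET.fromstring(xml_data)
    ex = root.find("t:Actions/t:Exec", TASK_NS)
    return {
        "user": root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=TASK_NS),
        "command": ex.findtext("t:Command", default="", namespaces=TASK_NS) if ex is not None else "",
        "arguments": ex.findtext("t:Arguments", default="", namespaces=TASK_NS) if ex is not None else "",
    }


def qemu_artifacts(arguments):
    """Disk paths, hostfwd rules and a headless flag from a QEMU command line."""
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', arguments)]
    disks, forwards, headless = [], [], "-nographic" in toks
    for i, tok in enumerate(toks[:-1]):
        nxt = toks[i + 1]
        if tok in ("-hda", "-hdb", "-hdc", "-hdd", "-cdrom"):
            disks.append(nxt)
        elif tok == "-drive":
            m = re.search(r"(?:^|,)file=([^,]+)", nxt)
            if m:
                disks.append(m.group(1))
        elif tok == "-netdev":
            forwards += re.findall(r"hostfwd=([^,]+)", nxt)   # host:port -> guest:port rules
        elif tok == "-display" and nxt == "none":
            headless = True
    return disks, forwards, headless


def qcow_version(header):
    """qcow version (1, 2 or 3) if the header carries the magic, else None."""
    if len(header) < 8 or header[:4] != QCOW_MAGIC:
        return None
    return struct.unpack(">I", header[4:8])[0]


def assess_task(xml_data, read_header):
    """Findings for one task; read_header(path) must return the first 8+ bytes of a file."""
    task = parse_task(xml_data)
    binary = task["command"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if not binary.startswith("qemu-system"):
        return task, []
    findings = [f"launches QEMU binary {binary}"]
    if task["user"] == SYSTEM_SID:
        findings.append("runs as SYSTEM (S-1-5-18)")
    disks, forwards, headless = qemu_artifacts(task["arguments"])
    if headless:
        findings.append("guest has no display: hidden VM")
    for fwd in forwards:
        findings.append(f"host port forwarded into guest: {fwd}")
    for path in disks:
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        ver = qcow_version(read_header(path))
        if ver is not None and ext not in DISK_EXTENSIONS:
            findings.append(f"disk {path} is qcow v{ver} disguised as .{ext}")
        elif ver is not None:
            findings.append(f"disk {path} is qcow v{ver}")
        else:
            findings.append(f"disk {path} (format not verified)")
    return task, findings


def hunt(xml_docs, headers=SAMPLE_HEADERS):
    """Run assess_task over exported task XML; return (command, findings) for each hit."""
    def read_header(path):
        return headers.get(path, b"")
    return [(t["command"], f) for t, f in (assess_task(d, read_header) for d in xml_docs) if f]


if __name__ == "__main__":
    for command, findings in hunt([SUSPECT_TASK_XML, BENIGN_TASK_XML]):
        print(command)
        for line in findings:
            print("  -", line)
```

On a live host, export each task with `schtasks /query /tn <name> /xml`, pass the UTF-16 bytes to `parse_task` unchanged (ElementTree honours the declaration when given bytes), and replace the constructed headers with `open(path, "rb").read(8)`. The name check is deliberately simple and is defeated by a renamed QEMU binary; hashing candidate executables against known QEMU releases is the natural next step.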