213/69 Monday, April 20, 2026

Researchers from Sophos have identified a ransomware campaign involving Payouts King that leverages QEMU to create a hidden virtual machine (VM) inside compromised systems. This VM acts as a covert backdoor, using reverse SSH connections to execute malware, store malicious files, and maintain remote control, while evading traditional endpoint security tools, which cannot inspect activity inside the VM. Sophos identified two primary campaigns: STAC4713, linked to the GOLD ENCOUNTER group, and STAC3725, which exploits the CitrixBleed 2 vulnerability (CVE-2025-5777) for initial access.
Attackers gain entry through multiple vectors, including exposed VPN services, software vulnerabilities, and social engineering tactics such as tricking employees via Microsoft Teams into installing tools like Quick Assist. Once inside, they create scheduled tasks running at SYSTEM level to launch the hidden VM, configure port forwarding, and establish SSH tunnels for persistent control. The VM typically runs Alpine Linux and includes tools such as AdaptixC2, Chisel, BusyBox, and Rclone, enabling data exfiltration and the harvesting of credentials and sensitive files from Active Directory.
Sophos noted similarities between Payouts King and the Black Basta group in terms of initial access methods and social engineering techniques. The ransomware employs advanced evasion strategies, persistence mechanisms, and strong encryption using AES-256 and RSA-4096 to extort victims. Organizations are advised to monitor for unusual behaviors, such as unauthorized QEMU installations, SYSTEM-level scheduled tasks, abnormal SSH tunneling activity, and hidden VM execution within their environments.
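As an added detection example (not from the Sophos report), the heuristics below score constructed process-creation records against the indicators the article names: a QEMU binary launched as SYSTEM by the Task Scheduler service, with host port forwarding and no display. The record field names, binary paths and threshold are assumptions, not values from the report.

```python
"""Score process-creation records for signs of a hidden QEMU VM.
Heuristics follow the article: QEMU started from a SYSTEM-level scheduled
task, with port forwarding for SSH tunnels and no visible console."""
import re

# Constructed sample records (not real telemetry), loosely modelled on
# Sysmon Event ID 1 fields: User, ParentImage, CommandLine.
SAMPLE_EVENTS = [
    {"user": "NT AUTHORITY\\SYSTEM", "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": r"C:\ProgramData\qemu\qemu-system-x86_64.exe -m 2048 -drive file=alpine.qcow2 "
            r"-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0 -display none"},
    {"user": "CORP\\jdoe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 4096 -cdrom ubuntu.iso'},
    {"user": "NT AUTHORITY\\SYSTEM", "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": r"C:\Windows\System32\taskhostw.exe"},
]

QEMU_RE = re.compile(r"qemu-system-[\w-]+(?:\.exe)?", re.IGNORECASE)
HEADLESS_FLAGS = ("-display none", "-nographic", "-daemonize")
# Assumed: QEMU dropped outside Program Files is suspicious in this environment.
UNUSUAL_PATH_RE = re.compile(r"\\(programdata|users\\public|temp)\\", re.IGNORECASE)


def score_event(ev):
    """Return (score, reasons); one point per matching indicator."""
    cmd = ev["cmd"]
    reasons = []
    if not QEMU_RE.search(cmd):
        return 0, reasons          # not QEMU at all, nothing to score
    reasons.append("qemu binary")
    if ev["user"].upper().endswith("SYSTEM"):
        reasons.append("runs as SYSTEM")
    # Scheduled tasks are spawned by the Schedule service hosted in svchost.exe.
    if ev["parent"].lower().endswith("svchost.exe"):
        reasons.append("parent is svchost (scheduled task)")
    if "hostfwd=" in cmd:
        reasons.append("host port forwarding (SSH tunnel candidate)")
    if any(flag in cmd for flag in HEADLESS_FLAGS):
        reasons.append("headless VM")
    if UNUSUAL_PATH_RE.search(cmd):
        reasons.append("qemu run from unusual path")
    return len(reasons), reasons


def find_hidden_vm_candidates(events, threshold=3):
    """Return [(event, reasons)] for records at or above the assumed threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, reasons))
    return hits
```

A legitimate desktop QEMU session (second record) scores one point and is not reported, while the SYSTEM-launched, port-forwarded, headless instance is.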
