Security Researchers Uncover QEMU-Powered Evasion in Payouts King Ransomware


Several recent incidents of ransomware activity attributed to the Payouts King operation have highlighted a systematic shift toward virtualization-assisted intrusions, with attackers embedding QEMU as an execution layer within compromised systems. 
QEMU instances can be configured as reverse SSH backdoors, allowing operators to create concealed virtual machines that operate independently of the host system, run malicious payloads, and maintain persistence outside the visibility of conventional endpoint security controls.
The investigation identified at least two parallel campaigns: one directly connected with Payouts King and the other stemming from exploitation of the CitrixBleed 2 flaw. Both campaigns leverage virtualization not only for evasion but also for staging post-exploitation activity.
Operating from within these isolated environments, attackers use tools such as Rclone, Chisel, and BusyBox to harvest credentials, investigate Active Directory, enumerate Kerberos, and stage data via temporary FTP servers.
Alongside this evolution, a broader operational trend is emerging: ransomware actors, including suspected initial access brokers, are moving from traditional encrypt-and-extort models to layered intrusion strategies that emphasize stealth, extended access, and pre-encryption intelligence gathering. This reduces detection windows and undermines reliance on file-based security indicators alone.
In essence, QEMU is an open-source emulator and virtualization framework that runs full operating systems as virtual machines on a host, a capability that cyber criminals are increasingly abusing for malicious purposes.
Because host-based security controls have no visibility into processes executing inside these isolated environments, attackers can use QEMU instances to deploy payloads, store tooling, and set up covert remote access channels over SSH without causing any disruption.
There is precedent for using this technique, as it has been used in previous operations linked to the 3AM ransomware group, the LoudMiner campaign, and the CRON#TRAP activity cluster.
The analysis conducted by Sophos in recent months details how the technique has been operationalized across two distinct intrusion sets, including one observed since November 2025 and attributed to the Payouts King ransomware operation.
It overlaps with activity associated with GOLD ENCOUNTER, which is known to target hypervisors and deploy encryptors within VMware and ESXi environments.
In this campaign, attackers create a scheduled task called TPMProfiler that launches a hidden QEMU virtual machine with SYSTEM privileges, using virtual disk images disguised as benign database files and DLLs.
Through carefully configured port forwarding, the adversary maintains isolation within the virtual layer while enabling reverse SSH access into the compromised host.
Alpine Linux 3.22.0 is typically deployed in this environment, preloaded with offensive tools such as AdaptixC2, Chisel, BusyBox, and Rclone that facilitate communication, reconnaissance, and data movement between the various components of the system.
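The traits described above (QEMU launched by a scheduled task as SYSTEM, disk images masquerading as database files or DLLs, user-mode port forwarding into the guest, and a headless VM) are all visible in ordinary process-creation telemetry. The following is an added detection example, not code from the Sophos report or the article: it scores constructed process-creation records (pipe-delimited, loosely modelled on Sysmon Event ID 1 fields) and flags QEMU-like launches that combine several of those traits. The directory paths, file names, PIDs and the `svcmon.exe` renamed-binary case are constructed for the example; only the TPMProfiler task name comes from the article.

```python
"""Heuristic detection of hidden QEMU VMs launched on a Windows host.

Added example (not from the article or the Sophos report). Records are
constructed 'pid|user|parent_image|image|command_line' lines; real telemetry
would come from Sysmon Event ID 1 or an EDR process-creation feed.
"""
import ntpath
from dataclasses import dataclass, field

IMAGE_EXTS = {".qcow2", ".img", ".raw", ".vmdk", ".vdi", ".iso"}  # normal disk-image extensions
TASK_HOSTS = {"svchost.exe", "taskeng.exe", "schtasks.exe"}       # Task Scheduler launches actions via these
DRIVE_FLAGS = {"-hda", "-hdb", "-hdc", "-hdd", "-cdrom"}          # QEMU flags whose next token is an image path
ALERT_THRESHOLD = 5

# Constructed sample telemetry. Paths contain no spaces so the command line can be
# whitespace-split; a production parser would need proper Windows argv quoting rules.
SAMPLE_LOG = [
    r"4412|NT AUTHORITY\SYSTEM|C:\Windows\System32\svchost.exe|C:\ProgramData\TPMProfiler\qemu-system-x86_64.exe|"
    r"qemu-system-x86_64.exe -m 2048 -display none -drive file=C:\ProgramData\TPMProfiler\tpmcache.db,format=raw "
    r"-drive file=C:\ProgramData\TPMProfiler\tpmapi.dll,format=raw -netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0",
    # Legitimate developer VM: interactive user, real .qcow2 image, no port forwarding.
    r"2210|CORP\dev1|C:\Windows\explorer.exe|C:\qemu\qemu-system-x86_64.exe|"
    r"qemu-system-x86_64.exe -m 4096 -drive file=C:\vms\ubuntu.qcow2,format=qcow2 -netdev user,id=n0 -device virtio-net,netdev=n0",
    # Unrelated process, should be ignored entirely.
    r"1200|CORP\dev1|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\notes.txt",
    # Renamed QEMU binary (constructed): no 'qemu' in the name, but the argv shape gives it away.
    r"5120|NT AUTHORITY\SYSTEM|C:\Windows\System32\svchost.exe|C:\ProgramData\cache\svcmon.exe|"
    r"svcmon.exe -nographic -hda C:\ProgramData\cache\index.dll -netdev user,id=n0,hostfwd=tcp:127.0.0.1:2222-:22",
]


@dataclass
class Finding:
    pid: int
    image: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def parse_record(line: str) -> dict:
    pid, user, parent, image, cmdline = line.split("|", 4)
    return {"pid": int(pid), "user": user, "parent": parent, "image": image, "command_line": cmdline}


def disk_images(argv: list) -> list:
    """Collect every file QEMU was told to attach as a drive (-hda style and -drive file=...)."""
    paths = []
    for tok, nxt in zip(argv, argv[1:]):
        if tok in DRIVE_FLAGS:
            paths.append(nxt)
        elif tok == "-drive":
            paths.extend(opt[5:] for opt in nxt.split(",") if opt.startswith("file="))
    return paths


def looks_like_qemu(image: str, argv: list) -> bool:
    """Match on binary name, or on QEMU-specific argv tokens so a renamed binary still qualifies."""
    if "qemu" in ntpath.basename(image).lower():
        return True
    return any(t in ("-drive", "-netdev", "-hda") for t in argv)


def analyze(rec: dict):
    argv = rec["command_line"].split()
    if not looks_like_qemu(rec["image"], argv):
        return None
    f = Finding(rec["pid"], rec["image"])
    if "qemu" in ntpath.basename(rec["image"]).lower():
        f.add(1, "image name contains 'qemu'")
    if ntpath.basename(rec["parent"]).lower() in TASK_HOSTS:
        f.add(2, f"spawned by Task Scheduler host {rec['parent']}")
    if rec["user"].upper() == "NT AUTHORITY\\SYSTEM":
        f.add(2, "running as SYSTEM")
    for path in disk_images(argv):
        if ntpath.splitext(path)[1].lower() not in IMAGE_EXTS:
            f.add(3, f"disk image with non-image extension: {path}")
    if any("hostfwd=" in t for t in argv):
        f.add(2, "user-mode networking with hostfwd port forwarding into the guest")
    if "-nographic" in argv or any(a == "-display" and b == "none" for a, b in zip(argv, argv[1:])):
        f.add(1, "headless VM (no display)")
    return f


def scan(lines: list) -> list:
    """Return findings at or above ALERT_THRESHOLD, in log order."""
    findings = (analyze(parse_record(l)) for l in lines if l.strip())
    return [f for f in findings if f is not None and f.score >= ALERT_THRESHOLD]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"PID {f.pid} score={f.score} {f.image}")
        for r in f.reasons:
            print("   -", r)
```

The scoring is deliberately additive so that a single trait (a developer running QEMU, or a headless VM in a CI job) does not alert on its own, while the combination the article describes does. Binary-name matching alone would miss a renamed QEMU, which is why the argv shape is also used as the qualifier; in real telemetry the signer or file hash of the image is a stronger anchor for that check.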

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
