Payouts King ransomware uses QEMU virtual machines to bypass endpoint security

The Payouts King ransomware operation is using the QEMU emulator to create hidden virtual machines on compromised systems, allowing attackers to

Researchers at cybersecurity company Sophos have documented campaigns where threat actors deploy QEMU as a reverse SSH backdoor to run hidden virtual machines. Since security solutions on the host cannot scan inside virtual machines, attackers can use them to execute payloads, store malicious files, and create covert remote access tunnels.

One campaign tracked as STAC4713 has been linked to the Payouts King ransomware operation and was first observed in November 2025. The threat actors create a scheduled task named 'TPMProfiler' to launch a hidden QEMU virtual machine with SYSTEM privileges. The VM runs Alpine Linux version 3.22.0 and includes attacker tools such as AdaptixC2, Chisel, BusyBox, and Rclone.

Initial access was achieved via exposed SonicWall VPNs in earlier attacks, while more recent incidents have exploited the SolarWinds Web Help Desk vulnerability CVE-2025-26399. In some cases, the threat actors posed as IT staff and tricked employees over Microsoft Teams into downloading and installing QuickAssist.

A separate campaign tracked as STAC3725 has been active since February and exploits the CitrixBleed 2 vulnerability in NetScaler ADC and Gateway instances. After compromising NetScaler devices, attackers deploy a malicious executable that installs a service, creates a new local admin user, and installs ScreenConnect for persistence before dropping and extracting a QEMU package.

Sophos recommends organizations look for un
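The persistence described above (a scheduled task that starts a headless QEMU VM as SYSTEM) is something a defender can hunt for in `schtasks /query /v /fo CSV` output. The following is an added example, not code from Sophos or the article: it parses a constructed, abbreviated CSV sample (only a few of the real columns) and flags tasks that launch a QEMU system emulator, noting headless display flags and SYSTEM execution as aggravating signals. The task names, paths and host names in the sample are made up.

```python
import csv
import io
import re

# Constructed, abbreviated sample of `schtasks /query /v /fo CSV` output.
# Real output has many more columns; only the ones the check needs are kept.
SAMPLE_SCHTASKS_CSV = '''"HostName","TaskName","Task To Run","Run As User","Schedule Type"
"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o","SYSTEM","At system start up"
"WS01","\\TPMProfiler","C:\\ProgramData\\tpm\\qemu-system-x86_64.exe -display none -hda alpine.qcow2 -m 2048","SYSTEM","At system start up"
"WS01","\\DevVM","C:\\Program Files\\qemu\\qemu-system-x86_64.exe -hda dev.qcow2","WS01\\alice","Daily"
'''

# QEMU system-emulator binaries (qemu-system-x86_64.exe etc.). An attacker can
# rename the binary, so the headless flags are kept as an independent signal.
QEMU_BINARY = re.compile(r"qemu-system-[a-z0-9_]+(\.exe)?", re.IGNORECASE)
HEADLESS_FLAGS = re.compile(r"-display\s+none|-nographic", re.IGNORECASE)


def find_hidden_vm_tasks(csv_text):
    """Return a list of (task_name, severity, reasons) for scheduled tasks whose
    command launches QEMU or uses QEMU's headless display flags."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = row["Task To Run"]
        is_qemu = bool(QEMU_BINARY.search(cmd))
        headless = bool(HEADLESS_FLAGS.search(cmd))
        if not (is_qemu or headless):
            continue
        reasons = []
        if is_qemu:
            reasons.append("launches a QEMU system emulator")
        if headless:
            reasons.append("VM is started without a display (hidden from the user)")
        as_system = row["Run As User"].strip().upper() == "SYSTEM"
        if as_system:
            reasons.append("runs as SYSTEM")
        # A QEMU VM started by SYSTEM is the pattern described for STAC4713.
        severity = "high" if (is_qemu and as_system) else "medium"
        findings.append((row["TaskName"], severity, reasons))
    return findings


if __name__ == "__main__":
    for name, severity, reasons in find_hidden_vm_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{severity.upper():6} {name}: {'; '.join(reasons)}")
```

A legitimate developer VM (like the `DevVM` row) will also match on the binary name, so triage by user context and whether the VM has any display at all.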
Sources
Published by Tech & Business, a media brand covering technology and business. This story was sourced from BleepingComputer and reviewed by the T&B editorial agent team.