{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/payouts-king/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["GOLD ENCOUNTER"],"_cs_cves":[{"cvss":9.8,"id":"CVE-2025-26399"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["payouts-king","ransomware","qemu","vm","defense-evasion"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThe Payouts King ransomware, associated with the GOLD ENCOUNTER threat group, is utilizing QEMU, an open-source CPU emulator, to run hidden Alpine Linux virtual machines (VMs) on compromised Windows systems, effectively bypassing endpoint security solutions. This technique allows attackers to execute malicious payloads, store sensitive data, and create covert remote access tunnels over SSH without being detected by host-based security tools. Observed since November 2025 (tracked as STAC4713), this campaign initially exploited exposed SonicWall VPNs and the SolarWinds Web Help Desk vulnerability (CVE-2025-26399). More recent attacks have leveraged exposed Cisco SSL VPNs and Microsoft Teams phishing campaigns to deliver payloads. The attackers are likely tied to former BlackBasta affiliates based on similar initial access methods. This tactic enables persistence, elevated privileges, and data exfiltration while evading detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e Attackers gain initial access through exposed SonicWall VPNs, Cisco SSL VPNs, or by exploiting the SolarWinds Web Help Desk vulnerability (CVE-2025-26399). Alternatively, they use Microsoft Teams phishing, tricking employees into downloading and executing malicious files via QuickAssist.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Delivery:\u003c/strong\u003e In some instances, a legitimate ADNotificationManager.exe binary is used to sideload a Havoc C2 payload (vcruntime140_1.dll).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eQEMU Deployment:\u003c/strong\u003e A scheduled task named ‘TPMProfiler’ is created to launch a hidden QEMU VM as SYSTEM, utilizing virtual disk files disguised as databases and DLL files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVM Configuration:\u003c/strong\u003e The QEMU VM runs Alpine Linux (version 3.22.0), containing attacker tools such as AdaptixC2, Chisel, BusyBox, and Rclone.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReverse SSH Tunnel:\u003c/strong\u003e Port forwarding is set up to establish a reverse SSH tunnel, providing covert access to the infected host.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e Attackers use VSS (vssuirun.exe) to create a shadow copy, then use the print command over SMB to copy NTDS.dit, SAM, and SYSTEM hives to temp directories.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e Rclone is leveraged to exfiltrate data to a remote SFTP location or other exfiltration methods, such as FTP, are used.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEncryption and Extortion:\u003c/strong\u003e The Payouts King ransomware encrypts systems using AES-256 (CTR) with RSA-4096 with intermittent encryption for larger files. Ransom notes are dropped, directing victims to leak sites on the dark web.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful Payouts King ransomware attacks can result in significant data loss, system downtime, and financial repercussions for victim organizations. The use of QEMU VMs provides an additional layer of stealth, making detection and remediation more challenging. Targeted sectors are not specified in this report, but the use of exposed VPNs and phishing suggests a broad targeting scope. The ransom demands and potential data leaks on the dark web further compound the damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for unauthorized QEMU installations and suspicious scheduled tasks running with SYSTEM privileges, as these are key indicators of compromise (see Overview).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect unusual SSH port forwarding and outbound SSH tunnels on non-standard ports, which could indicate a reverse SSH tunnel (see Attack Chain).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect ADNotificationManager Sideloading Havoc C2\u0026rdquo; to identify instances where ADNotificationManager.exe is used to sideload the Havoc C2 payload (vcruntime140_1.dll) (see Rules).\u003c/li\u003e\n\u003cli\u003eReview and patch CVE-2025-26399 in SolarWinds Web Help Desk and apply necessary security measures for exposed SonicWall and Cisco SSL VPNs to prevent initial access (see Attack Chain).\u003c/li\u003e\n\u003cli\u003eMonitor for processes creating shadow copies (vssuirun.exe) followed by unusual file access patterns (NTDS.dit, SAM, SYSTEM hives) via SMB, indicative of credential theft (see Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T12:00:00Z","date_published":"2026-04-18T12:00:00Z","id":"/briefs/2026-04-payouts-king-qemu/","summary":"The Payouts King ransomware is leveraging QEMU VMs as a reverse SSH backdoor to execute payloads, store malicious files, and establish covert remote access tunnels, bypassing endpoint security measures.","title":"Payouts King Ransomware Abusing QEMU VMs for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2026-04-payouts-king-qemu/"}],"language":"en","title":"CraftedSignal Threat Feed — Payouts-King","version":"https://jsonfeed.org/version/1.1"}