The Payouts King ransomware group (linked to former BlackBasta affiliates) is deploying QEMU virtual machines running Alpine Linux on compromised hosts to evade endpoint security. Sophos documented two campaigns: STAC4713, which uses hidden QEMU VMs with tools like AdaptixC2, Chisel, and Rclone to establish reverse SSH tunnels and exfiltrate data, gaining initial access via exposed SonicWall VPNs and Microsoft Teams social engineering; and STAC3725, which exploits the CitrixBleed 2 vulnerability (CVE-2025-5777) to deploy QEMU VMs with manually compiled offensive tools including Impacket, BloodHound, and Metasploit. The ransomware uses AES-256 with RSA-4096 encryption and employs heavy obfuscation and anti-analysis techniques. Defenders are advised to monitor for unauthorized QEMU installations, suspicious scheduled tasks running as SYSTEM, and unusual SSH tunneling activity.
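As an added illustration of the monitoring advice in the last sentence (this is example code, not from the article or from Sophos), the script below runs a few detection rules over constructed process-creation and scheduled-task events: a QEMU binary started without a display, a guest port forwarded onto the host, a SYSTEM scheduled task whose action lives in a user-writable directory, and an `ssh -R` reverse tunnel. The event field names and sample values are assumptions.

```python
import re
import shlex

# Constructed sample telemetry (assumed EDR-like field names, not from the
# article): process-creation and scheduled-task events on a Windows host.
SAMPLE_EVENTS = [
    {"type": "process", "user": r"NT AUTHORITY\SYSTEM",
     "cmd": r"C:\ProgramData\qemu\qemu-system-x86_64.exe -m 2048 -display none "
            r"-drive file=alpine.qcow2 -netdev user,id=n0,hostfwd=tcp::2222-:22"},
    {"type": "task", "user": "SYSTEM",
     "cmd": r"C:\ProgramData\qemu\start.bat"},
    {"type": "process", "user": r"CORP\alice",
     "cmd": "ssh -N -R 4444:127.0.0.1:22 relay@198.51.100.10"},
    {"type": "process", "user": r"CORP\bob",
     "cmd": r"C:\Windows\System32\notepad.exe notes.txt"},
]

QEMU_BIN = re.compile(r"^qemu-system-\w+(\.exe)?$", re.I)
# Directories a non-admin can write to; a persistence task pointing here is odd
SUSPICIOUS_DIRS = ("programdata", "\\temp\\", "appdata", "users\\public")

def analyse(event):
    """Return the list of findings for one event (empty when nothing matched)."""
    findings = []
    argv = shlex.split(event["cmd"], posix=False)  # posix=False keeps backslashes
    if not argv:
        return findings
    exe_path = argv[0].strip('"')
    exe = re.split(r"[\\/]", exe_path)[-1].lower()
    flags = [a.lower() for a in argv[1:]]
    is_system = event["user"].upper().endswith("SYSTEM")

    if QEMU_BIN.match(exe):
        findings.append("qemu launch")
        # A VM with no console is what a hidden pivot box looks like to the user
        if "-nographic" in flags or "-display none" in " ".join(flags):
            findings.append("headless vm")
        # hostfwd exposes a guest port (here the guest's SSH) on the Windows host
        if any("hostfwd=" in a for a in flags):
            findings.append("host port forwarded into guest")
    if event["type"] == "task" and is_system:
        findings.append("scheduled task runs as SYSTEM")
        if any(d in exe_path.lower() for d in SUSPICIOUS_DIRS):
            findings.append("task action in user-writable path")
    # -R on the client side is a remote (reverse) forward back to the ssh server
    if exe in ("ssh", "ssh.exe") and any(a.startswith("-R") for a in argv[1:]):
        findings.append("reverse ssh tunnel (-R)")
    return findings

def scan(events):
    """Map event index -> findings, keeping only events that raised something."""
    return {i: f for i, e in enumerate(events) if (f := analyse(e))}
```

Real deployments would key the QEMU rule on a software inventory (is QEMU approved on this host at all?) rather than on command-line strings alone, since the binary can be renamed.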

From bleepingcomputer.com