Full Report
The Payouts King ransomware operators are using the QEMU emulator to run hidden virtual machines on compromised systems, with a reverse SSH tunnel out of the guest serving as a backdoor, in order to bypass endpoint security. [...]
Analysis Summary
# Tool/Technique: virtualization-based evasion via QEMU
## Overview
Threat actors, specifically those associated with the **Payouts King** ransomware and the **GOLD ENCOUNTER** group, are leveraging the legitimate open-source **QEMU emulator** to run hidden virtual machines (VMs) on compromised hosts. This technique allows attackers to bypass endpoint security solutions (EDR/AV) because the security software running on the host cannot inspect the contents or execution flow within the guest VM. The VM serves as a persistent, hidden environment for attacker tools and as a reverse SSH tunnel for covert remote access.
## Technical Details
- **Type:** Technique / Virtualization Abuse
- **Platform:** Windows (Host), Alpine Linux (Guest VM)
- **Capabilities:** Virtualization evasion, reverse SSH tunneling, port forwarding, credential harvesting.
- **First Seen:** November 2025 (STAC4713 campaign)
## MITRE ATT&CK Mapping
- **[TA0005 - Defense Evasion]**
  - [T1564.006 - Hide Artifacts: System Virtualization]
  - [T1027 - Obfuscated Files or Information]
- **[TA0003 - Persistence]**
  - [T1053.005 - Scheduled Task/Job: Scheduled Task]
  - [T1543.003 - Create or Modify System Process: Windows Service]
- **[TA0011 - Command and Control]**
  - [T1572 - Protocol Tunneling]
  - [T1021.004 - Remote Services: SSH]
- **[TA0006 - Credential Access]**
  - [T1003.002 - OS Credential Dumping: Security Account Manager]
  - [T1003.003 - OS Credential Dumping: NTDS]
## Functionality
### Core Capabilities
- **Guest VM Execution:** Launches a lightweight Alpine Linux VM using QEMU commands.
- **Reverse SSH Tunneling:** Establishes a covert communication channel from the VM back to the attacker’s infrastructure, bypassing firewall restrictions on inbound traffic.
- **Hidden Virtual Disks:** Uses virtual disk files (e.g., `.qcow2`) often disguised with misleading extensions like `.db` or `.dll` to store malicious toolsets.
### Advanced Features
- **Security Software Termination:** The Payouts King ransomware family utilizes low-level system calls to terminate security processes.
- **Intermittent Encryption:** Uses AES-256 (CTR) and RSA-4096 to encrypt only parts of large files, increasing encryption speed and minimizing file I/O noise.
- **Living-off-the-Land (LotL):** Abuse of legitimate tools like `vssuirun.exe`, `QuickAssist`, and `SMB` to exfiltrate sensitive files such as the NTDS.dit database.
## Indicators of Compromise
- **File Names:**
  - `TPMProfiler` (Scheduled Task)
  - `AppMgmt` (Windows Service)
  - `CtxAppVCOMService` (Username)
  - `custom.qcow2` (VM disk image)
  - `vcruntime140_1.dll` (Sideloaded Havoc payload)
- **Process Behaviors:**
  - `qemu-system-x86_64.exe` running with `SYSTEM` privileges.
  - Unusual `vssuirun.exe` activity followed by access to sensitive system hives.
- **Network Indicators:**
  - Outbound SSH traffic on non-standard ports.
  - Connections to remote relay servers via ScreenConnect.
  - Data exfiltration to remote SFTP/FTP locations via Rclone.
## Associated Threat Actors
- **GOLD ENCOUNTER** (Likely former BlackBasta affiliates)
- **STAC4713** (Sophos tracking ID)
- **STAC3725** (Sophos tracking ID)
## Detection Methods
- **Behavioral Detection:**
  - Monitor for the execution of QEMU binaries on workstations or servers where virtualization is not a business requirement.
  - Alert on scheduled tasks created with names mimicking system utilities (e.g., `TPMProfiler`) that execute with `SYSTEM` rights.
  - Monitor for unexpected use of `vssuirun.exe` to create shadow copies.
- **Network Monitoring:**
  - Inspect outbound traffic for SSH handshakes to unknown or suspicious external IP addresses.
- **Process Sideloading:**
  - Monitor `ADNotificationManager.exe` for the loading of unexpected DLLs like `vcruntime140_1.dll`.
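The behavioral and sideloading rules above, written out as a small triage function over Sysmon-style process-creation and image-load records. This is an added example, not code from the report or from Sophos; the host allowlist, field names and event values are constructed for illustration.

```python
import ntpath

# Assumed allowlist of hosts where QEMU is a business requirement.
VIRT_HOSTS = {"lab-hv01"}
SYSTEM_USER = "nt authority\\system"
MIMICKED_TASKS = {"tpmprofiler"}  # task names that mimic system utilities

# Constructed Sysmon-style events: EventID 1 = process create, 7 = image load.
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "ws-042", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\ProgramData\qemu\qemu-system-x86_64.exe"},
    {"EventID": 1, "Host": "lab-hv01", "User": "LAB\\jdoe",
     "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe"},
    {"EventID": 1, "Host": "ws-042", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /tn TPMProfiler /ru SYSTEM /tr C:\ProgramData\run.bat"},
    {"EventID": 7, "Host": "ws-042", "Image": r"C:\Users\Public\ADNotificationManager.exe",
     "ImageLoaded": r"C:\Users\Public\vcruntime140_1.dll"},
]

def task_name(cmdline):
    # Lower-cased value following /tn in a schtasks command line, or "".
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if tok.lower() == "/tn":
            return toks[i + 1].lower()
    return ""

def triage(event):
    # Return the rule names the event matches; an empty list means no finding.
    hits = []
    image = ntpath.basename(event.get("Image", "")).lower()
    cmdline = event.get("CommandLine", "").lower()
    if event["EventID"] == 1:
        if image == "qemu-system-x86_64.exe":
            if event["Host"].lower() not in VIRT_HOSTS:
                hits.append("qemu_on_nonvirt_host")
            if event.get("User", "").lower() == SYSTEM_USER:
                hits.append("qemu_as_system")
        elif image == "schtasks.exe" and "/create" in cmdline:
            if task_name(cmdline) in MIMICKED_TASKS and "/ru system" in cmdline:
                hits.append("mimicked_task_as_system")
        elif image == "vssuirun.exe":
            hits.append("vssuirun_execution")
    elif event["EventID"] == 7:
        loaded = event.get("ImageLoaded", "").lower()
        sideloaded = not loaded.startswith("c:\\windows\\")  # resolved outside C:\Windows
        if image == "adnotificationmanager.exe" and loaded.endswith("\\vcruntime140_1.dll") and sideloaded:
            hits.append("adnotificationmanager_sideload")
    return hits
```

Feed real events to `triage` and group the hits per host: a workstation that matches the QEMU, scheduled-task and sideload rules together is the pattern this report describes, whereas a single QEMU hit on an allowlisted lab host is not.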
## Mitigation Strategies
- **Prevention:**
  - Patch critical vulnerabilities: CitrixBleed 2 (CVE-2025-5777) and SolarWinds Web Help Desk (CVE-2025-26399).
  - Implement application whitelisting to prevent unauthorized binaries like QEMU from executing.
- **Hardening:**
  - Restrict the use of administrative tools like QuickAssist and ScreenConnect.
  - Disable or monitor VSS (Volume Shadow Copy Service) usage on non-backup servers.
  - Block outbound SSH (port 22) and other tunneling protocols for regular users.
## Related Tools/Techniques
- **3AM Ransomware:** Previously observed using QEMU for similar purposes.
- **Chisel & AdaptixC2:** Post-exploitation tools often found within the hidden VMs.
- **Rclone:** Used for data exfiltration.
- **Havoc C2:** Command and control framework used via DLL sideloading.