Payouts King ransomware operators are abusing the QEMU emulator to run hidden Alpine Linux virtual machines on compromised hosts. QEMU port forwarding and reverse SSH tunnels give the operators covert access into the guest, where they execute payloads and harvest credentials out of reach of host-based endpoint security. Sophos and Zscaler link these campaigns to GOLD ENCOUNTER and likely former BlackBasta affiliates, with initial access achieved via exposed VPNs, CitrixBleed 2 exploitation, Microsoft Teams phishing, and QuickAssist abuse. #PayoutsKing #QEMU
Keypoints
- Payouts King runs hidden QEMU VMs (Alpine Linux 3.22) to evade host-based security and execute malicious tools.
- Attackers use QEMU port forwarding to expose services running inside the guest on the host, and reverse SSH tunnels from the VM out to their infrastructure for covert remote access and data exfiltration.
- Initial access vectors include exposed SonicWall/Cisco VPNs, CitrixBleed 2 exploitation, Microsoft Teams phishing, and QuickAssist abuse.
- Threat actors harvest credentials, perform Active Directory reconnaissance, and exfiltrate data using Rclone, FTP, and SFTP.
- Sophos advises monitoring for unauthorized QEMU installs, scheduled tasks running as SYSTEM, unusual SSH port forwarding, and nonstandard outbound SSH tunnels.