A ransomware operation active since mid-2025 has developed a materially novel technique for defeating endpoint detection: running a fully functional Linux virtual machine inside the target’s Windows environment using the legitimate QEMU emulator, then conducting the entire post-compromise intrusion chain from within that VM. Security tools running on the Windows host cannot inspect inside the guest VM, leaving the attacker’s credential theft, lateral movement, and data exfiltration activity completely opaque to endpoint detection.
The group, tracked as Payouts King and attributed to former BlackBasta affiliates by Zscaler ThreatLabz, was first documented by Sophos under the campaign designator STAC4713 (attributed to the GOLD ENCOUNTER threat group) in November 2025. BleepingComputer published the detailed technical analysis on 17 April 2026.
The QEMU Evasion Technique
The core innovation is straightforward in concept but significant in impact. After gaining initial access, Payouts King installs QEMU — a legitimate, widely used open-source hardware emulator — on the compromised Windows host. A scheduled task named TPMProfiler is created to launch the QEMU VM with SYSTEM privileges, disguising the malicious activity among the host’s legitimate scheduled task inventory.
The virtual machine runs Alpine Linux 3.22.0 and is supplied with a pre-configured toolkit: AdaptixC2 (command-and-control framework), Chisel (TCP/UDP tunnelling), BusyBox (Unix utilities), and Rclone (cloud data exfiltration). Virtual disk images are disguised as database files or DLLs to avoid casual inspection. Port forwarding is configured to route traffic through the VM, and a reverse SSH tunnel established from inside the VM provides persistent covert remote access to the attacker — bypassing any network-layer inspection that expects outbound connections to originate from a Windows process.
The evasion value is direct: Windows endpoint detection agents — EDR, AV, and DLP — operate at the Windows kernel or userspace level and cannot examine the execution context inside an isolated guest VM. Attacker tooling runs in Alpine Linux with no Windows security agent present.
Initial Access and Credential Theft
Initial access in confirmed incidents used two vectors: exposed SonicWall VPN appliances and exploitation of CVE-2025-26399, a vulnerability in SolarWinds Web Help Desk. Both are opportunistic entry points that allow unauthenticated or low-privilege remote access to the target environment.
Once inside, post-compromise operations proceed entirely within the QEMU VM. The threat actor uses Windows Volume Shadow Copy Service (VSS via vssuirun.exe) to create a shadow copy of the system drive, then uses the print command over SMB to copy NTDS.dit, SAM, and the SYSTEM hive to temporary directories — the standard credential extraction chain for an Active Directory environment. With NTDS.dit and the SYSTEM hive in hand, offline password cracking yields all domain account hashes, providing unrestricted lateral movement capability.
Attack Goals: Data Theft Then Ransomware
Payouts King’s operational model prioritises data theft before encryption — consistent with the double-extortion model pioneered by BlackBasta and now standard across professional ransomware operations. Rclone inside the QEMU VM is used to exfiltrate collected data to attacker-controlled cloud storage before the encryption payload is deployed. The group targets VMware and ESXi hypervisors in addition to Windows endpoints, using ESXi-specific encryptors, which means virtualised server environments face separate encryption risk beyond the Windows desktop estate.
Detection Challenges and Guidance
The QEMU technique directly undermines endpoint-centric detection models. Effective countermeasures shift detection focus to behaviours that the evasion cannot hide:
- Scheduled task creation for QEMU or qemu-system-*: Audit scheduled tasks for unexpected entries, particularly those calling QEMU executables or referencing disk image file types (.qcow2, .img). The TPMProfiler task name should be treated as a high-confidence indicator of this specific campaign.
- QEMU binary execution from non-standard paths: QEMU is legitimate software, but its presence in user-writable directories (AppData, Temp, ProgramData subdirectories) is unusual. Flag qemu-system-x86_64.exe or similar binaries executing from unexpected locations.
- Outbound SSH from non-SSH-client processes: QEMU establishing outbound TCP 22 connections should alert in any environment where SSH outbound is not expected from hypervisor processes.
- Shadow copy creation without backup software context: vssuirun.exe activity outside of a known backup window is a high-confidence lateral movement/credential theft indicator.
- Unusual NTDS.dit or SAM file access via print command over SMB: This specific copy technique leaves SMB artefacts that should be detectable in SMB access logging.
- Patch SonicWall VPN and SolarWinds Web Help Desk: These are the confirmed initial access vectors. Ensure both are on current firmware/patch levels.
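As an added example (not code from the article or from any of the vendors it cites), the Python below turns the host-side detection points above into rules run over a few constructed telemetry records; the record format, the assumed backup window, and the backup service account name are illustrative assumptions, not values from the campaign.

```python
import re

# Constructed sample telemetry (not from the article): one record per line in a
# simple "kind|field=value|..." form standing in for EDR / Windows event exports.
SAMPLE_EVENTS = """\
task_created|name=TPMProfiler|action=C:\\ProgramData\\qemu\\qemu-system-x86_64.exe -hda C:\\ProgramData\\db\\customers.mdf
task_created|name=OneDrive Reporting Task|action=C:\\Program Files\\Microsoft OneDrive\\OneDriveStandaloneUpdater.exe
process_start|image=C:\\Users\\alice\\AppData\\Local\\Temp\\qemu-system-x86_64.exe|user=SYSTEM
process_start|image=C:\\Program Files\\qemu\\qemu-system-x86_64.exe|user=svc_labvm
process_start|image=C:\\Windows\\System32\\vssuirun.exe|user=SYSTEM|time=03:12
process_start|image=C:\\Windows\\System32\\vssuirun.exe|user=backupsvc|time=23:05
net_connect|image=C:\\ProgramData\\qemu\\qemu-system-x86_64.exe|dst_port=22
net_connect|image=C:\\Windows\\System32\\OpenSSH\\ssh.exe|dst_port=22
"""

USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData)\\", re.IGNORECASE)
QEMU_BIN = re.compile(r"qemu-system-\w+\.exe", re.IGNORECASE)
DISK_IMAGE = re.compile(r"\.(qcow2|img)\b", re.IGNORECASE)
BACKUP_WINDOW = range(22, 24)   # assumption: backups run 22:00-23:59 here
BACKUP_ACCOUNTS = {"backupsvc"}  # assumption: the backup service account

def parse(line):
    kind, *fields = line.split("|")
    return kind, dict(f.split("=", 1) for f in fields)

def evaluate(line):
    """Return a list of (rule, severity) hits for one telemetry record."""
    kind, f = parse(line)
    hits = []
    if kind == "task_created":
        if f.get("name") == "TPMProfiler":          # campaign-specific task name
            hits.append(("tpmprofiler_task", "high"))
        if QEMU_BIN.search(f.get("action", "")) or DISK_IMAGE.search(f.get("action", "")):
            hits.append(("qemu_scheduled_task", "medium"))
    elif kind == "process_start":
        image = f.get("image", "")
        if QEMU_BIN.search(image) and USER_WRITABLE.search(image):
            hits.append(("qemu_nonstandard_path", "medium"))
        if image.lower().endswith("\\vssuirun.exe"):  # shadow copy outside backup context
            hour = int(f.get("time", "0:0").split(":")[0])
            if f.get("user") not in BACKUP_ACCOUNTS or hour not in BACKUP_WINDOW:
                hits.append(("shadow_copy_outside_backup", "high"))
    elif kind == "net_connect":
        if QEMU_BIN.search(f.get("image", "")) and f.get("dst_port") == "22":
            hits.append(("qemu_outbound_ssh", "high"))
    return hits

def scan(text=SAMPLE_EVENTS):
    """Map each record that triggered at least one rule to its hits."""
    return {ln: h for ln in text.splitlines() if (h := evaluate(ln))}
```

Of the eight constructed records, four fire: the TPMProfiler task, QEMU launched from a Temp directory, vssuirun.exe run by SYSTEM at 03:12, and the QEMU process opening TCP 22; the legitimate-looking counterparts stay silent.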
Broader Context
The QEMU VM technique is the latest evolution in a sustained trend of attackers using legitimate software as evasion primitives — preceding iterations used process injection, BYOVD kernel driver disabling, and LOLBin abuse. Each innovation exploits the structural assumption that endpoint security can observe all meaningful execution on a host. That assumption fails when an attacker runs a complete operating system inside a hypervisor on the same machine. Detection programmes that rely primarily on endpoint telemetry require network-level and infrastructure-level coverage to maintain visibility when host-based detection is defeated.