Payouts King uses QEMU VM backdoor

Researchers report the Payouts King ransomware strain is using QEMU virtual machines as a reverse-SSH backdoor to hide activity and bypass endpoint security, and some analysts link the group to former BlackBasta affiliates using selective encryption and data theft. The technique aims to evade detection by nesting malicious access inside virtualised environments. (bleepingcomputer.com) (cybersecuritynews.com)

A virtual machine is a computer inside a computer, and Payouts King is using one to hide its foothold after breaking into corporate networks. (bleepingcomputer.com) Researchers at Sophos said on April 16 that attackers linked to the Payouts King operation launched hidden QEMU virtual machines as SYSTEM through a scheduled task named “TPMProfiler.” The campaign Sophos tracks as STAC4713 was first seen in November 2025. (sophos.com)

QEMU is open-source software for running virtual machines, and security tools on the host often cannot see inside the guest system. Sophos said the attackers used that blind spot to run Alpine Linux 3.22.0 with tools including AdaptixC2, Chisel, BusyBox and Rclone. (sophos.com) The hidden machine also set up a reverse Secure Shell tunnel, which works like an outbound connection that gives the attacker a path back in. BleepingComputer reported the group disguised its virtual disks as database and dynamic-link library files to make the setup look ordinary on disk. (bleepingcomputer.com)

Sophos said the same campaign stole domain credentials after access was established, including copies of NTDS.dit, SAM and SYSTEM hives from Windows systems. In separate intrusions, the attackers got in through exposed SonicWall and Cisco Secure Sockets Layer virtual private network appliances, and through Microsoft Teams social-engineering that pushed workers to install Quick Assist. (sophos.com)

Zscaler said on April 16 that Payouts King emerged in April 2025 and has been tied with high confidence to attacks using spam bombing, Teams contact and Quick Assist abuse. The company described the group as focused on stealing large amounts of data and encrypting files selectively rather than locking every system it reaches. (zscaler.com) That tradecraft overlaps with the playbook long associated with Black Basta.

Zscaler said former Black Basta affiliates are behind some Payouts King activity, while Sophos separately attributed Payouts King and its extortion operation to a cluster it calls GOLD ENCOUNTER. (zscaler.com) (sophos.com) Black Basta itself fractured after internal chat logs leaked in February 2025. ReliaQuest said the group collapsed after the leak and its data-leak site disappeared by the end of that month, while The Record reported the dump contained just under 200,000 Russian-language messages from September 2023 to September 2024. (reliaquest.com) (therecord.media)

ReliaQuest had already warned in April 2025 that Black Basta-linked operators were leaning on Microsoft Teams impersonation to pose as internal support staff. The new QEMU layer shows the same pressure on defenders: attackers are pairing familiar social engineering with a hidden environment that many endpoint tools do not inspect. (reliaquest.com)
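The disguise BleepingComputer describes, virtual disks renamed to look like database and DLL files, is one thing a defender can hunt for directly: a file's extension can be changed, but the format header a hypervisor needs to open the disk cannot. The following script is an added example, not code from Sophos, Zscaler or any of the outlets cited above, and it does not reproduce the campaign's file names. It walks a directory, reads the first bytes of each file, and flags anything that carries a virtual-disk signature but does not have a disk-image extension. The sample tree it builds is constructed for the demonstration (a genuine SQLite file and PE stub beside two renamed disk images), and the magic-byte table covers the formats whose headers I am certain of; raw images have no header and fixed-size VHDs carry their signature only in the footer, so neither is caught by this check.

```python
import os
import tempfile
from pathlib import Path

# Leading bytes of common virtual-disk formats. QCOW2 is QEMU's native
# format; the others are listed because QEMU can boot them as well.
# Raw images have no signature and fixed-size VHDs keep "conectix" only
# in the trailing footer, so this table deliberately does not claim
# to find those.
DISK_IMAGE_MAGIC = {
    b"QFI\xfb": "qcow2",
    b"KDMV": "vmdk",
    b"conectix": "vhd (dynamic; header copy of the footer)",
    b"<<< Oracle VM VirtualBox Disk Image >>>": "vdi",
}

# Extensions under which a disk image is expected to appear; anything
# else with a matching signature is suspicious.
DISK_IMAGE_EXTENSIONS = {
    ".qcow2", ".qcow", ".img", ".vmdk", ".vhd", ".vhdx", ".vdi", ".raw",
}


def identify_disk_image(path):
    """Return the disk-image format name for `path`, or None if the
    file does not start with a known virtual-disk signature."""
    with open(path, "rb") as f:
        head = f.read(64)
    for magic, fmt in DISK_IMAGE_MAGIC.items():
        if head.startswith(magic):
            return fmt
    return None


def find_disguised_disk_images(root):
    """Walk `root` and return (path, extension, format) for every file
    whose content is a virtual disk but whose extension says otherwise."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                fmt = identify_disk_image(p)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if fmt and p.suffix.lower() not in DISK_IMAGE_EXTENSIONS:
                findings.append((str(p), p.suffix.lower(), fmt))
    return findings


def build_demo_tree():
    """Constructed sample directory (hypothetical names, no real
    malware): two honest files, two renamed disk images, and one
    correctly named image that should not be flagged."""
    root = Path(tempfile.mkdtemp(prefix="disk-image-hunt-"))
    pad = b"\x00" * 120
    # Genuine SQLite database: starts with its own header, not a disk signature.
    (root / "inventory.db").write_bytes(b"SQLite format 3\x00" + pad)
    # Genuine PE file stub: "MZ" header.
    (root / "helper.dll").write_bytes(b"MZ" + pad)
    # QCOW2 image renamed to look like a database (QFI\xfb + version 3).
    (root / "cache.db").write_bytes(b"QFI\xfb" + b"\x00\x00\x00\x03" + pad)
    # VMDK image renamed to look like a library.
    (root / "support.dll").write_bytes(b"KDMV" + pad)
    # Properly named image: signature matches extension, so not reported.
    (root / "disk.qcow2").write_bytes(b"QFI\xfb" + b"\x00\x00\x00\x03" + pad)
    return root


def demo():
    """Build the constructed tree, sweep it, and return the flagged
    file names in sorted order."""
    root = build_demo_tree()
    return sorted(Path(p).name for p, _, _ in find_disguised_disk_images(root))


if __name__ == "__main__":
    for name in demo():
        print("disguised disk image:", name)
```

Point `find_disguised_disk_images` at a real volume and the walk itself is cheap, since only 64 bytes are read per file; pair a hit with the process that holds the file open (a QEMU binary launched from a scheduled task, as in the campaign above) before treating it as an incident rather than a stray backup.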


Shared from Scout - Be the smartest in the room.