🔓 Breach Brief · 🟠 High · 🔍 ThreatIntel

Payouts King Ransomware Deploys QEMU Virtual Machines to Evade Endpoint Security

Payouts King ransomware is leveraging the open‑source QEMU emulator to spin up hidden Alpine Linux VMs on compromised hosts, enabling payload execution and data exfiltration while evading conventional endpoint detection. The intrusions begin with exposed VPN services and known CVEs in NetScaler and SolarWinds products, raising third‑party risk for organizations that rely on these services.

🛡️ LiveThreat™ Intelligence · 📅 April 18, 2026 · 📰 bleepingcomputer.com

Severity: High · Type: ThreatIntel · Confidence: High · Affected: 4 sector(s) · Actions: 4 recommended · Source: bleepingcomputer.com


What Happened – Researchers observed the Payouts King ransomware launching hidden QEMU virtual machines on compromised hosts. The VMs run as SYSTEM, host a reverse‑SSH tunnel, and allow the ransomware to execute payloads and exfiltrate data while evading traditional endpoint scanners.

Why It Matters for TPRM

  • The technique sidesteps endpoint detection, exposing any organization that relies on standard AV/EDR solutions.
  • Attackers leverage legitimate virtualization tools (QEMU) and common VPN exposures, widening the attack surface for third‑party vendors.
  • The approach demonstrates a supply‑chain‑style escalation: a single compromised vendor host can become a pivot that affects multiple downstream customers.

Who Is Affected – Enterprises using on‑premise or cloud‑based VPNs (SonicWall, Cisco SSL), NetScaler ADC/Gateway, SolarWinds Web Help Desk, and any environment where QEMU or other open‑source emulators are installed. Primary impact spans Technology/SaaS, Financial Services, Healthcare, and Manufacturing sectors.

Recommended Actions

  • Verify that endpoint protection solutions can inspect inside nested virtual machines or employ hypervisor‑level monitoring.
  • Harden VPN gateways: enforce MFA, restrict IP ranges, and patch known CVEs (CVE‑2025‑5777, CVE‑2025‑26399).
  • Conduct an inventory of QEMU/virtualization tools on critical assets and apply application‑allow‑list policies.
  • Review third‑party risk contracts for clauses requiring vendors to disclose use of virtualization tools that could be abused.

Technical Notes

  • Attack vector: Abuse of QEMU emulator to spin up hidden Alpine Linux VMs, reverse‑SSH tunneling, scheduled task “TPMProfiler”.
  • Exploited CVEs: CitrixBleed 2 (CVE‑2025‑5777) in NetScaler ADC/Gateway; SolarWinds Web Help Desk (CVE‑2025‑26399).
  • Data collected: NTDS.dit, SAM, SYSTEM hives via VSS and SMB copy; credential harvesting from domain controllers.
  • Tools inside VM: AdaptixC2, Chisel, BusyBox, Rclone, Havoc C2 payload (vcruntime140_1.dll).
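The Technical Notes above, together with the first and third recommended actions (inspect for hidden VMs, inventory QEMU on critical assets), reduce to a host-level hunt: flag QEMU processes launched as SYSTEM from user-writable paths with headless, port-forwarded guests, and flag scheduled tasks that carry the "TPMProfiler" name or launch QEMU. The script below is an added example, not code from the brief, from LiveThreat or from BleepingComputer's reporting. It assumes records shaped like Sysmon process-creation events (Image, CommandLine, User) and Windows scheduled-task registrations (TaskName, Action); the EventType and Computer fields, the hostnames, paths, users and command lines are all constructed for the example, and the "user-writable path" rule assumes a legitimate QEMU install lives under Program Files.

```python
"""
Hunting logic for the QEMU-as-SYSTEM evasion pattern described in this brief.

Added illustrative example, not code from the brief, LiveThreat or
BleepingComputer. Field names mirror Sysmon process-creation and Windows
scheduled-task records, but every sample value below is constructed.
"""
import json
import re
from typing import Iterable

# Indicators taken from the brief: QEMU launched as SYSTEM, a reverse-SSH tunnel
# hosted by the guest, and a scheduled task named "TPMProfiler".
QEMU_BINARY = re.compile(r"qemu-system-[a-z0-9_]+", re.IGNORECASE)
SYSTEM_USERS = {"NT AUTHORITY\\SYSTEM", "SYSTEM"}
TASK_WATCHLIST = {"tpmprofiler"}
# QEMU user-mode networking with hostfwd= exposes a guest port on the host; a
# guest-side reverse SSH tunnel needs some such path back to the network.
HOSTFWD = re.compile(r"hostfwd=", re.IGNORECASE)
DISK_IMAGE = re.compile(r"\.(qcow2|img|iso)\b", re.IGNORECASE)
# Assumption: a legitimate QEMU install lives under Program Files, not here.
USER_WRITABLE = re.compile(r"\\(Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
# Reasons that on their own justify a high-severity finding.
STRONG_REASONS = ("runs as SYSTEM", "binary in user-writable path", "scheduled task name")


def score_process_event(ev: dict) -> list[str]:
    """Reasons a process-creation record matches the pattern ([] = no match)."""
    image, cmd, user = ev.get("Image", ""), ev.get("CommandLine", ""), ev.get("User", "")
    if not QEMU_BINARY.search(image):
        return []
    reasons = ["qemu-system binary executed"]
    if user in SYSTEM_USERS:
        reasons.append("runs as SYSTEM")
    if DISK_IMAGE.search(cmd):
        reasons.append("boots a disk image")
    if HOSTFWD.search(cmd):
        reasons.append("user-mode NIC with host port forwarding")
    if USER_WRITABLE.search(image):
        reasons.append("binary in user-writable path")
    return reasons


def score_task_event(ev: dict) -> list[str]:
    """Reasons a scheduled-task registration record matches the pattern."""
    reasons = []
    name = ev.get("TaskName", "")
    if name.strip("\\").lower() in TASK_WATCHLIST:
        reasons.append(f"scheduled task name on watchlist: {name}")
    if QEMU_BINARY.search(ev.get("Action", "")):
        reasons.append("scheduled task launches QEMU")
    return reasons


def severity(reasons: list[str]) -> str:
    """High if any strong reason is present, otherwise low (review manually)."""
    return "high" if any(r.startswith(s) for r in reasons for s in STRONG_REASONS) else "low"


def hunt(events: Iterable[dict]) -> list[dict]:
    """Run both scorers over a stream of records and return the findings."""
    findings = []
    for ev in events:
        kind = ev.get("EventType")
        reasons = (score_process_event(ev) if kind == "ProcessCreate"
                   else score_task_event(ev) if kind == "TaskRegistered" else [])
        if reasons:
            findings.append({"host": ev.get("Computer"), "type": kind,
                             "severity": severity(reasons), "reasons": reasons})
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {   # Hidden VM launched as SYSTEM from ProgramData, headless, guest SSH forwarded
        "EventType": "ProcessCreate", "Computer": "WS-EXAMPLE-01",
        "User": "NT AUTHORITY\\SYSTEM",
        "Image": r"C:\ProgramData\TPM\qemu-system-x86_64.exe",
        "CommandLine": ("qemu-system-x86_64.exe -m 2048 -hda alpine.qcow2 -display none "
                        "-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0"),
    },
    {   # Ordinary service host: no QEMU involvement, must not fire
        "EventType": "ProcessCreate", "Computer": "WS-EXAMPLE-01",
        "User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": "svchost.exe -k netsvcs",
    },
    {   # Developer running QEMU interactively from its normal install path
        "EventType": "ProcessCreate", "Computer": "DEV-EXAMPLE-02",
        "User": "CORP\\dev.user", "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
        "CommandLine": "qemu-system-x86_64.exe -m 4096 -hda devbox.qcow2",
    },
    {   # Persistence: scheduled task carrying the name given in the brief
        "EventType": "TaskRegistered", "Computer": "WS-EXAMPLE-01",
        "TaskName": "\\TPMProfiler",
        "Action": r"C:\ProgramData\TPM\qemu-system-x86_64.exe -hda alpine.qcow2 -display none",
    },
]

if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_EVENTS), indent=2))
```

On the constructed sample the hunt produces three findings: the SYSTEM-launched, port-forwarded VM from ProgramData (high), the developer's interactive QEMU (low, so it surfaces for review rather than alerting), and the TPMProfiler task registration (high). The two-tier severity is the point: an allow-list policy on QEMU (the third recommended action) removes the low-tier noise by making any QEMU execution outside the approved path a finding in itself.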

Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/payouts-king-ransomware-uses-qemu-vms-to-bypass-endpoint-security/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
