Situation
A ransomware group called Payouts King — assessed by Zscaler ThreatLabz as tied to former BlackBasta affiliates — has deployed a materially new technique for defeating endpoint detection: installing the legitimate QEMU hypervisor on a compromised Windows machine and running a fully functional Linux virtual machine inside it. The attacker’s tools run entirely within this hidden VM, where Windows endpoint security agents have no visibility. Credential theft, lateral movement, and data exfiltration all occur in a blind spot that the host’s endpoint protection cannot inspect.
Sophos documented the campaign (tracked as STAC4713, attributed to the GOLD ENCOUNTER group) beginning in November 2025. BleepingComputer published the detailed technical breakdown on 17 April 2026, making this a live, active threat.
Business Impact
Payouts King’s technique creates a direct gap between an organisation’s endpoint security investment and its actual detection capability. An organisation may have best-of-breed EDR deployed on every Windows host and still be unable to detect the attacker’s credential theft or data exfiltration if that activity occurs within a QEMU VM on the same machine.
The attack sequence after initial access is:
- QEMU VM deployed silently with a disguised scheduled task
- Active Directory credentials extracted (NTDS.dit copy via VSS and SMB)
- Domain-wide credential access achieved through offline hash cracking
- Sensitive data exfiltrated via Rclone inside the VM to cloud storage
- Ransomware deployed to Windows hosts and ESXi hypervisors
This is a double-extortion operation: data is stolen before encryption, giving the group leverage to publish stolen data publicly if the ransom is not paid, independently of whether the encryption is remediated from backups.
Immediate Actions Required
- Patch initial access vectors: SonicWall VPN appliances and SolarWinds Web Help Desk (CVE-2025-26399) are confirmed entry points. Confirm both are on current firmware and patch levels.
- Alert on QEMU in non-standard paths: Create detection rules for qemu-system-x86_64.exe or qemu-img.exe executing from user-writable directories (AppData, Temp, ProgramData). QEMU is a legitimate tool — flag unexpected execution locations, not the binary itself.
- Alert on a scheduled task named TPMProfiler: This is the specific task name used in known Payouts King deployments. Its presence is a high-confidence indicator.
- Monitor for shadow copy creation outside backup windows: vssuirun.exe activity not initiated by approved backup software warrants immediate investigation — this is the credential theft precursor.
- Add network-layer detection: Look for SSH outbound connections (TCP 22) from processes that are not expected SSH clients, and for unusual cloud storage upload traffic (Rclone targets AWS S3, Azure Blob, Google Cloud Storage, and similar).
- Assess ESXi exposure: Payouts King deploys ESXi-specific encryptors. ESXi management interfaces should not be reachable from standard enterprise segments; confirm firewall segmentation is in place.
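As an added detection example (not code from the original advisory or any vendor): Python rules that apply three of the host-side indicators above, the QEMU path check, the TPMProfiler task name and vssuirun.exe with an unapproved parent, to constructed Sysmon-style process-creation records. The approved backup agent path and the sample events are assumptions, and the task check keys on the schtasks.exe command line rather than a task-creation audit event.

```python
import re

# Constructed Sysmon Event ID 1 style process-creation records (not real telemetry).
EVENTS = [
    {"Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": ""},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\qemu-system-x86_64.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": ""},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /tn "TPMProfiler" /tr C:\ProgramData\x\run.bat /sc onstart'},
    {"Image": r"C:\Windows\System32\vssuirun.exe",
     "ParentImage": r"C:\Program Files\ExampleBackup\agent.exe", "CommandLine": ""},
    {"Image": r"C:\Windows\System32\vssuirun.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": ""},
]

QEMU_BINARIES = {"qemu-system-x86_64.exe", "qemu-img.exe"}
# User-writable locations named in the advisory; matched case-insensitively on the path.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData)\\", re.IGNORECASE)
# Assumed allow-list of backup agents permitted to invoke vssuirun.exe (placeholder path).
APPROVED_BACKUP_PARENTS = {r"c:\program files\examplebackup\agent.exe"}
# Task name from the advisory, as it appears on a schtasks /create command line.
TASK_NAME_RE = re.compile(r'/tn\s+"?TPMProfiler"?', re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of rule names the event triggers (empty if benign)."""
    hits = []
    image, parent, cmd = event["Image"], event["ParentImage"], event["CommandLine"]
    if basename(image) in QEMU_BINARIES and USER_WRITABLE.search(image):
        hits.append("qemu_in_user_writable_path")
    if basename(image) == "schtasks.exe" and TASK_NAME_RE.search(cmd):
        hits.append("scheduled_task_tpmprofiler")
    if basename(image) == "vssuirun.exe" and parent.lower() not in APPROVED_BACKUP_PARENTS:
        hits.append("vssuirun_unapproved_parent")
    return hits


def scan(events):
    """Run every rule over every event; returns (rule, image) pairs for triage."""
    return [(rule, e["Image"]) for e in events for rule in evaluate(e)]


if __name__ == "__main__":
    for rule, image in scan(EVENTS):
        print(f"{rule}: {image}")
```

The QEMU rule fires only on the copy under AppData, not the one under Program Files, which is the distinction the advisory asks for.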
For Board or Executive Briefing
A criminal group with connections to the BlackBasta ransomware operation has developed a technique that defeats a significant portion of our endpoint security investment by running their attack tools inside a hidden virtual machine that security software cannot inspect. We are putting in place detection controls that look for the specific indicators this technique leaves behind — scheduled task creation, virtual machine installation, and network traffic patterns. The attack chain, if not caught early, leads to both full data theft and encryption of servers. Our focus is on detecting the precursor activities before the ransomware deploys.