Tech News

Payouts King ransomware uses QEMU VMs to bypass endpoint security

Why This Matters

Payouts King's use of QEMU virtual machines to sidestep endpoint security shows attackers moving their tooling into an environment the host's security software cannot inspect: the host EDR sees a QEMU process, but the guest's disk image, the payloads it runs and the SSH tunnel it opens are opaque to it. Organizations that rely on endpoint protection alone should treat unexpected emulator or hypervisor launches on servers and workstations as suspicious, and pair endpoint telemetry with network monitoring for the tunnels these hidden VMs create.

Key Takeaways

The Payouts King ransomware is using the QEMU emulator to run hidden virtual machines on compromised systems; the guest VM acts as a reverse SSH backdoor, letting the attackers bypass endpoint security on the host.

QEMU is an open-source CPU emulator and system virtualization tool that allows users to run operating systems on a host computer as virtual machines (VMs).

Because security solutions on the host cannot see inside a guest VM, attackers use the guest to execute payloads, stage malicious files, and open covert remote-access tunnels over SSH.

For these reasons, QEMU has been abused in past operations by multiple threat actors, including the 3AM ransomware group, the LoudMiner cryptomining campaign, and the ‘CRON#TRAP’ phishing campaign.

Researchers at cybersecurity company Sophos documented two campaigns in which attackers deployed QEMU as part of their toolset to maintain access and to collect domain credentials.

One campaign that Sophos tracks as STAC4713 was first observed in November 2025 and has been linked to the Payouts King ransomware operation.

The other, tracked as STAC3725, was spotted in February this year and exploits the CitrixBleed 2 vulnerability (CVE‑2025‑5777) in Citrix NetScaler ADC and Gateway instances.

Running Alpine Linux VMs

Researchers note that the threat actors behind the STAC4713 campaign are associated with the GOLD ENCOUNTER threat group, which is known for targeting hypervisors and for deploying encryptors built for VMware ESXi environments.

According to Sophos, the attackers create a scheduled task named ‘TPMProfiler’ that launches a hidden QEMU VM with SYSTEM privileges.
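The points above (a guest VM the host cannot scan, launched from a scheduled task as SYSTEM) translate directly into a hunting rule over process-creation telemetry. The following is an added example written for this page, not Sophos' or the article's code, and not the attackers' actual command line. It scores Sysmon-style process-creation records for the traits of a hidden QEMU VM: a headless display, a port forwarded into the guest, SYSTEM privileges, a scheduled-task parent, and a binary outside the normal install directory. It also catches a renamed QEMU binary by recognising QEMU-only options on the command line. The sample events, file paths and arguments are constructed for illustration; only the task name TPMProfiler comes from the report. The weights and threshold are assumptions to tune per environment.

```python
"""Hunt process-creation events for QEMU launches that look like a hidden VM.

Added example, not Sophos' or the article's code. Scoring weights are
illustrative heuristics; tune them to your environment.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / EDR telemetry)."""
    image: str          # full path of the new process
    command_line: str
    user: str
    parent_image: str


# Constructed sample telemetry. Paths and arguments are invented for the
# example; only the task name TPMProfiler comes from the Sophos report.
SAMPLE_EVENTS = [
    ProcEvent(  # hidden VM started by a scheduled task as SYSTEM
        image=r"C:\ProgramData\TPMProfiler\qemu-system-x86_64.exe",
        command_line=(r"qemu-system-x86_64.exe -m 512 -display none "
                      r"-drive file=C:\ProgramData\TPMProfiler\alpine.qcow2,format=qcow2 "
                      r"-netdev user,id=n0,hostfwd=tcp:127.0.0.1:2222-:22 "
                      r"-device e1000,netdev=n0"),
        user=r"NT AUTHORITY\SYSTEM",
        parent_image=r"C:\Windows\System32\svchost.exe"),   # Schedule service host
    ProcEvent(  # developer running QEMU interactively: should not fire
        image=r"C:\Program Files\qemu\qemu-system-x86_64.exe",
        command_line=r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 2048 -display gtk -cdrom ubuntu.iso',
        user=r"CORP\jdoe",
        parent_image=r"C:\Windows\System32\cmd.exe"),
    ProcEvent(  # QEMU renamed to blend in; the command line still carries QEMU-only options
        image=r"C:\Users\Public\tpmprofiler.exe",
        command_line=(r"tpmprofiler.exe -m 256 -nographic -drive file=C:\Users\Public\disk.img "
                      r"-netdev user,id=n0 -device virtio-net,netdev=n0"),
        user=r"NT AUTHORITY\SYSTEM",
        parent_image=r"C:\Windows\System32\svchost.exe"),
    ProcEvent(  # unrelated SYSTEM process: should not fire
        image=r"C:\Windows\System32\svchost.exe",
        command_line="svchost.exe -k netsvcs -p",
        user=r"NT AUTHORITY\SYSTEM",
        parent_image=r"C:\Windows\System32\services.exe"),
]

QEMU_SYSTEM_BINARY = re.compile(r"qemu-system-[\w-]+\.exe$", re.IGNORECASE)
# Options that, taken together, identify a QEMU command line even when the
# executable has been renamed.
QEMU_OPTIONS = {"-netdev", "-device", "-drive", "-hda", "-cdrom", "-accel",
                "-machine", "-qmp", "-snapshot", "-display", "-nographic", "-enable-kvm"}
HEADLESS_FLAGS = ("-display none", "-nographic", "-daemonize", "-vnc none")
TASK_HOSTS = {"svchost.exe", "taskeng.exe"}   # parents of scheduled-task launches
TRUSTED_DIRS = (r"c:\program files\qemu", r"c:\program files (x86)\qemu")  # assumed install paths


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_qemu_launch(ev: ProcEvent) -> bool:
    """True for a qemu-system-* binary, or any binary passing >= 2 QEMU-only options."""
    if QEMU_SYSTEM_BINARY.search(ev.image):
        return True
    opts = {tok.lower() for tok in ev.command_line.split() if tok.startswith("-")}
    return len(opts & QEMU_OPTIONS) >= 2


def score(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (risk score, reasons). Weights are illustrative."""
    if not is_qemu_launch(ev):
        return 0, []
    cl = ev.command_line.lower()
    checks = [
        (3, "QEMU options under a non-QEMU binary name", not QEMU_SYSTEM_BINARY.search(ev.image)),
        (2, "headless VM (no display)", any(f in cl for f in HEADLESS_FLAGS)),
        (2, "host port forwarded into guest (hostfwd)", "hostfwd=" in cl),
        (1, "guest has NAT network access (-netdev user)", "-netdev user" in cl),
        (2, "runs as SYSTEM", basename(ev.user) == "system"),
        (1, "spawned by scheduled-task host", basename(ev.parent_image) in TASK_HOSTS),
        (1, "binary outside the standard install directory",
         not ev.image.lower().startswith(TRUSTED_DIRS)),
    ]
    hits = [(w, why) for w, why, ok in checks if ok]
    return sum(w for w, _ in hits), [why for _, why in hits]


def hunt(events, threshold: int = 4) -> list[tuple[str, int, list[str]]]:
    """Events whose score reaches the threshold, highest score first."""
    findings = []
    for ev in events:
        s, reasons = score(ev)
        if s >= threshold:
            findings.append((ev.image, s, reasons))
    return sorted(findings, key=lambda f: -f[1])


if __name__ == "__main__":
    for image, s, reasons in hunt(SAMPLE_EVENTS):
        print(f"[{s}] {image}\n    " + "\n    ".join(reasons))
```

Run against the constructed sample, the rule fires on the scheduled-task VM and on the renamed binary while the interactive developer session and the ordinary svchost.exe stay quiet. The renamed-binary check matters because the host EDR cannot look inside the guest: the only host-side artefacts are the emulator process, its command line, its parent and the disk image it opens, so the rule should not depend on the file name alone.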
