CP
cyberpings

Payouts King Ransomware - Abuses QEMU for Hidden VMs

Payouts King ransomware is exploiting QEMU to create hidden virtual machines and backdoors. This evasion tactic poses a significant risk to organizations. Enhanced monitoring is essential to combat these threats.

Malware & RansomwareHIGHUpdated: Published:
Featured image for Payouts King Ransomware - Abuses QEMU for Hidden VMs

Original Reporting

SCSC Media

AI Summary

CyberPings AI·Reviewed by Rohit Rana

🎯Basically, a type of ransomware is using a tool to hide its activities on computers.

What Happened

The Payouts King ransomware operation has adopted a sophisticated method of using the QEMU emulator to create hidden virtual machines (VMs) and establish backdoors on compromised systems. This approach allows attackers to bypass traditional endpoint security measures, making their malicious activities harder to detect.

How It Works

In two identified campaigns, the ransomware leverages QEMU to run hidden VMs that operate undetected within the host environment. The first campaign, linked to the GOLD ENCOUNTER threat group, utilizes QEMU to run an Alpine Linux VM as SYSTEM. This VM is equipped with tools aimed at credential harvesting and data exfiltration.

The second campaign exploits the CitrixBleed 2 vulnerability to gain access to systems. After breaching security, attackers deploy a QEMU VM with manually installed tools for reconnaissance and data staging. This clever use of virtualization technology enables attackers to execute malicious payloads while concealing sensitive data.

Who's Being Targeted

Organizations with exposed vulnerabilities, such as SonicWall VPNs and SolarWinds Web Help Desk, are particularly at risk. The attackers are gaining initial access through these vulnerabilities, leading to the establishment of hidden VMs that can operate without detection.

Signs of Infection

🔴

Unusual SSH activity

🟡

Unauthorized QEMU instances

Unauthorized QEMU instances running on systems

🟠

Suspicious scheduled tasks

Suspicious scheduled tasks that do not align with normal operations

How to Protect Yourself

Organizations should implement robust monitoring systems to detect unauthorized QEMU instances and unusual activities. Here are some recommended actions:

Detection

  • 1.Regularly audit systems for hidden VMs.
  • 2.Monitor SSH access logs for any irregularities.

Conclusion

The Payouts King ransomware's innovative use of QEMU demonstrates a shift in tactics among cybercriminals, emphasizing the need for enhanced security measures. By understanding these methods, organizations can better prepare and defend against such sophisticated attacks.

🔒 Pro Insight

🔒 Pro insight: The use of QEMU for stealth operations signifies a concerning evolution in ransomware tactics, necessitating advanced detection mechanisms.

SCSC Media
Read Original

Share

Related Pings

Preview image for Trojanized TestDisk Installer - Illicit ScreenConnect Deployment
Malware & Ransomware
HIGH

Trojanized TestDisk Installer - Illicit ScreenConnect Deployment

A trojanized TestDisk installer is being used to deploy ScreenConnect, allowing attackers remote access. This poses a significant risk of data theft and unauthorized control. Stay vigilant against such threats.

SCSC Media
Read PingRead Source
Preview image for Nexcorium - New Mirai Variant Launches DDoS Attacks
Malware & Ransomware
HIGH

Nexcorium - New Mirai Variant Launches DDoS Attacks

The Nexcorium variant of Mirai malware is exploiting vulnerabilities in TBK DVRs and TP-Link routers for DDoS attacks, highlighting the risks associated with unpatched IoT devices.

SASecurity Affairs+1 more
Read PingRead Source
Preview image for Gentlemen Ransomware - SystemBC Powers New Bot Attacks
Malware & Ransomware
HIGH

Gentlemen Ransomware - SystemBC Powers New Bot Attacks

A new investigation reveals that the Gentlemen ransomware is leveraging a SystemBC botnet of over 1,570 hosts for sophisticated attacks. This shift indicates a growing threat to corporate environments.

BCBleepingComputer
Read PingRead Source
Preview image for North Korea's ClickFix Targets macOS Users' Data
Malware & Ransomware
HIGH

North Korea's ClickFix Targets macOS Users' Data

North Korea's Sapphire Sleet is using ClickFix malware to target macOS users through fake job offers and Zoom updates. This poses a serious risk to user credentials and sensitive data. Stay vigilant and protect your information.

DRDark Reading
Read PingRead Source
Preview image for Automotive Ransomware Attacks - Doubling Threats in 2025
Malware & Ransomware
HIGH

Automotive Ransomware Attacks - Doubling Threats in 2025

Ransomware attacks on automotive companies have surged, now representing 44% of cyber incidents. This trend highlights the vulnerabilities in the sector's technology reliance. Companies must enhance their defenses to combat this growing threat.

IMInfosecurity Magazine
Read PingRead Source
Preview image for Attackers Exploit DVR Command Injection Flaw to Deploy Mirai Botnet
Malware & Ransomware
HIGH

Attackers Exploit DVR Command Injection Flaw to Deploy Mirai Botnet

A new malware campaign exploits a vulnerability in DVRs to deploy a Mirai-based botnet. This affects various architectures and poses significant risks. Enterprises must enhance IoT security to prevent widespread infections.

IMInfosecurity Magazine
Read PingRead Source