Payouts King ransomware uses QEMU VMs to bypass endpoint security.


Information

   QEMU (Quick Emulator) is an open-source software tool capable of both hardware emulation and virtualization. A QEMU virtual machine is a virtualized computing environment created within a physical computer; in essence, QEMU allows a system to simulate an entirely separate computer inside the same physical device.

   Inside this virtual machine, users can install and run operating systems such as Linux or Windows just as they would on a physical machine. The guest operating system runs independently from the host system, ensuring that processes within the VM do not directly interfere with the main environment.

Incident

  A recent report by BleepingComputer highlights a concerning evolution in ransomware tactics, as the Payouts King group adopts virtualization-based evasion techniques to bypass endpoint security controls. By leveraging the open-source emulator QEMU, attackers deploy hidden virtual machines (VMs) directly on compromised systems, creating an isolated execution environment for malicious operations.

   This approach allows threat actors to run their payloads, command-and-control (C2) communications, and data exfiltration activities entirely within the VM, effectively shielding them from host-based security tools such as EDR and antivirus solutions. Because these defenses typically lack deep visibility into virtualized environments running locally, the attackers can operate with minimal risk of detection over extended periods.

Picture 1 Payouts King ransomware extortion portal.


  The attack chain often begins with initial access through vulnerabilities in enterprise infrastructure, including VPN appliances and remote management tools, or through social engineering campaigns targeting employees. Once inside, the attackers install QEMU and deploy lightweight Linux-based virtual machines, commonly using Alpine Linux, preloaded with a suite of offensive tools such as tunneling utilities, remote access frameworks, and data harvesting scripts.

  A key component of this technique is the use of reverse SSH tunneling, which enables the VM to establish outbound connections to attacker-controlled servers, allowing remote control without requiring inbound connections that could raise suspicion. Additionally, attackers create scheduled tasks to ensure the VM is executed with SYSTEM-level privileges, maintaining persistence and resilience against system reboots or user intervention.

  Following successful deployment, attackers escalate privileges and access sensitive system data, including credential stores like NTDS.dit and SAM databases. The stolen data is then exfiltrated, after which the ransomware payload is executed to encrypt files using strong cryptographic algorithms such as AES-256 and RSA-4096, culminating in ransom demands.

Recommendation

  1. Detect and alert on the installation or execution of virtualization tools like QEMU on endpoints where such tools are not expected.
  2. Monitor for unusual outbound connections, especially reverse SSH tunnels or connections to unknown external servers. Analyze anomalies in ports, protocols, and traffic patterns.
  3. Monitor for unauthorized scheduled tasks, services, or registry changes that could indicate persistence.
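As an added example (not code from the original bulletin or from the BleepingComputer report), the following Python script turns the three recommendations above, together with the SYSTEM-level scheduled task and reverse SSH behaviour described in the Incident section, into hunting rules and runs them over a handful of constructed endpoint events. The event field names (host, event, image, cmdline, task_user, task_action, dest_ip, dest_port), the EXPECTED_QEMU_HOSTS allowlist and every sample value are assumptions made for illustration.

```python
"""Hunt for the QEMU-VM evasion pattern in endpoint telemetry.

Added example, not code from the original bulletin. Events are constructed
samples in a simplified dict shape (assumed field names: host, event, image,
cmdline, user, task_name, task_user, task_action, dest_ip, dest_port).
"""
import ipaddress
import re
from dataclasses import dataclass

# Any qemu-system-<arch> binary, wherever it sits on disk (Windows or Linux).
QEMU_REF = re.compile(r"qemu-system-[a-z0-9_]+(\.exe)?\b", re.I)

# Hosts where QEMU is legitimately installed (assumed allowlist; tune per fleet).
EXPECTED_QEMU_HOSTS = {"virt-lab-01"}

# RFC 1918 plus loopback; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

SYSTEM_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCALSYSTEM"}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(ev: dict) -> list[Finding]:
    """Apply the three recommendation-derived rules to one event."""
    out = []
    kind, host = ev.get("event"), ev.get("host", "?")

    # Rule 1: QEMU executed on an endpoint where it is not expected.
    if (kind == "process_create" and QEMU_REF.search(ev.get("image", ""))
            and host not in EXPECTED_QEMU_HOSTS):
        out.append(Finding(host, "qemu-on-unexpected-host", ev["image"]))

    # Rule 3: scheduled task that launches the VM as SYSTEM (persistence).
    if (kind == "task_create" and ev.get("task_user", "").upper() in SYSTEM_ACCOUNTS
            and QEMU_REF.search(ev.get("task_action", ""))):
        out.append(Finding(host, "system-task-launches-vm", ev.get("task_name", "?")))

    # Rule 2: with QEMU's user-mode networking the guest's egress surfaces on the
    # host as a connection made by the qemu-system process; SSH to an external
    # address from that process is the reverse-tunnel signature.
    if (kind == "network_connect" and QEMU_REF.search(ev.get("image", ""))
            and ev.get("dest_port") == 22 and not is_internal(ev["dest_ip"])):
        out.append(Finding(host, "vm-outbound-ssh", f"{ev['dest_ip']}:22"))
    return out


def hunt(events: list[dict]) -> list[Finding]:
    return [f for ev in events for f in evaluate(ev)]


# Constructed sample telemetry (203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = [
    # benign system activity on a workstation
    {"host": "ws-042", "event": "process_create",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "user": "NT AUTHORITY\\SYSTEM"},
    # QEMU launched headless on a workstation where it is not expected
    {"host": "ws-042", "event": "process_create",
     "image": r"C:\Users\Public\qemu\qemu-system-x86_64.exe",
     "cmdline": "qemu-system-x86_64.exe -m 512 -hda alpine.qcow2 -display none",
     "user": "NT AUTHORITY\\SYSTEM"},
    # scheduled task that restarts the VM as SYSTEM after reboot
    {"host": "ws-042", "event": "task_create", "task_name": "OneDriveUpdate",
     "task_user": "SYSTEM", "user": "CORP\\admin",
     "task_action": r"C:\Users\Public\qemu\qemu-system-x86_64.exe -hda alpine.qcow2 -display none"},
    # guest SSH traffic leaving through the qemu process to an external host
    {"host": "ws-042", "event": "network_connect",
     "image": r"C:\Users\Public\qemu\qemu-system-x86_64.exe",
     "dest_ip": "203.0.113.45", "dest_port": 22},
    # QEMU on the lab host where it is expected, talking to an internal box
    {"host": "virt-lab-01", "event": "process_create",
     "image": "/usr/bin/qemu-system-x86_64",
     "cmdline": "qemu-system-x86_64 -m 2048 -hda test.qcow2", "user": "labuser"},
    {"host": "virt-lab-01", "event": "network_connect",
     "image": "/usr/bin/qemu-system-x86_64",
     "dest_ip": "10.10.5.20", "dest_port": 22},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.rule}: {f.detail}")
```

Run against the samples, only the three events on ws-042 fire; the lab host is on the allowlist and its SSH stays internal. The network rule depends on the guest's traffic leaving through the qemu-system process itself, which is how QEMU's default user-mode networking behaves; if the VM is attached to a TAP or bridged interface the connection will not carry the qemu image name, and a network-level rule (unexpected outbound port 22 from a workstation) is the necessary complement.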

The important thing is the security of your systems. Keep monitoring them as usual.
For more information, please contact:
Email: sales@inetms.co.th
065 149 2822 (Ms.Suphatson )
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)
092 257 6902 (Ms.Narusorn)
063 197 7510 (Mr.Yanotai)
065 725 7405 (Ms.Nattharini)
065 725 7405 (Ms.Donraya)

References

Weekly Interesting CVE

1. CVE-2026-33105
   Published date: 02/04/2026 | Last update: 06/04/2026
   Device/Application/OS target: Microsoft Azure Kubernetes
   Attack type: Elevation of Privilege
   CVSS severity rating: 10.0
   Detail: Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network.
   Solution: The vulnerability documented by this CVE requires no customer action to resolve.
   Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33105

2. CVE-2026-40175
   Published date: 10/04/2026 | Last update: 10/04/2026
   Device/Application/OS target: Axios
   Attack type: Execute code
   CVSS severity rating: 10.0
   Detail: Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.0, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0.
   Solution: This vulnerability is fixed in version 1.15.0.
   Reference: https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx

3. CVE-2026-5731
   Published date: 07/04/2026 | Last update: 07/04/2026
   Device/Application/OS target: Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2
   Attack type: Memory Corruption
   CVSS severity rating: 9.8
   Detail: Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149.0.2, Firefox ESR < 115.34.1, Firefox ESR < 140.9.1, Thunderbird < 149.0.2, and Thunderbird < 140.9.1.
   Solution: Update to Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2 and Thunderbird 149.0.2.
   Reference: https://www.cvedetails.com/cve/CVE-2026-5731/

4. CVE-2026-25203
   Published date: 09/04/2026 | Last update: 13/04/2026
   Device/Application/OS target: Samsung MagicINFO 9
   Attack type: Privilege Escalation
   CVSS severity rating: 7.8
   Detail: Samsung MagicINFO 9 Server Incorrect Default Permissions Local Privilege Escalation Vulnerability. This issue affects MagicINFO 9 Server: less than 21.1091.1.
   Solution: Update to Samsung MagicINFO 9 Server 21.1091.1.
   Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-25203

5. CVE-2026-5893
   Published date: 08/04/2026 | Last update: 13/04/2026
   Device/Application/OS target: Google Chrome prior to 147.0.7727.55
   Attack type: Heap corruption
   CVSS severity rating: 6.8
   Detail: Race in V8 in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
   Solution: Update to Google Chrome 147.0.7727.55.
   Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-5893

Malware News or Campaign IOC/IOA | EN

1. Android banking trojan linked to forced labor scam compounds
   Detection date: 13/04/2026
   Attack type: Malware, Security Operations, Threat Intelligence
   Description:
   A report by Infoblox Threat Intel, cited by HackRead, reveals links between Southeast Asian scam operations using forced labor and an Android banking trojan targeting users in 21 countries.

   Research conducted with Chong Lua Dao found that trafficked victims are forced to support malware distribution by creating fake domains and luring users into installing malicious apps disguised as legitimate tools. Once installed, the malware can intercept SMS messages, bypass biometric authentication, and hijack financial transactions.

   The operation is run as a malware-as-a-service model, with infrastructure tied to locations such as K99 Triumph City, where victims are made to carry out phishing campaigns and assist in malware deployment.

   Mitigation/Remediation:
   • Install applications only from trusted sources
   • Keep systems and applications up to date
   • Strengthen user security awareness

   Ref: https://www.scworld.com/brief/android-banking-trojan-linked-to-forced-labor-scam-compounds

22 April 2026
