Sophos has published new details on two intrusion sets tied to the Payouts King ransomware operation that run full Alpine Linux virtual machines inside QEMU on victim Windows hosts to tunnel command-and-control traffic past endpoint security. Both campaigns land squarely in infrastructure defenders already own: one comes in through NetScaler appliances exposed to CitrixBleed 2, the other through social engineering and then persists as a scheduled task that boots a VM as SYSTEM. An EDR watching processes on the host is not watching what runs inside the guest, and that is the entire point.

The two campaigns

Sophos tracks the intrusions as STAC4713 and STAC3725. STAC4713 was first observed in November 2025 and is attributed to GOLD ENCOUNTER, a crew previously known for encrypting VMware ESXi hosts and now deploying the Payouts King locker. STAC3725 has been active since February 2026 and uses CitrixBleed 2 (CVE-2025-5777) against exposed NetScaler ADC and Gateway instances for initial access.

Payouts King itself emerged publicly in April 2025 and is widely believed to be run by former Black Basta affiliates. The initial-access playbook directly reuses Black Basta tradecraft: email spam-bombing, Microsoft Teams impersonation of IT staff, and abuse of Microsoft Quick Assist to seed the first remote-control session. A February intrusion attributed to GOLD ENCOUNTER instead came in through an exposed Cisco SSL VPN. The locker uses RSA plus AES-256, with stack-based string obfuscation, API and string hashing, and direct syscalls for process termination; large files get partial, block-based encryption (13 blocks, half of them encrypted) to speed up throughput.

How the QEMU VM pivots work

Once the operator has a foothold (a Quick Assist session, an installed ScreenConnect client, or a NetScaler compromised through CitrixBleed 2), they drop a QEMU package and launch it from a scheduled task named TPMProfiler running as SYSTEM. The qcow2 disk images are disguised on disk as database and DLL files. Inside the VM is Alpine Linux 3.22.0 pre-loaded with AdaptixC2, Chisel, BusyBox, and Rclone for staging and exfiltration. QEMU's usermode networking, which routes guest traffic out through the host's own network stack, is configured with port forwarding, and the guest runs a reverse SSH tunnel back out through the host, giving the operator interactive access to the internal network from a process tree the EDR cannot introspect.

In STAC3725 the post-access pattern is noisier but equally deliberate. After hitting NetScaler, the attackers drop a ZIP that installs a service called AppMgmt, creates a local administrator account named CtxAppVCOMService, and stands up a ScreenConnect client for persistence. Rather than shipping a canned toolkit, they manually install and compile Impacket, KrbRelayx, Coercer, BloodHound.py, NetExec, Kerbrute, and Metasploit inside the guest VM, again out of reach of host-based EDR.

Impact

The evasion model is the story. EDR agents can see a qemu-system-x86_64.exe process and, at the host network layer, the sockets that process opens, but they cannot inspect the guest filesystem, guest memory, or the processes behind that traffic. Defenders who rely on process allowlists, hash-based detections, or behavioral telemetry scoped to the host process tree will miss the actual C2, lateral movement, and exfiltration entirely. Any organization running NetScaler ADC or Gateway that has not patched CitrixBleed 2 should assume exposure. Quick Assist and ScreenConnect hygiene is also load-bearing: both are legitimate tools that double as Payouts King landing pads.

What to do now

  • Patch NetScaler ADC and Gateway against CVE-2025-5777; CitrixBleed 2 is being actively chained into STAC3725 intrusions.
  • Audit servers for unauthorized QEMU binaries and for qcow/qcow2 images, checking file headers rather than names: both formats begin with the magic bytes QFI followed by 0xfb, whatever extension (DB, DLL) the file has been given.
  • Hunt for scheduled tasks running as SYSTEM that launch emulators or interpreters. Sophos flags the name TPMProfiler explicitly, but the name will rotate; a SYSTEM-launched emulator is the durable signal.
  • Alert on outbound SSH and SSH port forwarding from Windows hosts, including on non-standard ports. A Windows server rarely has a legitimate reason to be a reverse-SSH client, and with QEMU usermode networking the host-side owner of that socket is the QEMU process itself, which is the indicator.
  • Review Quick Assist and ScreenConnect usage policies, and consider blocking Quick Assist outright where the helpdesk does not use it.
  • For Teams, enforce external federation controls so a spoofed "IT" account cannot start a chat with staff.
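The following Python is an added example, not Sophos' code or anything recovered from these intrusions. It makes concrete the two artefacts described under "How the QEMU VM pivots work" (usermode networking with host port forwarding, and qcow2 images wearing other extensions) and the audit and hunt items above: it identifies qcow/qcow2 images by header magic regardless of filename, and scores a process-creation record for a qemu-system-* launch by who started it, where the binary lives, whether the command line carries hostfwd rules, and whether its disk images carry a non-image extension. The file headers and Sysmon-style events are constructed; the Profiler directory, the .db/.dll filenames and the scoring heuristics are assumptions, not indicators published by Sophos.

```python
"""Hunt helpers for QEMU-inside-Windows. Added example; all inputs are constructed
in-line (bytes standing in for file headers, dicts for Sysmon Event ID 1 records)."""
import ntpath
import os
import re
import struct
from dataclasses import dataclass, field

# qcow (v1) and qcow2 (v2/v3) images start with "QFI\xfb" then a big-endian
# 32-bit version. Renaming the file to .db or .dll does not change this header.
QCOW_MAGIC = b"QFI\xfb"
IMAGE_EXTENSIONS = {".qcow", ".qcow2", ".img"}

# Heuristics over the QEMU command line (assumptions, not Sophos IOCs):
# hostfwd=PROTO:HOSTADDR:HOSTPORT-GUESTADDR:GUESTPORT rules and disk image paths.
HOSTFWD_RE = re.compile(r"hostfwd=(tcp|udp):([^:,\s]*):(\d+)-([^:,\s]*):(\d+)")
DISK_RE = re.compile(
    r'(?:-(?:hda|hdb|cdrom)\s+|-drive\s+(?:[^\s,]*,)*file=)(?:"([^"]+)"|([^\s",]+))'
)


def qcow_version(header: bytes):
    """Return 1, 2 or 3 for a qcow header, None for anything else."""
    if len(header) < 8 or header[:4] != QCOW_MAGIC:
        return None
    version = struct.unpack(">I", header[4:8])[0]
    return version if version in (1, 2, 3) else None


def is_masquerading_qcow(path: str, header: bytes) -> bool:
    """True when the bytes say 'disk image' but the extension does not."""
    ext = ntpath.splitext(path)[1].lower()  # ntpath: Windows paths parse on any OS
    return qcow_version(header) is not None and ext not in IMAGE_EXTENSIONS


def scan_directory(root: str):
    """Walk a real tree; return files whose header is qcow but extension is not."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(8)
            except OSError:
                continue
            if is_masquerading_qcow(path, head):
                hits.append(path)
    return hits


@dataclass
class Finding:
    image: str
    reasons: list = field(default_factory=list)
    hostfwd: list = field(default_factory=list)  # (proto, host_port, guest_port)
    disks: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def assess_process_event(ev: dict):
    """Score a process-creation record for a qemu-system-* launch; None if not QEMU."""
    image = ev["Image"]
    if not ntpath.basename(image).lower().startswith("qemu-system-"):
        return None
    cmd = ev.get("CommandLine", "")
    f = Finding(image)
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    if ev.get("User", "").upper().endswith("\\SYSTEM") and parent == "svchost.exe":
        f.reasons.append("launched as SYSTEM from svchost.exe (scheduled task or service)")
    if not image.lower().startswith("c:\\program files"):  # heuristic, not a rule
        f.reasons.append("binary outside Program Files")
    f.hostfwd = [(m.group(1), int(m.group(3)), int(m.group(5))) for m in HOSTFWD_RE.finditer(cmd)]
    if f.hostfwd:
        f.reasons.append(f"usermode networking with hostfwd rules {f.hostfwd}")
    f.disks = [m.group(1) or m.group(2) for m in DISK_RE.finditer(cmd)]
    odd = [d for d in f.disks if ntpath.splitext(d)[1].lower() not in IMAGE_EXTENSIONS]
    if odd:
        f.reasons.append(f"disk image with non-image extension: {odd}")
    if "-display none" in cmd or "-nographic" in cmd:
        f.reasons.append("headless VM")
    return f


SAMPLE_FILES = {  # constructed (path -> first 8 bytes); the Profiler directory is invented
    r"C:\ProgramData\Profiler\profiles.db": QCOW_MAGIC + struct.pack(">I", 3),
    r"C:\ProgramData\Profiler\vmsvc.dll": b"MZ\x90\x00\x03\x00\x00\x00",
    r"C:\ProgramData\App\cache.db": b"SQLite f",
    r"D:\vms\alpine.qcow2": QCOW_MAGIC + struct.pack(">I", 3),
}

SAMPLE_EVENTS = [  # constructed Sysmon-style process-creation records
    {"Image": r"C:\ProgramData\Profiler\qemu-system-x86_64.exe",
     "CommandLine": r'"C:\ProgramData\Profiler\qemu-system-x86_64.exe" -m 2048 '
                    r'-drive file=C:\ProgramData\Profiler\profiles.db,format=qcow2 '
                    r'-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0 -display none',
     "ParentImage": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",  # benign developer VM
     "CommandLine": r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 4096 -hda D:\vms\alpine.qcow2 -nic user',
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe"},
]


def scan_sample_files():
    return sorted(p for p, head in SAMPLE_FILES.items() if is_masquerading_qcow(p, head))


if __name__ == "__main__":
    print("masquerading images:", scan_sample_files())
    for event in SAMPLE_EVENTS:
        finding = assess_process_event(event)
        if finding:
            print(finding.score, finding.image, finding.reasons)
```

The score is deliberately additive rather than a single rule: a developer's QEMU in Program Files started interactively with a .qcow2 disk scores zero, while the constructed SYSTEM-launched, headless, hostfwd-forwarding VM booting from a ".db" scores on every check. Point scan_directory at ProgramData or a server's data volumes to run the header check against real files.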

If you spot the pattern after the fact, treat the host as fully compromised: the VM likely held domain credentials, Kerberos tickets, and exfiltrated data that never touched a host-level detection. Reset affected credentials, rotate service accounts, and review the BloodHound-style attack paths that may have been enumerated from inside the guest.

References

  • Sophos X-Ops writeup on STAC4713 / STAC3725 (via Bleeping Computer)
  • Zscaler ThreatLabz, Payouts King Takes Aim at the Ransomware Throne
  • NetScaler CitrixBleed 2 advisory — CVE-2025-5777