Ransomware Group Payouts King Deploys QEMU Virtual Machines to Evade Security Defenses
AI-generated from multiple sources. Verify before acting on this reporting.
LONDON (AP) — The Payouts King ransomware group has adopted a new technique to bypass endpoint security solutions, utilizing QEMU virtual machines to establish covert remote access tunnels on compromised systems.
Security researchers identified the method on April 17, 2026, noting that the group is leveraging the open-source emulator to execute payloads and store malicious files without triggering traditional detection mechanisms. The technique allows attackers to create isolated environments within victim networks, effectively shielding their operations from standard security monitoring tools.
Payouts King, a known ransomware-as-a-service operation, has been linked to the GOLD ENCOUNTER threat group and to former affiliates of the Black Basta campaign. The group's shift toward QEMU-based evasion marks a significant evolution in its operational tactics, moving beyond standard encryption and data exfiltration methods.
By embedding QEMU virtual machines within compromised systems, Payouts King can maintain persistent access while avoiding detection by endpoint protection platforms. The virtual machine acts as a sandboxed layer: the host's security agent sees only a legitimate, often signed, emulator process, while the code running inside the guest is opaque to it. This approach complicates forensic analysis and delays incident response efforts.
The technique has been observed across multiple global targets, though no specific countries or industries have been publicly identified. Experts warn that the use of QEMU in this context represents a growing trend among advanced threat actors seeking to outpace defensive measures.
Payouts King’s adoption of QEMU aligns with broader patterns seen in recent ransomware campaigns, where attackers increasingly rely on virtualization to mask their activities. The group’s ability to deploy these virtual machines suggests a high level of technical sophistication and access to specialized tools.
Cybersecurity firms are urging organizations to update their detection rules and to monitor for unusual virtualization activity, such as emulator binaries appearing on systems with no business need for them or being launched with headless and network-forwarding options. The emergence of QEMU-based attacks underscores the need for enhanced visibility into system processes and memory usage.
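As an added illustration of the detection advice above (this is example code written for this page, not material from the article or from any vendor it cites), the script below scores process-creation events for QEMU launches that look like covert use rather than ordinary development or virtualization. It goes beyond the article, which names no specific options, by treating real QEMU command-line flags as indicators: `-netdev user,...,hostfwd=` (a listening port on the host forwarded into the guest), `restrict=off`, `-nographic`/`-display none`, and `-snapshot`. The approved install directories, the weights, and the four sample events (Sysmon-style fields such as `Image`, `OriginalFileName` and `CommandLine`) are all constructed assumptions to be tuned per estate.

```python
"""Score process-creation events for suspicious QEMU launches.

Added example for this page; indicator weights and approved paths are
assumptions, and SAMPLE_EVENTS are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Where QEMU is legitimately installed in this (hypothetical) estate.
APPROVED_QEMU_DIRS = ("c:\\program files\\qemu\\", "/usr/bin/", "/usr/libexec/")

# Matches the stock binary names (qemu-system-x86_64, qemu-system-i386.exe, ...).
QEMU_NAME_RE = re.compile(r"^qemu-system-[a-z0-9_]+(\.exe)?$", re.IGNORECASE)

# Real QEMU options that matter to a defender, with an assumed weight and a reason.
CMDLINE_INDICATORS = [
    (re.compile(r"-netdev\s+user\S*hostfwd=", re.I), 3,
     "user-mode NIC with host port forward (listening tunnel endpoint on the host)"),
    (re.compile(r"-netdev\s+user\S*restrict=off", re.I), 1,
     "explicitly unrestricted user-mode networking"),
    (re.compile(r"-(nographic|display\s+none)\b", re.I), 1,
     "headless guest with no console for an interactive user"),
    (re.compile(r"-snapshot\b", re.I), 1,
     "disk writes discarded on exit (hampers forensics)"),
]


def _basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


@dataclass
class Finding:
    process_id: int
    image: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def analyze_event(event: Dict[str, object]) -> Optional[Finding]:
    """Return a Finding for any QEMU launch (score 0 = benign-looking), else None."""
    image = str(event.get("Image", ""))
    original = str(event.get("OriginalFileName", ""))
    image_is_qemu = bool(QEMU_NAME_RE.match(_basename(image)))
    # OriginalFileName comes from the PE version resource, so a renamed copy still shows up.
    original_is_qemu = bool(QEMU_NAME_RE.match(original))
    if not (image_is_qemu or original_is_qemu):
        return None
    finding = Finding(process_id=int(event["ProcessId"]), image=image)
    if original_is_qemu and not image_is_qemu:
        finding.score += 3
        finding.reasons.append(f"QEMU binary renamed to {_basename(image)!r}")
    if not image.lower().startswith(APPROVED_QEMU_DIRS):
        finding.score += 2
        finding.reasons.append("QEMU launched from outside an approved install directory")
    cmdline = str(event.get("CommandLine", ""))
    for pattern, weight, why in CMDLINE_INDICATORS:
        if pattern.search(cmdline):
            finding.score += weight
            finding.reasons.append(why)
    return finding


def triage(events: List[Dict[str, object]], threshold: int = 3) -> List[Finding]:
    """Keep only QEMU launches whose accumulated score reaches the threshold."""
    hits = []
    for ev in events:
        finding = analyze_event(ev)
        if finding is not None and finding.score >= threshold:
            hits.append(finding)
    return hits


# Constructed sample events (Sysmon-like field names), not real data.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"ProcessId": 3312, "Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "OriginalFileName": "qemu-system-x86_64.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "qemu-system-x86_64.exe -m 4096 -hda dev.qcow2 -display gtk"},
    {"ProcessId": 4120, "Image": r"C:\Users\Public\Music\qemu-system-i386.exe",
     "OriginalFileName": "qemu-system-i386.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "qemu-system-i386.exe -m 64 -nographic "
                    "-netdev user,id=n0,restrict=off,hostfwd=tcp::2222-:22 "
                    "-device e1000,netdev=n0 -snapshot -hda tiny.qcow2"},
    {"ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"ProcessId": 5508, "Image": r"C:\ProgramData\svc\updater.exe",
     "OriginalFileName": "qemu-system-x86_64.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "updater.exe -m 128 -display none "
                    "-netdev user,id=n0,hostfwd=tcp::4444-:80 "
                    "-device virtio-net-pci,netdev=n0 -drive file=d.qcow2"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"PID {hit.process_id} score={hit.score} {hit.image}")
        for reason in hit.reasons:
            print(f"  - {reason}")
```

The first event (a developer running QEMU from its installed location with a display) scores 0 and is dropped; the two hits are the copy in a user-writable directory and the renamed binary, both launched headless with a host port forwarded into the guest. Matching on `OriginalFileName` as well as the image path is the important design choice: a renamed emulator defeats a name-only rule, and a hash-based allowlist of known QEMU builds would tighten this further.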
As of now, no major organizations have publicly confirmed incidents involving this specific technique. However, the potential for widespread adoption remains a concern among security professionals. The group’s continued evolution poses challenges for defenders attempting to stay ahead of emerging threats.
The full scope of Payouts King’s operations using QEMU remains unclear. Investigators are working to determine how many systems have been compromised and whether the technique has been shared with other threat actors. Further analysis is expected to reveal additional details about the group’s infrastructure and targeting strategy.
With ransomware groups continuously refining their methods, the cybersecurity community faces an ongoing battle to adapt to new evasion techniques. The deployment of QEMU by Payouts King highlights the dynamic nature of modern cyber threats and the importance of proactive defense strategies.