Payouts King
Payouts King is a ransomware family/group first observed in April 2025, with increased activity reported in early 2026. Multiple reports link it with high confidence to former BlackBasta affiliates, and some reporting associates the operation with the GOLD ENCOUNTER threat group. Its intrusion tradecraft overlaps with BlackBasta, including spam bombing, Microsoft Teams social engineering in which operators impersonate IT staff, and abuse of Quick Assist for remote access. Additional initial access observed in reporting includes exposed SonicWall VPNs, Cisco SSL VPNs, exploitation of SolarWinds Web Help Desk CVE-2025-26399, and broader vulnerability abuse; one related campaign also used CitrixBleed 2 (CVE-2025-5777) against NetScaler ADC/Gateway.
After access is established, operators deploy malware to gain a foothold, attempt privilege escalation, steal large volumes of sensitive data, and selectively encrypt files. Payouts King supports persistence and elevation through scheduled tasks, including tasks masquerading under Mozilla paths and, in one Sophos-tracked intrusion, a SYSTEM-level task named TPMProfiler used to launch a hidden QEMU virtual machine. The malware and associated intrusions emphasize defense evasion: runtime/stack-based string decryption, API resolution by hash, custom checksum/CRC-based obfuscation, direct system calls resolved from ntdll exports to bypass EDR hooks, and process termination logic targeting a hardcoded list of 131 AV/EDR-related processes. Post-encryption cleanup includes deleting shadow copies, clearing Windows event logs, and emptying the recycle bin.
A notable tradecraft feature associated with Payouts King is abuse of QEMU to run hidden Alpine Linux virtual machines on compromised hosts. Reporting states the operators used QEMU as a reverse SSH backdoor and covert execution environment, with disguised virtual disk files, port forwarding, and outbound SSH tunneling. Tools observed in these hidden VMs or related activity include AdaptixC2, Chisel, BusyBox, Rclone, Havoc, ScreenConnect, and manually compiled post-exploitation tooling such as Impacket, KrbRelayx, Coercer, BloodHound.py, NetExec, Kerbrute, and Metasploit. Observed objectives included credential harvesting, Active Directory reconnaissance, copying NTDS.dit/SAM/SYSTEM hives, and staging/exfiltrating data to SFTP or FTP destinations.
For encryption, Payouts King uses AES-256 in CTR mode with RSA-4096 protection for per-file encryption material, reportedly via a statically linked OpenSSL library. Files smaller than roughly 10 MB are fully encrypted; larger files are partially encrypted in 13 blocks to improve speed. Encrypted files are renamed with the .ZWIAAW extension. The ransom note is readme_locker.txt, and reporting states it is written when the -note parameter is supplied. The note directs victims to contact the operators via TOX and references a Tor-based dark web leak site used to pressure victims with publication of stolen data. Reported SHA-256 samples include 335ad12a950f885073acdfebb250c93fb28ca3f374bbba5189986d9234dcbff4 and d68ce82e82801cd487f9cd2d24f7b30e353cafd0704dcdf0bb8f12822d4227c2.
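The intermittent-encryption scheme above leaves a recognisable footprint: islands of near-random bytes inside otherwise low-entropy content. As an added example, not code from the page or from any vendor report, this Python triage helper scans a file in fixed chunks, computes per-chunk Shannon entropy, and labels the file plain, partially or fully encrypted; the chunk size, the entropy threshold, and the constructed sample builder are assumptions, since the page states the 13-block scheme but not the offsets it uses.

```python
import math
import random
from collections import Counter

HIGH_ENTROPY = 7.0        # bits per byte; ciphertext and compressed data sit near 8.0
CHUNK = 4096              # scan granularity (assumed), not the malware's block size

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(data: bytes, chunk: int = CHUNK) -> list[float]:
    """Per-chunk entropy in file order; ciphertext islands show up as spikes."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]

def classify(data: bytes, chunk: int = CHUNK) -> str:
    """Return 'plain', 'partial' or 'full' from the share of high-entropy chunks.

    The malware's exact block placement is not given on the page, so the
    verdict keys on the fraction of hot chunks rather than on fixed offsets."""
    profile = entropy_profile(data, chunk)
    if not profile:
        return "plain"
    hot = sum(e >= HIGH_ENTROPY for e in profile) / len(profile)
    if hot >= 0.9:
        return "full"
    return "partial" if hot > 0 else "plain"

def make_sample(kind: str, size: int, blocks: int = 13, seed: int = 1) -> bytes:
    """Constructed test data: repetitive text with none, 13 evenly spaced, or all
    chunks replaced by pseudo-random bytes standing in for AES-CTR output."""
    rng = random.Random(seed)
    text = (b"quarterly report draft - confidential\n" * (size // 38 + 1))[:size]
    if kind == "plain":
        return text
    if kind == "full":
        return rng.randbytes(size)
    buf = bytearray(text)
    stride = size // blocks
    for b in range(blocks):                       # one random island per stride,
        off = (b * stride // CHUNK) * CHUNK       # kept chunk-aligned for clarity
        buf[off:off + CHUNK] = rng.randbytes(CHUNK)
    return bytes(buf)

if __name__ == "__main__":
    for kind in ("plain", "partial", "full"):
        sample = make_sample(kind, 256 * 1024)
        print(kind, "->", classify(sample), "peak %.2f" % max(entropy_profile(sample)))
```

On real evidence, feed the bytes of a suspect file to `classify` and compare the verdict with the size rule the page states (under roughly 10 MB should read as fully encrypted, above it as partial).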
Vulnerabilities exploited
2 CVEs correlated with this family across public research and vendor advisories.
The second campaign exploits the CitrixBleed 2 vulnerability to gain access, subsequently deploying a QEMU VM with manually installed tools for reconnaissance and data staging.
The Payouts King ransomware is using the QEMU emulator as a reverse SSH backdoor to run hidden virtual machines on compromised systems and bypass endpoint security.
Groups observed using it
3 distinct threat actors attributed by public researchers.
A new ransomware group known as Payouts King has quietly been building a reputation since it first appeared in April 2025.
The Payouts King ransomware, associated with a threat actor group (GOLD ENCOUNTER, with links to former BlackBasta affiliates), demonstrates a clear advancement toward virtualization-based evasion and covert execution strategies.
A relatively unknown ransomware group called Payouts King has emerged as a serious cybersecurity threat... Once a foothold is established on the victim’s network, Payouts King deploys its ransomware payload, steals large volumes of sensitive data, and then selectively encrypts files.
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique
The technique of spam bombing combined with phishing and vishing continues to be an effective technique...
Initial Access
3 techniques
The Payouts King ransomware... exhibits maturity through diverse initial access methods (including VPN exploitation, social engineering via Microsoft Teams, and vulnerability abuse)...
Execution
3 techniques
If the -nopersist parameter is not passed on the command-line, persistence is established using scheduled tasks... If the -noelevate parameter is not specified, Payouts King will schedule another task to elevate privileges and run as the SYSTEM user...
The code then calls CreateProcess to launch cmd.exe without any arguments and redirects standard input and output to one end of the pipe. The ransomware code then writes the commands to the other end of the cmd.exe pipe...
However, instead of using standard Windows API calls, the ransomware uses low-level direct system calls to evade antivirus and EDR hooks.
Persistence
3 techniques
Privilege Escalation
2 techniques
Stealth
6 techniques
It builds and decrypts strings on the fly rather than storing them as readable text, making static analysis much harder.
It also resolves Windows functions using hash values instead of plain names, and applies a custom checksum algorithm with a unique seed per value, defeating tools that rely on pre-built hash tables to identify malware.
It attempts to gain full system-level privileges, deletes Windows shadow copies to block recovery, clears event logs to slow forensic investigations, and empties the recycle bin before starting encryption.
When a file cannot be opened for encryption since a security tool has locked it, the ransomware scans all running processes and checks them against a list of 131 known antivirus and endpoint detection software processes.
The ransom note named readme_locker.txt is only dropped when a specific command-line flag is provided at runtime, making automated sandbox analysis considerably harder.
Credential Access
2 techniques
This is complemented by the use of Cobalt Strike, Mimikatz...
The campaign also exhibits maturity through diverse initial access methods ... and extensive post-compromise activity, such as credential extraction (e.g., NTDS.dit)...
Discovery
5 techniques
...extensive post-compromise activity, such as credential extraction (e.g., NTDS.dit), Active Directory reconnaissance, and controlled data exfiltration.
If opening fails due to an error code 32 (ERROR_SHARING_VIOLATION), the ransomware will enumerate the running processes and compute a checksum value for each process name...
The following files are not encrypted... The following directories are also skipped... After the content of a file is encrypted, the file is renamed...
Lateral Movement
1 technique
They then impersonate an IT support employee, reaching out via Microsoft Teams and convincing the victim to initiate a Quick Assist session. Once access is granted, the attacker drops malware on the system, quietly establishing a foothold inside the organization’s network.
Command and Control
1 technique
The victim is instructed to join a Microsoft Teams call and initiate Quick Assist. If the victim falls for the ruse, the threat actor deploys malware onto the victim’s system...
Exfiltration
2 techniques
...extensive post-compromise activity, such as credential extraction (e.g., NTDS.dit), Active Directory reconnaissance, and controlled data exfiltration.
The group targets organizations through well-worn but effective tactics, stealing large volumes of sensitive data before selectively encrypting files on compromised systems.
Impact
2 techniques
The group targets organizations through well-worn but effective tactics, stealing large volumes of sensitive data before selectively encrypting files on compromised systems.
The group also operates a dark web data leak site, adding pressure on victims to pay by threatening to publish stolen information.
Other
2 techniques
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Ransomware that steals sensitive data before selectively encrypting files on compromised systems. It uses strong encryption (RSA-4096 and AES-256-CTR), deletes shadow copies, clears event logs, evades EDR through direct system calls and hashed API resolution, and pressures victims via a dark web leak site.
Ransomware using QEMU-based virtual machines for covert execution, intermittent encryption with AES-CTR + RSA-4096, and enterprise-focused post-compromise activity including credential extraction and data exfiltration.
Ransomware selectively deployed in new attacks by former BlackBasta initial access brokers, alongside large-scale data theft.
Ransomware that conducts double-extortion operations by stealing sensitive data and selectively encrypting files. It uses RSA-4096 and AES-256-CTR encryption, partial encryption for large files, anti-analysis and anti-sandbox techniques, direct system calls to terminate security tools, and post-encryption cleanup such as deleting shadow copies and wiping event logs.