PayoutsKing

PayoutsKing is a double-extortion ransomware operation linked in the provided reporting to the GOLD ENCOUNTER threat group. The malware operation steals victim data and encrypts files before demanding payment, and the reporting states it is not operated as a ransomware-as-a-service model and does not rely on affiliates. Sophos-linked activity ties PayoutsKing to the STAC4713 campaign, first observed in November 2025, in which attackers abused hidden QEMU virtual machines to evade host-based security controls, maintain covert access, harvest credentials, exfiltrate data, and ultimately deploy ransomware. The campaign used a scheduled task named TPMProfiler to launch qemu-system-x86_64.exe as SYSTEM, booting disguised virtual disk images such as vault.db and later bisrv.dll, with port forwarding from 32567 and 22022 to SSH and reverse SSH tunnels established via AdaptixC2 or OpenSSH. Reporting states the hidden VM used Alpine Linux 3.22.0 and contained tooling including Linker2, AdaptixC2, wg-obfuscator, BusyBox, Chisel, and Rclone. Initial access associated with PayoutsKing activity included exposed Cisco or SonicWall SSL VPN devices, exposed VPN systems lacking MFA, exploitation of SolarWinds Web Help Desk vulnerability CVE-2025-26399, and email-bombing followed by Microsoft Teams vishing. Post-compromise behavior associated with the operators included use of QuickAssist and SuperOps for remote access, Havoc C2 via DLL sideloading, SSH backdoors via AdaptixC2 or OpenSSH, credential harvesting including copying NTDS.dit, SAM, and SYSTEM hives over SMB, attempted AV/EDR disabling via BYOVD, and data exfiltration using WinSCP and Rclone to remote SFTP infrastructure. The content further states that PayoutsKing focuses on hypervisor environments and has developed encryptors for VMware and ESXi systems.