A ransomware group that emerged from BlackBasta's collapse is concealing its malware inside a legitimate software layer that most security tools cannot see into, giving attackers an undetected foothold inside victim networks.

 

What happened

Payouts King, a ransomware group that researchers link to former BlackBasta affiliates, has been documented using a technique that hides malicious activity inside a virtual machine, a self-contained computer environment running inside a real computer, to avoid detection by security software. The tool it uses to create these virtual machines is QEMU, a legitimate open-source program that developers and IT teams normally use to simulate hardware and run isolated environments for testing. By running its malware inside a QEMU virtual machine rather than directly on the victim's system, Payouts King places its activity in a layer that most endpoint security tools cannot monitor. According to BleepingComputer, the group emerged in April 2025 following the leak of BlackBasta's internal chat logs and the group's subsequent collapse. Payouts King gains initial access using the same tactics BlackBasta made widespread: flooding a target's inbox with spam emails to create urgency, then contacting the target through Microsoft Teams while impersonating IT support, and convincing them to open Quick Assist, a legitimate Windows remote access tool that hands the attacker direct control of the device.

 

Going deeper

Once inside a victim's network, Payouts King uses QEMU to install a hidden remote access tool. The attackers place a backdoor inside this virtual machine, making it difficult for many security tools to detect because they typically monitor only the main operating system. According to Cyberpress, the ransomware also uses several techniques to avoid detection, including decrypting commands in memory only when they are needed rather than storing them in readable form, disguising its use of built-in Windows functions, and checking for a specific identifier before running. It can also detect when it is being analyzed in a sandbox, a controlled environment used by security researchers to safely study malware, and alter its behavior to avoid detection. If the attackers gain long-term access, the ransomware creates temporary scheduled tasks, which are automated jobs run by Windows, then quickly deletes them after use to make the investigation more difficult. This process also helps it gain SYSTEM privileges, the highest level of access on a Windows computer.
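The create-then-delete scheduled task pattern described above leaves a pair of Windows Security log entries that can be correlated: event 4698 (a scheduled task was created) and event 4699 (a scheduled task was deleted), both of which require the "Audit Other Object Access Events" subcategory to be enabled. The following detection logic is an added example, not code from the article or from any vendor; the hostnames, task names, users and timestamps are constructed, and the five-minute lifetime threshold is an assumption to tune per environment.

```python
"""Flag scheduled tasks that are created and deleted within a short window.

Added example (not from the article or from any vendor's tooling). It pairs
Windows Security event 4698 (task created) with 4699 (task deleted) for the
same host and task name and reports pairs whose lifetime fell under a
threshold. The event records below are constructed for illustration.
"""
from datetime import datetime, timedelta

SHORT_LIVED = timedelta(minutes=5)  # assumption: adjust to your baseline

# Constructed sample events, shaped like fields exported from the Security log.
SAMPLE_EVENTS = [
    {"EventID": 4698, "Computer": "WS-RAD-07",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "SubjectUserName": "SYSTEM", "Time": "2025-06-02T09:00:00"},
    {"EventID": 4698, "Computer": "WS-RAD-07", "TaskName": "\\UpdateChk_7f3a",
     "SubjectUserName": "jdoe", "Time": "2025-06-02T09:14:10"},
    {"EventID": 4699, "Computer": "WS-RAD-07", "TaskName": "\\UpdateChk_7f3a",
     "SubjectUserName": "jdoe", "Time": "2025-06-02T09:14:42"},
    {"EventID": 4698, "Computer": "WS-RAD-07", "TaskName": "\\BackupAgent",
     "SubjectUserName": "backupsvc", "Time": "2025-06-02T10:00:00"},
    {"EventID": 4699, "Computer": "WS-RAD-07", "TaskName": "\\BackupAgent",
     "SubjectUserName": "backupsvc", "Time": "2025-06-03T10:00:00"},
]


def find_short_lived_tasks(events, max_lifetime=SHORT_LIVED):
    """Return (computer, task_name, creator, lifetime_seconds) for every task
    whose deletion followed its creation within max_lifetime."""
    created = {}   # (computer, task_name) -> (created_at, creating_user)
    findings = []
    # ISO-8601 timestamps sort correctly as strings, so order events by time.
    for ev in sorted(events, key=lambda e: e["Time"]):
        key = (ev["Computer"], ev["TaskName"])
        ts = datetime.fromisoformat(ev["Time"])
        if ev["EventID"] == 4698:
            created[key] = (ts, ev["SubjectUserName"])
        elif ev["EventID"] == 4699 and key in created:
            start, user = created.pop(key)
            lifetime = ts - start
            if lifetime <= max_lifetime:
                findings.append((ev["Computer"], ev["TaskName"], user,
                                 int(lifetime.total_seconds())))
    return findings


if __name__ == "__main__":
    for computer, task, user, seconds in find_short_lived_tasks(SAMPLE_EVENTS):
        print(f"{computer}: task {task} created by {user} lived {seconds}s")
```

Only the UpdateChk_7f3a task is reported: it existed for 32 seconds, while the backup task lived a full day and the defrag task was never deleted. In production the same correlation belongs in the SIEM, with the creating user and the task's run-as principal (carried in the 4698 TaskContent XML) added to the alert so analysts can see when a low-privilege user created a task that executed as SYSTEM.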

 

What was said

In the analysis cited by BleepingComputer, researchers stated that Payouts King's use of QEMU represents a deliberate choice to weaponize legitimate virtualization infrastructure against security tooling, noting that the technique exploits a fundamental gap between what endpoint security tools monitor on a host and what runs inside a virtual machine on that same host. Researchers also noted Payouts King's likely connection to former BlackBasta affiliates based on the near-identical initial access methodology, including the specific combination of email spam bombing, Microsoft Teams impersonation of IT support, and Quick Assist abuse documented in BlackBasta campaigns throughout 2024.

 

In the know

The use of QEMU as an attack tool is not entirely new, but its integration into a ransomware operation's core evasion architecture represents an escalation. According to BleepingComputer, researchers previously documented threat actors using QEMU micro VMs to create network tunnels between compromised machines, but Payouts King's implementation goes further by using the virtual machine as a persistent backdoor platform for ongoing command-and-control operations. The group's BlackBasta lineage also matters for healthcare: BlackBasta was responsible for the 2024 attack on Ascension Health that disrupted clinical operations across 140 hospitals and resulted in at least one documented patient safety incident.

 

The big picture

According to the FBI's 2025 Internet Crime Report, healthcare was the most targeted critical infrastructure sector with 460 ransomware attacks for the full year. With healthcare organizations relying on endpoint detection and response tools as their primary defense against ransomware, they face a specific gap when groups use virtual machine-based evasion. EDR tools monitor process behavior, file system changes, and network connections at the host operating system level. A malicious process running inside a QEMU virtual machine on that same host generates host-level activity that looks like a legitimate virtualization workload, not a threat. For healthcare IT teams that have invested heavily in EDR as the answer to ransomware, Payouts King's architecture is a direct challenge to that assumption.

 

FAQs

What is QEMU, and why does running malware inside it defeat endpoint security?

QEMU is a legitimate open-source hardware emulator used by developers and IT teams to run virtual machines. Endpoint security tools monitor activity at the host operating system level. Processes running inside a QEMU virtual machine operate in a separate, isolated environment that most endpoint tools cannot inspect, meaning malicious activity inside the VM is invisible to security software on the host.

 

How does the Microsoft Teams and Quick Assist initial access method work?

Attackers first flood the target's inbox with thousands of emails to create urgency, then contact the target via Microsoft Teams, impersonating IT support and offering to help resolve the email problem. When the target accepts a Teams call, the attacker asks them to open Quick Assist, a legitimate Windows remote access tool, which hands the attacker direct control of the device and a foothold on the network.

 

Why does requiring a command-line parameter before execution help avoid sandbox analysis?

Automated malware analysis sandboxes execute files and observe behavior. A ransomware sample that does nothing without a specific parameter passed at the command line produces no observable malicious behavior in a sandbox, causing it to be classified as benign. The parameter acts as a key that the attacker supplies in real attacks, but that sandbox analysis systems do not know how to provide.

 

What is the connection between Payouts King and BlackBasta?

Researchers link Payouts King to former BlackBasta affiliates based on the group's use of an almost identical initial access playbook: spam bombing, followed by Microsoft Teams IT support impersonation and Quick Assist abuse, which BlackBasta pioneered and deployed extensively through 2024. Following the leak of BlackBasta's internal chat logs and the group's collapse, former affiliates migrated to new operations, including Payouts King.

 

What network-level controls help detect QEMU-based evasion?

Monitoring for unexpected QEMU process execution on workstations and servers that have no legitimate virtualization requirement flags anomalous deployments before they can establish persistence. Network traffic analysis that identifies unusual SSH tunneling patterns or unexpected outbound connections from hosts running QEMU processes provides a detection layer that does not depend on visibility inside the virtual machine itself.