Tox
1 total535F403A2EA2DC71A392E18D7DB77FEF70845C0B7E5B9114CD30D301870304379C3547E324E2
Payouts King is a ransomware family/group first observed in April 2025, with increased activity reported in early 2026.
Profile source: Mallory opens in a new tabPayouts King
Payouts King is a ransomware family/group first observed in April 2025, with increased activity reported in early 2026. Multiple reports link it with high confidence to former BlackBasta affiliates, and some reporting associates the operation with the GOLD ENCOUNTER threat group. Its intrusion tradecraft overlaps with BlackBasta, including spam bombing, Microsoft Teams social engineering in which operators impersonate IT staff, and abuse of Quick Assist for remote access. Additional initial access observed in reporting includes exposed SonicWall VPNs, Cisco SSL VPNs, exploitation of SolarWinds Web Help Desk CVE-2025-26399, and broader vulnerability abuse; one related campaign also used CitrixBleed 2 (CVE-2025-5777) against NetScaler ADC/Gateway.
After access is established, operators deploy malware to gain a foothold, attempt privilege escalation, steal large volumes of sensitive data, and selectively encrypt files. Payouts King supports persistence and elevation through scheduled tasks, including tasks masquerading under Mozilla paths and, in one Sophos-tracked intrusion, a SYSTEM-level task named TPMProfiler used to launch a hidden QEMU virtual machine. The malware and associated intrusions emphasize defense evasion: runtime/stack-based string decryption, API resolution by hash, custom checksum/CRC-based obfuscation, direct system calls resolved from ntdll exports to bypass EDR hooks, and process termination logic targeting a hardcoded list of 131 AV/EDR-related processes. Post-encryption cleanup includes deleting shadow copies, clearing Windows event logs, and emptying the recycle bin.
A notable tradecraft feature associated with Payouts King is abuse of QEMU to run hidden Alpine Linux virtual machines on compromised hosts. Reporting states the operators used QEMU as a reverse SSH backdoor and covert execution environment, with disguised virtual disk files, port forwarding, and outbound SSH tunneling. Tools observed in these hidden VMs or related activity include AdaptixC2, Chisel, BusyBox, Rclone, Havoc, ScreenConnect, and manually compiled post-exploitation tooling such as Impacket, KrbRelayx, Coercer, BloodHound.py, NetExec, Kerbrute, and Metasploit. Observed objectives included credential harvesting, Active Directory reconnaissance, copying NTDS.dit/SAM/SYSTEM hives, and staging/exfiltrating data to SFTP or FTP destinations.
For encryption, Payouts King uses AES-256 in CTR mode with RSA-4096 protection for per-file encryption material, reportedly via a statically linked OpenSSL library. Files smaller than roughly 10 MB are fully encrypted; larger files are partially encrypted in 13 blocks to improve speed. Encrypted files are renamed with the .ZWIAAW extension. The ransom note is readme_locker.txt, and reporting states it is written when the -note parameter is supplied. The note directs victims to contact the operators via TOX and references a Tor-based dark web leak site used to pressure victims with publication of stolen data. Reported SHA-256 samples include 335ad12a950f885073acdfebb250c93fb28ca3f374bbba5189986d9234dcbff4 and d68ce82e82801cd487f9cd2d24f7b30e353cafd0704dcdf0bb8f12822d4227c2.
Ransomware.live
Ransomware.live
535F403A2EA2DC71A392E18D7DB77FEF70845C0B7E5B9114CD30D301870304379C3547E324E2Ransomware.live
Reported operators
A new ransomware group known as Payouts King has quietly been building a reputation since it first appeared in April 2025.
The Payouts King ransomware, associated with a threat actor group (GOLD ENCOUNTER, with links to former BlackBasta affiliates), demonstrates a clear advancement toward virtualization-based evasion and covert execution strategies.
A relatively unknown ransomware group called Payouts King has emerged as a serious cybersecurity threat... Once a foothold is established on the victim’s network, Payouts King deploys its ransomware payload, steals large volumes of sensitive data, and then selectively encrypts files.
Exploited software
MITRE ATT&CK
Reporting
A new ransomware group known as Payouts King has quietly been building a reputation since it first appeared in April 2025.
The Payouts King ransomware, associated with a threat actor group (GOLD ENCOUNTER, with links to former BlackBasta affiliates), demonstrates a clear advancement toward virtualization-based evasion and covert execution strategies.
Former BlackBasta initial access brokers are conducting new attacks; stealing large amounts of data, and selectively deploying Payouts King ransomware.
A relatively unknown ransomware group called Payouts King has emerged as a serious cybersecurity threat... Once a foothold is established on the victim’s network, Payouts King deploys its ransomware payload, steals large volumes of sensitive data, and then selectively encrypts files.
The Payouts King ransomware is using the QEMU emulator as a reverse SSH backdoor to run hidden virtual machines on compromised systems and bypass endpoint security.
ThreatLabz has been able to attribute some of these attacks to Payouts King ransomware, a group that until now has largely remained under the radar over the last year.
In our experience, Akira, DragonForce, Inc Ransomware, Qilin Ransomware, Payouts King, and The Gentlemen have kept their word about deleting data and have not attempted to re-extort our clients after our clients paid them.
“Payouts King… recorded 10–13 incidents…”
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.