Skip to content
Ransomware group

Payouts King

Payouts King is a ransomware family/group first observed in April 2025, with increased activity reported in early 2026.

Profile source: Mallory opens in a new tab

Payouts King

Family profile

Payouts King is a ransomware family/group first observed in April 2025, with increased activity reported in early 2026. Multiple reports link it with high confidence to former BlackBasta affiliates, and some reporting associates the operation with the GOLD ENCOUNTER threat group. Its intrusion tradecraft overlaps with BlackBasta, including spam bombing, Microsoft Teams social engineering in which operators impersonate IT staff, and abuse of Quick Assist for remote access. Additional initial access observed in reporting includes exposed SonicWall VPNs, Cisco SSL VPNs, exploitation of SolarWinds Web Help Desk CVE-2025-26399, and broader vulnerability abuse; one related campaign also used CitrixBleed 2 (CVE-2025-5777) against NetScaler ADC/Gateway.

After access is established, operators deploy malware to gain a foothold, attempt privilege escalation, steal large volumes of sensitive data, and selectively encrypt files. Payouts King supports persistence and elevation through scheduled tasks, including tasks masquerading under Mozilla paths and, in one Sophos-tracked intrusion, a SYSTEM-level task named TPMProfiler used to launch a hidden QEMU virtual machine. The malware and associated intrusions emphasize defense evasion: runtime/stack-based string decryption, API resolution by hash, custom checksum/CRC-based obfuscation, direct system calls resolved from ntdll exports to bypass EDR hooks, and process termination logic targeting a hardcoded list of 131 AV/EDR-related processes. Post-encryption cleanup includes deleting shadow copies, clearing Windows event logs, and emptying the recycle bin.

A notable tradecraft feature associated with Payouts King is abuse of QEMU to run hidden Alpine Linux virtual machines on compromised hosts. Reporting states the operators used QEMU as a reverse SSH backdoor and covert execution environment, with disguised virtual disk files, port forwarding, and outbound SSH tunneling. Tools observed in these hidden VMs or related activity include AdaptixC2, Chisel, BusyBox, Rclone, Havoc, ScreenConnect, and manually compiled post-exploitation tooling such as Impacket, KrbRelayx, Coercer, BloodHound.py, NetExec, Kerbrute, and Metasploit. Observed objectives included credential harvesting, Active Directory reconnaissance, copying NTDS.dit/SAM/SYSTEM hives, and staging/exfiltrating data to SFTP or FTP destinations.

For encryption, Payouts King uses AES-256 in CTR mode with RSA-4096 protection for per-file encryption material, reportedly via a statically linked OpenSSL library. Files smaller than roughly 10 MB are fully encrypted; larger files are partially encrypted in 13 blocks to improve speed. Encrypted files are renamed with the .ZWIAAW extension. The ransom note is readme_locker.txt, and reporting states it is written when the -note parameter is supplied. The note directs victims to contact the operators via TOX and references a Tor-based dark web leak site used to pressure victims with publication of stolen data. Reported SHA-256 samples include 335ad12a950f885073acdfebb250c93fb28ca3f374bbba5189986d9234dcbff4 and d68ce82e82801cd487f9cd2d24f7b30e353cafd0704dcdf0bb8f12822d4227c2.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Published indicators

Full source record ↗

Tox

1 total
  • 535F403A2EA2DC71A392E18D7DB77FEF70845C0B7E5B9114CD30D301870304379C3547E324E2

Ransomware.live

Recent claims

All published claims ↗

Reported operators

Threat actors

3 named in public reporting
Payouts King

A new ransomware group known as Payouts King has quietly been building a reputation since it first appeared in April 2025.

GOLD ENCOUNTER

The Payouts King ransomware, associated with a threat actor group (GOLD ENCOUNTER, with links to former BlackBasta affiliates), demonstrates a clear advancement toward virtualization-based evasion and covert execution strategies.

Black Basta

A relatively unknown ransomware group called Payouts King has emerged as a serious cybersecurity threat... Once a foothold is established on the victim’s network, Payouts King deploys its ransomware payload, steals large volumes of sensitive data, and then selectively encrypts files.

Exploited software

Vulnerabilities linked to Payouts King

2 CVEs

MITRE ATT&CK

Payouts King in ATT&CK

27 distinct techniques

Reporting

Research mentioning Payouts King

Jun 4
Cyber Security News

Payouts King Ransomware Evades EDR With Obfuscation and Direct System Calls

A new ransomware group known as Payouts King has quietly been building a reputation since it first appeared in April 2025.

May 15
Cyfirma Other

TRACKING RANSOMWARE : APRIL 2026 - CYFIRMA

The Payouts King ransomware, associated with a threat actor group (GOLD ENCOUNTER, with links to former BlackBasta affiliates), demonstrates a clear advancement toward virtualization-based evasion and covert execution strategies.

Apr 18
Blueteamsec

Payouts King Takes Aim at the Ransomware Throne | ThreatLabz - Infosec.Pub

Former BlackBasta initial access brokers are conducting new attacks; stealing large amounts of data, and selectively deploying Payouts King ransomware.

Apr 17
Cyber Security News

Payouts King Rises as New Ransomware Threat Linked to Former BlackBasta Affiliates

A relatively unknown ransomware group called Payouts King has emerged as a serious cybersecurity threat... Once a foothold is established on the victim’s network, Payouts King deploys its ransomware payload, steals large volumes of sensitive data, and then selectively encrypts files.

Apr 17
Bleeping Computer

Payouts King ransomware uses QEMU VMs to bypass endpoint security

The Payouts King ransomware is using the QEMU emulator as a reverse SSH backdoor to run hidden virtual machines on compromised systems and bypass endpoint security.

Apr 16
Zscaler Threat Labz

Payouts King Takes Aim at the Ransomware Throne | ThreatLabz

ThreatLabz has been able to attribute some of these attacks to Payouts King ransomware, a group that until now has largely remained under the radar over the last year.

Apr 5
Data Breaches

How often do threat actors default on promises to delete data? - DataBreaches.Net

In our experience, Akira, DragonForce, Inc Ransomware, Qilin Ransomware, Payouts King, and The Gentlemen have kept their word about deleting data and have not attempted to re-extort our clients after our clients paid them.

Dec 9
Dragos

Dragos Industrial Ransomware Analysis: Q3 2025 | Dragos

“Payouts King… recorded 10–13 incidents…”

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.