Malware | Bleeping Computer
9.8 — CRITICAL
Payouts King ransomware uses QEMU VMs to bypass endpoint security
The Payouts King ransomware is using the QEMU emulator as a reverse SSH backdoor to run hidden virtual machines on compromised systems and bypass endpoint security. [...]
🤖 AI Briefing: Auto-generated threat analysis
🔍 Threat Overview
Payouts King ransomware is using QEMU VMs to bypass endpoint security. The operators gain initial access by exploiting vulnerabilities in NetScaler ADC and Gateway instances and in SolarWinds Web Help Desk (CVE-2025-26399), and deploy encryptors that target VMware ESXi hypervisor environments.
⚙️ Technical Details
Affected Systems
NetScaler ADC and Gateway instances, SolarWinds Web Help Desk, VMware and ESXi environments
Attack Vectors
Network: unauthenticated AjaxProxy deserialization remote code execution vulnerability
💥 Impact Assessment
Severity: Critical
Who Is at Risk
Organizations with NetScaler ADC and Gateway instances, SolarWinds Web Help Desk, and VMware and ESXi environments
🛡️ Recommended Actions
1. Monitor for unauthorized QEMU installations and suspicious scheduled tasks running with SYSTEM privileges
2. Check for outbound SSH tunnels on non-standard ports
3. Apply patches for CVE-2025-26399 and CVE-2024-28988 to SolarWinds Web Help Desk
📦 Affected Products
SolarWinds Web Help Desk, NetScaler ADC and Gateway instances
🔐 NVD Verified Data (VERIFIED)
CVE-2025-26399: CVSS 9.8 — CRITICAL
Attack Vector: NETWORK
Complexity: LOW
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses: CWE-502
Affected Products (CPE): Solarwinds Web Help Desk
This is a curated summary. The complete article is available at Bleeping Computer.
