STAC4713
STAC4713 is a financially motivated intrusion cluster first observed by Sophos in November 2025 and linked with high confidence to data theft and deployment of PayoutsKing ransomware. Sophos associates STAC4713 with the GOLD ENCOUNTER threat group. The cluster's defining tradecraft is the abuse of QEMU to run hidden Alpine Linux 3.22.0 virtual machines on compromised hosts as a defense-evasion and covert-access mechanism: processes, files and tooling inside the guest are largely invisible to host-based endpoint security tools, which see only the QEMU process itself.

In STAC4713 intrusions, the attackers create a scheduled task named TPMProfiler that launches qemu-system-x86_64.exe as SYSTEM, booting a virtual disk image disguised under innocuous file names such as vault.db and, in later intrusions, bisrv.dll. QEMU port forwarding maps host ports 32567 and 22022 to the guest's SSH port 22, and the VM establishes covert access by opening a reverse SSH tunnel using AdaptixC2 or OpenSSH. Tools observed inside the VM include AdaptixC2, Chisel, BusyBox, Rclone, wg-obfuscator, and Linker2/tinker2. Because the guest is opaque to host EDR, the host-side artifacts (the scheduled task, the QEMU binary running as SYSTEM, the oddly named disk image, and the forwarded ports) are the practical detection surface.

Post-compromise activity included credential theft and Active Directory data collection: vssuirun.exe was used to create shadow copies, and the print command over SMB to copy NTDS.dit and the SAM and SYSTEM hives. Network share discovery and file access were carried out with legitimate tools such as Microsoft Paint, Notepad, Microsoft Edge, and WizTree.

Reported initial access vectors for STAC4713 included exposed SonicWall VPNs without MFA and exploitation of the SolarWinds Web Help Desk vulnerability CVE-2025-26399; later reporting also noted exposed Cisco SSL VPNs and social engineering via phishing, fake Microsoft Teams IT-support contact, and Quick Assist.

Sophos reported that from early 2026, GOLD ENCOUNTER shifted in some PayoutsKing-linked incidents away from QEMU-based covert access toward sideloading Havoc C2 via ADNotificationManager.exe, with exfiltration over Rclone.
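The following is an added worked example, not detection content from Sophos or from this profile: a small triage routine that scores process-creation events for the host-side QEMU tradecraft described above. The event schema (image, command line, user) and every sample event are constructed for illustration and must be mapped onto real telemetry such as Sysmon Event ID 1 or Windows Security 4688 with command-line auditing. The port numbers (32567, 22022), task name (TPMProfiler), disk image name (vault.db) and the vssuirun.exe observation come from the profile; the list of "normal" disk image extensions and the high-signal weighting are the example's own assumptions.

```python
# Added example (not from the Sophos or Mallory reporting): triage of process-creation
# events for the QEMU covert-VM tradecraft attributed to STAC4713. Field names and all
# sample events are constructed for illustration; map them onto your own telemetry.
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    command_line: str   # full command line as logged
    user: str           # account the process runs as, e.g. "NT AUTHORITY\\SYSTEM"


SYSTEM_ACCOUNTS = {"nt authority\\system", "system"}
# Host ports reported in STAC4713 QEMU port forwarding (from the profile above).
STAC4713_HOST_PORTS = {32567, 22022}
# Extensions a legitimately named QEMU disk image normally carries (assumption).
DISK_IMAGE_EXTS = {".qcow2", ".qcow", ".img", ".raw", ".vmdk", ".vdi", ".vhd", ".vhdx", ".iso", ".bin"}
# QEMU user-mode network forward: hostfwd=tcp:[hostaddr]:hostport-[guestaddr]:guestport
HOSTFWD_RE = re.compile(r"hostfwd=(?:tcp|udp):[^:,\s]*:(\d+)-[^:,\s]*:(\d+)", re.IGNORECASE)
DISK_OPTS = {"-hda", "-hdb", "-hdc", "-hdd", "-cdrom"}


def _tokens(cmd: str) -> list[str]:
    """Split a Windows command line, keeping quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def disk_images(cmd: str) -> list[str]:
    """Return disk image paths passed to QEMU via -hdX/-cdrom or -drive file=..."""
    toks = _tokens(cmd)
    paths = []
    for i, tok in enumerate(toks[:-1]):
        if tok in DISK_OPTS:
            paths.append(toks[i + 1])
        elif tok == "-drive":
            # -drive takes comma-separated key=value pairs; paths containing commas are not handled.
            for kv in toks[i + 1].split(","):
                key, _, value = kv.partition("=")
                if key == "file" and value:
                    paths.append(value)
    return paths


def analyze(ev: ProcEvent) -> list[str]:
    """Return the STAC4713-style findings for one process-creation event."""
    findings = []
    image = ntpath.basename(ev.image).lower()
    cmd = ev.command_line
    if image.startswith("qemu-system"):
        findings.append("qemu_launched")
        if ev.user.lower() in SYSTEM_ACCOUNTS:
            findings.append("qemu_as_system")
        for host_port, guest_port in HOSTFWD_RE.findall(cmd):
            if guest_port == "22":
                findings.append(f"hostfwd_to_guest_ssh:{host_port}")
            if int(host_port) in STAC4713_HOST_PORTS:
                findings.append(f"stac4713_host_port:{host_port}")
        for path in disk_images(cmd):
            if ntpath.splitext(path)[1].lower() not in DISK_IMAGE_EXTS:
                findings.append(f"disguised_disk_image:{ntpath.basename(path)}")
    elif image == "schtasks.exe":
        toks = [t.lower() for t in _tokens(cmd)]
        if "/create" in toks and "/tn" in toks:
            idx = toks.index("/tn") + 1
            if idx < len(toks) and toks[idx] == "tpmprofiler":
                findings.append("tpmprofiler_task_created")
            if "qemu-system" in cmd.lower():
                findings.append("scheduled_task_runs_qemu")
    elif image == "vssuirun.exe":
        findings.append("vssuirun_executed")
    return findings


HIGH_SIGNAL = ("qemu_as_system", "hostfwd_to_guest_ssh", "stac4713_host_port",
               "disguised_disk_image", "tpmprofiler_task_created", "scheduled_task_runs_qemu")


def is_suspicious(findings: list[str]) -> bool:
    """A QEMU launch by itself is not an alert; any high-signal finding is."""
    return any(f.split(":")[0] in HIGH_SIGNAL for f in findings)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\ProgramData\TPM\qemu-system-x86_64.exe",
              r'"C:\ProgramData\TPM\qemu-system-x86_64.exe" -m 1024 -display none '
              r'-drive file=C:\ProgramData\TPM\vault.db,format=raw '
              r'-netdev user,id=n0,hostfwd=tcp::32567-:22,hostfwd=tcp::22022-:22 -device e1000,netdev=n0',
              r"NT AUTHORITY\SYSTEM"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn TPMProfiler /sc onstart /ru SYSTEM '
              r'/tr "C:\ProgramData\TPM\qemu-system-x86_64.exe -m 1024 -display none"',
              r"CORP\admin"),
    ProcEvent(r"C:\Program Files\qemu\qemu-system-x86_64.exe",
              r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 2048 -hda C:\VMs\alpine.qcow2 '
              r'-netdev user,id=n0,hostfwd=tcp::8080-:80 -device e1000,netdev=n0',
              r"CORP\developer"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe shares.txt", r"CORP\developer"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        f = analyze(ev)
        print(("ALERT " if is_suspicious(f) else "ok    ") + ntpath.basename(ev.image), f)
```

The campaign-specific indicators (the port pair, the task name, the file names) are the easiest for the operator to change; the structural signals, QEMU running as SYSTEM, a hostfwd rule pointing at the guest's port 22, and a disk image whose extension does not look like a disk image, are what survive the next rename. Note also that with QEMU user-mode networking the guest's outbound traffic leaves the host from the QEMU process, so network-connection telemetry attributed to qemu-system-x86_64.exe is the place to look for the reverse SSH tunnel the profile describes.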
PayoutsKing is described as a direct-operations ransomware actor rather than a ransomware-as-a-service (RaaS) model, and is focused on hypervisor environments, with encryptors targeting VMware ESXi. Relationships noted in reporting: GOLD ENCOUNTER is the threat group associated with STAC4713, and STAC4713 is linked to the PayoutsKing ransomware operation.
Tradecraft
12 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
2 malware families attributed to this actor across reporting.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Threat activity cluster involved in ransomware attacks using AdaptixC2 and associated with PayoutsKing ransomware.
Attack campaign using hidden QEMU virtual machines as a core evasion method to conceal operations, harvest credentials, and stage ransomware deployments. The infection chain includes a scheduled task named “TPMProfiler,” QEMU execution under SYSTEM, disguised virtual disk images, port forwarding, reverse SSH tunnels, and an Alpine Linux VM loaded with attacker tooling.
Financially motivated campaign using QEMU virtual machines to conceal activity, maintain hidden access, steal credentials and data, and support deployment of PayoutsKing ransomware.
An activity cluster linked to the Payouts King operation that deploys hidden QEMU virtual machines, steals credentials, and uses multiple initial access vectors including exposed VPNs and social engineering.