Sophos observed the attackers creating a volume shadow copy snapshot, copying the Active Directory database (ntds.dit) and the SAM and SYSTEM registry hives to temporary folders, and performing network share discovery and file access with native Windows tools. The shadow copy is what makes the theft possible: ntds.dit is locked while the directory service runs, and once copied off a snapshot it yields, together with the SYSTEM hive, the password hashes of every domain account for offline cracking or pass-the-hash.

The cybersecurity firm attributes the attacks to Gold Encounter, a closed hacking group that operates the PayoutsKing ransomware. The gang is known to target VMware ESXi environments for encryption.

In February 2026, Sophos observed a second campaign abusing QEMU. Tracked as STAC3725, it relies on exploitation of CVE-2025-5777 (the Citrix NetScaler memory-disclosure flaw known as CitrixBleed 2) for initial access and on a malicious ScreenConnect client for persistence.

Following the NetScaler exploitation, the attackers created a start-up service, installed the remote access tool, used it to retrieve QEMU and a virtual disk image, and then carried out the attack manually from inside the VM.

The hackers were observed deploying roughly a dozen tools and libraries, harvesting credentials, enumerating Kerberos usernames, performing Active Directory reconnaissance, staging payloads, and exfiltrating data.

“Follow-on activity differed across intrusions, suggesting that initial access brokers originally compromised the victims’ environments and then sold the access to other threat actors,” Sophos notes.

Organizations are advised to hunt for unauthorized QEMU installations, rogue scheduled tasks and unusual port-forwarding rules, and to monitor for outbound SSH tunnels; any of these can reveal a compromise. QEMU itself is legitimate software, so the useful signal is where it runs from, under which account, and with what networking options, rather than the presence of the binary alone.

Source: SecurityWeek