{
  "Event": {
    "analysis": "1",
    "date": "2026-04-16",
    "extends_uuid": "",
    "info": "[Threat Intel] Takes Aim at the Ransomware Throne",
    "protected": false,
    "publish_timestamp": "1776767208",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1776767207",
    "uuid": "62eebf9b-b43d-4741-913e-ae8b3585b406",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#6dbaba",
        "local": false,
        "name": "misp-galaxy:producer=\"Zscaler\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#705cef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#b2a633",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Service Stop - T1489\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#c202a1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#5539fe",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#f5a258",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#e00500",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Access Tools - T1219\"",
        "relationship_type": ""
      },
      {
        "colour": "#75ec20",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clear Windows Event Logs - T1070.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#1cbe6b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#36d931",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#fdd85e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Access Token Manipulation - T1134\"",
        "relationship_type": ""
      },
      {
        "colour": "#3c0f50",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#297c25",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:ransomware=\"BlackBasta\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:ransomware=\"payoutsking\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"Ransomware\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776481207",
        "to_ids": false,
        "type": "link",
        "uuid": "0d7a6561-a7c8-4100-9d6c-50099bd101ed",
        "value": "https://www.zscaler.com/blogs/security-research/payouts-king-takes-aim-ransomware-throne"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776481207",
        "to_ids": false,
        "type": "text",
        "uuid": "36d02d51-2527-4ee6-b867-3e70f62213d3",
        "value": "In February 2025, BlackBasta ransomware operations ceased after their internal chat logs were leaked online, leading to disbandment. However, former affiliates continued launching attacks using different ransomware families, including the relatively unknown Payouts King group that emerged in April 2025. ThreatLabz has observed continued ransomware activity consistent with former BlackBasta initial access brokers since early 2026, utilizing similar tactics including spam bombing, Microsoft Teams phishing, and Quick Assist abuse. Payouts King implements sophisticated evasion techniques including stack-based string obfuscation, API hashing, and direct system calls to terminate security processes. The ransomware leverages 4,096-bit RSA and 256-bit AES counter mode encryption, selectively encrypting files while targeting security software and employing anti-forensics techniques like shadow copy deletion and event log clearing."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776481207",
        "to_ids": false,
        "type": "text",
        "uuid": "ccd6c2a0-8dfa-4d2e-826c-d221b69ff673",
        "value": "Name: Takes Aim at the Ransomware Throne\nAuthor: AlienVault\nAdversary: Payouts King\nTags: [\"aes encryption\", \"blackbasta affiliates\", \"edr evasion\", \"blackbasta\", \"spam bombing\", \"direct system calls\", \"payouts king\", \"quick assist\", \"microsoft teams\", \"cactus\", \"rsa encryption\"]\nTgtd countries: []\nMlwr families: [\"Payouts King\", \"BlackBasta\", \"Cactus\"]\nAttack_ids: [\"T1053.005\", \"T1489\", \"T1204.002\", \"T1566.002\", \"T1566.001\", \"T1082\", \"T1106\", \"T1140\", \"T1219\", \"T1036\", \"T1070.001\", \"T1083\", \"T1497\", \"T1562.001\", \"T1027\", \"T1486\", \"T1059.003\", \"T1134\", \"T1027.002\", \"T1490\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776481207",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "f739397c-ea50-45f0-bd9d-1544d8ef69a4",
        "value": "Payouts King"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776696460",
        "uuid": "d15d5a7a-5a97-403a-8101-a680cc52172d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Payouts King ransomware sample",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776696460",
            "to_ids": true,
            "type": "md5",
            "uuid": "7c3bde32-0b8a-47ea-a5b8-ccc9a20d9930",
            "value": "865f7b4a303684f8bf7c5f60180c5257",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Payouts King ransomware sample",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776692134",
            "to_ids": true,
            "type": "sha1",
            "uuid": "8a951028-9ee6-4cde-9113-66cb1a9b2424",
            "value": "e33e303ff7753b37539e942a9c5ef2001b219976",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Payouts King ransomware sample",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776692134",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0e808cea-3731-435c-b649-a703d3b7d6af",
            "value": "335ad12a950f885073acdfebb250c93fb28ca3f374bbba5189986d9234dcbff4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776691667",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "545a33fc-5109-4a1f-902e-09f30772838e",
            "value": "49152:0FCTFoaNQ2r2Cs41/H5Mbyo/JCUhtPkSJYpJGtlqSVwAsOCaHzQeiIC+WR+kgwlp:f5x24t5Mb92oH8qC+4Q2DGx+d"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776691667",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "af808f50-e3c7-403a-a41b-547d1c53b183",
            "value": "5135360"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776691667",
            "to_ids": true,
            "type": "vhash",
            "uuid": "ac63fd24-939d-421c-be51-bbe8175a2ae1",
            "value": "056066655d156d75514z82z3e1csz1e7z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776691667",
            "to_ids": true,
            "type": "filename",
            "uuid": "1798a117-3c93-449f-9130-bc79d365b317",
            "value": "aqeznpyz8.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/04/2026\nLast-scan: 20/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776691667",
            "to_ids": false,
            "type": "text",
            "uuid": "651ee499-c78a-43e1-82ac-f1010001c0d7",
            "value": "Payouts King ransomware sample\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection: 13/72\nFirst Submission: 2026-01-30T06:57:09.000000+00:00\nLast Submission: 2026-01-30T06:57:09.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776696481",
        "uuid": "d7219c86-af55-44f2-8506-cc25a8816139",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Payouts King ransomware sample",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776696481",
            "to_ids": true,
            "type": "md5",
            "uuid": "0bac638d-7466-40eb-8951-480ae34e9356",
            "value": "e08a96a4e597725c5c4f12482b800cc9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Payouts King ransomware sample",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776692135",
            "to_ids": true,
            "type": "sha1",
            "uuid": "fbe2d2b9-19a5-4b78-a232-2acdf36759e0",
            "value": "47e53d4fd21537f1b434d89bf68ba3ec2fd76d3a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Payouts King ransomware sample",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776692135",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5063b3d9-17cc-40ea-8e99-ceb2671bec55",
            "value": "d68ce82e82801cd487f9cd2d24f7b30e353cafd0704dcdf0bb8f12822d4227c2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776691689",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "cedd9176-ad5a-4145-81d5-c0525d8b2189",
            "value": "49152:0HCTFoaNQ2r2Cs41/H5Mbyo/JCUhtPkSJYpJGtlqSVwAsOCaHzQeiIC+WR+kgwlp:h5x24t5Mb92oH8qC+4Q2DGx+d"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776691689",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "803e97c2-3a92-4492-b762-5ee6c04fadef",
            "value": "5135360"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776691689",
            "to_ids": true,
            "type": "vhash",
            "uuid": "e795e785-fccf-4fb7-81a7-d6b26dff01a7",
            "value": "056066655d156d75514z82z3e1csz1e7z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776691689",
            "to_ids": true,
            "type": "filename",
            "uuid": "91b08bef-400e-44fc-8abc-7bfc2a7941ff",
            "value": "xetmqcp7.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/04/2026\nLast-scan: 20/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776691689",
            "to_ids": false,
            "type": "text",
            "uuid": "924effd5-14d0-4bb5-855f-9912d643168f",
            "value": "Payouts King ransomware sample\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection: 14/72\nFirst Submission: 2026-01-14T04:17:30.000000+00:00\nLast Submission: 2026-01-14T04:17:30.000000+00:00"
          }
        ]
      }
    ]
  }
}