Arctic Wolf Labs assessed the group may operate in part as an Initial Access Broker (IAB), selling harvested credentials to other threat actors including the CipherForce and Vect ransomware affiliates.
CipherForce
CipherForce is a ransomware operation associated with the financially motivated threat group TeamPCP.
Profile source: Mallory opens in a new tabCipherForce
Family profile
CipherForce is a ransomware operation associated with the financially motivated threat group TeamPCP. It emerged as TeamPCP’s proprietary ransomware track, distinct from the group’s separate cooperation with the Vect ransomware ecosystem, and has been used as a direct monetization channel for access and credentials harvested during TeamPCP’s broader cloud and software supply-chain intrusions. Reporting links CipherForce to TeamPCP’s wider criminal infrastructure and aliases, and indicates the operation maintained its own leak site and victim publication workflow.
CipherForce has been described as TeamPCP’s in-house ransomware brand, including tooling advertised as capable of encrypting major enterprise database and cloud storage solutions. The operation appears to have run in parallel with TeamPCP’s credential-theft and initial-access activity, allowing the group to convert stolen secrets and downstream enterprise access into extortion and ransomware deployments. Intelligence also indicates TeamPCP sought affiliates for CipherForce while simultaneously supporting a separate affiliate-oriented ransomware channel through Vect.
Victimology associated with TeamPCP-linked operations indicates interest in enterprise and cloud-centric environments across multiple sectors and geographies, including technology, financial services, retail, legal, insurance, education, government, and other large organizations. CipherForce has been publicly tied to named victims on its leak infrastructure, and has been discussed in connection with ransomware activity following TeamPCP’s compromises of trusted developer and security tooling. High-confidence reporting supports classifying CipherForce as a ransomware brand operated by TeamPCP for extortion and encryption-based attacks, but detailed technical specifics of the locker itself remain limited in the available information.
Capabilities
- Extortion
Ransomware.live
Operational record
Reported operators
Threat actors
2 named in public reportingA note on CipherForce ransomware blog, March 2026
Exploited software
Vulnerabilities linked to CipherForce
1 CVEsMITRE ATT&CK
CipherForce in ATT&CK
10 distinct techniquesTechniques
10 techniquesReporting
Research mentioning CipherForce
Vect and TeamPCP partner for ransomware campaigns | SOPHOS
Prior to the Vect partnership, TeamPCP was running another ransomware operation under the CipherForce brand. CipherForce listed six victims on its leak site in February 2026 and rebranded as a TeamPCP leak site in May.
TeamPCP Supply Chain Campaign: Activity Through 2026-05-17
CipherForce remained inactive at roughly 84 days, with 6 victims unchanged.
Cyber Intel Brief: Vect, BreachForums, and TeamPCP Converge
TeamPCP have previously created and promoted ransomware brands such as Black Witch and CipherForce. TeamPCP’s advertised CipherForce ransomware-branded tooling was designed to encrypt all major enterprise database and cloud storage solutions.
Is Your Next Vacation a Trap? Inside the...
A note on CipherForce ransomware blog, March 2026
OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident
Evidence indicates that the threat actor has also launched a proprietary ransomware operation under the name CipherForce.
Dark Web Profile: TeamPCP
The group operates under five confirmed aliases: PCPcat, the name of their first documented campaign; ShellForce, their data leak publication persona; DeadCatx3, a GitHub account hosting attacker tooling; CipherForce, their proprietary ransomware operation; and Persy_PCP, an earlier Telegram identity.
TeamPCP Supply Chain Campaign: Update 006 - CERT-EU Confirms European Commission Cloud Breach, Sportradar Details Emerge, and Mandiant Quantifies Campaign at 1,000+ SaaS Environments
CipherForce ransomware: Listed on the CipherForce shame site with the original 14-15 day publication deadline.
TeamPCP Supply Chain Campaign: Update 005 - First Confirmed Victim Disclosure, Post-Compromise Cloud Enumeration Documented, and Axios Attribution Narrows
Keywords: ownCloud ... ransomware ... Vect ... CipherForce ... CanisterWorm ...