Arctic Wolf Labs assessed the group may operate in part as an Initial Access Broker (IAB), selling harvested credentials to other threat actors including the CipherForce and Vect ransomware affiliates.
Vect
Vect is a financially motivated ransomware-as-a-service operation that emerged in late December 2025 and began claiming victims in early 2026.
Profile source: Mallory opens in a new tabVect
Family profile
Vect is a financially motivated ransomware-as-a-service operation that emerged in late December 2025 and began claiming victims in early 2026. It is a double-extortion ransomware family with affiliate-oriented infrastructure including a leak site, negotiation portal, and recruitment model that lowered barriers to entry for affiliates. Vect is associated with Russian-language cybercrime forum activity and has been publicly linked to an operational partnership with TeamPCP, in which TeamPCP harvested credentials and access through software supply-chain compromises and Vect used that downstream access for ransomware deployment and extortion. At least one Vect deployment has been reported as using TeamPCP-sourced credentials, and victim claims tied to that access pipeline have appeared on Vect’s leak infrastructure.
Vect is a cross-platform C++ ransomware family targeting Windows, Linux, and VMware ESXi environments. Reported capabilities include pre-encryption data theft for extortion, process termination, shadow-copy and recovery tampering, Safe Mode boot manipulation on Windows, LAN scanning, and lateral movement via SMB, WinRM, remote service creation, scheduled tasks, and SSH on non-Windows systems. It is positioned for enterprise intrusions and supports attacks against virtualized infrastructure, including handling of virtual disk files.
Technical analysis of Vect 2.0 identified a severe cryptographic implementation flaw affecting Windows, Linux, and ESXi variants. Large files are processed in chunks, but nonce-handling defects cause required decryption material for earlier chunks to be lost, making many files larger than 128 KB permanently unrecoverable even by the operators. As a result, Vect incidents can behave operationally like destructive wiper events rather than recoverable ransomware cases. Additional analysis has noted weak engineering practices and immature implementation quality despite comparatively developed criminal infrastructure. Organizations encountering Vect should treat it as both ransomware and potentially destructive malware, especially where exposed credentials from TeamPCP-linked CI/CD and supply-chain compromises may have enabled access.
Capabilities
- Credential Theft
- Defense Evasion
- Exfiltration
- Extortion
- Lateral Movement
- Reconnaissance
- Scanning
Ransomware.live
Operational record
Reported operators
Threat actors
3 named in public reportingThe current pause, combined with the Vect ransomware affiliate announcement, suggests TeamPCP has shifted primary operational focus from supply chain expansion to monetization of existing credential harvests.
Check Point researchers opened a BreachForums account, got access to the panel and ransomware builder, and analyzed the gang's malware. They quickly determined that the ransomware-as-a-service group also isn't very good at writing code ... and they appear to have accidentally written a data wiper. Instead of encrypting large files ... Vect 2.0 ransomware permanently destroys any files larger than 131,072 bytes (128 KB).
Exploited software
Vulnerabilities linked to Vect
1 CVEsMITRE ATT&CK
Vect in ATT&CK
57 distinct techniquesTechniques
57 techniquesReporting
Research mentioning Vect
[FORECAST] TeamPCP shows why package cleanup is not containment
Sophos reports that Vect and TeamPCP announced an operational partnership in late March 2026, combining TeamPCP’s credential harvesting and data theft with Vect’s ransomware deployment infrastructure. Sophos also reports at least one verified Vect ransomware deployment using TeamPCP-sourced credentials.
VECT and TeamPCP Reverse Ransomware Kill Chain With Supply Chain Credential Theft
A ransomware strain called VECT has formed an unusual supply chain partnership with a threat group known as TeamPCP, quietly exposing thousands of organizations to compromise before any ransom note appears.
Cyber experts issue alert after two ransomware groups team up on ‘unprecedented’ threat campaign | IT Pro
The Vect ransomware as a service (RaaS) operation first appeared at the end of 2025... Sophos said Team PCP has demonstrated the ability to repeatedly compromise trusted open source tooling, with at least one verified Vect ransomware deployment using TeamPCP-sourced credentials.
‘Interpol’ emails spread custom ransomware with decryption key left inside | news | SC Media
In April, Check Point Research discovered that the VECT ransomware-as-a-service (RaaS) group’s latest ransomware version destroyed files larger than 128 KB due to a faulty encryption process, leaving them unrecoverable.
Vect and TeamPCP partner for ransomware campaigns | SOPHOS
The Vect ransomware-as-a-service (RaaS) operation first appeared on December 31, 2025... The formal partnership between TeamPCP and Vect allows Vect to deploy ransomware across all organizations compromised in the Trivy and LiteLLM supply chain attacks.
Bugs & Betrayal: VECT Ransomware by Design, Wiper by Accident - Alpha Cyber
Analysis of the VECT ransomware family suggests implementation flaws can undermine the operator’s own monetization objectives. Rather than reliably encrypting data for recovery after payment, coding defects may irreversibly destroy victim files, effectively turning ransomware into destructive wiper malware.
TeamPCP and Cyber Supply Chain Attacks - Flare | Identity First Threat Intelligence | Unmatched Visibility into Cybercrime
The group aligned with the Vect ransomware operation... According to Check Point Research, VECT 2.0 permanently destroys any file larger than 128 KB because of a nonce-overwriting bug, making it a wiper rather than recoverable ransomware.
Dark Web Profile: Vect Ransomware - Malware News - Malware Analysis, News and Indicators
Vect is a financially motivated, double extortion ransomware-as-a-service operation that surfaced on a Russian-language cybercrime forum on December 31, 2025 under the handle “vect.”