Full Report
Vect ransomware, a group that emerged in January 2026, has recently begun attracting attention in the cybersecurity space for the strategic partnerships that are helping it expand. One notable collaboration is with TeamPCP: the most recent victims on Vect's leak site appear to have been posted on TeamPCP's behalf.
Analysis Summary
# Threat Actor: Vect (Vect Ransomware-as-a-Service)
## Attribution & Identity
* **Identification:** A Ransomware-as-a-Service (RaaS) group that emerged in January 2026.
* **Known Associations:**
    * **TeamPCP:** A strategic partner known for high-profile supply chain attacks. TeamPCP appears to use Vect's leak site to publish its own victims.
    * **BreachForums:** A formal partnership under which all BreachForums members are granted affiliate status in the Vect RaaS program.
* **Affiliate Operations:** Operates an open affiliate model with a $250 entry fee, paid in Monero (XMR), for non-forum members.
## Activity Summary
Since its emergence in January 2026, Vect has rapidly scaled its operations through strategic alliances. By April 2026, the group had published 25 victims on its leak site, though it claims to have over 300 "unreleased" victims. The group is notable for using its X (formerly Twitter) account for psychological operations and victim taunting. Recent activity is characterized by a "triple-threat" growth strategy: an open affiliate program, a direct pipeline from BreachForums, and supply chain compromise assistance via TeamPCP.
## Tactics, Techniques & Procedures
* **Supply Chain Compromise:** Leveraging TeamPCP’s capability to compromise open-source tools (e.g., Trivy, KICS) to gain initial access.
* **Multi-Platform Target Support:** Development of ransomware builds for Windows, Linux, and VMware ESXi environments.
* **Double Extortion:** Maintaining a leak site to publish stolen data if ransoms are not paid.
* **Psychological Operations:** Using social media (X/Twitter) to taunt victims and apply pressure.
* **Tiered Commission Structure:** Incentivizing high-earning affiliates with payouts ranging from 80% to 89%.
* **Exfiltration:** Actively developing a custom data exfiltration tool (listed as "coming soon" in the affiliate panel).
## Targeting
* **Sectors:** Primarily Technology; also Healthcare, despite the group's claims that it does not target that sector.
* **Geography:** Global, with a heavy emphasis on the United States (the most targeted country, with 28% of known victims).
* **Victims:** Includes victims of the TeamPCP supply chain breaches, among them users of LiteLLM and the Telnyx Python SDK.
## Tools & Infrastructure
* **Malware Families:** Vect Ransomware (Windows, Linux, and ESXi variants).
* **Infrastructure:**
    * **Leak Site:** Used for victim disclosure and affiliate registration.
    * **RaaS Panel:** A centralized dashboard where affiliates generate builds and monitor targets.
    * **Cryptocurrency:** Monero (XMR) is used for affiliate invite payments to preserve anonymity.
* **IoCs (SHA1 Hashes):**
* e27f4feffc1ba6bf4e35aec4a5270fccb636e5cf (Windows)
* f4b904fb6ba8474cb87f26302b74c4b82c106003 (Windows)
* 9e18315690f148e1aa39facc39de913266bdcc13 (Windows)
* f5287a33a806b8de0d62ac24edead4dcb9f60c2a (Windows)
* 69aa94434f545b41198b7d21f9acc71457584e62 (ESXi)
* 488ed9ff65652a738042d93678591a579714a791 (Linux)
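The hash list above is only useful once it is actually swept across hosts. The following is an added example, not tooling from the report or from the group, of a minimal IoC sweep in Python: it streams SHA1 over every regular file under a root, skips symlinks and oversized files, and reports matches against the report's hashes. The demo embeds no Vect sample; it uses an empty file and its well-known SHA1 as a constructed test vector, and the size cut-off is an assumption.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA1 IoCs listed in the report above, keyed to the platform given for each.
VECT_SHA1_IOCS = {
    "e27f4feffc1ba6bf4e35aec4a5270fccb636e5cf": "Windows",
    "f4b904fb6ba8474cb87f26302b74c4b82c106003": "Windows",
    "9e18315690f148e1aa39facc39de913266bdcc13": "Windows",
    "f5287a33a806b8de0d62ac24edead4dcb9f60c2a": "Windows",
    "69aa94434f545b41198b7d21f9acc71457584e62": "ESXi",
    "488ed9ff65652a738042d93678591a579714a791": "Linux",
}

CHUNK = 1 << 20        # hash in 1 MiB pieces so large binaries do not fill memory
MAX_BYTES = 256 << 20  # assumption: skip anything larger; tune for your estate


def sha1_hex(data: bytes) -> str:
    """SHA1 of an in-memory buffer (used to build test vectors)."""
    return hashlib.sha1(data).hexdigest()


def sha1_file(path: Path) -> str:
    """Streaming SHA1 of a file on disk."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, iocs=VECT_SHA1_IOCS, max_bytes=MAX_BYTES):
    """Walk `root` and return sorted [(path, sha1, label)] for every regular file
    whose SHA1 is in `iocs`. Symlinks are skipped so a planted link cannot drag
    the sweep outside `root`; unreadable files are skipped rather than aborting."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            try:
                if p.is_symlink() or not p.is_file():
                    continue
                if p.stat().st_size > max_bytes:
                    continue
                digest = sha1_file(p)
            except OSError:
                continue
            if digest in iocs:
                hits.append((str(p), digest, iocs[digest]))
    return sorted(hits)


def demo():
    """Run the sweep over a constructed directory. No Vect sample is embedded;
    an empty file stands in, with its well-known SHA1 appended to the IoC set
    as a labelled test vector."""
    iocs = dict(VECT_SHA1_IOCS)
    iocs[sha1_hex(b"")] = "constructed test vector"
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "sample_empty.bin").write_bytes(b"")
        (Path(d) / "benign.txt").write_bytes(b"hello")
        return [(Path(p).name, h, label) for p, h, label in sweep(d, iocs)]


if __name__ == "__main__":
    for path, digest, label in demo():
        print(f"HIT {label}: {path} sha1={digest}")
```

Hash matching only catches the exact builds listed: an affiliate who regenerates a payload from the RaaS panel gets a binary with a different SHA1, so a sweep like this belongs alongside behavioral detection, not in place of it.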
## Implications
Vect represents a shift toward more professionalized and collaborative cybercrime. By partnering with advanced threat actors like TeamPCP, Vect can bypass traditional perimeter defenses via supply chain compromises. Their integration with BreachForums provides them with a nearly inexhaustible supply of affiliates, ranging from low-level "script kiddies" to sophisticated operators, likely leading to a high volume of concurrent attacks across diverse sectors.
## Mitigations
* **Supply Chain Security:** Implement rigorous integrity checking for open-source security tools (e.g., Trivy, KICS) and third-party SDKs: verify downloaded artifacts against digests pinned at review time rather than trusting whatever a mirror serves at install time. Use a software bill of materials (SBOM) to track dependencies.
* **Hypervisor Protection:** Strengthen security for ESXi environments; ensure patches are up to date and management interfaces are not exposed to the internet.
* **Endpoint Defense:** Deploy EDR/XDR solutions that block the known SHA1 hashes and, since rebuilt affiliate payloads will not match those hashes, also detect the behavioral patterns of the Vect binary.
* **Zero Trust Architecture:** Limit lateral movement opportunities to prevent affiliates from escalating access once a supply chain entry point is exploited.
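For the supply chain mitigation above, the check a practitioner wants is a hash verification of downloaded tools and SDKs against digests pinned at review time. The following is an added example (not code from the report, Trivy, KICS or any vendor) that parses a sha256sum-style checksum file and verifies each listed artifact, reporting tampered and missing files separately; the release file names and the scenario in the demo are constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK = 1 << 20
HEX = set("0123456789abcdef")


def parse_sums(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>') into
    {name: digest}. Malformed lines raise instead of being skipped: a checksum
    file that does not parse must not pass verification by omission."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<sha256>  <file>'")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or not set(digest) <= HEX:
            raise ValueError(f"line {lineno}: bad sha256 digest")
        if "/" in name or "\\" in name or name.startswith(".."):
            raise ValueError(f"line {lineno}: path component in file name")
        expected[name] = digest
    return expected


def sha256_file(path: Path) -> str:
    """Streaming SHA256 of a file on disk."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(sums_text: str, directory) -> dict:
    """Return {name: 'ok' | 'mismatch' | 'missing'} for every entry in the
    checksum file. 'missing' is reported rather than ignored so an artifact
    silently dropped from a download is still visible to the caller."""
    results = {}
    for name, digest in parse_sums(sums_text).items():
        p = Path(directory) / name
        if not p.is_file():
            results[name] = "missing"
            continue
        actual = sha256_file(p)
        results[name] = "ok" if hmac.compare_digest(actual, digest) else "mismatch"
    return results


def demo() -> dict:
    """Constructed scenario: three hypothetical release files pinned in a
    checksum file. One is intact, one was altered after its digest was
    recorded, one was never downloaded."""
    sums = "\n".join([
        "# digests pinned at review time and kept in our repo, not re-fetched",
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  scanner-linux-amd64.tar.gz",
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad *scanner-windows-amd64.zip",
        "0" * 64 + "  scanner-darwin-arm64.tar.gz",
    ])
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "scanner-linux-amd64.tar.gz").write_bytes(b"")   # matches pinned digest
        (Path(d) / "scanner-windows-amd64.zip").write_bytes(b"abd")  # pinned for b"abc": tampered
        return verify(sums, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8s} {name}")
```

The checksum file must come from somewhere the party who swapped the artifact cannot also rewrite: pin digests in your own repository after review, or verify the publisher's signature on the sums file, rather than fetching sums and artifact from the same location at install time. For Python SDKs such as the ones named under Targeting, pip's `--require-hashes` mode with `--hash=sha256:...` entries in requirements.txt applies the same rule to packages.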