Vect
Vect is a financially motivated ransomware-as-a-service (RaaS) operation that emerged on a Russian-language cybercrime forum in late December 2025 and became active in early 2026. Reporting consistently describes it as a double-extortion operation with Tor-based leak infrastructure and an affiliate model that expanded rapidly through low-cost access and a partnership with BreachForums. Vect supports Windows, Linux, and VMware ESXi, and its tooling is described as purpose-built in C++ with statically compiled binaries linked against libsodium. Multiple reports also note possible overlap with the Devman ransomware family, including shared strings, similar ransom notes, and a DM-prefixed lateral movement convention, but this linkage is not confirmed.
Vect has been publicly linked to TeamPCP. On March 25, 2026, TeamPCP announced an operational partnership with Vect in which TeamPCP provided initial access via compromised supply-chain packages and stolen credentials, while Vect provided encryption and extortion tooling. The content ties this to TeamPCP compromises affecting Trivy, Checkmarx KICS, LiteLLM, and the Telnyx Python SDK, and states that at least one confirmed Vect deployment used credentials harvested through that campaign. Vect also sought compromised Fortinet credentials and supports operator-supplied credentials for RDP, VPN, and related access abuse.
Across reporting, Vect is notable for broad enterprise-focused functionality. The Windows variant can disable Microsoft Defender protections; terminate security, backup, database, and productivity processes; delete Volume Shadow Copies; clear event logs; modify SafeBoot settings; persist via registry changes; and self-delete. Lateral movement capabilities described in the content include scheduled tasks over CIM, SMB admin shares, WMI, DCOM via MMC20.Application, sc.exe service installation, PowerShell remoting over WinRM, and SSH on Linux and ESXi. The Linux and ESXi variants implement CIS (Commonwealth of Independent States) geofencing using locale and timezone checks and can stop services and target virtualized environments. Vect appends the .vect extension to encrypted files and drops ransom notes named !!!READ_ME!!!.txt or !!!_READ_ME_!!!.txt. Reported infrastructure and contact artifacts include the onion domains bu7zr6fotni3qxxoxlcmpikwtp5mjzy7jkxt7akflnm2kwkbdtgtjuid.onion and vectordntlcrlmfkcm4alni734tbcrnd5lk44v6sp4lqal6noqrgnbyd.onion, the TOX ID 1A51DCBB33FBF603B385D223F599C6D64545E631F7C870FFEA320D84CE5DAF076C1F94100B5B, and the Session ID 05440a6dd16be656d852bf8d311ac8df775d4ef9c941e108bd4851d46502aa730b.
A key high-confidence finding is that Vect 2.0 contains a critical cryptographic implementation flaw. Multiple analyses state that for files larger than 128 KB, Vect encrypts four chunks using ChaCha20-IETF but stores only the final nonce, making the first three encrypted chunks unrecoverable. This affects Windows, Linux, and ESXi variants and has been described as turning Vect operationally into a wiper for most meaningful enterprise data, including VM disks, databases, documents, archives, and backups. The content explicitly states that paying the ransom is unlikely to restore most large files. Victimology in the provided content indicates activity across multiple continents and sectors including technology, financial services, healthcare, manufacturing, education, energy, and law, with the United States and Brazil frequently represented among listed victims.
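The nonce-retention defect described above, as an added illustration that is not Vect's code and not any vendor's analysis tooling: a pure-Python ChaCha20-IETF (RFC 8439, 96-bit nonce, 32-bit counter) encrypts a file in the chunk layout the reporting describes, keeps only the final nonce, and then reports what a decryptor holding the key and that one nonce can actually recover. The 128 KB cutoff and the four-chunk scheme come from the reporting; the equal-size chunk boundaries, the demo key, and the nonce source are assumptions of this illustration.

```python
import secrets
import struct

# Added illustration, not Vect's code. Pure-Python ChaCha20 per RFC 8439,
# used only to show why a lost nonce leaves ciphertext unrecoverable.
MASK32 = 0xFFFFFFFF
LARGE_FILE_THRESHOLD = 128 * 1024   # 131,072 bytes, per the reporting
CHUNKS_PER_LARGE_FILE = 4           # four chunks per the reporting; equal split is assumed
DEMO_KEY = bytes(range(32))         # demo key (also the RFC 8439 test-vector key)


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def _chacha20_block(key, counter, nonce):
    # State layout: 4 constant words, 8 key words, 1 counter word, 3 nonce words.
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter & MASK32)
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):                       # 20 rounds = 10 double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & MASK32 for x, y in zip(w, state)))


def chacha20_ietf_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt (same operation) with a 32-byte key and 12-byte nonce."""
    assert len(key) == 32 and len(nonce) == 12
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = _chacha20_block(key, counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)


def split_chunks(data):
    """Chunk layout used by this simulation (assumed): one chunk for files up to
    the threshold, four equal-size chunks above it."""
    if len(data) <= LARGE_FILE_THRESHOLD:
        return [data]
    size = -(-len(data) // CHUNKS_PER_LARGE_FILE)   # ceiling division
    return [data[i:i + size] for i in range(0, len(data), size)]


def flawed_encrypt(key, data):
    """Simulates the reported defect: every chunk gets a fresh random nonce, but
    only the nonce of the final chunk survives alongside the ciphertext."""
    ct, stored_nonce = bytearray(), None
    for chunk in split_chunks(data):
        nonce = secrets.token_bytes(12)
        ct += chacha20_ietf_xor(key, nonce, chunk)
        stored_nonce = nonce          # earlier nonces are overwritten and lost
    return bytes(ct), stored_nonce


def recovery_report(key, ciphertext, stored_nonce, original):
    """Per chunk, whether decrypting with the key and the one surviving nonce
    reproduces the original bytes."""
    report, offset = [], 0
    for chunk in split_chunks(ciphertext):
        plaintext = chacha20_ietf_xor(key, stored_nonce, chunk)
        report.append(plaintext == original[offset:offset + len(chunk)])
        offset += len(chunk)
    return report


if __name__ == "__main__":
    for name, data in (("1 KB file", b"x" * 1024), ("132 KB file", b"y" * (132 * 1024))):
        ct, nonce = flawed_encrypt(DEMO_KEY, data)
        print(name, "chunks recoverable:", recovery_report(DEMO_KEY, ct, nonce, data))
```

The ChaCha20 keystream is a function of key, nonce, and counter together, so a decryptor that obtains the key (by payment or otherwise) still has nothing to work with for the three chunks whose 96-bit nonces were never written down; only the final chunk comes back, which is what makes the operation behave as a wiper for anything over the threshold.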
Groups observed using it
3 distinct threat actors attributed by public researchers.
Vect is a financially motivated, double extortion ransomware-as-a-service operation that surfaced on a Russian-language cybercrime forum on December 31, 2025 under the handle “vect.”
Check Point researchers opened a BreachForums account, got access to the panel and ransomware builder, and analyzed the gang's malware. They quickly determined that the ransomware-as-a-service group also isn't very good at writing code ... and they appear to have accidentally written a data wiper. Instead of encrypting large files ... Vect 2.0 ransomware permanently destroys any files larger than 131,072 bytes (128 KB).
Update 002 covered developments through March 27, including the Telnyx PyPI compromise and Vect ransomware partnership.
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
Vect operators retain alternative initial access paths, including compromised Fortinet credentials solicited on a Russian-language forum in January 2026, plus base64-encoded credentials supplied at build time or via the --creds parameter for RDP and VPN abuse.
Between March 19 and March 24, 2026, TeamPCP compromised the Trivy GitHub Actions workflow, the Checkmarx KICS package, the LiteLLM PyPI distribution (versions 1.82.7 and 1.82.8), and the Telnyx Python SDK. A credential-harvesting payload fired during CI/CD execution in downstream organizations.
Execution
4 techniques
The function labeled “GPO spread” performs no Group Policy operations. It registers Scheduled Tasks remotely over CIM sessions, each named with a hardcoded “DM” prefix followed by four random uppercase letters.
Execution is initiated through PowerShell, the Windows command shell, or a service installed remotely with sc.exe.
It enumerates accessible network shares with WNetOpenEnum and NetShareEnum, walks file systems with standard Win32 APIs, and probes domain trust relationships.
Persistence
5 techniques
The function labeled “GPO spread” performs no Group Policy operations. It registers Scheduled Tasks remotely over CIM sessions, each named with a hardcoded “DM” prefix followed by four random uppercase letters.
Vect operators retain alternative initial access paths, including compromised Fortinet credentials solicited on a Russian-language forum in January 2026, plus base64-encoded credentials supplied at build time or via the --creds parameter for RDP and VPN abuse.
If --force-safemode is set, the locker writes SafeBoot Minimal and Network registry entries plus a Run key so the host reboots into safe mode with most endpoint protection inactive.
Privilege Escalation
3 techniques
The function labeled “GPO spread” performs no Group Policy operations. It registers Scheduled Tasks remotely over CIM sessions, each named with a hardcoded “DM” prefix followed by four random uppercase letters.
Vect operators retain alternative initial access paths, including compromised Fortinet credentials solicited on a Russian-language forum in January 2026, plus base64-encoded credentials supplied at build time or via the --creds parameter for RDP and VPN abuse.
Stealth
3 techniques
A double XOR routine intended to keep these flags encrypted at rest accidentally cancels itself out, leaving them as plaintext strings inside the binary.
Defense Impairment
1 technique
Credential Access
1 technique
The locker stores affiliate-supplied credentials on each target host using cmdkey, which writes them into the Windows Credential Manager.
Discovery
3 techniques
The Linux and ESXi variants implement CIS geofencing by reading LANG, LC_ALL, and /etc/timezone.
It enumerates accessible network shares with WNetOpenEnum and NetShareEnum, walks file systems with standard Win32 APIs, and probes domain trust relationships.
Lateral Movement
4 techniques
Beyond scheduled tasks, the locker uses SMB admin-share copy, WMI execution, DCOM instantiation via MMC20.Application, sc.exe service installation, and PowerShell remoting over WinRM.
Collection
2 techniques
Exfiltration is performed either out of band by the affiliate using third-party tools such as Rclone, MEGA, or WinSCP
It enumerates accessible network shares with WNetOpenEnum and NetShareEnum
Command and Control
1 technique
Block outbound Tor entry-node connectivity and onion-name resolution at the network perimeter, since Vect command and control runs exclusively over Tor.
Impact
4 techniques
The locker then terminates a hardcoded list of security agents ... backup engines ... database services
Volume Shadow Copies are removed with vssadmin delete shadows /all /quiet after a 30-second wait
If --force-safemode is set, the locker writes SafeBoot Minimal and Network registry entries plus a Run key so the host reboots into safe mode
The combination of shadow copy deletion, security agent termination, safe-mode persistence, and broken intermittent encryption produces an outcome operationally indistinguishable from a wiper
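The host-side behaviours listed under the tactics above (shadow copy deletion, cmdkey credential staging, event log clearing, SafeBoot and Run key writes, DM-prefixed scheduled tasks, and onion-name resolution) are the kind of thing a detection engineer would turn into rules. The following is an added example, not a rule set published by Mallory or any vendor: a small Python scanner that parses Sysmon-style events flattened to key=value lines and flags each Vect technique named on this page. The sample events are constructed for the example; the file names and host names in them are placeholders, and the only value taken from the page is the first onion domain listed above.

```python
import re

# Constructed sample telemetry (not from any real incident). Sysmon-style events
# flattened to key=value lines: EventID 1 = process creation, 13 = registry value
# set, 22 = DNS query; 4698 = scheduled task created (Windows Security log).
# Paths, host names and account names are placeholders.
SAMPLE_EVENTS = [
    'EventID=1 Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin delete shadows /all /quiet"',
    'EventID=1 Image="C:\\Windows\\System32\\cmdkey.exe" CommandLine="cmdkey /add:fileserver01 /user:corp\\svc_backup /pass:REDACTED"',
    'EventID=1 Image="C:\\Windows\\System32\\wevtutil.exe" CommandLine="wevtutil cl Security"',
    'EventID=1 Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe C:\\Users\\alice\\notes.txt"',
    'EventID=13 TargetObject="HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\locker" Details="Service"',
    'EventID=13 TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\locker" Details="C:\\ProgramData\\locker.exe"',
    'EventID=4698 TaskName="\\DMQXZK" SubjectUserName="svc_backup"',
    'EventID=4698 TaskName="\\Microsoft\\Windows\\Defrag\\ScheduledDefrag" SubjectUserName="SYSTEM"',
    'EventID=22 QueryName="bu7zr6fotni3qxxoxlcmpikwtp5mjzy7jkxt7akflnm2kwkbdtgtjuid.onion" QueryStatus="9003"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# Scheduled task names of the form DM + four uppercase letters, optional leading backslash.
TASK_NAME_RE = re.compile(r'^\\?DM[A-Z]{4}$')


def parse_event(line):
    """Turn one flattened event line into a dict of field -> value."""
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def _cmd(ev):
    return ev.get("CommandLine", "").lower()


def _reg(ev):
    return ev.get("TargetObject", "").lower()


# (rule name, predicate over a parsed event). Each rule maps to a technique named on the page.
RULES = [
    ("Shadow copy deletion via vssadmin",
     lambda ev: ev.get("EventID") == "1" and "vssadmin" in _cmd(ev) and "delete shadows" in _cmd(ev)),
    ("Credential staging via cmdkey",
     lambda ev: ev.get("EventID") == "1" and _cmd(ev).startswith("cmdkey")
     and ("/add" in _cmd(ev) or "/generic" in _cmd(ev))),
    ("Event log clearing via wevtutil",
     lambda ev: ev.get("EventID") == "1" and _cmd(ev).startswith("wevtutil") and " cl " in _cmd(ev)),
    ("SafeBoot registry entry written",
     lambda ev: ev.get("EventID") == "13" and "\\control\\safeboot\\" in _reg(ev)),
    ("Run key written",
     lambda ev: ev.get("EventID") == "13" and "\\currentversion\\run\\" in _reg(ev)),
    ("DM-prefixed scheduled task registered",
     lambda ev: ev.get("EventID") == "4698" and bool(TASK_NAME_RE.match(ev.get("TaskName", "")))),
    ("Onion name resolution attempt",
     lambda ev: ev.get("EventID") == "22" and ev.get("QueryName", "").lower().endswith(".onion")),
]


def scan(lines):
    """Return one finding per (event, matching rule), keyed by line index."""
    findings = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        for name, pred in RULES:
            if pred(ev):
                findings.append({"line": idx, "rule": name})
    return findings


def safe_mode_pattern(findings):
    """True when both halves of the --force-safemode behaviour (SafeBoot entry
    plus Run key) appear; either alone is common in benign software."""
    rules = {f["rule"] for f in findings}
    return "SafeBoot registry entry written" in rules and "Run key written" in rules


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for hit in hits:
        print(f"line {hit['line']}: {hit['rule']}")
    print("safe-mode reboot pattern present:", safe_mode_pattern(hits))
```

The Run key rule on its own is noisy in any real fleet, which is why the scanner also reports the SafeBoot-plus-Run-key combination separately; the scheduled task name pattern and the vssadmin command line are the higher-fidelity signals, and the onion query is where the page's advice to block Tor name resolution at the perimeter becomes a detection rather than just a block.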
Other
2 techniques
IOCs tracked for this family
22 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
32 sources tracked across advisories, community write-ups, and news.
Vect is a C++ ransomware family operated as a double-extortion RaaS platform targeting Windows, Linux, and VMware ESXi. It supports affiliate-driven deployment, disables defenses, deletes shadow copies, spreads laterally via scheduled tasks, SMB, WMI, DCOM, WinRM, and SSH, and encrypts files with a flawed ChaCha20 implementation that effectively makes large-file recovery impossible, rendering many incidents operationally similar to wiper attacks.
A double-extortion ransomware-as-a-service family written in C++ for Windows, Linux, and VMware ESXi. It supports affiliate-driven deployment, lateral movement, safe-mode reboot abuse, shadow copy deletion, and file encryption using a flawed ChaCha20 implementation that can render large files unrecoverable, making attacks operationally similar to a wiper.
A TeamPCP-affiliated extortion malware presented as ransomware, but due to a ChaCha20-IETF nonce-reuse flaw it effectively acts as a data wiper for files larger than 128 KB, making recovery impossible even if ransom is paid.
VECT is a ransomware family/locker targeting Windows, Linux, and ESXi. This Windows sample encrypts files with ChaCha20-compatible logic, appends the .vect extension, drops the ransom note !!!_READ_ME_!!!.txt, disables Defender protections, deletes shadow copies, clears event logs, modifies SafeBoot/Run-key settings, and includes lateral movement/GPO propagation capabilities. The analyzed build appears flawed: small files may be recoverable because the needed 12-byte nonce is preserved, while large files lose three of four required nonces, making full recovery from disk alone impossible.