Researchers reported that Payload is a newly observed ransomware strain targeting Windows environments and rapidly expanding its operations, with about 50 victims listed on its leak site by late March. The malware appends the .payload extension to encrypted files and drops a ransom note named RECOVER_payload.txt, while focusing on sectors where downtime can quickly drive extortion pressure, including logistics, transportation, construction, real estate, manufacturing, and technology. Technical analysis indicates Payload uses a mature cryptographic design built on per-file Curve25519 ECDH key exchange and ChaCha20 encryption, making recovery without the operators’ private key effectively infeasible.
The ransomware also uses aggressive anti-forensics and disruption tactics before encryption, including deleting shadow copies, clearing Windows Event Logs, patching ETW-related functions in ntdll, terminating processes, and stopping backup and database services. Separate reporting on Vect highlighted a contrasting trend in the ransomware ecosystem: although Vect marketed enterprise-focused cross-platform ransomware for Windows, Linux, and ESXi, researchers found a critical cryptographic flaw that irreversibly destroys files larger than 128 KB, effectively turning many attacks into data wiping events even if victims pay. Together, the findings show a split between technically competent operators such as Payload and poorly engineered ransomware like Vect that can still cause severe business disruption.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
6 events from the most recent confirmed update back to the earliest known activity.
Dark Atlas released an in-depth technical analysis of Payload ransomware, detailing its encryption design, anti-forensics behavior, and operational tradecraft. The report characterized Payload as a technically mature and expanding ransomware operation.
Check Point Research reported that Vect 2.0 and an earlier in-the-wild version contain a cryptographic bug that irreversibly destroys files larger than 128 KB on Windows, Linux, and ESXi. The flaw overwrites nonce values during chunked encryption, making decryption impossible even if victims pay.
Vect and TeamPCP publicly promoted a partnership on BreachForums to monetize earlier supply-chain compromises through follow-on extortion activity, and Vect also offered affiliate keys and tooling to forum users. This exposure later enabled researchers to access the group's panel and builder.
By March 24, 2026, Payload had listed 50 victims on its leak site, indicating rapid expansion and broad targeting across sectors including logistics, transportation, construction, manufacturing, and technology.
Payload was first observed in February 2026 as a new ransomware strain targeting Windows systems. It used ChaCha20 with Curve25519 ECDH, appended the .payload extension to encrypted files, and deployed anti-forensics measures such as deleting shadow copies and clearing event logs.
A new ransomware-as-a-service operation named Vect emerged on the Russian-speaking forum Rehub, advertising a cross-platform C++ locker for Windows, Linux, and VMware ESXi with enterprise-focused features and an affiliate program. At that stage, no public victims had yet been listed.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcedarkatlas.io
Open sourcehelpnetsecurity.com
Open sourcetheregister.com
Open sourceflare.io
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.