Dark Web Profile: Vect Ransomware

Vect emerged rapidly after its December 31, 2025 debut, publishing 25 victims, recruiting affiliates through BreachForums, and linking its operations to the TeamPCP supply chain compromises and the Devman ecosystem. Its broken ChaCha20-based locker, aggressive defense evasion, and broad propagation across Windows, Linux, and VMware ESXi make it functionally similar to a wiper in many cases.

Key Points

  • Vect is a double-extortion ransomware-as-a-service operation that surfaced on December 31, 2025 in a Russian-language cybercrime forum.
  • The group quickly published its first 25 victims within four months and operated across five continents.
  • A BreachForums administrator mass-distributed Vect affiliate keys to nearly 324,000 registered users, creating an unprecedented recruitment channel.
  • Vect’s operations are tied to TeamPCP, which harvested credentials through supply chain compromises affecting Trivy, Checkmarx KICS, LiteLLM, and Telnyx.
  • The locker supports Windows, Linux, and VMware ESXi, uses multiple propagation methods, and disables defenses before encryption.
  • Vect’s intermittent encryption is flawed, causing three quarters of large files to become unrecoverable and making the campaign behave like a wiper.
  • The article also highlights links to Devman through naming conventions, ransom note similarities, and related tradecraft.

MITRE Techniques

  • [T1078] Valid Accounts – Vect abuses compromised credentials for access and stores affiliate-supplied credentials on hosts (‘credentials harvested through the TeamPCP campaign’, ‘stores affiliate-supplied credentials on each target host using cmdkey’).
  • [T1133] External Remote Services – The group abuses RDP, VPN, and SSH-based access paths (‘base64-encoded credentials supplied at build time or via the --creds parameter for RDP and VPN abuse’).
  • [T1195.002] Supply Chain Compromise: Software Supply Chain – TeamPCP compromised upstream software and CI/CD paths to harvest secrets used by Vect (‘compromised the Trivy GitHub Actions workflow, the Checkmarx KICS package, the LiteLLM PyPI distribution, and the Telnyx Python SDK’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell is used to launch execution and disable defenses (‘Execution is initiated through PowerShell’, ‘a PowerShell command … disables Microsoft Defender real-time monitoring’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The locker can be launched through cmd.exe (‘Execution is initiated through … the Windows command shell’).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Vect uses remote scheduled tasks for lateral spread (‘It registers Scheduled Tasks remotely over CIM sessions’).
  • [T1569.002] System Services: Service Execution – The malware installs or starts services remotely to execute (‘a service installed remotely with sc.exe’).
  • [T1106] Native API – The malware relies on Win32 and other native APIs for host and file discovery (‘walks file systems with standard Win32 APIs’).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Safe-mode persistence is achieved through a Run key (‘plus a Run key so the host reboots into safe mode’).
  • [T1112] Modify Registry – The locker writes SafeBoot and Run registry entries to alter boot behavior (‘writes SafeBoot Minimal and Network registry entries plus a Run key’).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Vect disables security tools and monitoring (‘disables Microsoft Defender real-time monitoring’, ‘terminates a hardcoded list of security agents’).
  • [T1562.009] Impair Defenses: Safe Mode Boot – It forces a reboot into safe mode to weaken protections (‘if --force-safemode is set the locker writes SafeBoot Minimal and Network registry entries’).
  • [T1070.004] Indicator Removal: File Deletion – The malware deletes artifacts and shadow copies (‘self-delete’, ‘vssadmin delete shadows /all /quiet’).
  • [T1027] Obfuscated Files or Information – Vect hides strings and uses encoded commands (‘a double XOR routine … leaving them as plaintext strings inside the binary’, ‘XOR-decoded at runtime’).
  • [T1555] Credentials from Password Stores – Affiliate credentials are stored in Windows Credential Manager (‘using cmdkey, which writes them into the Windows Credential Manager’).
  • [T1082] System Information Discovery – The malware probes system and environment details (‘probes domain trust relationships’).
  • [T1083] File and Directory Discovery – It enumerates filesystem content and accessible resources (‘walks file systems with standard Win32 APIs’).
  • [T1135] Network Share Discovery – It enumerates reachable network shares (‘enumerates accessible network shares with WNetOpenEnum and NetShareEnum’).
  • [T1482] Domain Trust Discovery – It checks trust relationships in the domain (‘probes domain trust relationships’).
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – Vect spreads via admin shares (‘uses SMB admin-share copy’).
  • [T1021.003] Remote Services: Distributed Component Object Model – The malware uses DCOM for remote execution (‘DCOM instantiation via MMC20.Application’).
  • [T1021.004] Remote Services: SSH – Linux and ESXi propagation uses SSH (‘SSH-based propagation is supported on Linux and ESXi’).
  • [T1021.006] Remote Services: Windows Remote Management – The locker uses WinRM for remote movement (‘PowerShell remoting over WinRM’).
  • [T1005] Data from Local System – Vect collects local files and data before encryption (‘Collection and Exfiltration’).
  • [T1039] Data from Network Shared Drive – It targets shared data on network drives (‘data already harvested upstream by TeamPCP’).
  • [T1090.003] Proxy: Multi-hop Proxy – Command and control uses Tor, functioning as a proxy chain (‘Vect command and control runs exclusively over Tor’).
  • [T1486] Data Encrypted for Impact – Files are encrypted with ChaCha20 to render them unusable (‘the locker performs single-pass encryption’, ‘four 32 KB chunks’).
  • [T1490] Inhibit System Recovery – The malware deletes shadow copies and blocks recovery (‘Volume Shadow Copies are removed with vssadmin delete shadows /all /quiet’).
  • [T1489] Service Stop – It stops security, backup, and database services before encrypting (‘terminates a hardcoded list of security agents’, ‘backup engines’).
  • [T1561] Disk Wipe – The broken encryption and destructive behavior produce wiper-like effects (‘operationally indistinguishable from a wiper’).
  • [T1529] System Shutdown/Reboot – Safe-mode boot and reboot behavior are used to facilitate impact (‘so the host reboots into safe mode’).

Indicators of Compromise

  • [IP addresses] No specific IP addresses were provided in the article – none mentioned.
  • [Domains / infrastructure] Tor-based leak and command infrastructure, BreachForums, and source platforms used for recruitment and distribution – BreachForums, onion services.
  • [File names / artifacts] Ransomware and detection artifacts mentioned in the article – dvm3_wall.bmp, .vect encrypted file extension.
  • [File hashes] No explicit hashes were listed in the article – none mentioned.
  • [Repository / project names] Compromised or referenced supply chain components and fallback repository names – tpcp-docs, Trivy, Checkmarx KICS, LiteLLM, Telnyx Python SDK.
  • [Tooling / commands] Recovery-disrupting and defense-evasion commands or filenames – vssadmin delete shadows /all /quiet, Set-MpPreference -DisableRealtimeMonitoring $true.
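The MITRE mappings and the command-line artifacts above are concrete enough to turn into host-telemetry detections. The following is an added example, not SOCRadar's code and not anything from the Vect locker: a small Python sweep that parses constructed, Sysmon-style process-creation records in a simplified line format assumed for this example, matches them against rules keyed to the technique IDs the profile cites, and separately flags the on-disk artifacts named in the IoC section (the .vect extension and dvm3_wall.bmp). Host names, user names, timestamps, image names and paths in the sample log are constructed; only the command fragments quoted in the profile (vssadmin delete shadows /all /quiet, Set-MpPreference -DisableRealtimeMonitoring $true, cmdkey, sc.exe, the SafeBoot Minimal/Network and Run registry paths, CIM sessions) come from the page.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real Vect logs). One process-creation
# record per line, in a simplified format assumed for this example:
#   <timestamp> host=<name> user=<user> parent=<image> cmd=<command line>
SAMPLE_LOG = r"""
2025-12-31T10:01:02Z host=ws01 user=alice parent=explorer.exe cmd=notepad.exe C:\Users\alice\notes.txt
2025-12-31T10:03:15Z host=ws01 user=SYSTEM parent=powershell.exe cmd=powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true
2025-12-31T10:03:40Z host=ws01 user=SYSTEM parent=cmd.exe cmd=vssadmin delete shadows /all /quiet
2025-12-31T10:04:01Z host=ws01 user=SYSTEM parent=locker.exe cmd=cmdkey /add:srv02 /user:corp\svc_backup /pass:REDACTED
2025-12-31T10:04:20Z host=ws01 user=SYSTEM parent=locker.exe cmd=reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\locker /ve /d Service
2025-12-31T10:04:21Z host=ws01 user=SYSTEM parent=locker.exe cmd=reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v locker /d C:\Windows\locker.exe
2025-12-31T10:05:00Z host=ws01 user=SYSTEM parent=locker.exe cmd=sc.exe \\srv02 create vsvc binPath= C:\Windows\locker.exe
2025-12-31T10:05:30Z host=ws01 user=SYSTEM parent=powershell.exe cmd=powershell.exe New-CimSession -ComputerName srv03
2025-12-31T10:06:00Z host=ws02 user=bob parent=explorer.exe cmd=vssadmin list shadows
"""

RECORD = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+"
    r"parent=(?P<parent>\S+)\s+cmd=(?P<cmd>.*)$"
)

# (MITRE technique, rule name, pattern). Each pattern keys on a command
# fragment the profile quotes. Matching is case-insensitive because
# Windows command lines are.
RULES = [
    ("T1562.001", "defender_realtime_disabled",
     r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true"),
    ("T1490", "shadow_copies_deleted",
     r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    ("T1555", "credentials_stashed_with_cmdkey",
     r"\bcmdkey(\.exe)?\s+/add:"),
    ("T1562.009", "safeboot_entry_written",
     r"\\SafeBoot\\(Minimal|Network)\b"),
    ("T1547.001", "run_key_written",
     r"\\CurrentVersion\\Run(Once)?\b"),
    ("T1569.002", "remote_service_created",
     r"\bsc(\.exe)?\s+\\\\\S+\s+create\b"),
    ("T1053.005", "remote_task_via_cim",
     r"\b(New-CimSession|Register-ScheduledTask\b.*-CimSession)\b"),
]
COMPILED = [(tid, name, re.compile(pat, re.IGNORECASE)) for tid, name, pat in RULES]


@dataclass
class Finding:
    ts: str
    host: str
    technique: str
    rule: str
    cmd: str


def scan(log_text):
    """Return one Finding per (record, rule) match, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # blank or malformed record
        for tid, name, rx in COMPILED:
            if rx.search(m["cmd"]):
                findings.append(Finding(m["ts"], m["host"], tid, name, m["cmd"]))
    return findings


def summarize(findings):
    """Map each host to the sorted, de-duplicated technique IDs seen on it."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.technique)
    return {host: sorted(ids) for host, ids in per_host.items()}


def file_artifacts(paths):
    """Return paths carrying the on-disk artifacts the profile lists:
    the .vect extension on encrypted files and the dvm3_wall.bmp wallpaper."""
    return [p for p in paths
            if p.lower().endswith(".vect") or p.lower().endswith("dvm3_wall.bmp")]


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts} {f.host} {f.technique} {f.rule}: {f.cmd}")
    print(summarize(found))
```

Two design points. The registry writes appear as reg.exe command lines only so the example stays within one record type; a locker that sets the SafeBoot and Run keys through the registry API leaves no process-creation trace, so in production the T1562.009 and T1547.001 rules belong on a registry-set event source (Sysmon Event ID 13 or its EDR equivalent). And `vssadmin list shadows` on ws02 is deliberately left unmatched: enumerating shadow copies is routine administration, and only the delete is the T1490 signal the profile describes.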


Read more: https://socradar.io/blog/dark-web-profile-vect-ransomware/