Vect RaaS affiliate recruitment and early ecosystem buildout
Threat Actor Meta
Summary
Hide ▲
Show ▼
Vect has moved into affiliate recruitment, marking an early-stage ransomware-as-a-service buildout that could expand its reach and victim volume. The group has already claimed victims in Brazil and South Africa, suggesting the operation is validating its model before broader scaling.
Related Happenings
Vect and TeamPCP industrialize ransomware through a supply-chain credential-theft alliance
Threat Actor Meta
H score67
First: 03.07.2026 14:30
Last: 03.07.2026 14:30
Sources 1
About this happening:
**Vect** and **TeamPCP** formed a new **ransomware-as-a-service** partnership that combines **supply-chain credential theft** with extortion, expanding the risk of follow-on attac...
Vect and TeamPCP industrialize ransomware through a supply-chain credential-theft alliance
Threat Actor MetaAbout this happening: **Vect** and **TeamPCP** formed a new **ransomware-as-a-service** partnership that combines **supply-chain credential theft** with extortion, expanding the risk of follow-on attac...
Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program
Threat Actor Meta
H score24
First: 11.06.2026 19:50
Last: 11.06.2026 19:50
Sources 1
About this happening:
**Phantom Mantis** moved **The Gentlemen** from dependence on other ransomware ecosystems into an **independent partnership program**, expanding its operational autonomy and affil...
Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program
Threat Actor MetaAbout this happening: **Phantom Mantis** moved **The Gentlemen** from dependence on other ransomware ecosystems into an **independent partnership program**, expanding its operational autonomy and affil...
The Gentlemen ransomware group’s 90/10 RaaS model and rapid victim growth
Threat Actor Meta
H score26
First: 10.06.2026 17:03
Last: 10.06.2026 17:03
Sources 1
About this happening:
**The Gentlemen** ransomware group has become a high-volume **RaaS** operation, using a **90/10 affiliate split** to attract operators and expand its reach. The group now ranks as...
The Gentlemen ransomware group’s 90/10 RaaS model and rapid victim growth
Threat Actor MetaAbout this happening: **The Gentlemen** ransomware group has become a high-volume **RaaS** operation, using a **90/10 affiliate split** to attract operators and expand its reach. The group now ranks as...
Vect ransomware flawed ChaCha20 implementation destroys large files
Technical Analysis
H score4
First: 29.04.2026 13:45
Last: 29.04.2026 13:45
Sources 1
How related:
Specifically, the researchers said that the cipher used in the ransomware encryption system is raw ChaCha20-IETF (RFC 8439) with no authentication, not ChaCha20-Poly1305 AEAD as claimed in the group’s initial advertisements of its product and mentioned in some threat intelligence reports.
About this happening:
**Vect 2.0 ransomware** was shown to use **raw ChaCha20-IETF (RFC 8439)** without authentication, causing files above **128 KB** to be permanently destroyed across **Windows, Linu...
Vect ransomware flawed ChaCha20 implementation destroys large files
Technical AnalysisHow related: Specifically, the researchers said that the cipher used in the ransomware encryption system is raw ChaCha20-IETF (RFC 8439) with no authentication, not ChaCha20-Poly1305 AEAD as claimed in the group’s initial advertisements of its product and mentioned in some threat intelligence reports.
About this happening: **Vect 2.0 ransomware** was shown to use **raw ChaCha20-IETF (RFC 8439)** without authentication, causing files above **128 KB** to be permanently destroyed across **Windows, Linu...
VECT 2.0 ransomware-branded file destruction malware
Malware Activity
H score4
First: 28.04.2026 17:01
Last: 28.04.2026 17:01
Sources 1
How related:
Vect 2.0 ransomware has been found to wipes large, compromised files instead of merely encrypting them, making recovery impossible – even for the attackers.
About this happening:
The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...
VECT 2.0 ransomware-branded file destruction malware
Malware ActivityHow related: Vect 2.0 ransomware has been found to wipes large, compromised files instead of merely encrypting them, making recovery impossible – even for the attackers.
About this happening: The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...
Timeline
-
03.02.2026 16:00 3 articles · 5mo ago
Vect RaaS affiliate recruitment and early ecosystem buildout
Initial DisclosureIn **December 2025**, **Vect** began a recruitment push and started onboarding affiliates. The group is now using early victim activity in **Brazil** and **South Africa** to validate the ransomware operation.
Show sources
- Researchers Warn of New “Vect” RaaS Variant — www.infosecurity-magazine.com — 03.02.2026 16:00
- Researchers Warn of New “Vect” RaaS Variant — www.infosecurity-magazine.com — 03.02.2026 16:00
- Critical Flaw Turns Vect Ransomware into Data Destroying Wiper — www.infosecurity-magazine.com — 29.04.2026 13:45