Find notable cyber news and cases, enriched with sources, timelines, and signals.

Vect RaaS affiliate recruitment and early ecosystem buildout

Threat Actor Meta
First reported
Last updated
Happening score
H score 12
1 unique sources, 2 articles

Summary

Hide ▲

Vect has moved into affiliate recruitment, marking an early-stage ransomware-as-a-service buildout that could expand its reach and victim volume. The group has already claimed victims in Brazil and South Africa, suggesting the operation is validating its model before broader scaling.

Related Happenings

Vect and TeamPCP industrialize ransomware through a supply-chain credential-theft alliance

Threat Actor Meta
H score67 First: 03.07.2026 14:30 Last: 03.07.2026 14:30 Sources 1

About this happening: **Vect** and **TeamPCP** formed a new **ransomware-as-a-service** partnership that combines **supply-chain credential theft** with extortion, expanding the risk of follow-on attac...

Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program

Threat Actor Meta
H score24 First: 11.06.2026 19:50 Last: 11.06.2026 19:50 Sources 1

About this happening: **Phantom Mantis** moved **The Gentlemen** from dependence on other ransomware ecosystems into an **independent partnership program**, expanding its operational autonomy and affil...

The Gentlemen ransomware group’s 90/10 RaaS model and rapid victim growth

Threat Actor Meta
H score26 First: 10.06.2026 17:03 Last: 10.06.2026 17:03 Sources 1

About this happening: **The Gentlemen** ransomware group has become a high-volume **RaaS** operation, using a **90/10 affiliate split** to attract operators and expand its reach. The group now ranks as...

Vect ransomware flawed ChaCha20 implementation destroys large files

Technical Analysis
H score4 First: 29.04.2026 13:45 Last: 29.04.2026 13:45 Sources 1

How related: Specifically, the researchers said that the cipher used in the ransomware encryption system is raw ChaCha20-IETF (RFC 8439) with no authentication, not ChaCha20-Poly1305 AEAD as claimed in the group’s initial advertisements of its product and mentioned in some threat intelligence reports.

About this happening: **Vect 2.0 ransomware** was shown to use **raw ChaCha20-IETF (RFC 8439)** without authentication, causing files above **128 KB** to be permanently destroyed across **Windows, Linu...

VECT 2.0 ransomware-branded file destruction malware

Malware Activity
H score4 First: 28.04.2026 17:01 Last: 28.04.2026 17:01 Sources 1

How related: Vect 2.0 ransomware has been found to wipes large, compromised files instead of merely encrypting them, making recovery impossible – even for the attackers.

About this happening: The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...

Timeline

  1. 03.02.2026 16:00 3 articles · 5mo ago

    Vect RaaS affiliate recruitment and early ecosystem buildout

    Initial Disclosure

    In **December 2025**, **Vect** began a recruitment push and started onboarding affiliates. The group is now using early victim activity in **Brazil** and **South Africa** to validate the ransomware operation.

    Show sources