Vect ransomware activity with cross-platform encryption and double extortion
Malware Activity
Summary
Hide ▲
Show ▼
Security researchers say Vect is a new ransomware-as-a-service (RaaS) operation that has already claimed victims in Brazil and South Africa. Its malware targets Windows, Linux and VMware ESXi, uses ChaCha20-Poly1305 with intermittent encryption, and runs in Safe Mode to suppress security tools. The group is also using a double extortion model and recruiting affiliates, suggesting it is preparing for broader expansion.
Related Happenings
Vect and TeamPCP industrialize ransomware through a supply-chain credential-theft alliance
Threat Actor Meta
H score67
First: 03.07.2026 14:30
Last: 03.07.2026 14:30
Sources 1
About this happening:
**Vect** and **TeamPCP** formed a new **ransomware-as-a-service** partnership that combines **supply-chain credential theft** with extortion, expanding the risk of follow-on attac...
Vect and TeamPCP industrialize ransomware through a supply-chain credential-theft alliance
Threat Actor MetaAbout this happening: **Vect** and **TeamPCP** formed a new **ransomware-as-a-service** partnership that combines **supply-chain credential theft** with extortion, expanding the risk of follow-on attac...
Vect 2.0 ransomware wiper-flaw activity
Malware Activity
H score31
First: 29.04.2026 18:23
Last: 29.04.2026 18:23
Sources 1
About this happening:
The **Vect 2.0** ransomware variant now **permanently destroys large files** instead of encrypting them, which can leave defenders without a recoverable copy. The flaw affects ver...
Vect 2.0 ransomware wiper-flaw activity
Malware ActivityAbout this happening: The **Vect 2.0** ransomware variant now **permanently destroys large files** instead of encrypting them, which can leave defenders without a recoverable copy. The flaw affects ver...
Vect ransomware flawed ChaCha20 implementation destroys large files
Technical Analysis
H score4
First: 29.04.2026 13:45
Last: 29.04.2026 13:45
Sources 1
About this happening:
**Vect 2.0 ransomware** was shown to use **raw ChaCha20-IETF (RFC 8439)** without authentication, causing files above **128 KB** to be permanently destroyed across **Windows, Linu...
Vect ransomware flawed ChaCha20 implementation destroys large files
Technical AnalysisAbout this happening: **Vect 2.0 ransomware** was shown to use **raw ChaCha20-IETF (RFC 8439)** without authentication, causing files above **128 KB** to be permanently destroyed across **Windows, Linu...
Vidar infostealer market rise and distribution expansion
Malware Activity
H score30
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Vidar infostealer market rise and distribution expansion
Malware ActivityAbout this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
VECT 2.0 ransomware-branded file destruction malware
Malware Activity
H score4
First: 28.04.2026 17:01
Last: 28.04.2026 17:01
Sources 1
About this happening:
The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...
VECT 2.0 ransomware-branded file destruction malware
Malware ActivityAbout this happening: The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...
Timeline
-
03.02.2026 16:00 2 articles · 5mo ago
Vect RaaS disclosed with cross-platform ransomware and double extortion
Initial DisclosureVect is described as a new ransomware-as-a-service operation that began recruiting affiliates in December 2025, had already claimed victims in Brazil and South Africa, and used custom C++ ransomware targeting Windows, Linux and VMware ESXi with ChaCha20-Poly1305, intermittent encryption, Safe Mode execution to suppress security tools, and a double extortion model backed by TOR, Monero, and TOX-based affiliate communications.
Show sources
- Researchers Warn of New “Vect” RaaS Variant — www.infosecurity-magazine.com — 03.02.2026 16:00
- Researchers Warn of New “Vect” RaaS Variant — www.infosecurity-magazine.com — 03.02.2026 16:00