For the latest discoveries in cyber research for the week of 11th May, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Instructure, the US education technology company behind the Canvas learning platform, has confirmed a major data breach affecting its cloud-hosted environment. Exposed data reportedly includes student and staff records and private messages, while ShinyHunters escalated the attack by defacing hundreds of school login portals with ransom messages.
Zara, the flagship brand of Spanish fashion group Inditex, has experienced a data breach tied to a third-party technology provider. Inditex confirmed unauthorized access, and experts verified that 197,400 unique email addresses, order IDs, purchase history, and customer support tickets were exposed.
Hungarian media company Mediaworks, which operates dozens of newspapers and online outlets, was hit by a data-theft extortion attack. The company confirmed an intrusion after World Leaks posted 8.5TB of internal files online, reportedly including payroll records, contracts, financial documents, and internal communications.
Czech automaker Škoda has fallen victim to a security incident affecting its online shop after attackers exploited a software flaw to gain unauthorized access. Exposed customer data may include names, contact details, order history, and logins, but according to the company passwords payment card data was not affected.
AI THREATS
Researchers have uncovered a critical WebSocket hijacking vulnerability in Cline’s local Kanban server, impacting the widely used open‑source AI coding agent. Rated CVSS 9.7 and patched in version 0.1.66, the flaw allowed any website a developer visited to exfiltrate workspace data and inject arbitrary commands into the AI agent.
Security researchers found a flaw in Anthropic’s Claude in Chrome extension that allowed other browser extensions to hijack the AI agent. The issue enabled malicious prompts to trigger unauthorized actions and access sensitive browser-connected data, showing how AI assistants can extend browser attack surfaces.
Researchers detailed an InstallFix campaign using fake Claude AI installer pages promoted through Google Ads to infect Windows and macOS users. Victims were tricked into running commands that launched multi-stage malware, stole browser data, disabled protections, and established persistence through scheduled tasks.
VULNERABILITIES AND PATCHES
Progress alerted customers to CVE-2026-4670, a critical authentication bypass in MOVEit Automation managed file transfer software that allows unauthorized access, and CVE-2026-5174, a privilege escalation flaw. Fixes are available in versions 2025.1.5, 2025.0.9, and 2024.1.8.
Ivanti has fixed CVE-2026-6973, a high-severity Endpoint Manager Mobile vulnerability which is exploited as a zero-day. The flaw affects EPMM 12.8.0.0 and earlier and allows attackers with administrator permissions to run remote code, while hundreds of appliances reportedly remain exposed online.
Palo Alto Networks PAN-OS Authentication Portal is affected by CVE-2026-0300, a critical buffer overflow flaw allowing unauthenticated attackers to run code with root privileges on affected firewalls. Palo Alto Networks observed active exploitation against exposed portals, with no fix available at this time.
Dirty Frag, an unpatched Linux kernel flaw, enables local privilege escalation across Ubuntu, RHEL, Fedora, AlmaLinux, and CentOS Stream. By chaining bugs in IPsec and RxRPC, a local user can gain root access with high reliability, and public proof-of-concept code is available.
THREAT INTELLIGENCE REPORTS
Researchers linked Iran’s MuddyWater to using the Chaos ransomware as cover for espionage and data theft. In a recent case, attackers used Microsoft Teams social engineering to harvest credentials and deploy remote tools, then extorted the victim without encrypting files before leaking data.
Researchers detailed a Silver Fox campaign targeting organizations in India and Russia with tax-themed phishing emails. The activity delivered the previously undocumented ABCDoor backdoor, ValleyRAT, and related malware, affecting industrial, consulting, retail, and transportation sectors through more than 1,600 socially engineered messages.
Researchers unmasked a multi-stage phishing campaign using fake code-of-conduct emails and adversary-in-the-middle tactics to hijack sign-in sessions and bypass multi-factor authentication. Active between April 14 to 16, it targeted more than 35,000 users at 13,000 organizations across 26 countries.
Researchers profiled UAT-8302, a China-linked espionage group conducting long-term intrusions against government agencies in South America and southeastern Europe. The actors combine custom backdoors, including NetDraft and CloudSorcerer, with OneDrive and GitHub command channels and open-source tools for reconnaissance and lateral movement.
Researchers revealed a software supply chain campaign on NuGet in which five packages impersonating Chinese .NET UI libraries install an infostealer. The packages have recorded nearly 65,000 downloads, putting developer workstations and systems at risk by stealing passwords, SSH keys, and cryptocurrency wallet data.
Consolidation after peak fragmentation: The top 10 ransomware groups accounted for 71% of all Q1 2026 victims, a sharp reversal from the fragmentation seen in Q3 2025. The ransomware ecosystem is once again consolidating around fewer, more dominant operators.
Volume stabilization at historically high levels: There were 2,122 victims posted on data leak sites (DLS), making this period the second-highest Q1 on record. The long growth trend is stabilizing.
Qilin’s sustained dominance: Qilin maintained its position as the most prominent ransomware operation for the third consecutive quarter, posting 338 victims.
The Gentlemen is the breakout story of Q1 2026 reaching the third place on the global ransomware list, increasing their victim count from 40 victims in Q4 2025 to 166 in Q1 2026.
LockBit 5.0 comeback confirmed: LockBit posted 163 victims in Q1 2026, climbing to fourth place.
Ransomware in Q1 2026: Consolidation at Scale
During the first quarter of 2026, we monitored more than 70 active data leak sites (DLS) that collectively listed 2,122 new victims. This figure represents a 12.2% decline from the Q4 2025 all-time record of 2,416 victims but remains the second-highest Q1 on record at 117% above Q1 2024 (977 victims) and is keeping in line with the elevated baseline established through 2025.
Figure 1 – Total number of reported ransomware victims in DLS, per month (Jun 2024 – Mar 2026).
Monthly volumes within Q1 were consistently stable: in January there were 732 recorded victims, 684 in February, and 706 in March. This reflects a sustained operating rate of an average of 707 victims per month in Q1 2026.
The headline year-over-year (YoY) comparison shows a 7.1% decline from the 2,285 victims in Q1 2025. However, this comparison is misleading as the Q1 2025 numbers were heavily inflated by Cl0p’s Cleo mass-exploitation campaign which contributed approximately 390 victims in a single burst. If we exclude Cl0p from both periods, there were 1,894 victims in Q1 2025 versus 1,995 in Q1 2026, an actual YoY increase of 5.3%. The underlying growth trend in ransomware operations persists, even as the most dramatic spikes subside.
From fragmentation to consolidation
The most significant structural development seen in Q1 2026 is not the volume of attacks but the consolidation of the different operators conducting them. After two years of steady fragmentation, during which the number of active groups grew from 51 in Q1 2024 to a peak of 85 in Q3 2025 and the Top-10 share of victims fell from 68% to 57%, the ecosystem has decisively reversed course.
In Q1 2026, the top 10 groups accounted for 71.1% of all DLS-posted victims, which is the highest concentration since Q1 2024 when the ecosystem was far smaller. The number of active groups shrank from 85 to 71. Fourteen groups that were active in Q4 2025 disappeared entirely, while 21 new names appeared. However, most of the newcomers posted fewer than 10 victims, failing to take advantage of the disappearance of established mid-tier operators.
This is a common pattern repeated throughout the ecosystem’s history: law enforcement actions disrupt the ransomware market, affiliates scatter, and survivors who avoid disruption absorb the displaced talent pool and grow. Groups such as Qilin, Akira, The Gentlemen, and LockBit, who together claimed 41% of all victims in Q1, capitalized on the instability of their competitors. In Q1 2026, Qilin alone posted more victims than the combined output of the bottom 50 groups.
This dynamic carries implications beyond statistics. The consolidation of the ecosystem around fewer, more dominant operators changes its character. Larger RaaS brands invest in operational consistency, including functional decryption tools, because their business model depends on the perception that victim payment results in data recovery. In contrast, the ransomware fragmentation we saw in 2025 introduced dozens of transient operators with no such incentive to invest any effort in decryption. An example is Obscura, whose encryption bug renders files over 1 GB permanently unrecoverable regardless of payment. For defenders and incident responders, consolidation means facing fewer but more capable adversaries.
Figure 2 – Top 10 ransomware groups by number of publicly claimed victims – Q1 2026.
Notable surges and declines
Comparing the data between Q4 2025 and Q1 2026 reveals which groups are absorbing the affiliate talent pool, and which are failing to take advantage of it.
Surges:
The Gentlemen grew by 315%, going from 40 claimed victims to 166, making them the biggest story of Q1 2026, covered in detail below.
LockBit 5.0 activity increased by 106%, from 79 victims to 163.
Nightspire, a closed-group operation with OneDrive cloud encryption capability, expanded by 183% from 29 victims to 82, sustaining growth across two consecutive quarters.
Play posted a 64% increase, going from 74 victims to 121.
Declines:
SafePay fell by 77%, going from 97 victims to 22. SafePay is a centralized, non-RaaS operation whose DLS was marked inactive from mid-March 2026 through early April for unknown reasons.
Devman declined by 70%, from 82 victims to 25. The ransomware’s operator “Tramp”, a former Conti and Black Basta affiliate, was added to Interpol’s wanted list in January 2026. All three DLS sites went offline by early February.
Sinobi dropped by 42%, from 139 victims to 80. After a strong January (56 victims), activity collapsed to just 7 victims in March. As of the time of this publication, no postings were recorded in April.
Figure 3 – Interpol’s Red Notice for Devman’s operator, Nefedov.
Actor Spotlight: The Gentlemen – The Breakout Story of Q1 2026
The Gentlemen is the most significant new ransomware operation to emerge in recent months. Going from zero victims in August 2025 to 166 in Q1 2026, the group achieved third place globally through a combination of pre-existing access stockpiles, aggressive geographic diversification, and a deliberate rejection of the traditional US-centric targeting model.
Figure 4 – The Gentlemen monthly victim trajectory, February peak: 82 victims in a single month.
Origins: A Qilin defection
The Gentlemen was founded by a threat actor known as Hastalamuerte – an experienced Qilin affiliate, who left the Qilin RaaS program following a dispute over an unpaid commission of approximately $48,000. This explains both its rapid operational capability and its sophistication: the operators started with established tradecraft, tooling, and, crucially, a stockpile of pre-compromised access.
The FortiGate stockpile
The group’s most distinctive asset is a cache of approximately 14,700 pre-exploited FortiGate devices, exploited primarily via CVE-2024-55591 (a critical authentication bypass in FortiOS/FortiProxy). In addition to the exploited devices, the operators maintain 969 validated brute-forced FortiGate VPN credentials ready for attack. This stockpile provides The Gentlemen with a supply of ready-to-use initial access tools far exceeding what typical RaaS affiliates acquire through real-time exploitation or access broker purchases.
How was this stockpile acquired? According to this report, Hastalamuerte was an experienced affiliate who had previously worked with Embargo, LockBit, and Medusa before joining Qilin. Before creating their own RaaS platform, The Gentlemen’s operators “experimented with various affiliate models used by other prominent ransomware groups.” The 14,700-device inventory likely predates the group’s September 2025 launch. Publishing 38 victims within weeks of beginning operation strongly suggests pre-existing access in the form of a massive number of compromised devices rather than real-time exploitation.
A non-Western targeting model
The Gentlemen’s geographic distribution is a striking outlier. Only 13.3% of its victims are based in the United States, compared to the ecosystem average of 49.6%. Thailand (10.8%), Brazil (6.0%), and India (4.2%) all feature prominently on their victim list.
This may reflect the geographic distribution of exploitable FortiGate devices; the group attacks where it has pre-positioned access, and that access happens to be concentrated in APAC and Latin American networks. This is an infrastructure-driven pattern rather than a deliberate targeting strategy: the operators did not choose Thailand or Brazil based on strategic preference but are exploiting access they already have.
However, we cannot exclude a secondary factor: deliberate avoidance of US targets to reduce law enforcement risk. The Gentlemen is a Russian-speaking operation founded by an affiliate who already experienced the consequences of ransomware ecosystem disputes. The decision to exploit a globally distributed stockpile while bypassing US devices – if that is what is occurring – would represent rational risk management given the heightened US law enforcement posture.
LockBit 5.0: Making a Comeback
LockBit posted 163 victims in Q1 2026 (an increase of 106% compared to Q4 2025), climbing from outside the top 10 to fourth place globally. After an initial surge of 85 victims in January (likely to reflect the accumulation of access during the pre-launch period), activity dipped to just 33 victims in February before climbing back to 45 in March. This dip-and-recovery trajectory is characteristic of a program rebuilding its affiliate base instead of exhausting a one-time stockpile, assuming these are genuine reports and not recycled or fictional reports.
Until its takedown in early 2024, LockBit was the most dominant RaaS operation globally, responsible for 20–30% of all data-leak site victim postings. Following Operation Cronos, several arrests and data seizures disrupted the group’s infrastructure.
The new LockBit 5.0 was officially launched on the RAMP underground forum in September 2025, coinciding with the sixth anniversary of the operation. The new version introduced multi-platform support (Windows, Linux, ESXi), enhanced evasion and anti-analysis mechanisms, faster encryption routines, and randomized 16-character file extensions to disrupt signature-based detection. New affiliates were required to provide a Bitcoin deposit of approximately $500.
Geographic diversification: from US dominance to global spread
LockBit’s geographic targeting has undergone a dramatic and measurable shift since its last appearance. Historically, the United States accounted for over 50% of LockBit’s victims – consistent with the ecosystem-wide baseline. In Q1 2026, US victims represented just 21.2% of LockBit’s total, with Italy (8.6%), Brazil (8.6%), and Turkey (5.1%) picking up the slack.
The shift away from US victims is new. Despite no documented forum announcements, the circumstantial evidence is strong: the direction is specifically toward non-US and European nations or countries with less aggressive behavior toward ransomware operators such as Italy, Brazil, and Turkey. The result is a nearly 30-percentage-point (pp) drop in US-based victims, despite an overall 106% increase in victims compared to Q4 2025.
The reaction to law enforcement actions may not result in a lower overall attack volume, but operators such as LockBitSUpp appear to be trying to redirect their activity away from the enforcing jurisdictions. Whether this represents a deliberate strategic decision or an emergent consequence of attracting affiliates from different geographic backgrounds remains an open question.
DragonForce: The Cartel Model Under Pressure
DragonForce posted 101 victims in Q1 2026 (an increase of 29% compared to Q4 2025), with a steep climb from 10 victims in January to 35 in February and 56 in March. This trajectory suggests an operation gaining momentum rather than depleting stockpiled access.
DragonForce continues to distinguish itself through its public relations strategy and “cartel” branding, positioning itself as an umbrella organization for multiple sub-brands. However, our investigation indicates that the cartel model is smaller than advertised:
Devman, which split from DragonForce in July 2025, saw their victim totals collapse from 82 (Q4 2025) to 25 (Q1 2026). Twenty-four of those victims were posted in January.
Coinbase Cartel, initially reported as a DragonForce sub-brand, has been independently linked to the ShinyHunters operation by Bitdefender.
Obscura, cited as a potential cartel member, posted only around 20 victims in total.
DragonForce’s technical capabilities remain genuine with multi-platform support and the group actively recruits affiliates. Its data audit service, which analyzes stolen datasets exceeding 300 GB to identify the most valuable information for extortion leverage, represents genuine innovation in the extortion model. However, the broader cartel narrative appears to be more marketing than substance.
Geographic Distribution of Victims – Q1 2026
The geographic distribution of ransomware victims in Q1 2026 maintains the fundamental pattern established over previous quarters: the United States accounts for just under half of all reported cases (49.6%), with Western developed economies making up the clear majority of targets.
Figure 6 – Top 10 targeted countries, Q1 2026.
The most notable development is Thailand’s entry into the top 10 for the first time, driven almost entirely by The Gentlemen, for whom Thai organizations constitute 10.8% of total victims. Taiwan also rose sharply (from 8 victims to 26), while South Korea dropped out entirely. This confirms that Qilin’s Q3 2025 financial sector campaign targeting 30 South Korean organizations was a one-off event rather than a sustained targeting shift.
Per-Actor Geographic Targeting: Distinct Patterns
A per-actor analysis of the top 20 groups’ country distributions reveals that the ecosystem-level averages mask dramatically different targeting strategies. We identified six distinct geographic patterns by measuring each actor’s deviation from the 49.6% US baseline.
Pattern 1 – Extreme US focus (>75% US). These actors target the United States at rates far exceeding the ecosystem average:
Play (85.1% US) operates as a closed group with a Russia-nexus lineage and centralized target selection that consistently prefers US organizations.
Sinobi (76.2% US) explicitly targets US mid-market manufacturing and construction.
Genesis (93.1% US) whose near-exclusive US focus (27 of 29 confirmed victims) and emphasis on the Healthcare sector (20.7%) is striking for an emerging actor with no documented affiliate program.
Pattern 2 – Deliberate US avoidance (<25% US). These actors are going in the opposite direction:
Tengu (11.4% US) is the most geographically diversified actor in the top 20, with victims spread across Indonesia (8.6%), Mexico (8.6%), India (6.9%), and Italy (5.8%).
LockBit (21.5% US) represents deliberate post-disruption diversification, as discussed above.
Pattern 3 – Vulnerability related distribution:
Cl0p’s geographic anomalies (18.1% Canada and 8.7% Australia). Cl0p’s traditional mass exploitation campaigns produce victim distributions that mirror the installed base of the exploited software, in this case EBS campaign (CVE-2025-61882).
The Gentlemen (13.3% US) reflects the geographic distribution of its approximately 14,700-device FortiGate access stockpile, which is concentrated in Thailand (10.8%), Brazil (6%), and India (4.2%).
Country-Level Actor Dominance: When One Group Shapes a Nation’s Threat Profile
Flipping the analysis from “which countries does an actor target” to “which actors dominate each country” reveals an even more striking picture. Several countries’ entire ransomware threat profiles are defined by a single actor’s operational choices.
Single-actor-shaped countries:
Country
Dominant actor
Share
Thailand
The Gentlemen
53%
Argentina
Qilin
39%
Mexico
LockBit
37%
Australia
Cl0p
34%
Switzerland
Akira
31%
Brazil
LockBit
31%
Thailand’s case is the most extreme: more than half of all Thai ransomware victims are claimed by The Gentlemen. Without this single group, Thailand would not even appear in the top-10 most-attacked countries. Similarly, without Cl0p’s Oracle EBS campaign, Australia and Canada would show substantially lower victim counts. These findings underscore that country-level ransomware statistics are frequently shaped by one actor’s specific access inventory, software exploitation campaign, or strategic redirection – not by broad shifts in the threat landscape.
Multi-actor convergence countries. Two countries stand out for having three or more actors independently converging to create unusually diverse threat environments:
Turkey (23 victims): LockBit (6 victims) + DragonForce (5 victims) + The Gentlemen (5 victims), 70% of Turkey’s victim totals are due to the activity of just three actors.
Japan (21 victims): The Gentlemen (6 victims) + Everest (4 victims) + Nightspire (3 victims). = 62% of the victims are due to three distinct actors. Both The Gentlemen and Nightspire exploit the same FortiGate vulnerability (CVE-2024-55591).
Ransomware Attacks by Industry – Q1 2026
The industry distribution of ransomware victims in Q1 2026 shows continued cross-sector impact, with a few notable concentrations.
Figure 7 – Ransomware victims by industry, Q1 2026.
As with geographic patterns, ecosystem-level industry averages mask fundamentally different targeting strategies at the actor level. A per-actor analysis of the top 20 groups reveals that sector selection is driven by at least three distinct observations.
Software footprint targeting. Cl0p’s 53.5% Business Services concentration (+18.6 percentage points above baseline) does not reflect a preference for professional services firms. It reflects the user base of Oracle EBS, the enterprise application exploited in the Q1 2026 campaign. Mass exploitation campaigns produce industry distributions that mirror the deployment pattern of the exploited software. This is the same dynamic observed in Cl0p’s geographic analysis, where Canada and Australia were over-represented because of Oracle EBS adoption.
Operational disruption maximization. Akira’s targeting of Consumer Goods (23.9%, +9.8 percentage points above baseline) and Industrial Manufacturing (17.8%, +6.7 percentage points above baseline), a combined 41.7% versus the 25.1% baseline, is consistent with an economically optimized model. These sectors share high downtime costs (production lines, supply chain dependencies) and complex IT/OT environments that make recovery without decryption keys extremely difficult. With $244 million in total proceeds and a 34% share of IR engagements, Akira’s sector selection reflects deliberate targeting of firms where the pressure to pay is greatest. This is not opportunistic; it’s the Conti lineage playbook applied to the sectors where it generates the highest return per incident.
Anubis stands apart from all other top-20 actors in its willingness to target healthcare (13.0%, +8.3 percentage points above baseline) and critical infrastructure (8.7%, +7.7 percentage points above baseline).
Conclusion
In Q1 2026, the ransomware ecosystem entered a new phase. After two years of steady fragmentation, the market is reconsolidating around a smaller number of dominant operators. Qilin, Akira, The Gentlemen, and LockBit together account for 41% of all victims. Domination by the top-10 actors has returned to levels not seen since early 2024.
This consolidation is not a return to the previous state. The emerging dominant groups are more technically capable, more geographically diversified, and more resilient to disruption than their predecessors. At the same time, the economic foundations of ransomware are showing signs of stress. Payment rates have fallen to historic lows. Mass data-theft campaigns are generating diminishing returns. The gap between the growing number of DLS-posted victims (2,122 in Q1 2026) and the declining monetization per victim may accelerate the current consolidation squeezing out operators who cannot achieve sufficient scale or sophistication to remain profitable.
For the latest discoveries in cyber research for the week of 4th May, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Medtronic, a global medical device maker, has disclosed a cyberattack on its corporate IT systems. An unauthorized party accessed data, while the company reported no impact on products, operations, or financial systems. Threat group ShinyHunters claimed the theft of 9 million records, and Medtronic is evaluating what data was exposed.
Vimeo, a global video hosting platform, has confirmed a data breach stemming from a compromise at analytics vendor Anodot. Exposed data included internal operational information, video titles and metadata, and some customer email addresses, while passwords, payment data, and video content were not accessed.
Threat actors have abused the account creation process of the online trading platform Robinhood to launch a phishing campaign that used emails from Robinhood official mailing account. The emails contained links to phishing sites and passed security checks. Robinhood stated that no accounts or funds were compromised and has since removed the vulnerable “Device” field.
Trellix, a major endpoint security and XDR vendor, was hit by a source code repository breach after attackers accessed a portion of its internal code. The company engaged forensic experts and law enforcement and claims it has found no evidence of product tampering, pipeline compromise, or active exploitation so far.
AI THREATS
Researchers pinpointed CVE-2026-26268, a flaw in Cursor’s coding environment that enables remote code execution when its AI agent interacts with a cloned malicious repository. The attack chains Git hooks and bare repositories to run attacker scripts, risking exposure of source code, tokens, and internal tools.
Researchers exposed Bluekit, a phishing-as-a-service platform that bundles 40-plus templates and an AI Assistant using GPT-4.1, Claude, Gemini, Llama, and DeepSeek. The AI-assisted toolkit centralizes domain setup, realistic login clones, anti-analysis filters, real-time session monitoring, and Telegram-based exfiltration.
Researchers demonstrated an AI-enabled supply chain attack in which Anthropic’s Claude Opus co-authored a code commit that introduced PromptMink malware into an open-source autonomous crypto trading project. The hidden dependency siphoned credentials, planted persistent SSH access, and stole source code, enabling wallet takeover.
VULNERABILITIES AND PATCHES
Microsoft has fixed a privilege escalation flaw in Microsoft Entra ID that allowed the Agent ID Administrator role for AI agents to take over any service account. Researchers published a proof-of-concept showing attackers could add credentials and impersonate privileged identities.
cPanel has addressed CVE-2026-41940, a critical authentication bypass in cPanel and WHM that is being actively exploited in the wild as a zero-day, and allows full administrative control without credentials. Patches were issued on April 28, and Shadowserver observed 44,000 internet addresses scanning or attacking decoy systems.
Check Point IPS provides protection against this threat (cPanel Authentication Bypass (CVE-2026-41940))
Google has released patches for a critical code execution flaw in the Gemini CLI and its GitHub Action that allowed outsiders to run commands on build servers in CI/CD pipelines. The issue automatically trusted workspace files during automated jobs, allowing malicious pull requests to trigger code execution.
LiteLLM proxy versions 1.81.16 to 1.83.6 are affected by CVE-2026-42208, a critical SQL injection flaw used to manage large language model API keys. Attackers can read and potentially alter the proxy database, with exploitation attempts observed about 36 hours after disclosure.
Check Point IPS provides protection against this threat (LiteLLM SQL Injection (CVE-2026-42208))
THREAT INTELLIGENCE REPORTS
Check Point Research has revealed that the VECT 2.0 ransomware effectively acts as a data wiper across Windows, Linux, and ESXi. A critical encryption mistake discards required decryption information for files larger than 128 KB, making recovery impossible even after payment.
Check Point Threat Emulation and Harmony Endpoint provide protection against this threat
Researchers analyzed a Mirai-based botnet campaign targeting Brazilian internet providers, abusing TP-Link Archer AX21 routers via CVE-2023-1389 and open DNS servers for high-volume amplification attacks. Leaked files linked control activity to infrastructure and SSH keys associated with DDoS mitigation firm Huge Networks.
Researchers uncovered a large-scale phishing campaign, dubbed AccountDumpling, that abuses Google AppSheet email services to hijack Facebook accounts. The operation was linked to Vietnam based attackers and is using cloned support pages, reward lures, and live 2FA collection, compromising over 30,000 users and monetizing stolen access through Telegram.
Researchers documented a TeamPCP supply chain campaign that compromised four SAP npm packages used in cloud development workflows. The malicious installers harvested developer and cloud credentials across GitHub, npm, and major providers, enabling propagation and downstream compromises before the packages were removed.
Check Point Research discovers that the VECT 2.0 ransomware permanently destroys “large files” rather than encrypting them. A critical flaw in the encryption implementation, identical across all three platform variants (Windows, Linux, ESXi), discards three of four decryption nonces for every file above 131,072 bytes (128 KB). Full recovery is impossible for anyone, including the attacker. At a threshold of only 128 KB, this effectively makes VECT a wiper for virtually any file containing meaningful data, enterprise assets such as VM disks, databases, documents and backups included. CPR confirmed this flaw is present across all publicly available VECT versions.
The cipher is misidentified in public reporting. VECT uses raw ChaCha20-IETF (RFC 8439) with no authentication, not ChaCha20-Poly1305 AEAD as claimed in several widely cited threat intelligence reports (and VECT’s initial advertisement). There is no Poly1305 MAC and no integrity protection.
Advertised encryption speed modes are not implemented. The --fast, --medium, and --secure flags present across Linux and ESXi variants are parsed and then silently ignored. Every execution applies identical hardcoded thresholds regardless of operator selection.
Three platforms, one flawed engine: Windows, Linux, and ESXi variants share an identical encryption design built on libsodium, with the same file-size thresholds, the same four-chunk logic, and the same nonce-handling flaw throughout, confirming a single codebase ported across platforms.
Professional facade, amateur execution: beyond the nonce flaw, CPR identified multiple additional bugs and design failures across all variants, from self-cancelling string obfuscation and permanently unreachable anti-analysis code, to a thread scheduler that actively degrades the encryption performance it meant to improve.
Background
VECT Ransomware is a Ransomware-as-a-Service (RaaS) program that made its first appearance in December 2025 on a Russian-language cybercrime forum. After claiming their first two victims in January 2026, the group got back into the public eye due to an announcement of a partnership with TeamPCP, the actor behind several supply-chain attacks in March 2026. These attacks injected malware into popular software packages such as Trivy, Checkmarx’ KICS, LiteLLM and Telnyx, affecting a large base of downstream consumers. Shortly after these attacks made headlines, VECT made a post on BreachForums, announcing their partnership with TeamPCP, with the goal to exploit the companies affected by those supply chain attacks.
Figure 1: Announcement of partnership with BreachForums and TeamPCP.
In addition, VECT announced a partnership with BreachForums itself, promising that every registered forum user will become an affiliate and thus be able to use the VECT ransomware, negotiation platform and leak site for operations. Traditionally, most ransomware groups allow affiliates to join either based on reputation or through paying a fee. As of April 2026, this partnership is in full effect:
Figure 2: Partnership release page on BreachForums.
Figure 3: Distribution of access keys to all members of BreachForums via a forum private message.
While these actions show an ambitious project, the group’s current leak site only lists two victims, both originating from the TeamPCP supply chain attacks:
Figure 4: VECT darknet leak site.
The VECT Ransomware is written in C++ and, with version 2.0 released in February 2026, VECT supports Windows and Linux hosts as well as ESXi hypervisors. The group claims to have built all three lockers from scratch. Additionally, a forum post mentions that dedicated “Cloud Lockers”, likely targeting various cloud storage services, will be made available for affiliates that will prove their skills through a quiz or puzzle challenge in the near future.
Introduction: Ransomware Analysis Overview
Through an account on BreachForums, Check Point Research got access to the panel and ransomware builder. Here, an affiliate has the option to build three different payloads: Windows, Linux and ESXi (as well as a dedicated tool for data exfiltration, which is not yet available at the time of writing):
Figure 5: VECT builder panel.
Check Point Research analyzed all three payloads, uncovering various flaws and oversights – revealing that, behind the professional facade, VECT ransomware is not a technically sophisticated service.
Ransomware Cross-Platform Overview
As detailed in the following sections, VECT 2.0 targets Windows, Linux, and VMware ESXi through three distinct variants built on a shared codebase. While platform-specific disruption logic differs, the core encryption engine is identical across all three, a design decision that ensures the flaw described in the next section affects every supported platform equally.
All three variants are statically compiled C++ executables embedding the libsodium cryptographic library, accept operator-supplied command-line flags, support lateral movement, and produce an identical on-disk encrypted file format. The table below summarizes the key properties across all three variants.
Property
Windows
Linux
ESXi
Architecture
PE64 (x86-64)
ELF64 (x86-64)
ELF64 (x86-64)
Toolchain
MinGW-w64 / C++
GCC / C++
GCC / C++
Crypto library
libsodium (static)
libsodium (static)
libsodium (static)
Cipher
ChaCha20-IETF (RFC 8439)
ChaCha20-IETF (RFC 8439)
ChaCha20-IETF (RFC 8439)
Key size
32 bytes
32 bytes
32 bytes
Nonce size
12 bytes
12 bytes
12 bytes
Small file threshold
131,072 bytes
131,072 bytes
131,072 bytes
Large file chunks
4
4
4
Chunk offset formula
file_size / 4 × index
file_size / 4 × index
file_size / 4 × index
Max chunk size
32,768 bytes
32,768 bytes
32,768 bytes
Nonces written to disk
1 (last chunk only)
1 (last chunk only)
1 (last chunk only)
Encrypted extension
.vect
.vect
.vect
Ransom note filename
!!!READ_ME!!!.txt
!!!READ_ME!!!.txt
!!!READ_ME!!!.txt
Default target path
All drives
/
/vmfs/volumes
Lateral movement
WMI / DCOM / SMB / SC / Schtasks / PSRemoting
SSH / SCP
SSH / SCP
Geofencing / CIS bypass
No
Yes (locale + timezone)
Yes (locale + timezone)
Anti-debug
Process scan + kernel object query
TracerPid check
TracerPid check
Encryption mode flags
N/A
Parsed, not implemented
Parsed, not implemented
Nonce Flaw – “Large File” Destruction
Correct Cryptographic Identification
Before describing the flaw, a correction to existing public reporting is warranted. Several published analyses describe VECT’s encryption as ChaCha20-Poly1305 AEAD. This is incorrect as we confirmed that all three versions (Windows, Linux, ESXi) use the raw, unauthenticated ChaCha20 stream cipher in its IETF variant (RFC 8439) via libsodium’s crypto_stream_chacha20_ietf_xor. The _ietf designation refers specifically to the standardized 96-bit (12-byte) nonce and 32-bit counter parameterization distinct from Bernstein’s original 64-bit nonce form.
The ChaCha20-Poly1305 AEAD construction appends a 16-byte Poly1305 authentication tag to each ciphertext. No such tag exists in any VECT-encrypted file. The on-disk format contains only raw ciphertext followed by a 12-byte nonce – no MAC, no integrity protection, no authenticated encryption of any kind.
Figure 6: VECT’s per-chunk encryption helper – 12-byte nonce is generated by randombytes() and passed directly into crypto_stream_chacha20_ietf_xor.
This misattribution likely stems from researchers trusting the threat actors’ own initial forum advertisement where VECT themselves incorrectly named the encryption scheme they use.
Figure 7: VECT initial forum advertisement – incorrect naming of the encryption scheme.
Overview
All three VECT 2.0 variants share a critical implementation flaw that causes any file larger than 131,072 bytes (128 KB, smaller even than a simple document) to be permanently and irrecoverably destroyed rather than encrypted for later decryption. The malware encrypts four independent chunks of each ”large file” using four freshly generated random 12-byte nonces, but appends only the final nonce to the specific encrypted file on disk. The first three nonces, each required to decrypt its respective chunk, are generated, used, and silently discarded. They are never stored on disk, in the registry, or transmitted to the operator.
Because ChaCha20-IETF requires both the 32-byte key and the exact matching 12-byte nonce to reverse each chunk, the first three quarters of every large file are unrecoverable by anyone including the ransomware operator who cannot provide a working decryption tool even after ransom payment. Since the vast majority of operationally critical files exceed this “large-size” threshold, VECT 2.0 functions in practice as a data wiper with a ransomware facade.
Small File Processing
For files not exceeding131,072 bytes (128 KB), the entire content is encrypted in a single pass. One 12-byte nonce is generated, used to encrypt the full file in-place, and appended to the end of the file. The resulting on-disk layout is:
For this size class, the format is internally consistent and the appended nonce is sufficient to reverse the single encryption pass. These files are fully decryptable.
Figure 8: Small file processing (single ChaCha20-IETF pass, 12-byte nonce appended at EOF).
Large File Processing – The Flaw
For files exceeding 131,072 bytes (128 KB), VECT divides the file into four chunks at quarter-file offsets derived from the file size:
Quarter size: file size divided by 4
Chunk start offsets:0, ¼, ½, ¾ of the file
Chunk size per offset: up to 32,768 bytes (32 KB), or the remaining file length if shorter
The encryption loop processes each chunk in sequence. The per-chunk encryption helper is called once per iteration and on every call it generates a fresh cryptographically random 12-byte nonce via libsodium’s randombytes(), writing it into a single shared output buffer passed by the caller.
Figure 9: The per-chunk encryption helper.
Because all four calls receive the same buffer address, each new nonce overwrites the previous one. After the loop completes, only the nonce from the fourth/final chunk remains in the buffer and this is the only nonce appended to the file.
Figure 10: Large file processing (4 chunks encrypted with 4 unique nonces; a single nonce appended at EOF).
The three discarded nonces are outputs of randombytes() (which on Windows internally resolves to SystemFunction036 / RtlGenRandom in advapi32.dll, forwarding to ProcessPrng in bcryptprimitives.dll; on Linux and ESXi it reads from the kernel CSPRNG via getrandom() or /dev/urandom through libsodium’s safe_read()), cryptographically unpredictable values that are never stored anywhere after the buffer is overwritten. There is no sidecar file, no registry entry, and no network exfiltration of nonce material in any of the three variants.
Cross-Platform Confirmation
The flaw is structurally identical across all three platform variants. In each case, the per-chunk encryption helper generates a fresh random nonce on every call and writes it into the same caller-supplied 12-byte buffer; all four iterations of the loop share this buffer; and a single 12-byte write to the end of the file follows the loop.
The ESXi variant also performs a zero-block check before each encryption call, where chunks consisting entirely of zero bytes are skipped (an optimization for sparse VMDK files). This does not affect the nonce flaw; the shared buffer is still overwritten on each non-skipped call and only the final surviving nonce reaches disk.
The flaw predates VECT 2.0. CPR’s analysis of an older ESXi variant identified in the wild prior to the 2.0 release confirms the identical four-chunk loop, quarter-offset calculation, shared nonce buffer, and single EOF nonce write – unchanged from the operator’s first publicly observed deployment through every known release.
Impact
File region
Nonce on disk
Recoverable
Small file ≤ 128 KB – full content
Yes – appended at EOF
Fully
Large file – chunk at offset 0 (up to 32 KB)
No
Permanently lost
Large file – chunk at offset ¼ (up to 32 KB)
No
Permanently lost
Large file – chunk at offset ½ (up to 32 KB)
No
Permanently lost
Large file – chunk at offset ¾ (up to 32 KB)
Yes – appended at EOF
Last chunk only
Large file – all bytes outside the four chunks
N/A – not encrypted
Plaintext, unchanged
Files commonly exceeding 128 KB span virtually everything from typical office documents, spreadsheets, and images to virtual machine disk images, database files, archives, and backups – precisely those most critical to business continuity and most targeted by ransomware operators. For this dominant file class, VECT 2.0 cannot function as recoverable ransomware; it is operationally a data wiper. Victims who pay the ransom cannot receive a functional decryptor for their most critical files – not because the operator is uncooperative, but because the nonces required for decryption no longer exist.
Windows Locker
The Windows variant targets local, removable, and network-accessible storage, renames encrypted files with the .vect extension, drops a ransom note and a branded desktop wallpaper, and executes defense-evasion, persistence, and lateral-movement routines. Of particular note is a comprehensive anti-analysis suite targeting 44 specific security and debugging tools, alongside a safe-mode persistence mechanism and multiple remote-execution methods for lateral spread.
Command-Line Interface and Default Behavior
The locker exposes the following operator options:
-h, --help Help
-v, --verbose Verbose output
-p, --path <dir> Target specific path
-c, --creds <b64> Override credentials
--gpo Enable GPO spread (default: on)
--no-gpo Disable GPO spread
--mount Enable network mount (default: on)
--no-mount Disable network mount
--stealth Enable self-delete (default: on)
--no-stealth Disable self-delete
--force-safemode Force safemode boot
Figure 11: VECT 2.0 Windows version – command-line arguments processing.
GPO spread, network mounting, and self-deletion are all on by default. An operator deploying without flags, for example via Group Policy or a remote execution primitive, activates the full impact chain automatically, including spread, hidden volume access, and post-execution cleanup.
File Encryption and Renaming
Each target file is renamed to append .vect before encryption. The file is then opened in-place and encrypted using the ChaCha20-IETF scheme described in the preceding section. The nonce flaw applies identically: files larger than 131,072 bytes (128 KB) lose the first three chunk nonces permanently, thus resulting in large file destruction rather than encryption.
The encryption engine spawns worker threads in a fixed 1:7 scanner-to-encryptor ratio derived from a CPU-count-tiered multiplier: ×8 for machines with up to 4 CPUs, ×6 for 5-8 CPUs, and ×4 beyond that, hard-capped at 256 total. On a typical 8-CPU target, this produces 6 scanner and 42 encryptor threads simultaneously competing for the same disk I/O channels – overkill by any measure, and a thread count that would make any seasoned ransomware developer laugh. Families like LockBit cap their pools at 1-2× CPU count for good reason; spawning six times as many threads as there are CPUs does not encrypt files faster; it simply means the operating system spends more time switching between threads than doing useful work. This is a textbook mistake made by developers who read about parallelism but skipped the part about profiling. The fact that it is shipped in a supposedly operational ransomware tool speaks volumes about the maturity of whoever is behind this project.
Figure 12: VECT 2.0 Windows version – 48 threads for 8-CPU target.
Ransom Note and Wallpaper
After encrypting each drive target, the locker drops !!!READ_ME!!!.txt, assembled from multiple decoded string fragments (see the ransom note in the Appendix). Then, it generates a replacement desktop wallpaper (dvm3_wall.bmp) that carries the VECT 2.0 brand banner, as shown in the image below.
Figure 13: The desktop wallpaper used by the VECT 2.0 Windows locker version.
Target Selection and Exclusions
Drive enumeration covers logical drives and network-mapped resources. The file selection logic skips the following to leave the operating system functional enough for the victim to access the payment portal:
Excluded directories:Windows, Windows.old, Boot, $Recycle.Bin, System Volume Information, Program Files, Program Files (x86), ProgramData
These represent the builder defaults; affiliates may configure additional exclusions at sample generation time.
Process and Service Disruption
When running with elevated privileges, the locker stops services via the Windows Service Control Manager and terminates the following processes to release file handles before encryption begins: sql.exe, oracle.exe, mysqld.exe, excel.exe, winword.exe, outlook.exe, firefox.exe, thunderbird.exe.
Unlike typical RaaS offerings where affiliates can customize kill lists, this list is hardcoded by the builder and cannot be modified at sample generation time.
Persistence and Safe-Mode Preparation
When --force-safemode is active, the locker executes bcdedit /set {default} safeboot minimal to configure the next boot into minimal safe mode, then writes its own executable path into the Windows registry under the safe-boot service load path with value "Service". This ensures the locker runs on the subsequent safe-mode boot, where the majority of security products are disabled. After completing execution, the boot configuration entry is removed to avoid persistent boot loops. Task Manager is also disabled via the registry for the duration of execution.
Lateral Movement
The locker contains multiple encoded remote-execution script templates enabling propagation to additional Windows hosts using operator-supplied credentials (--creds). Methods include: admin share file copy, Windows Credential Manager storage via cmdkey, WMI execution, DCOM/MMC application instantiation, remote scheduled task creation, remote service installation via sc.exe, and PowerShell remoting. Host discovery combines Windows domain enumeration with a local subnet sweep using network adapter information.
Anti-Analysis
The Windows variant implements three layered analyst-environment detection mechanisms. All three detection mechanisms are present in compiled form but are never invoked. The cross-reference analysis confirms zero call sites reach any of the three functionalities in this build. This is consistent with a conditional compilation flag that was left disabled at build time, and represents a meaningful gap: an analyst running this sample under any of the targeted tools will not trigger any evasive response.
No code obfuscation is applied, although the most operator-facing strings are concealed using a rotating 64-bit XOR scheme: each byte is XORed against the corresponding byte of a fixed 64-bit key, cycling through all eight key bytes.
Figure 14: An example XOR-based string decryption (Windows locker).
Running-process scan A full process snapshot is taken and each process name is compared against a hardcoded list of 44 analysis tools (originally 47, but we removed the duplicates), covering debuggers, import reconstructors, PE utilities, process monitors, network sniffers, and sandbox controllers (the full list of detected tools can be found in the Appendix section).
Figure 15: Detection of 44 analysis tools.
Parent process check The parent process image path is retrieved and matched against a list of debugging environments: devenv, windbg, x64dbg, x32dbg, ollydbg, ida. A process launched from any of these is treated as running under analysis.
Kernel debug-object query The Windows native API NtQueryInformationProcess is resolved dynamically from ntdll.dll at runtime avoiding static import detection and queried for the ProcessDebugObjectHandle information class. A non-null return indicates an attached debugger.
Defense Evasion and Cleanup
Action
Method
Disable Windows Defender
Set-MpPreference via PowerShell disables realtime, behavior, IOAV, and script scanning
Delete shadow copies
vssadmin delete shadows /all /quiet
Clear event logs
wevtutil cl Application, Security, System, Windows PowerShell
Delete PowerShell history
PSReadLine\\ConsoleHost_history.txt
Delete recent file entries
%APPDATA%\\Microsoft\\Windows\\Recent\\*
Self-delete
Delayed cmd /c with ping stall followed by forced deletion
ESXi Locker – The Hypervisor Ransomware
The ESXi variant of the VECT ransomware targets VMware ESXi hypervisors and employs geofencing and anti-debugging before disrupting various system services, wiping logs, and encrypting victim files, defaulting to the VMware File System mount point at /vmfs/volumes. The malware also supports SSH-based lateral movement, where the ransomware tries to use available credentials to connect to known SSH hosts.
Anti-Analysis and Geofencing
Before executing any malicious code, the ransomware employs two simple anti-analysis checks: First, it checks if it is running in a CIS state, and if so, exits without encryption. The malware runs timedatectl and compares the time zones against a blacklist and checks the LANG and LC_ALL environment variables, validating that the country code does not match one of the excluded countries.
Figure 16: Country code blacklist.
Before 2022 CIS checks were very common in RaaS malware. During the start of the Russo-Ukrainian war, most RaaS programs removed Ukraine from the CIS countries list. During recent years these checks have been largely removed from ransomware. VECT including such checks and even adding Ukraine to the list of exclusions is rather uncommon. Check Point Research has two theories regarding this observation: either this code was AI generated, where LLMs were trained with Ukraine being part of CIS or VECT used an old code base for their ransomware.
Additionally to these checks, the malware probes for the presence of a debugger by checking the value of TracerPid in /proc/self/status, exiting if any tracing process is found.
To obfuscate from basic static analysis, the authors decided to implement strings as stack strings. Some strings, most notably the different command line options, are additionally XORed with a single byte key:
Figure 17: XOR encrypted command line switches (ESXi variant).
Command-Line Interface and SSH lateral movement
The following command line options are available:
--path <dir> Target directory (default: /vmfs/volumes)
--spread Enable SSH lateral movement
--fast Fast mode: encrypt only 1MB
--medium Medium mode: encrypt 4 parts (64MB each)
--secure Secure mode: encrypt 100% (default)
--no-kill-vms Don't kill running VMs (encrypt only)
--verbose Enable verbose output
--help Show this help message
Operators can seemingly decide between three different encryption methods, --fast, --medium, and --secure, to find a tradeoff between speed and thoroughness of the encryption – however, the ransomware does not actually implement these different modes – the code parses them into variables, but they are never read back. Every execution, regardless of operator-selected flag, applies the same hardcoded thresholds: 131,072-byte large-file boundary and 32,768-byte maximum chunk size. The same goes for the Linux variant we describe further below.
If the --spread option is supplied, the malware tries to spread laterally like an SSH based worm:
All readable keys from the home and /root directories are extracted
/etc/ssh/ssh_config and ~/.ssh/config are read and parsed for any hostnames and corresponding usernames
All known_hosts files are zeroed out to avoid any host-key warnings
For each host, the locker tries to connect with each of the collected usernames as well as a hardcoded list of common usernames
If a connection succeeds, the malware copies itself over via scp and executes itself via ssh
Service Disruption, Log Wiping and Encryption
Before running any encryption, the malware makes sure to shut down any services that could hold any file locks or could otherwise interfere with the process. It starts by disabling the ESXi firewall via the esxcli utility, as well as specific firewall rulesets and shutting down various ESXi health monitoring processes:
Figure 18: The esxcli commands to disable the firewall and rulesets.
Afterwards, it proceeds with shutting down other services and processes, like databases, backup tools, Hypervisor related services and security products. Shutdown is either attempted gracefully, via systemctl stop and service stop, or aggressively via pkill -9 and systemctl disable --now . A full list of targeted services can be found in the Appendix.
To remove any locks from virtual machine disk files, the VECT locker invokes various legitimate administration utilities to shut down any running virtual machines. However, contrary to its name, the locker not only targets ESXi but also other common Hypervisors:
Tool
Hypervisor targeted
vmware-cmd / vmrun
VMware products
VBoxManage
Oracle VirtualBox
virsh
libvirt / KVM / QEMU
esxcli
VMware ESXi
xm / xl
Xen Hypervisor
Next, various shell history files and logs in /var/log are removed or zeroed-out. This includes logs from hypervisors, container services, databases, web servers, audit logs or other system logs and journals (see the Appendix for a complete list).
After this prelude, the actual encryption process is kicked off: If no path is supplied, the default path of /vmfs/volumes is used, which is the default VMware File System (VMFS) mount point for all datastores. In a multi-threaded process, each datastore is searched for files to encrypt. The ransomware maintains a sensible blacklist, which excludes several directories hosting mainly executables, system files or config files:
Again, the thread count is chosen rather excessively, by multiplying the amount of CPU cores by 4, clamping the value between a minimum of 32 and a maximum of 256.
By sharing a codebase with the other versions, see encryption process is the same and contains the same flaw in its implementation: it only includes the latest nonce when chunk-processing a big file:
Figure 19: Encryption flaw (ESXi version).
Finally, if the malware was configured to do so, the ransom note is dropped to /home, /root and /tmp, as well as in various system paths:
Path
Purpose
/etc/motd
Login banner (message of the day)
/etc/issue
Pre-login system banner
/etc/issue.net
Network login banner
/etc/profile.d/vector_notice.sh
Shell script displaying the note, ran on shell login
Linux Locker
The Linux version is built on the same codebase as the ESXi and implements a subset of its functionality. This becomes apparent when comparing the execution flow of the main functions side-by-side:
Figure 20: Execution flow ESXi locker (left) vs. Linux locker (right).
Just like the ESXi version, the malware first kills any services and processes that could interfere with the encryption, shuts down any VMs (interestingly also including ESXi VMs) and wipes system logs and shell history files. Then, encryption is started, with the system root / as the default path and ransom notes are written to disk. The Linux locker, just like its ESXi counterpart, supports the --spread SSH lateral movement functionality. Due to the shared codebase, the locker also fails to save the first three nonces when encrypting large files, making fill recovery of big files impossible.
The Linux version also has another oversight in the implementation of the encryption. Just like in the ESXi locker, the command line flags are supposed to be encrypted, but the authors accidentally designed a double XOR encryption scheme, which cancels out the encryption and leads to plain text strings being present in the binary:
Figure 21: Double XOR “encryption”.
On a side note, even the ASCII art is broken because the developers forgot to escape the backslash characters:
Figure 22: Broken ASCII art.
Conclusion
VECT 2.0 presents an ambitious threat profile with multi-platform coverage, an active affiliate program, supply-chain distribution via the TeamPCP partnership, and a polished operator panel. In practice, the technical implementation falls significantly short of its presentation.
Check Point Research’s analysis reveals that the ransomware’s encryption flaw is not a minor edge case but a fundamental design error affecting virtually every file of consequence. At a threshold of only 128 KB, smaller than a typical email attachment or office document, what the code classifies as a large file encompasses not just VM disks, databases, and backups, but routine documents, spreadsheets, and mailboxes. In practice, almost nothing a victim would care to recover falls below this boundary.
The nonce-handling bug is identical across all three platform variants and as confirmed through analysis of an earlier variant identified in the wild prior to the VECT 2.0 release, has been present since the operator’s first publicly observed deployment. It has never been corrected. Victims who pay the ransom cannot receive a working decryptor for their largest files, not through operator deception, but because the information required for decryption was irrecoverably destroyed at the moment of encryption. An overly aggressive thread scheduler that actively harms encryption throughput, and three fully compiled but permanently unreachable anti-analysis routines, further reinforce this assessment: the authors know what features a professional ransomware tool should have, but demonstrably struggled to implement them correctly or at all.
Beyond the nonce flaw, CPR identified a pattern of incomplete implementation: advertised encryption modes that are parsed but never applied, string obfuscation routines that accidentally cancel themselves out, and a cipher incorrectly described in public reporting. Together these findings paint a picture of a group with operational ambition, reflected in the BreachForums open-affiliate model and the TeamPCP supply-chain campaign, but with cryptographic and software engineering maturity that does not match the scale of the operation they are attempting to run.
The announcement of forthcoming “Cloud Lockers” and the low technical barrier introduced by the open-affiliate model both warrant continued monitoring. As CPR has demonstrated, the current implementation has severe limitations but those can be corrected in a future version, and the distribution infrastructure to deploy such a version at scale already exists.
Protections
Check Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics, file types, and operating systems and protect against the attacks and threats described in this report.
!!! README !!!
===============
::: ::: :::::::::: :::::::: :::::::::::
:+: :+: :+: :+: :+: :+:
+:+ +:+ +:+ +:+ +:+
+#+ +:+ +#++:++# +#+ +#+
+#+ +#+ +#+ +#+ +#+
#+#+#+# #+# #+# #+# #+#
### ########## ######## ###
===============
Dear Management, all of your files have been encrypted with ChaCha20 which is an unbreakable encryption algorithm.
Sadly, this is not the only bad news for you. We have also exfiltrated your sensitive data, consisting mostly of databases, backups and other personal information
from your company and will be published on our website if you do not cooperate with us.
The only way to recover your files is to get the decryption tool from us.
To obtain the decryption tool, you need to:
1. Open Tor Browser and visit: <http://vectordntlcrlmfkcm4alni734tbcrnd5lk44v6sp4lqal6noqrgnbyd.onion/chat/REDACTED>
2. Follow the instructions on the chat page
3. Receive a sample decryption of up to 4 small files
4. We will provide payment instructions
5. After payment, you will receive decryption tool
WARNING:
- Do not modify encrypted files
- Do not use third party software to restore files
- Do not reinstall system
If you violate these rules, your files will be permanently damaged.
Files encrypted: [N]
Total size: [size] bytes
Unique ID: REDACTED
Backup contact (Qtox): 1A51DCBB33FBF603B385D223F599C6D64545E631F7C870FFEA320D84CE5DAF076C1F94100B5B
For the latest discoveries in cyber research for the week of 27th April, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Vercel, a frontend cloud platform, has disclosed a security incident linked to a compromise at Context.ai, where stolen OAuth tokens enabled unauthorized access through a connected app. The company reported access to employee information, internal logs, and a subset of environment variables, while stating that the most sensitive secrets were not included.
France Titres, France’s authority for identity and registration documents, has detected a data breach on April 15. The incident may have exposed names, birth dates, email addresses, login IDs, and some physical addresses and phone numbers. A hacker has offered purported agency data for sale on the dark web.
UK Biobank, a UK research organization, has confirmed a breach after de-identified health data on 500,000 volunteers was advertised for sale on Chinese marketplaces. Officials said listings were removed and believed unsold, while access was suspended, the research platform was shut down, and download limits were imposed.
Bitwarden, a popular password manager, has suffered a supply-chain attack after a malware-tainted CLI release was published to npm on April 22. Bitwarden said 334 developers installed version 2026.4.0 during a brief window, potentially exposing credentials after a hijacked GitHub account was abused, while vault data remained unaffected.
AI THREATS
Researchers have flagged unauthorized access to Anthropic’s Claude Mythos Preview, an unreleased AI cyber model, through a third-party vendor environment. A small Discord group reportedly used shared contractor accounts, API keys, and predictable URLs to reach the system. Anthropic said it is investigating and has not seen impact to core systems.
Researchers observed Bissa Scanner, an AI-assisted exploitation platform using Claude Code and OpenClaw to support mass scanning, exploitation, and credential harvesting. The focus of the operation was exploitation of React2Shell (CVE-2025-55182), while it scanned millions of targets, confirmed over 900 compromises, and collected tens of thousands of exposed environment files.
Researchers highlighted a prompt-injection exploit chain in Google’s Antigravity agentic IDE that enabled sandbox escape and remote code execution. The flaw abused a file search tool that ran before security checks, letting attackers convert a benign prompt into system compromise, even in Secure Mode. The vulnerability was patched by Google.
VULNERABILITIES AND PATCHES
Microsoft issued out-of-band fixes for CVE-2026-40372, a critical ASP.NET Core privilege escalation flaw rated 9.1. A bug in Data Protection versions 10.0.0 to 10.0.6 could let attackers forge cookies and antiforgery tokens, impersonate users, and gain SYSTEM-level access on Linux or macOS deployments.
Apple released fixes for CVE-2026-28950 in iOS and iPadOS, a Notification Services bug that retained deleted alerts and allowed recovery of sensitive message previews. The flaw affected many iPhone and iPad models, enabled forensic access with device possession and allegedly allowed law enforcement agencies access to incoming messages from encrypted messaging apps.
LMDeploy is affected by CVE-2026-33626, a high-severity server-side request forgery flaw in the open-source toolkit for deploying large language models. Active exploitation began within 13 hours of disclosure, with attackers abusing the image loader to reach cloud metadata, probe internal services, and support lateral movement.
End of life D-Link DIR-823X routers are affected by CVE-2025-29635, a remote code execution flaw exploited to deploy a Mirai-based botnet. Akamai reported that attackers are sending requests which fetch and run scripts to conscript devices for denial of service attacks, with no patches expected for the affected models.
Check Point IPS provides protection against this threat (D-Link DIR-823X Command Injection (CVE-2025-29635))
THREAT INTELLIGENCE REPORTS
Check Point Research has analyzed The Gentlemen ransomware-as-a-service operation, a group that emerged in 2025 and offers encryptors for Windows, Linux, NAS, BSD, and ESXi systems. The report details its underground recruitment, leak site model, Tox-based negotiations, and SystemBC proxy infrastructure used for persistence and access.
Researchers mapped a Mustang Panda espionage campaign targeting India’s banking sector and South Korean policy circles, deploying the updated LOTUSLITE backdoor. The group used HDFC-themed help files and fake banking pop-ups, and leveraged DLL sideloading to install the malware.
Researchers uncovered a supply-chain attack that inserted credential-stealing malware into Checkmarx developer tools on Docker Hub and Visual Studio Code, including KICS images downloaded over five million times. The malware collects cloud and developer credentials and spreads through stolen GitHub tokens and workflows, with TeamPCP suspected.
Researchers tracked a coordinated malvertising campaign abusing Google Ads to impersonate major cryptocurrency platforms like Uniswap, Morpho, and Ledger. The operation uses Google-hosted redirect pages, cloaking, and cloned sites to deploy wallet drainers, seed phrase theft pages, and fake extensions, resulting in at least $1.27 million stolen.