{"id":4429,"date":"2026-02-08T11:38:59","date_gmt":"2026-02-08T11:38:59","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2026\/02\/08\/researchers-warn-of-new-vect-raas-variant\/"},"modified":"2026-02-08T11:38:59","modified_gmt":"2026-02-08T11:38:59","slug":"researchers-warn-of-new-vect-raas-variant","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2026\/02\/08\/researchers-warn-of-new-vect-raas-variant\/","title":{"rendered":"Researchers Warn of New \u201cVect\u201d RaaS Variant"},"content":{"rendered":"
\n

\"Photo<\/p>\n<\/div>\n

\n

Security researchers have discovered a new ransomware-as-a-service (RaaS) group which has already victimized organizations in Brazil and South Africa.<\/p>\n

Dubbed \u201cVect,\u201d the group is currently onboarding affiliates after launching a recruitment program in December 2025, according to ransomware specialist Halcyon.<\/p>\n

The group has claimed that its malware was built using C++ rather than repurposing leaked source code from the likes of Lockbit 3.0 or Conti, as is more common.<\/p>\n

It uses the ChaCha20-Poly1305 AEAD encryption algorithm, which is said to be two-and-a-half-times faster than AES-256-GCM on systems without hardware acceleration. It is deployed using intermittent encryption techniques, whereby only blocks of data are scrambled for speed.<\/p>\n

\u201cDespite its short lifespan, the group shows unusual maturity, advertising cross-platform ransomware targeting Windows, Linux and VMware ESXi, Safe Mode execution to suppress security tools, and fast intermittent encryption designed for speed and disruption,\u201d Halcyon claimed.<\/p>\n

\u201cVect appears to be in an early validation phase, with two claimed victims in Brazil and South Africa, and is likely testing capabilities ahead of broader expansion.\u201d<\/p>\n

Read more on RaaS: New Chaos Ransomware Emerges, Launches Wave of Attacks.<\/em><\/p>\n

The affiliate revenue-sharing model is apparently a \u201cgenerous\u201d one, with a $250 entry fee waived for applicants inside the Commonwealth of Independent States (CIS) \u2013 hinting at the group\u2019s location.<\/p>\n

The maturity of the operation signals that it\u2019s being run by some experienced RaaS players, claimed a separate analysis by Red Piranha.<\/p>\n

\u201cThe group’s operational security is notable, utilising Monero for payments to maintain financial anonymity, TOX protocol for encrypted peer-to-peer affiliate communications, and exclusively TOR hidden services for infrastructure with no clearnet presence,\u201d Red Piranha explained in a research note.<\/p>\n

\u201cThis combination of custom-built malware, modern encryption, multi-platform capabilities, and strong OPSEC measures suggests Vect is operated by experienced threat actors who may represent a rebrand or new venture by established ransomware affiliates.\u201d<\/p>\n

The vendor added that initial access is likely achieved via exposed RDP\/VPN, stolen credentials, phishing or vulnerability exploitation.<\/p>\n

Vect operates a classic double extortion model, with both of its victims to date apparently being listed on its public-facing leak site.<\/p>\n

Mitigations to Consider<\/h2>\n

Halcyon recommended network defenders observe the following to reduce the risk posed by Vect:<\/p>\n