{ "Event": { "analysis": "1", "date": "2026-04-30", "extends_uuid": "", "info": "[Threat Intel] Inside Vect Ransomware-as-a-Service", "protected": false, "publish_timestamp": "1779546283", "published": true, "threat_level_id": "2", "timestamp": "1779546283", "uuid": "740fc6ff-2085-4925-baee-289f81603969", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#705cef", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"", "relationship_type": "" }, { "colour": "#b2a633", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Service Stop - T1489\"", "relationship_type": "" }, { "colour": "#7d7034", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"", "relationship_type": "" }, { "colour": "#f5a258", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"", "relationship_type": "" }, { "colour": "#041edc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"SMB/Windows Admin Shares - T1021.002\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Archive Collected Data - T1560\"", "relationship_type": "" }, { "colour": "#5affe5", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Windows Remote Management - T1021.006\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Permissions Modification - T1222\"", "relationship_type": "" }, { "colour": "#0c0051", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"", "relationship_type": "" }, { "colour": "#755c09", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"", "relationship_type": "" }, { "colour": "#59699c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#36d931", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"", "relationship_type": "" }, { "colour": "#b596f0", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Lateral Tool Transfer - T1570\"", "relationship_type": "" }, { "colour": "#16ca73", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Location Discovery - T1614\"", "relationship_type": "" }, { "colour": "#370063", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"", "relationship_type": "" }, { "colour": "#9fcb73", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Firmware Corruption - T1495\"", "relationship_type": "" }, { "colour": "#297c25", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Shutdown/Reboot - T1529\"", "relationship_type": "" }, { "colour": "#b8ab01", "local": false, "name": "misp-galaxy:target-information=\"United States\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:ransomware=\"vect\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#10003d", "local": false, "name": "rectifyq:sub-category=\"TA-profile\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"Ransomware\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777950025", "to_ids": false, "type": "link", "uuid": "4802183e-4170-4d07-aa51-4f14ae03770f", "value": "https://www.levelblue.com/blogs/spiderlabs-blog/inside-vect-ransomware-as-a-service", "Tag": [ { "colour": "#6b003a", "local": true, "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1777950025", "to_ids": false, "type": "text", "uuid": "a556637c-1237-4aaa-8e17-19d291f22539", "value": "Vect ransomware emerged in January 2026 as a new threat actor operating a Ransomware-as-a-Service program with strategic partnerships that significantly expand its reach. The group has partnered with TeamPCP, known for supply chain attacks compromising security tools like Trivy, KICS, and LiteLLM, and BreachForums, distributing affiliate keys to forum members. With 25 published victims primarily targeting the United States and Technology sector, Vect maintains an open affiliate program requiring only a $250 invite code. The operation offers multi-platform ransomware payloads for Windows, Linux, and ESXi with sophisticated lateral movement capabilities and tiered commission structures reaching 89% for top affiliates. Analysis reveals connections to the defunct Devman ransomware through shared code strings and ransom note similarities, suggesting possible rebranding or code reuse." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1777950025", "to_ids": false, "type": "text", "uuid": "a61500b0-fe9e-468d-94bf-20c45ab3b8fc", "value": "Name: Inside Vect Ransomware-as-a-Service\nAuthor: AlienVault\nAdversary: Vect\nTags: [\"breachforums\", \"supply chain attacks\", \"ransomware-as-a-service\", \"vect\", \"teampcp\"]\nTgtd countries: [\"United States of America\"]\nMlwr families: [\"Vect\", \"Devman\"]\nAttack_ids: [\"T1053.005\", \"T1489\", \"T1082\", \"T1106\", \"T1021.002\", \"T1560\", \"T1021.006\", \"T1222\", \"T1083\", \"T1059.001\", \"T1078\", \"T1027\", \"T1486\", \"T1570\", \"T1614\", \"T1021.001\", \"T1495\", \"T1490\", \"T1529\"]\nIndustries: [\"Technology\", \"Healthcare\"]" }, { "category": "Attribution", "comment": "Adversary", "deleted": false, "disable_correlation": false, "timestamp": "1778204290", "to_ids": false, "type": "threat-actor", "uuid": "87c2504d-f3d4-4df9-bcc0-0f23cd0f6424", "value": "Vect", "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:ransomware=\"vect\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:08/05/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779546278", "to_ids": true, "type": "sha1", "uuid": "ffe07bff-014a-4887-8008-592072d54820", "value": "9e18315690f148e1aa39facc39de913266bdcc13", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:08/05/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779546279", "to_ids": true, "type": "sha1", "uuid": "dca82566-4c5b-4bf3-8b8f-38afc1a4d34f", "value": "f5287a33a806b8de0d62ac24edead4dcb9f60c2a", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:08/05/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779546281", "to_ids": true, "type": "sha1", "uuid": "53fab870-93de-43b0-91ed-3dfa762329ef", "value": "69aa94434f545b41198b7d21f9acc71457584e62", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:08/05/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779546283", "to_ids": true, "type": "sha1", "uuid": "cc39b773-c1a1-4a3a-99cd-3fe69889d311", "value": "488ed9ff65652a738042d93678591a579714a791", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779546273", "uuid": "2d253cd8-391c-4367-9c87-0ca1b2d78455", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779546272", "to_ids": true, "type": "md5", "uuid": "b663ae5e-4cf7-4136-9132-9d9601973cd6", "value": "207b1a60f803d348c795d382f5aed9c3", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779546273", "to_ids": true, "type": "sha1", "uuid": "6a498e72-e303-4b1e-bfae-b29716048e66", "value": "f4b904fb6ba8474cb87f26302b74c4b82c106003", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779546273", "to_ids": true, "type": "sha256", "uuid": "95f2b774-8279-41bd-8448-5028b863d4ba", "value": "8ee4ec425bc0d8db050d13bbff98f483fff020050d49f40c5055ca2b9f6b1c4d", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1778206496", "to_ids": true, "type": "ssdeep", "uuid": "b996fd51-1016-4ec9-b55b-0d183d4e585c", "value": "24576:1MSdEmDpXzQqjBJv1ZULIOnwAzWLsuyg13TCGjhHRCRfJ+lCy:1MSdXDpXzNjBJvgLIOnwAzUFRhHRWf2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1778206496", "to_ids": false, "type": "size-in-bytes", "uuid": "a9bc50d4-af3b-4f1f-8c1f-42c689d6b979", "value": "1453056" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1778206496", "to_ids": true, "type": "vhash", "uuid": "36034112-eb8a-4f1b-abdf-7667e26bbe3a", "value": "0160a76d1565555c0d1d10c5zc00715d037z19z55z37z" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1778206496", "to_ids": true, "type": "filename", "uuid": "23ce962e-acc8-43ef-af39-36fa9c2a858c", "value": "8ee4ec425bc0d8db050d13bbff98f483fff020050d49f40c5055ca2b9f6b1c4d.exe" }, { "category": "Other", "comment": "Checked: 08/05/2026\nLast-scan\t: 07/05/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1778206496", "to_ids": false, "type": "text", "uuid": "ab7cef78-35bd-4e79-a741-79e1867cf3a7", "value": "Type Description: Win32 EXE\nMicrosoft: Ransom:Win32/Avaddon.P!MSR\nVT Total Detection:53/71\nFirst Submission:2026-02-13T14:48:50.000000+00:00\nLast Submission:2026-05-05T21:40:14.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779546276", "uuid": "d3471256-784d-4c8e-a039-84c1fba8c868", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779546275", "to_ids": true, "type": "md5", "uuid": "6b871ce4-54e3-4752-8ca9-9e9dea92a4cc", "value": "aa72609186042f1d7d01ce070306a9f2", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779546275", "to_ids": true, "type": "sha1", "uuid": "6b943de6-20c5-464a-b627-c02e3588fea5", "value": "e27f4feffc1ba6bf4e35aec4a5270fccb636e5cf", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779546276", "to_ids": true, "type": "sha256", "uuid": "cef325fc-183a-4e81-9c6d-fced2b5e79d5", "value": "e512d22d2bd989f35ebaccb63615434870dc0642b0f60e6d4bda0bb89adee27a", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1778206518", "to_ids": true, "type": "ssdeep", "uuid": "592488b2-921a-4889-b120-97b2d8accae6", "value": "24576:kMSdEmDpXzQqjBJv1ZULIOnwAzWLsuyg13TCGjsHRCRfJ+lCy:kMSdXDpXzNjBJvgLIOnwAzUFRsHRWf2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1778206518", "to_ids": false, "type": "size-in-bytes", "uuid": "6eb1a406-e32a-4bb8-b1bc-7a3b3446bd0a", "value": "1453056" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1778206518", "to_ids": true, "type": "vhash", "uuid": "b1524c88-3ce2-4495-b24e-ad2ab0d63801", "value": "0160a76d1565555c0d1d10c5zc00715d037z19z55z37z" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1778206518", "to_ids": true, "type": "filename", "uuid": "66b1fb28-7076-4b61-bf3b-ad57d8315872", "value": "dp6fd66.exe" }, { "category": "Other", "comment": "Checked: 08/05/2026\nLast-scan\t: 07/05/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1778206518", "to_ids": false, "type": "text", "uuid": "f1ed709b-15aa-409b-8c13-ccd86ac020ad", "value": "Type Description: Win32 EXE\nMicrosoft: Ransom:Win32/Avaddon.P!MSR\nVT Total Detection:54/70\nFirst Submission:2026-03-26T15:48:41.000000+00:00\nLast Submission:2026-03-26T15:48:41.000000+00:00" } ] } ] } }