DMZ//THREAT INTEL
TLP:WHITE | THREAT ACTOR DOSSIER // VECT-RAAS | FIRST SEEN: DEC 2025

VECT

ALSO KNOWN AS: None confirmed
FROM: DMZ INTELLIGENCE DESK
ORIGIN: CIS-region suspected (waived entry fee for CIS applicants; Monero payments; Tor-only infrastructure)
ATTRIBUTION: ORGANIZED CRIME
STATUS: ACTIVE
FIRST OBSERVED: DEC 2025
TECHNICAL: 66/100
RESOURCES: 66/100
PERSISTENCE: 69/100
STEALTH: 61/100
IMPACT: 75/100

Vect is a newly emerged RaaS operation identified by Halcyon and analyzed by Red Piranha. It is notable for an encryptor written in C++ from scratch rather than repurposed from the leaked LockBit 3.0 or Conti code, and for using ChaCha20-Poly1305 AEAD, which runs about 2.5x faster than AES-256-GCM on hardware without AES acceleration. The group shows unusual operational maturity for its age: cross-platform targeting of Windows, Linux and VMware ESXi; rebooting victims into Safe Mode so that security tools do not load before the encryptor runs; Monero-only payments; the Tox protocol for affiliate communications; and exclusively Tor hidden services with no clearnet presence. Red Piranha assesses that Vect is likely a rebrand or new venture by experienced RaaS operators, given the sophistication present from its initial launch.
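The Safe Mode trick described above is worth a concrete detection. The following is an added example, not code from the dossier, Halcyon or Red Piranha: a Python scan over constructed process-creation log lines (the log format, hostnames and commands are invented for illustration) that flags the generic T1562.009 staging sequence, that is, bcdedit setting a safeboot flag, a RunOnce value whose name starts with an asterisk (the only Run-style entries Windows executes in Safe Mode) and a forced reboot. The patterns are the public ATT&CK ones, not Vect-specific indicators, which the page does not publish.

```python
"""Flag the Safe Mode staging sequence (ATT&CK T1562.009) in process-creation logs.

Added example; not code from the dossier, Halcyon or Red Piranha. The log
format, hostnames and commands below are constructed for illustration, and the
patterns are the generic public ones for T1562.009, not Vect indicators.
"""
import re
from collections import defaultdict

# Assumed log line shape: <ts> host=<name> user=<u> pid=<n> cmd="<command line>"
LOG_RE = re.compile(r'host=(?P<host>\S+) .*?cmd="(?P<cmd>[^"]*)"')

# Rule order matters: a line is attributed to the first rule it matches.
RULES = [
    (re.compile(r"bcdedit(\.exe)?\b.*\bsafeboot\s+(minimal|network)\b", re.I),
     "bcdedit sets safeboot"),
    (re.compile(r"bcdedit(\.exe)?\b.*\bsafebootalternateshell\b", re.I),
     "bcdedit sets safe-mode alternate shell"),
    (re.compile(r"bootcfg(\.exe)?\b.*/safeboot", re.I),
     "bootcfg sets safeboot (legacy)"),
    # Run keys are skipped in Safe Mode, but a RunOnce value whose name starts
    # with '*' is still executed, which is how a payload survives the reboot.
    (re.compile(r"reg(\.exe)?\s+add\b.*\\CurrentVersion\\RunOnce\b.*\s/v\s+\*", re.I),
     "RunOnce value forced to run in Safe Mode"),
    (re.compile(r"reg(\.exe)?\s+add\b.*\\SafeBoot\\(Minimal|Network)\\", re.I),
     "service allow-listed under SafeBoot"),
    (re.compile(r"shutdown(\.exe)?\b.*\s/r\b", re.I),
     "reboot requested"),
]

BOOT_RULES = {
    "bcdedit sets safeboot",
    "bcdedit sets safe-mode alternate shell",
    "bootcfg sets safeboot (legacy)",
}


def scan(lines):
    """Return (host, rule, cmd) for every line that matches a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        host, cmd = m.group("host"), m.group("cmd")
        for pat, rule in RULES:
            if pat.search(cmd):
                hits.append((host, rule, cmd))
                break
    return hits


def hosts_staged_for_safe_mode(lines):
    """Hosts that both set a safeboot flag and requested a reboot.

    A lone reboot is routine and a lone bcdedit query is admin noise; the
    combination is what an operator does right before launching the encryptor
    in Safe Mode.
    """
    rules_by_host = defaultdict(set)
    for host, rule, _ in scan(lines):
        rules_by_host[host].add(rule)
    return sorted(h for h, rules in rules_by_host.items()
                  if rules & BOOT_RULES and "reboot requested" in rules)


# Constructed sample log: one host staged for Safe Mode, one doing maintenance.
SAMPLE_LOG = [
    '2026-04-02T10:15:03Z host=WS-FIN-07 user=CORP\\jdoe pid=4412 cmd="bcdedit /set {current} safeboot network"',
    '2026-04-02T10:15:04Z host=WS-FIN-07 user=CORP\\jdoe pid=4418 cmd="reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce /v *upd /t REG_SZ /d C:\\ProgramData\\upd.exe /f"',
    '2026-04-02T10:15:05Z host=WS-FIN-07 user=CORP\\jdoe pid=4421 cmd="shutdown /r /f /t 0"',
    '2026-04-02T10:20:11Z host=SRV-DB-02 user=CORP\\admin pid=9001 cmd="bcdedit /enum {current}"',
    '2026-04-02T10:21:00Z host=SRV-DB-02 user=CORP\\admin pid=9010 cmd="shutdown /r /t 60 /c maintenance"',
]

if __name__ == "__main__":
    for host, rule, cmd in scan(SAMPLE_LOG):
        print(f"{host}: {rule}: {cmd}")
    print("staged for Safe Mode:", hosts_staged_for_safe_mode(SAMPLE_LOG))
```

Only the combination of a safeboot flag plus a reboot is escalated; bcdedit queries and scheduled maintenance reboots on their own are left as low-severity hits so the rule does not page on routine administration.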

MOTIVATION: Financial; ransomware extortion using cross-platform custom malware and a high-OPSEC affiliate program

TTPS (MITRE ATT&CK): T1486 (Data Encrypted for Impact; ChaCha20-Poly1305 with intermittent encryption), T1562.009 (Impair Defenses: Safe Mode Boot, so that EDR agents do not load), T1071 (Application Layer Protocol; affiliate-to-operator C2 over the encrypted P2P Tox protocol), T1041 (Exfiltration Over C2 Channel, supporting double extortion), T1059 (Command and Scripting Interpreter), T1078 (Valid Accounts for initial access)
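Intermittent encryption, listed under T1486 above, is chosen for speed, but it also defeats detectors that compute one entropy figure for the whole file. The block below is an added example, not code from the page or from any vendor analysis and not Vect's encryptor: it builds a constructed sample file in which every fourth 4 KiB block is replaced with random bytes (standing in for ChaCha20-Poly1305 ciphertext, which is indistinguishable from random for this purpose), then compares whole-file entropy with per-block entropy. The 4 KiB block size, the 7.5 bits/byte threshold and the one-in-four pattern are assumptions for the demonstration, not Vect's actual parameters.

```python
"""Per-block entropy check for intermittently encrypted files.

Added example; not the dossier's code and not Vect's encryptor. The sample
file is constructed here: text blocks with every fourth 4 KiB block replaced by
random bytes, which stand in for AEAD ciphertext. Block size, threshold and the
1-in-4 pattern are assumptions for the demo, not Vect's real parameters.
"""
import math
import random
from collections import Counter

BLOCK = 4096   # assumed chunk size
HIGH = 7.5     # bits/byte; ciphertext and compressed data sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def block_entropies(data: bytes, block: int = BLOCK) -> list[float]:
    """Entropy of each fixed-size block; a trailing partial block is included."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]


def high_entropy_blocks(data: bytes, block: int = BLOCK, high: float = HIGH) -> list[int]:
    """Indices of blocks whose entropy exceeds the ciphertext threshold."""
    return [i for i, h in enumerate(block_entropies(data, block)) if h > high]


def classify(data: bytes, block: int = BLOCK, high: float = HIGH) -> str:
    """'plaintext', 'fully_encrypted' or 'intermittent', from the block mix.

    A whole-file threshold only separates the first two; the mixed case is
    exactly what intermittent encryption produces.
    """
    ents = block_entropies(data, block)
    if not ents:
        return "plaintext"
    hi = sum(1 for h in ents if h > high)
    if hi == 0:
        return "plaintext"
    if hi == len(ents):
        return "fully_encrypted"
    return "intermittent"


# Constructed sample: 64 blocks of low-entropy text, every fourth one "encrypted".
TEXT_BLOCK = (b"The quick brown fox jumps over the lazy dog. " * 100)[:BLOCK]
_rng = random.Random(20251201)   # fixed seed so the demo is reproducible
SAMPLE_FILE = b"".join(
    _rng.randbytes(BLOCK) if i % 4 == 3 else TEXT_BLOCK for i in range(64)
)

if __name__ == "__main__":
    print(f"whole-file entropy: {shannon_entropy(SAMPLE_FILE):.2f} bits/byte")
    print(f"high-entropy blocks: {high_entropy_blocks(SAMPLE_FILE)}")
    print(f"verdict: {classify(SAMPLE_FILE)}")
```

The whole-file figure for the sample lands well under the 7.5 threshold even though a quarter of the file is ciphertext, so a single-number heuristic reports it as plaintext while the per-block view flags sixteen blocks. Mixed-content containers (archives, Office files with embedded images) also produce high and low blocks side by side, so treat "intermittent" as a trigger to corroborate with renamed extensions, dropped ransom notes or a burst of modified files, not as a verdict on its own.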

TARGET SECTORS:
MANUFACTURING
PROFESSIONAL SERVICES
GOVERNMENT
EDUCATION

INFRASTRUCTURE: Tor-only hidden services (no clearnet presence); Monero for all payments; Tox protocol for encrypted affiliate-to-operator communications; custom C++ encryptor (ChaCha20-Poly1305 AEAD); web-based affiliate panel; dedicated leak site (Tor); affiliate program with a $250 entry fee (waived for CIS applicants)

FILE DATE: DEC 2025
Affiliate Program Launch & Initial Victim Claims
Vect launched its affiliate recruitment program in December 2025 and quickly claimed victims in Brazil and South Africa, showing multi-continent targeting reach despite being newly established.
FILE DATE: APR 2026
Expanded Operations
By April 2026, Vect's cross-platform capabilities (Windows/Linux/ESXi) and high-OPSEC infrastructure attracted ██████████████████████ flagged the operation as a likely rebrand of an established RaaS group given the technical sophistication present from day one.