Ransomware Gang Launches Industrialized Cyber-Attacks

Summary
– The Vect ransomware group and TeamPCP, a credential-theft gang, have partnered in what Sophos calls an “unprecedented model of industrialized ransomware.”
– TeamPCP specializes in large-scale supply chain credential theft targeting developers, while Vect operates a ransomware-as-a-service operation.
– Organizations whose credentials were stolen by TeamPCP face increased risk of ransomware attacks from Vect, with at least one verified deployment using TeamPCP-sourced credentials.
– In March 2026, TeamPCP compromised Aqua Security’s Trivy scanner, stealing over 500,000 login credentials from 10,000 CI/CD workflows.
– The FBI issued a FLASH warning about TeamPCP, detailing their use of malware like CanisterWorm and Mini Shai-Hulud to target software supply chains.
A ransomware operation and a cyber-criminal group that specializes in stealing credentials through supply chain attacks have joined forces, a collaboration cybersecurity researchers describe as an “unprecedented model of industrialized ransomware.”
According to Sophos, the partnership unites the Vect ransomware group with TeamPCP, a collective linked to The Com, an English-speaking cyber-criminal network responsible for several high-profile supply chain breaches.
In a July 2 blog post, Sophos warned that combining TeamPCP’s large-scale credential theft, which specifically targets developers, with Vect’s ransomware-as-a-service (RaaS) operation marks a “meaningful shift in the ransomware threat landscape.” The result is that any organization whose login credentials were stolen by TeamPCP now faces an elevated risk of a subsequent ransomware attack from Vect.
Both groups have prior experience working with other cyber-criminal enterprises. Vect first appeared in late 2025 but by early 2026 had struck a deal with BreachForums, a prominent hacking forum. TeamPCP, meanwhile, has previously collaborated with extortion gangs such as the infamous Lapsus$ group.
The TeamPCP and Vect alliance could prove especially dangerous given the sheer volume of accounts TeamPCP has compromised. In March 2026, for example, TeamPCP targeted Aqua Security’s Trivy vulnerability scanner, compromising 10,000 CI/CD workflows and stealing more than 500,000 login credentials, including cloud tokens.
Sophos researchers confirmed at least one verified Vect ransomware deployment that used credentials sourced from TeamPCP.
“Threat groups are increasingly operating like businesses, collaborating to combine respective specialist capabilities and build new attack pipelines,” said Rafe Pilling, director of threat intelligence at Sophos X-Ops Counter Threat Unit (CTU). “As AI becomes increasingly accessible, we expect the ransomware landscape to industrialise even faster, lowering the barrier to entry by automating much of the work involved in launching attacks.”
The research on this cyber-criminal partnership was published the same day the FBI issued a FLASH warning about TeamPCP’s activities.
“TeamPCP actors have conducted large-scale software supply chain compromises by targeting widely used developers and security tools, gaining access to victim environments and extracting sensitive data, including but not limited to cloud access tokens, SSH keys, and Kubernetes secrets,” the FBI alert stated.
The FBI also detailed malware and infostealers linked to TeamPCP campaigns, including CanisterWorm, Sandclock, the self-replicating worm Mini Shai-Hulud, which targets open source repositories, and Miasma, a variant of Mini Shai-Hulud.
Given TeamPCP’s focus on compromising software supply chains and its new alliance with the Vect ransomware group, Sophos stressed that organizations must strengthen their defenses against this combined threat.
“The software development environment has quietly become one of the most consequential and least governed attack surfaces in the enterprise,” said Pilling. “Organizations must shift to a posture where they are able to quickly assess exposure and respond to supply chain attacks. It’s crucial that they carefully verify the integrity and safety of third-party updates before deploying them across their environment.”
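Two defender-side checks that follow from the CI/CD credential theft described above and from Pilling's advice to verify third-party updates before deploying them, written as an added example that is not part of the Sophos or FBI reports or of any vendor's tooling. It assumes GitHub Actions-style `uses:` syntax for the workflow check; the workflow file, the artifact bytes and the `example-org` action names are constructed for the demonstration, not real releases.

```python
"""Added example (not from the reports cited in the article).

1. check_artifact_digest(): refuse to deploy a third-party update unless its
   SHA-256 matches a digest obtained out-of-band (for instance from the
   vendor's signed release notes). The artifact below is constructed bytes.
2. find_unpinned_uses(): flag `uses:` references in a CI workflow that point
   at a third-party action by a mutable tag or branch rather than a full
   40-hex commit SHA, so a compromised upstream tag cannot silently change
   what the pipeline runs with its cloud tokens and other secrets in scope.
"""
import hashlib
import hmac
import re

# Constructed sample artifact standing in for a downloaded scanner binary.
SAMPLE_ARTIFACT = b"#!/bin/sh\necho 'constructed sample scanner release'\n"

# Constructed sample workflow; only actions/checkout is a real action name.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scanner-action@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/scanner-action@main
      - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the artifact bytes."""
    return hashlib.sha256(data).hexdigest()


def check_artifact_digest(artifact: bytes, expected_hex: str) -> bool:
    """True only if the artifact's digest equals the out-of-band expected digest.

    hmac.compare_digest avoids leaking how many leading characters matched.
    """
    return hmac.compare_digest(sha256_hex(artifact), expected_hex.strip().lower())


def find_unpinned_uses(workflow_text: str) -> list:
    """Return (line_number, reference) for every remote action not pinned to a SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        # Local composite actions and docker:// images are governed elsewhere.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _name, _sep, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):
            findings.append((lineno, ref))
    return findings


if __name__ == "__main__":
    # Digest recorded at review time; in practice this comes from the vendor.
    recorded = sha256_hex(SAMPLE_ARTIFACT)
    print("artifact ok:", check_artifact_digest(SAMPLE_ARTIFACT, recorded))
    print("tampered ok:", check_artifact_digest(SAMPLE_ARTIFACT + b"\n", recorded))
    for lineno, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: unpinned third-party action {ref}")
```

Running the module prints `artifact ok: True`, `tampered ok: False`, and flags the two mutable references (`@v4` and `@main`) while accepting the SHA-pinned and local steps. The digest check is only as strong as the channel the expected value came from, so the recorded digest should be taken from a source independent of the download itself.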
(Source: Infosecurity Magazine)