Vect 2.0 RaaS Targets Windows, Linux, and ESXi Systems

Emy Elsamnoudy
April 29, 2026 4 Min Read

Key Takeaways

  • Vect 2.0, a new Ransomware-as-a-Service (RaaS) group, has emerged, targeting Windows, Linux, and VMware ESXi systems.
  • The group employs a “triple-threat” model involving data exfiltration, encryption, and extortion, leveraging a custom C++ codebase for multi-platform attacks.
  • Since December 2025, Vect 2.0 has claimed at least 20 victims globally across critical sectors like manufacturing, education, healthcare, and technology.
  • Initial access often exploits weak credentials, exposed RDP/VPN, or phishing, followed by lateral movement and evasion techniques like Safe Mode Boot.
  • The group operates entirely via TOR, demands Monero for ransom, and offers a waived affiliate fee for CIS countries, suggesting Eastern European origins.

New Vect 2.0 RaaS Emerges, Threatening Windows, Linux, and ESXi Environments

A formidable new player, Vect 2.0, has entered the cybercrime arena, launching a sophisticated Ransomware-as-a-Service (RaaS) operation that poses a significant threat to a broad spectrum of enterprise systems. This group specializes in attacks against Windows, Linux, and VMware ESXi platforms, as detailed in a recent intelligence report.

The Vect 2.0 operation initiated its activities in December 2025, swiftly escalating its campaigns through February 2026. During this period, the group has publicly claimed responsibility for compromising at least 20 organizations spanning diverse countries and vital industry sectors, according to a comprehensive report.

Evolution of Vect and Triple-Threat Extortion Model

Vect 2.0 represents a significant evolution from its predecessor, the “Vect” operation. This updated iteration is powered by a bespoke C++ codebase, providing enhanced precision and cross-platform compatibility. The group openly advertises a “triple-threat” extortion strategy, encompassing exfiltration, encryption, and ultimately, extortion.

This multi-faceted approach begins with the theft of sensitive organizational data, followed by the encryption of critical systems to render them inaccessible. The final stage involves threatening to publicly release the stolen information unless a ransom payment is made. This layered attack strategy places victim organizations in a precarious situation, grappling with both operational paralysis and the imminent risk of data exposure.

Analysts and researchers at the Data Security Council of India (DSCI) meticulously tracked and identified the Vect 2.0 operation through continuous dark web monitoring and advanced threat intelligence analysis. Their investigation revealed that as of February 28, 2026, the group’s Data Leak Site (DLS) dashboard displayed 20 active victim cases. Of these, six victims had their data publicly leaked, while 14 others remained in ongoing negotiation. To further pressure victims, compromised data was also disseminated across prominent cybercrime forums, including BreachForums.

Geographic and Sectoral Targeting

The ransomware group has concentrated its attacks primarily on Brazil and the United States, each experiencing four reported victims. India follows with three recorded compromises. Other nations affected include South Africa, Egypt, Spain, Colombia, Italy, and Namibia.

The most heavily impacted sectors include manufacturing, education, healthcare, and technology. These industries are particularly attractive targets due to their reliance on continuous operational uptime and their repositories of high-value, sensitive data.

Operational Infrastructure and Attribution Clues

Vect 2.0 maintains its entire operational infrastructure exclusively through TOR hidden services, ensuring a high degree of anonymity. Ransom payments are strictly demanded in Monero (XMR), a cryptocurrency known for its enhanced privacy features, which complicates financial tracing efforts.

Communication between affiliates and operators is conducted using the TOX protocol and a proprietary messaging application dubbed “Vect Secure Chat.” New affiliates are required to pay a $250 USD entry fee in Monero. However, this fee is notably waived for applicants originating from Commonwealth of Independent States (CIS) countries, a detail that strongly suggests the group’s operators are likely based in Russia or Belarus.

Multi-Platform Infection Mechanism and Defense Evasion

Vect 2.0 employs distinct, purpose-built executables tailored to each target platform. For Windows systems, the payload is an executable named “svc_host_update.exe,” designed to mimic legitimate system processes to evade detection. In Linux and VMware ESXi environments, the group deploys a dedicated binary identified as “enc_esxi.elf.” Upon execution, the ransomware encrypts target files and appends the “.vect” extension. Victims are subsequently presented with ransom notes, typically titled “VECT_RECOVERY_GUIDE.txt” or “README_VECT.html,” which provide instructions and a TOR-based link to a negotiation portal.
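The host-based indicators quoted in this section (the ".vect" extension, the two ransom note filenames and the two payload names) are simple enough to sweep for with a small script. The following Python sweep is an added example written for this article, not tooling from DSCI or from the report; it builds a constructed directory tree so it runs stand-alone, and the indicator lists are taken directly from the paragraph above.

```python
import os
import tempfile
from pathlib import Path

# Host indicators as reported above (filenames, not hashes).
VECT_EXTENSION = ".vect"
RANSOM_NOTE_NAMES = {"VECT_RECOVERY_GUIDE.txt", "README_VECT.html"}
PAYLOAD_NAMES = {"svc_host_update.exe", "enc_esxi.elf"}


def scan_for_vect_artifacts(root):
    """Walk `root` and group every matching path by indicator type.

    Matching is by filename only: an ".vect" suffix marks an encrypted file,
    the note names mark a dropped ransom note, and the payload names mark a
    staged binary. Names are compared case-insensitively for the extension and
    payloads because NTFS and VMFS lookups are case-insensitive in practice.
    """
    found = {"encrypted_files": [], "ransom_notes": [], "payloads": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(VECT_EXTENSION):
                found["encrypted_files"].append(path)
            elif name in RANSOM_NOTE_NAMES:
                found["ransom_notes"].append(path)
            elif name.lower() in PAYLOAD_NAMES:
                found["payloads"].append(path)
    for paths in found.values():
        paths.sort()
    return found


def summarize(found):
    """Counts per indicator type, handy for a first triage line in a ticket."""
    return {kind: len(paths) for kind, paths in found.items()}


def build_sample_tree():
    """Constructed directory layout imitating a hit file server (demo data only)."""
    root = tempfile.mkdtemp(prefix="vect_demo_")
    layout = {
        "finance/q4_report.xlsx.vect": b"",
        "finance/VECT_RECOVERY_GUIDE.txt": b"constructed placeholder note text",
        "hr/staff.db": b"",
        "tmp/svc_host_update.exe": b"",
    }
    for rel, data in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    hits = scan_for_vect_artifacts(demo_root)
    print(summarize(hits))
    for kind, paths in hits.items():
        for path in paths:
            print(f"{kind}: {path}")
```

Point the scan at a mounted datastore or a file-server share root during incident triage; the per-type counts give a quick sense of encryption spread, and the payload matches tell you where the binary was staged so it can be preserved for analysis before the host is rebuilt.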

[Figure: Vect 2.0 ransom note (Source: DSCI)]

To circumvent security measures, Vect 2.0 utilizes a Safe Mode Boot technique (MITRE ATT&CK T1562.009). This maneuver forces the compromised system to restart in Safe Mode, a state where many endpoint security solutions are inactive, providing the ransomware an unobstructed window for data encryption. Initial access is commonly achieved through the exploitation of stolen or weak credentials (T1078), publicly exposed RDP or VPN services (T1133), or successful phishing campaigns (T1566).

Following initial compromise, the group executes lateral movement across the network, often leveraging SMB shares and WinRM. It then proceeds to collect data from local systems and shared drives, exfiltrating this sensitive information through TOR-encrypted channels before initiating the final encryption phase.

What You Should Do

  • Network Hardening: Block known Vect 2.0 IP addresses, such as 158.94.210.11 (Port 8000), and implement strict outbound TOR traffic restrictions at the network perimeter.
  • Detection and Alerting: Configure security monitoring to generate alerts for any suspicious bcdedit command activity or unexpected system reboots into Safe Mode, as these are indicators of evasion tactics.
  • Access Control: Enforce multi-factor authentication (MFA) across all remote access services, including RDP, VPN, and VMware ESXi interfaces, to prevent unauthorized access via stolen credentials.
  • Data Backup Strategy: Adhere to the 3-2-1 backup rule: maintain three copies of your data, store them on two different media, and keep at least one copy offline and offsite to ensure recovery capabilities without succumbing to ransom demands.
  • Employee Training: Conduct regular and comprehensive phishing awareness training for all employees to enhance their ability to identify and report malicious emails.
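The Safe Mode Boot evasion described above (T1562.009) and the "Detection and Alerting" recommendation both come down to watching for bcdedit changing the safeboot setting and a forced reboot that follows it. The Python detector below is an added example written for this article, not a rule from DSCI or the report: it runs over a constructed sample of process-creation events (a flattened 4688/Sysmon-style format that is an assumption of this example), raises a critical alert when bcdedit touches safeboot, raises a lower-severity alert for any other bcdedit use, and marks the critical alert when the same host issues a forced restart within ten minutes.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs. Field layout (an assumption of
# this example): timestamp|host|user|parent process|command line
SAMPLE_EVENTS = """\
2026-02-14T03:12:08Z|FS01|CORP\\svc_backup|cmd.exe|bcdedit /set {default} safeboot minimal
2026-02-14T03:12:09Z|FS01|CORP\\svc_backup|cmd.exe|shutdown /r /f /t 0
2026-02-14T09:41:55Z|WS17|CORP\\jdoe|explorer.exe|notepad.exe C:\\Users\\jdoe\\notes.txt
2026-02-14T10:02:30Z|WS22|CORP\\helpdesk|powershell.exe|bcdedit /enum
2026-02-14T10:05:02Z|WS22|CORP\\helpdesk|powershell.exe|bcdedit /set {current} safeboot network
"""

# Any bcdedit invocation that names safeboot (set or delete) is the evasion itself.
SAFEBOOT_CHANGE = re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.IGNORECASE)
BCDEDIT_ANY = re.compile(r"\bbcdedit(?:\.exe)?\b", re.IGNORECASE)
FORCED_REBOOT = re.compile(r"\bshutdown(?:\.exe)?\b.*\s/r\b", re.IGNORECASE)
REBOOT_WINDOW = timedelta(minutes=10)


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    parent: str
    cmdline: str


@dataclass
class Alert:
    severity: str
    host: str
    user: str
    ts: datetime
    reason: str
    followed_by_reboot: bool = False


def parse_events(text):
    """Parse the pipe-delimited sample format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, cmdline = line.split("|", 4)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            host, user, parent, cmdline))
    return events


def detect_safe_mode_abuse(text):
    """Return alerts for bcdedit activity, escalating safeboot changes."""
    events = parse_events(text)
    alerts = []
    for i, ev in enumerate(events):
        if SAFEBOOT_CHANGE.search(ev.cmdline):
            alert = Alert("critical", ev.host, ev.user, ev.ts,
                          "bcdedit changed safeboot (T1562.009 Safe Mode Boot)")
            # A forced restart shortly afterwards on the same host means the
            # next boot lands in Safe Mode with most security agents not loaded.
            for later in events[i + 1:]:
                if later.ts - ev.ts > REBOOT_WINDOW:
                    break
                if later.host == ev.host and FORCED_REBOOT.search(later.cmdline):
                    alert.followed_by_reboot = True
                    break
            alerts.append(alert)
        elif BCDEDIT_ANY.search(ev.cmdline):
            alerts.append(Alert("medium", ev.host, ev.user, ev.ts,
                                "bcdedit invoked; confirm against change records"))
    return alerts


if __name__ == "__main__":
    for a in detect_safe_mode_abuse(SAMPLE_EVENTS):
        tag = " + forced reboot" if a.followed_by_reboot else ""
        print(f"[{a.severity}] {a.ts:%Y-%m-%d %H:%M:%S} {a.host} {a.user}: {a.reason}{tag}")
```

In production the same two regexes map directly onto a SIEM query over command-line fields; the reboot correlation is what separates a technician running `bcdedit /enum` from an operator staging the Safe Mode restart, so keep it even if the severity tiers are tuned differently.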

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags: Breach, phishing, ransomware, Security, Threat

About the author: Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emy covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emy's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

All Rights Reserved by HackersRadar ©2026