Vect 2.0 RaaS Targets Windows, Linux, and ESXi Systems
Key Takeaways
- Vect 2.0, a new Ransomware-as-a-Service (RaaS) group, has emerged, targeting Windows, Linux, and VMware ESXi systems.
- The group employs a “triple-threat” model involving data exfiltration, encryption, and extortion, leveraging a custom C++ codebase for multi-platform attacks.
- Since December 2025, Vect 2.0 has claimed at least 20 victims globally across critical sectors like manufacturing, education, healthcare, and technology.
- Initial access often exploits weak credentials, exposed RDP/VPN, or phishing, followed by lateral movement and evasion techniques like Safe Mode Boot.
- The group operates entirely via TOR, demands Monero for ransom, and offers a waived affiliate fee for CIS countries, suggesting Eastern European origins.
New Vect 2.0 RaaS Emerges, Threatening Windows, Linux, and ESXi Environments
A formidable new player, Vect 2.0, has entered the cybercrime arena, launching a sophisticated Ransomware-as-a-Service (RaaS) operation that poses a significant threat to a broad spectrum of enterprise systems. This group specializes in attacks against Windows, Linux, and VMware ESXi platforms, as detailed in a recent intelligence report.
The Vect 2.0 operation initiated its activities in December 2025, swiftly escalating its campaigns through February 2026. During this period, the group has publicly claimed responsibility for compromising at least 20 organizations spanning diverse countries and vital industry sectors, according to a comprehensive report.
Evolution of Vect and Triple-Threat Extortion Model
Vect 2.0 represents a significant evolution from its predecessor, the “Vect” operation. This updated iteration is powered by a bespoke C++ codebase, providing enhanced precision and cross-platform compatibility. The group openly advertises a “triple-threat” extortion strategy, encompassing exfiltration, encryption, and ultimately, extortion.
This multi-faceted approach begins with the theft of sensitive organizational data, followed by the encryption of critical systems to render them inaccessible. The final stage involves threatening to publicly release the stolen information unless a ransom payment is made. This layered attack strategy places victim organizations in a precarious situation, grappling with both operational paralysis and the imminent risk of data exposure.
Analysts and researchers at the Data Security Council of India (DSCI) meticulously tracked and identified the Vect 2.0 operation through continuous dark web monitoring and advanced threat intelligence analysis. Their investigation revealed that as of February 28, 2026, the group’s Data Leak Site (DLS) dashboard displayed 20 active victim cases. Of these, six victims had their data publicly leaked, while 14 others remained in ongoing negotiation. To further pressure victims, compromised data was also disseminated across prominent cybercrime forums, including BreachForums.
Geographic and Sectoral Targeting
The ransomware group has concentrated its attacks primarily on Brazil and the United States, each experiencing four reported victims. India follows with three recorded compromises. Other nations affected include South Africa, Egypt, Spain, Colombia, Italy, and Namibia.
The most heavily impacted sectors include manufacturing, education, healthcare, and technology. These industries are particularly attractive targets due to their reliance on continuous operational uptime and their repositories of high-value, sensitive data.
Operational Infrastructure and Attribution Clues
Vect 2.0 maintains its entire operational infrastructure exclusively through TOR hidden services, ensuring a high degree of anonymity. Ransom payments are strictly demanded in Monero (XMR), a cryptocurrency known for its enhanced privacy features, which complicates financial tracing efforts.
Communication between affiliates and operators is conducted using the TOX protocol and a proprietary messaging application dubbed “Vect Secure Chat.” New affiliates are required to pay a $250 USD entry fee in Monero. However, this fee is notably waived for applicants originating from Commonwealth of Independent States (CIS) countries, a detail that strongly suggests the group’s operators are likely based in Russia or Belarus.
Multi-Platform Infection Mechanism and Defense Evasion
Vect 2.0 employs distinct, purpose-built executables tailored to each target platform. For Windows systems, the payload is an executable named “svc_host_update.exe,” designed to mimic legitimate system processes to evade detection. In Linux and VMware ESXi environments, the group deploys a dedicated binary identified as “enc_esxi.elf.” Upon execution, the ransomware encrypts target files and appends the “.vect” extension. Victims are subsequently presented with ransom notes, typically titled “VECT_RECOVERY_GUIDE.txt” or “README_VECT.html,” which provide instructions and a TOR-based link to a negotiation portal.

To circumvent security measures, Vect 2.0 utilizes a Safe Mode Boot technique (MITRE ATT&CK T1562.009). This maneuver forces the compromised system to restart in Safe Mode, a state where many endpoint security solutions are inactive, providing the ransomware an unobstructed window for data encryption. Initial access is commonly achieved through the exploitation of stolen or weak credentials (T1078), publicly exposed RDP or VPN services (T1133), or successful phishing campaigns (T1566).
Following initial compromise, the group executes lateral movement across the network, often leveraging SMB shares and WinRM. It then proceeds to collect data from local systems and shared drives, exfiltrating this sensitive information through TOR-encrypted channels before initiating the final encryption phase.
What You Should Do
- Network Hardening: Block known Vect 2.0 IP addresses, such as 158.94.210.11 (Port 8000), and implement strict outbound TOR traffic restrictions at the network perimeter.
- Detection and Alerting: Configure security monitoring to generate alerts for any suspicious “bcdedit” command activity or unexpected system reboots into Safe Mode, as these are indicators of evasion tactics.
- Access Control: Enforce multi-factor authentication (MFA) across all remote access services, including RDP, VPN, and VMware ESXi interfaces, to prevent unauthorized access via stolen credentials.
- Data Backup Strategy: Adhere to the 3-2-1 backup rule: maintain three copies of your data, store them on two different media, and keep at least one copy offline and offsite to ensure recovery capabilities without succumbing to ransom demands.
- Employee Training: Conduct regular and comprehensive phishing awareness training for all employees to enhance their ability to identify and report malicious emails.
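The detection guidance above (bcdedit Safe Mode changes followed by a reboot, plus the “.vect” extension and ransom note file names from the infection section) can be turned into simple rules. The following is an added example, not code from the report or from any vendor: it runs over constructed, simplified key=value telemetry lines (a real deployment would feed it EDR or Sysmon process-creation and file-creation events) and correlates a safeboot change with a subsequent reboot by the same account.

```python
import re

# Constructed sample telemetry in a simplified key=value form (not a real EDR
# export); command lines and file names follow what the report describes.
SAMPLE_EVENTS = [
    'type=process user=CORP\\svc_backup cmd="bcdedit /set {default} safeboot network"',
    'type=process user=CORP\\admin cmd="bcdedit /enum"',
    'type=process user=CORP\\svc_backup cmd="shutdown /r /t 0"',
    'type=file path="C:\\Shares\\Finance\\Q4.xlsx.vect"',
    'type=file path="C:\\Users\\Public\\VECT_RECOVERY_GUIDE.txt"',
    'type=file path="C:\\Users\\alice\\notes.txt"',
]

SAFEBOOT_RE = re.compile(r"\bbcdedit\b.*\bsafeboot\b", re.IGNORECASE)
REBOOT_RE = re.compile(r"\bshutdown\b.*\s/r\b", re.IGNORECASE)
RANSOM_NOTES = {"vect_recovery_guide.txt", "readme_vect.html"}
ENCRYPTED_EXT = ".vect"

def parse_event(line: str) -> dict:
    """Parse key=value pairs; values may be double-quoted."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def check_event(ev: dict):
    """Stateless per-event rules; returns (rule_name, evidence) or None."""
    if ev.get("type") == "process" and SAFEBOOT_RE.search(ev.get("cmd", "")):
        return ("safe_mode_boot_via_bcdedit", ev["cmd"])          # T1562.009
    if ev.get("type") == "file":
        name = ev.get("path", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in RANSOM_NOTES:
            return ("vect_ransom_note_dropped", ev["path"])
        if name.endswith(ENCRYPTED_EXT):
            return ("vect_encrypted_file_written", ev["path"])
    return None

def scan(lines):
    """Evaluate events in order. A reboot issued by a user who just changed the
    safeboot setting is reported as the follow-on step of the evasion."""
    alerts, armed = [], set()
    for line in lines:
        ev = parse_event(line)
        alert = check_event(ev)
        if alert and alert[0] == "safe_mode_boot_via_bcdedit":
            armed.add(ev.get("user"))
        elif (ev.get("type") == "process" and ev.get("user") in armed
              and REBOOT_RE.search(ev.get("cmd", ""))):
            alert = ("reboot_after_safeboot_change", ev["cmd"])
        if alert:
            alerts.append(alert)
    return alerts
```

Read-only “bcdedit /enum” is deliberately not flagged so routine administration does not drown the alert; the file rules give a low-cost signal that encryption has already begun and that backups should be isolated immediately.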
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.