Ransomware groups Vect and TeamPCP are now working together in a widespread campaign involving supply chain attacks and the extortion of multiple organizations.
The tie-up, which the two announced in March, sees TeamPCP’s credential harvesting and data theft capabilities combined with Vect’s ransomware deployment infrastructure.
According to Sophos, this alliance represents a huge shift in the ransomware threat landscape.
The convergence of supply chain credential theft, a maturing RaaS operation, and mass underground forum mobilization constitutes an “unprecedented” model of industrialized ransomware deployment.
Crucially, the collaboration has the potential to significantly lower the barrier to entry for up-and-coming cyber criminals.
“Threat groups are increasingly operating like businesses, collaborating to combine respective specialist capabilities and build new attack pipelines,” said Rafe Pilling, director of threat intelligence at Sophos.
“As AI becomes increasingly accessible, we expect the ransomware landscape to industrialize even faster, lowering the barrier to entry by automating much of the work involved in launching attacks.”
The Vect ransomware as a service (RaaS) operation first appeared at the end of 2025, going on to claim its first victims a month later. It’s already shown it’s a team player, announcing a partnership with BreachForums in March this year.
“Together, we are going to build something huge. Something that the entire ransomware ecosystem will remember for years,” the group said at the time.
TeamPCP, meanwhile, appears to be an offshoot of The Com, a global confederation of primarily English-speaking cyber criminals.
Between March and May this year, the group carried out a series of high-profile supply chain attacks, including one on Trivy, an open source vulnerability scanner made by Aqua Security.
The group has since partnered with other established extortion groups – including Lapsus$ – to monetize the stolen data.
Sophos said TeamPCP has demonstrated the ability to repeatedly compromise trusted open source tooling, with at least one verified Vect ransomware deployment using TeamPCP-sourced credentials.
This, the company said, shows that the pipeline from supply chain compromise to ransomware execution is already in operation.
Remaining vigilant
Organizations that use open source tools in their development workflows should maintain an up-to-date inventory to enable a prompt assessment of potential impact when a supply chain compromise is announced, according to Sophos.
This will help facilitate a quick response to mitigate potential risks.
Similarly, because third-party software updates could be an attack vector, enterprises are advised to verify the integrity of updates before deploying them across environments.
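The two recommendations above (a current inventory of the open source tools in use, and integrity verification of third-party updates before rollout) can be wired together in a small gating step. The following is an added example, not code from the article, from Sophos or from any of the projects named; the inventory format, the tool names, versions and artifact bytes are constructed for illustration, and a real deployment would pin digests published by the upstream project.

```python
"""Pinned-inventory lookup and artifact integrity gate.

Added example (not from the article). The inventory entries, tool names,
versions and artifact contents below are constructed placeholders.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryEntry:
    name: str
    version: str
    sha256: str  # expected hex digest of the release artifact


def _digest(data: bytes) -> str:
    """SHA-256 hex digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed artifacts standing in for real release binaries; their digests
# are what a team would normally copy from the upstream release page.
GOOD_ARTIFACT = b"constructed scanner binary v1.2.3"
HELPER_ARTIFACT = b"constructed build-helper v4.0.1"

# Constructed inventory keyed by (tool, version): one line per pinned tool.
INVENTORY = {
    ("scanner-tool", "1.2.3"): InventoryEntry("scanner-tool", "1.2.3", _digest(GOOD_ARTIFACT)),
    ("build-helper", "4.0.1"): InventoryEntry("build-helper", "4.0.1", _digest(HELPER_ARTIFACT)),
}


def verify_artifact(inventory: dict, name: str, version: str, data: bytes) -> str:
    """Gate an update before deployment.

    Returns 'ok' only when the artifact matches the pinned digest. Any other
    result ('not_in_inventory', 'hash_mismatch') should block the rollout
    until a person has reviewed it; an unexpected version or a changed
    digest for a known version is exactly what a tampered release looks like.
    """
    entry = inventory.get((name, version))
    if entry is None:
        return "not_in_inventory"
    if not hmac.compare_digest(_digest(data), entry.sha256):
        return "hash_mismatch"
    return "ok"


def assess_exposure(inventory: dict, advisory: dict) -> list[InventoryEntry]:
    """Answer 'are we affected?' when a compromise is announced.

    `advisory` is a constructed shape: {"name": <tool>, "affected_versions": [...]}.
    Returns the pinned entries that fall inside the affected set, so the
    inventory gives an immediate impact list instead of a manual hunt.
    """
    affected = set(advisory["affected_versions"])
    return [
        entry
        for (tool, version), entry in inventory.items()
        if tool == advisory["name"] and version in affected
    ]


if __name__ == "__main__":
    # Clean artifact passes; a single changed byte or an unpinned version does not.
    print(verify_artifact(INVENTORY, "scanner-tool", "1.2.3", GOOD_ARTIFACT))
    print(verify_artifact(INVENTORY, "scanner-tool", "1.2.3", GOOD_ARTIFACT + b"\x00"))
    print(verify_artifact(INVENTORY, "scanner-tool", "9.9.9", GOOD_ARTIFACT))
    # Constructed advisory: which pinned entries are inside the affected range?
    hits = assess_exposure(INVENTORY, {"name": "scanner-tool", "affected_versions": ["1.2.3", "1.2.4"]})
    print([(e.name, e.version) for e in hits])
```

The point of keeping the inventory keyed by exact version is that the same table serves both questions the article raises: "is this update what upstream shipped?" at deploy time, and "which of our pipelines are exposed?" the moment an advisory lands.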
“The software development environment has quietly become one of the most consequential and least governed attack surfaces in the enterprise,” said Pilling.
“Organizations must shift to a posture where they are able to quickly assess exposure and respond to supply chain attacks. It’s crucial that they carefully verify the integrity and safety of third-party updates before deploying them across their environment.”