Sophos Flags Vect-TeamPCP Cybercriminal Ransomware Alliance

As big tech and businesses pool their resources for better outcomes, it shouldn’t come as a surprise that organised cybercriminal gangs that are increasingly operating like modern businesses are banking on partnerships too.
Research from the Sophos X-Ops Counter Threat Unit (CTU) has uncovered a new partnership between ransomware group Vect and cybercriminal outfit TeamPCP, heralding a major evolution in the cybercrime landscape.
Stacking their collective criminal expertise, the collaboration combines TeamPCP's capabilities in credential theft and supply chain compromise with Vect's ransomware-as-a-service (RaaS) infrastructure to create a highly efficient cyberattack pipeline.
The alliance is already proving effective, with Sophos confirming at least one ransomware deployment in which Vect used credentials stolen by TeamPCP.
Researchers warn that this emerging model could significantly lower the barrier to entry for cybercriminals while accelerating the scale and sophistication of ransomware campaigns.
Vect and TeamPCP combine specialist cybercrime capabilities
Vect is a relatively new ransomware-as-a-service operation (RaaS) that first emerged on 31 December 2025 before claiming its first victims in January of 2026.
Despite its novelty, the group has quickly established trust and places itself as a collaborative player within the cybercriminal ecosystem.
In March 2026, Vect announced a partnership with BreachForums, declaring its ambition to create something that “the entire ransomware ecosystem will remember for years.”
TeamPCP – also known as PCPcat, ShellForce and DeadCatx3 – is believed to consist of individuals previously associated with The Com, a loosely connected network of predominantly English-speaking cybercriminals.
With many high-profile supply chain attacks under its belt that took place between March and May 2026, including the Trivy, Checkmarx and Telnyx compromise, where TeamPCP compromised trusted software and harvested valuable credentials, they also partnered with established extortion groups, including Lapsus$, to monetise the stolen data.
The latest partnership with Vect represents another step in TeamPCP's strategy of collaborating with ransomware operators that can exploit the information it steals.
Supply chain attacks become a direct route to ransomware
Instead of carrying out every stage of an operation by themselves, crime groups are playing on their individual strengths and combining resources to maximise impact.
Threat groups are increasingly operating like businesses, collaborating to combine respective specialist capabilities and build new attack pipelines
Researchers found that TeamPCP has repeatedly compromised trusted open-source development tools, allowing attackers to harvest credentials on a large scale.
Those stolen credentials are then passed to ransomware operators such as Vect, enabling rapid deployment of ransomware against compromised organisations.
The fact that Sophos has already verified a successful ransomware attack using TeamPCP-sourced credentials confirms that this attack pipeline is no longer theoretical but actively being used by threat actors.
This highly industrialised approach enables cybercriminals with fewer technical skills to launch sophisticated attacks by leveraging established ransomware infrastructure and stolen access credentials.
Accelerating ransomware operations
Sophos believes the Vect and TeamPCP partnership reflects a wider trend in which cybercriminal organisations increasingly resemble legitimate businesses by outsourcing specialist functions and forming strategic alliances.
“Threat groups are increasingly operating like businesses, collaborating to combine respective specialist capabilities and build new attack pipelines,” says Rafe Pilling, Director of Threat Intelligence at Sophos.
“As AI becomes increasingly accessible, we expect the ransomware landscape to industrialise even faster, lowering the barrier to entry by automating much of the work involved in launching attacks.
“The software development environment has quietly become one of the most consequential and least governed attack surfaces in the enterprise.
“Organisations must shift to a posture where they are able to quickly assess exposure and respond to supply chain attacks. It’s crucial that they carefully verify the integrity and safety of third-party updates before deploying them across their environment.”
With attackers exploiting trusted development environments and collaborating more effectively than ever, businesses are being urged to strengthen their ability to detect compromised software, assess exposure quickly and validate third-party updates before deployment.
- JadePuffer: Sysdig Sniffs Out the First Agentic RansomwareHacking & Malware
- Cisco Research Stresses AI's Enterprise Networking ChallengeNetwork Security
- Bear Necessities: Google on The Russian Sphere of InfluenceCyber Security
- How Apple Bets on Early Updates To Ease AI Cyber ConcernsCyber Security





