Warning Over “Industrialized” Cyber-Attacks After Ransomware Gang Partners With TeamPCP

A ransomware group and a cyber-criminal gang that specializes in stealing credentials through supply chain attacks have teamed up, in a move that cybersecurity researchers have described as an "unprecedented model of industrialized ransomware."

As detailed by Sophos, the collaboration is between the Vect ransomware group and TeamPCP, a group associated with The Com, a collective of English-speaking cyber criminals behind a series of high-profile supply chain attacks.

In a blog post published on July 2, Sophos warned that the convergence of TeamPCP's large-scale supply chain credential theft, which particularly targets developers, with Vect's ransomware-as-a-service operation represents a "meaningful shift in the ransomware threat landscape".

The practical consequence is that any organization whose login credentials have been stolen by TeamPCP now faces the additional risk of a follow-on ransomware attack by Vect using those same credentials.

Both groups have a history of working with other cybercriminal operations. Vect only emerged at the end of 2025, but by early 2026 it had come to an agreement to partner with BreachForums, the cybercriminal hacking forum. Meanwhile, TeamPCP has previously worked with extortion gangs including the notorious Lapsus$ group.

However, the partnership between TeamPCP and Vect could be particularly potent, given the large number of accounts compromised by TeamPCP. For example, in March 2026, TeamPCP targeted Aqua Security's Trivy vulnerability scanner, which resulted in the compromise of 10,000 CI/CD workflows and the theft of over 500,000 login credentials, including cloud tokens.


Sophos researchers noted that at least one verified Vect ransomware deployment using TeamPCP-sourced credentials has been confirmed.

"Threat groups are increasingly operating like businesses, collaborating to combine respective specialist capabilities and build new attack pipelines. As AI becomes increasingly accessible, we expect the ransomware landscape to industrialise even faster, lowering the barrier to entry by automating much of the work involved in launching attacks," said Rafe Pilling, director of threat intelligence, Sophos X-Ops Counter Threat Unit (CTU).

The research on the cybercriminal partnership was published the same day the FBI issued a FLASH warning about the activity of TeamPCP.

“TeamPCP actors have conducted large-scale software supply chain compromises by targeting widely used developers and security tools, gaining access to victim environments and extracting sensitive data, including but not limited to cloud access tokens, SSH keys, and Kubernetes secrets,” the FBI alert said.

The FBI also detailed some of the malware and infostealers known to be associated with TeamPCP campaigns. These include CanisterWorm, Sandclock, the self-replicating worm Mini Shai-Hulud, which targets open source repositories, and Miasma, a variant of Mini Shai-Hulud.

Given TeamPCP's focus on compromising software supply chains and its partnership with the Vect ransomware group, Sophos warned that it is crucial for organizations to ensure they are as well protected as possible against the combined threat.

"The software development environment has quietly become one of the most consequential and least governed attack surfaces in the enterprise,” said Pilling.

“Organizations must shift to a posture where they are able to quickly assess exposure and respond to supply chain attacks. It’s crucial that they carefully verify the integrity and safety of third-party updates before deploying them across their environment,” he added.
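One concrete way to act on that advice in the CI/CD workflows the article describes is to refuse mutable references to third-party actions: a workflow that pulls `some-org/some-action@v1` or `@main` re-resolves that reference on every run, so a compromised upstream release is executed automatically, whereas a full commit SHA cannot be silently swapped. The following auditor is an added illustration written for this page, not Sophos, FBI or Aqua Security tooling. It scans GitHub Actions workflow text for `uses:` lines and flags anything not pinned to a 40-hex-character commit (or, for `docker://` images, not pinned by digest). The sample workflow, the `example-org` action names and the commit hash in it are constructed for the demonstration.

```python
"""Flag third-party GitHub Actions that are not pinned to an immutable ref.

Added example for this page; not vendor tooling.  A tag (@v1) or branch
(@main) is a mutable pointer that upstream, or an attacker holding upstream
credentials, can move at any time; a full commit SHA cannot be changed.
"""
import re
from dataclasses import dataclass

# A 40-character lowercase hex string: a full git commit id, the only
# immutable way to reference an action hosted in a git repository.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# `uses:` lines as they appear in workflow YAML, with or without a leading
# list dash, optional quotes, and an optional trailing `# comment`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?")


@dataclass
class Finding:
    line: int      # 1-based line number in the workflow file
    action: str    # action or image reference without its ref
    ref: str       # the mutable ref that was used ("" if none)
    reason: str


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` reference that is not immutably pinned."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)

        if spec.startswith("./"):
            # Local action inside this repository: nothing external to pin.
            continue

        if spec.startswith("docker://"):
            image = spec[len("docker://"):]
            if "@sha256:" not in image:
                findings.append(Finding(lineno, image, "",
                                        "container image not pinned by digest"))
            continue

        if "@" not in spec:
            findings.append(Finding(lineno, spec, "",
                                    "no ref given; resolves to the default branch"))
            continue

        action, ref = spec.rsplit("@", 1)
        if SHA_RE.match(ref):
            # Pinned to a commit: upstream cannot swap the code under this ref.
            continue
        findings.append(Finding(lineno, action, ref, "mutable ref (tag or branch)"))
    return findings


# Constructed sample workflow (hypothetical action names and commit hash).
SAMPLE_WORKFLOW = """name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout@0123456789abcdef0123456789abcdef01234567 # v4, constructed SHA
      - name: Run the vulnerability scanner
        uses: example-org/scanner-action@v1
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
      - uses: "example-org/deploy@main"
"""


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.action}@{f.ref or '<none>'}: {f.reason}")
```

Run against the sample, the auditor ignores the SHA-pinned checkout and the local action, and reports the scanner action on `v1`, the `alpine:3.20` image with no digest, and the deploy action on `main`. Pinning alone does not help if the pipeline then hands long-lived cloud tokens to whatever it runs, so pair it with short-lived, scoped credentials in the job environment.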
