
Emerging in late 2025, Vect 2.0 has distinguished itself with a custom C++ codebase, advanced operational security, and a highly effective triple-extortion model.
Simultaneously, the rise of commercial-grade phishing frameworks like Starkiller is providing cybercriminals with unprecedented capabilities to bypass traditional multi-factor authentication (MFA) and gain initial network access.
Together, these advanced tools represent a significant evolution in the modern cybercrime ecosystem that threatens critical infrastructure worldwide.
Vect 2.0 Tactics and Critical Wiper Flaw
Officially rebranding in early 2026, Vect 2.0 quickly established a dominant presence by targeting the manufacturing, education, healthcare, and technology sectors.
Operating exclusively through TOR hidden services and enforcing Monero payments, the group relies heavily on an “Exfiltration, Encryption, Extortion” business model.
By February 2026, their Data Leak Site had identified 20 active victims, primarily in the United States, Brazil, and India, with an average attack-to-leak delay of 8 days.
Starkiller Framework Bypasses MFA Defenses
While ransomware groups like Vect focus on maximizing post-compromise impact, they heavily rely on stolen credentials for their initial access via remote services. This makes the emergence of the Starkiller phishing framework deeply concerning.
Sold as a Software-as-a-Service (SaaS) by a threat group known as Jinkusu, Starkiller completely bypasses traditional MFA protections using an adversary-in-the-middle (AitM) reverse proxy.
Unlike older phishing kits that use static HTML clones, Starkiller deploys headless browser containers to proxy legitimate login pages in real time.
When a victim clicks a malicious link, they interact with the authentic service. This setup allows the attackers to silently intercept keystrokes, passwords, and active session cookies from a polished control panel.
Operators can monitor live sessions, view victim IP addresses, and inject extra prompts to steal more data.
Once a session token is stolen, the attacker seamlessly takes over the account. Jinkusu even maintains a community forum offering monthly framework updates and dedicated support, significantly lowering the technical barrier for novice cybercriminals.
Because Starkiller creates dynamic pages for every session, standard domain blocklisting is insufficient.
Security teams must pivot toward identity-aware behavioral analysis, monitoring for unusual login locations and unexpected session token reuse.
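As an added illustration (not code from the article or from any vendor or group it names), the following Python sketches the two session-level checks recommended above, run over a constructed set of identity-provider events; the event tuple format, the 30-minute reuse window and the per-user country baseline are assumptions.

```python
from datetime import datetime

# Constructed sample of identity-provider session events (not real data):
# (timestamp, user, session_token, source_ip, source_country)
EVENTS = [
    ("2026-02-10T09:00:00", "alice", "tok-a1", "203.0.113.10", "US"),
    ("2026-02-10T09:05:00", "alice", "tok-a1", "203.0.113.10", "US"),
    ("2026-02-10T09:07:00", "alice", "tok-a1", "198.51.100.7", "BR"),  # same token, new network
    ("2026-02-10T10:00:00", "bob",   "tok-b1", "192.0.2.44",   "IN"),
    ("2026-02-10T10:30:00", "bob",   "tok-b2", "192.0.2.44",   "IN"),
]

# Hypothetical per-user baseline of countries seen during normal activity.
BASELINE = {"alice": {"US"}, "bob": {"IN"}}


def _parse(event):
    ts, user, token, ip, country = event
    return datetime.fromisoformat(ts), user, token, ip, country


def detect_token_reuse(events, window_minutes=30):
    """Flag a session token presented from a different IP or country than
    where it was first seen, within the window. A real user rarely changes
    network and country mid-session; a replayed session cookie often does."""
    first_seen = {}
    alerts = []
    for ts, user, token, ip, country in map(_parse, events):
        if token not in first_seen:
            first_seen[token] = (ts, ip, country)
            continue
        t0, ip0, c0 = first_seen[token]
        elapsed = (ts - t0).total_seconds() / 60
        if (ip != ip0 or country != c0) and elapsed <= window_minutes:
            alerts.append({"user": user, "token": token, "first": (ip0, c0),
                           "now": (ip, country), "minutes_apart": elapsed})
    return alerts


def detect_new_country(events, baseline):
    """Flag any event whose source country is absent from the user's baseline;
    unknown users are treated as having an empty baseline."""
    return sorted({(user, country)
                   for _, user, _, _, country in map(_parse, events)
                   if country not in baseline.get(user, set())})


if __name__ == "__main__":
    for alert in detect_token_reuse(EVENTS):
        print("session token reuse:", alert)
    for user, country in detect_new_country(EVENTS, BASELINE):
        print("login from unseen country:", user, country)
```

In production the events would come from the identity provider's sign-in and token-refresh logs, and the country baseline from a rolling window of past successful logins.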
As these multifaceted threats evolve, continuous monitoring and robust offline backups, adhering to the strict 3-2-1 rule, are essential for survival.
Initiatives like the Data Security Council of India Threat Intelligence sharing program provide critical weekly updates on dark web activities and malware frameworks.
By staying informed through collaborative threat intelligence, organizations can proactively adapt their defenses against highly destructive operations.
The post New Vect 2.0 Ransomware Operation Expands Multi-Platform Attacks appeared first on Cyber Security News.
