Mallory
Malware · Ransomware · Used by 2 actors · Exploits 1 CVE

CipherForce

CipherForce is a ransomware operation associated with the financially motivated cybercriminal group TeamPCP. The content describes it as TeamPCP’s proprietary ransomware brand, distinct from the group’s separate partnership with the Vect ransomware ecosystem. TeamPCP publicly indicated via Telegram that CipherForce was a newer project and was seeking affiliates, and reporting assessed that the group was operating two parallel ransomware tracks: direct operations via CipherForce and distributed affiliate activity via Vect. TeamPCP is also tracked under the aliases PCPcat, ShellForce, DeadCatx3, and Persy_PCP, with CipherForce listed as one of its confirmed aliases/operational personas. The broader TeamPCP campaign involved large-scale software supply chain compromises across GitHub Actions, PyPI, npm, Docker Hub/GHCR, and OpenVSX; theft of roughly 300 GB of credentials and data; and subsequent monetization through credential exploitation and ransomware. A shared RSA-4096 public key embedded in payloads is cited as the strongest attribution artifact linking TeamPCP operations, including CipherForce. The available content does not provide high-confidence technical details on CipherForce’s encryption routine, ransom note contents, specific infection vector, or confirmed deployment victims, and one report explicitly states that no confirmed CipherForce deployments had yet been observed during the referenced campaign window.
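The summary above singles out one concrete hunting artifact: a shared RSA-4096 public key embedded in TeamPCP payloads. The following added example (not code from this page, Mallory, or any cited report) shows how a responder can sweep a memory dump, payload, or carved disk region for embedded RSA public keys in both PEM and raw DER form, report each key's modulus size and SHA-256 fingerprint, and compare the fingerprints against a watchlist. The page does not include the key itself, so the demo key, the sample blob, and the watchlist entry are all constructed placeholders; a real deployment would load the fingerprint of the published key from the vendor report.

```python
"""Hunt forensic artifacts for embedded RSA public keys and compare them to a
watchlist of known fingerprints. Standard library only; no real key material."""
import base64
import binascii
import hashlib
import re
from collections import namedtuple

# rsaEncryption OID (1.2.840.113549.1.1.1) as a DER OBJECT IDENTIFIER TLV, and the
# AlgorithmIdentifier SEQUENCE that precedes the key bits in every RSA
# SubjectPublicKeyInfo. That fixed byte run is the raw-DER search anchor.
RSA_OID_TLV = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"
RSA_ALG_ID = b"\x30\x0d" + RSA_OID_TLV + b"\x05\x00"
PEM_RE = re.compile(
    rb"-----BEGIN (?:RSA )?PUBLIC KEY-----(.*?)-----END (?:RSA )?PUBLIC KEY-----", re.S)

KeyHit = namedtuple("KeyHit", "offset encoding bits fingerprint")


def _der_len(buf, i):
    """Decode the DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _der_tlv(buf, i):
    """Return (tag, content, index after element) for the DER element at buf[i]."""
    tag = buf[i]
    length, start = _der_len(buf, i + 1)
    return tag, buf[start:start + length], start + length


def rsa_modulus_bits(der):
    """Modulus bit length of a DER RSAPublicKey or SubjectPublicKeyInfo, else None."""
    try:
        tag, body, _ = _der_tlv(der, 0)
        if tag != 0x30:
            return None
        t1, v1, nxt = _der_tlv(body, 0)
        if t1 == 0x30:  # SubjectPublicKeyInfo: AlgorithmIdentifier, then BIT STRING
            if v1 != RSA_ALG_ID[2:]:
                return None
            t2, v2, _ = _der_tlv(body, nxt)
            if t2 != 0x03 or not v2:
                return None
            return rsa_modulus_bits(v2[1:])  # drop the unused-bits byte
        if t1 == 0x02:  # RSAPublicKey: INTEGER modulus, INTEGER exponent
            return int.from_bytes(v1, "big").bit_length()
    except IndexError:
        pass
    return None


def find_rsa_public_keys(blob):
    """Return KeyHits (sorted by offset) for every PEM or raw-DER RSA public key in blob."""
    hits = []
    for m in PEM_RE.finditer(blob):
        try:
            der = base64.b64decode(re.sub(rb"\s+", b"", m.group(1)), validate=True)
        except (binascii.Error, ValueError):
            continue
        bits = rsa_modulus_bits(der)
        if bits:
            hits.append(KeyHit(m.start(), "pem", bits, hashlib.sha256(der).hexdigest()))
    pos = blob.find(RSA_ALG_ID)
    while pos >= 0:
        # The outer SEQUENCE header (2 to 4 bytes, depending on key size) sits just
        # before the AlgorithmIdentifier; accept it only if its length field points
        # exactly at pos and the whole element fits in the blob (no truncated keys).
        for hdr in (2, 3, 4):
            j = pos - hdr
            if j < 0 or blob[j] != 0x30:
                continue
            length, start = _der_len(blob, j + 1)
            end = start + length
            if start != pos or end > len(blob):
                continue
            bits = rsa_modulus_bits(blob[j:end])
            if bits:
                hits.append(KeyHit(j, "der", bits, hashlib.sha256(blob[j:end]).hexdigest()))
                break
        pos = blob.find(RSA_ALG_ID, pos + 1)
    return sorted(hits)


def match_watchlist(hits, watchlist):
    """Return (hit, label) pairs whose SHA-256 fingerprint is on the watchlist."""
    return [(h, watchlist[h.fingerprint]) for h in hits if h.fingerprint in watchlist]


# --- Constructed demo input: not real key material and not taken from the page ---
def _der_encode(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(value):
    b = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _der_encode(0x02, b"\x00" + b if b[0] & 0x80 else b)  # keep INTEGER positive


def build_rsa_spki(modulus, exponent=65537):
    """Encode a SubjectPublicKeyInfo for an RSA key (structure only, no math checks)."""
    rsa_pub = _der_encode(0x30, _der_int(modulus) + _der_int(exponent))
    return _der_encode(0x30, RSA_ALG_ID + _der_encode(0x03, b"\x00" + rsa_pub))


DEMO_SPKI = build_rsa_spki((1 << 4095) | 1)  # 4096-bit, structurally valid, not a real key
DEMO_PEM = (b"-----BEGIN PUBLIC KEY-----\n" + base64.encodebytes(DEMO_SPKI)
            + b"-----END PUBLIC KEY-----\n")
# Fake "memory dump": padding, a PE-like stub, one raw DER copy, junk, one PEM copy.
SAMPLE_BLOB = (b"\x00" * 64 + b"MZ" + b"\x90" * 14 + DEMO_SPKI + b"\xcc" * 32
               + DEMO_PEM + b"\xff" * 16)
# Placeholder watchlist; a real entry would be the published TeamPCP key fingerprint.
WATCHLIST = {hashlib.sha256(DEMO_SPKI).hexdigest(): "PLACEHOLDER: constructed demo key"}

if __name__ == "__main__":
    for hit, label in match_watchlist(find_rsa_public_keys(SAMPLE_BLOB), WATCHLIST):
        print(f"offset={hit.offset:#x} {hit.encoding} RSA-{hit.bits} "
              f"{hit.fingerprint[:16]}... -> {label}")
```

Fingerprinting the DER bytes rather than comparing raw moduli lets the same watchlist entry match a key whether it was found as PEM text or as a raw DER structure; the scanner also refuses keys whose DER length runs past the end of the buffer, so a key cut off at a carving boundary is not reported with a misleading smaller size.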


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE

CVE-2026-33634: Trivy supply chain compromise via malicious release and retagged GitHub Actions. Exploited in the wild.

CERT-EU disclosed on April 2-3, 2026 that the European Commission's Europa web hosting platform on AWS was breached through the Trivy supply chain compromise (CVE-2026-33634).

via Handlers Diary, isc.sans.edu
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Vect

A note on CipherForce ransomware blog, March 2026 (via KELA, kelacyber.com)

TeamPCP

A note on CipherForce ransomware blog, March 2026 (via KELA, kelacyber.com)
MITRE ATT&CK

Techniques & procedures

9 distinct techniques documented for this family, organized by ATT&CK tactic.

T1583 Acquire Infrastructure (evidence: 1)

TeamPCP's own Telegram channel states: "you may already know us as TeamPCP or Shellforce... CipherForce is a newer project we are starting to find affiliates."

T1588 Obtain Capabilities (evidence: 1)

CipherForce is a newer project we are starting to find affiliates... This means TeamPCP is running two parallel ransomware tracks simultaneously: their proprietary CipherForce program for direct operations, and the mass Vect affiliate program via BreachForums for distributed operations.

Initial Access

1 technique
T1133 External Remote Services (evidence: 1)

The strongest attribution link across all TeamPCP operations is a shared RSA-4096 public key embedded in payloads -- search for this key in forensic artifacts from any suspected TeamPCP exposure.

Persistence

1 technique
T1133 External Remote Services (evidence: 1)

The strongest attribution link across all TeamPCP operations is a shared RSA-4096 public key embedded in payloads -- search for this key in forensic artifacts from any suspected TeamPCP exposure.

Stealth

1 technique
T1027.014 Polymorphic Code (evidence: 1)
Tactic: Stealth

The strongest attribution link across all TeamPCP operations is a shared RSA-4096 public key embedded in payloads -- search for this key in forensic artifacts from any suspected TeamPCP exposure.

T1649 Steal or Forge Authentication Certificates (evidence: 3)

The strongest attribution link across all TeamPCP operations is a shared RSA-4096 public key embedded in payloads -- search for this key in forensic artifacts from any suspected TeamPCP exposure.

Exfiltration

1 technique
T1567.003 Exfiltration to Text Storage Sites (evidence: 1)

ShinyHunters published the stolen data on their dark web leak site on March 28

Impact

3 techniques
T1486 Data Encrypted for Impact (evidence: 8)
Tactic: Impact

New intelligence reveals that Vect is not TeamPCP's only ransomware channel... CipherForce is TeamPCP's own ransomware operation, separate from the Vect partnership. This means TeamPCP is running two parallel ransomware tracks simultaneously.

T1565 Data Manipulation (evidence: 1)
Tactic: Impact

The strongest attribution link across all TeamPCP operations is a shared RSA-4096 public key embedded in payloads -- search for this key in forensic artifacts from any suspected TeamPCP exposure.

T1657 Financial Theft (evidence: 2)
Tactic: Impact

ShinyHunters published the stolen data on their dark web leak site on March 28.

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 1 tracked

IPs, domains, and DNS infrastructure linked to this family.

Type: domain
Value: redacted on the public page (full value available in Mallory)
Latest sighting: 3 months ago