cipherforce

Ransomware group profile

12Victims

VietnamSource country

47Impact score

Description

CipherForce is a financially motivated ransomware group that emerged in February 2026 as part of TeamPCP. Utilizing a dual-track extortion model, the group executes direct attacks on high-value targets while leveraging ransomware-as-a-service for wider campaigns, focusing on double extortion tactics to maximize financial gain.

Key insights

•Operates under multiple aliases including PCPcat and DeadCatx3, linked to TeamPCP.
•Employs supply chain compromises to gain initial access, particularly targeting vulnerabilities in developer environments.
•Utilizes proprietary ransomware with a shared RSA-4096 public key for encryption.
•Involves credential harvesting from GitHub and npm tokens as part of its access strategy.
•Conducts both direct ransomware attacks and broader affiliate campaigns via Vect Ransomware.
•Data is exfiltrated and threatened for public leakage if ransom is not paid, employing a dual extortion model.
•Utilizes a Tor-based data leak site for releasing stolen information.

Industries

Financial Services Government & Defense Manufacturing Other Professional Services Retail & E-Commerce Technology Transportation

Threat Level & Status Breakdown

For cipherforce · Based on incidents in selected period

1threat level

Aggressiveness3/ 10

Lethality0/ 10

Criticality0/ 10

Status Breakdown

Claimed100.0%12

First seenFeb 2026

Last seenMar 2026

Avg ransom—

Payment rate—

Statusactive

Sophistication0

Last updatedJun 2, 2026

Recent activity

Monthly attack count for cipherforce in the selected period

12Total attacks

6peak in Feb

6avg / month

No intelligence data for this group.

TTPs & Attack Vectors

Tools, initial access, and MITRE ATT&CK techniques for cipherforce

Other

T1486

T1490

T1078

T1550

T1021

T1562

T1059

T1547

T1046

T1069

T1033

Victims(12)

Company	Domain	Country	Industry	Status	Discovered
BMW Group Internal Documents/Recon	—	—	Manufacturing	Claimed	2 months ago
Sportradar	sportradar.io	US United States	Financial Services	Claimed	2 months ago
Tuna	tuna.uy	UY Uruguay	Financial Services	Claimed	2 months ago
Liberty Tax	—	US United States	Financial Services	Claimed	3 months ago
TCT Broadband Solutions	—	—	Technology	Claimed	3 months ago
Telcom Live Content Inc	—	—	Technology	Claimed	3 months ago
Accuick	accuick.com	US United States	Technology	Claimed	3 months ago
Zip24 - ShipOx	shipox.com	AE United Arab Emirates	Transportation	Claimed	3 months ago
FindNear	findnear.vn	VN Vietnam	Technology	Claimed	3 months ago
tektreeinc.com	tektreeinc.com	IN India	Technology	Claimed	3 months ago
hiringsteps.com	hiringsteps.com	US United States	Professional Services	Claimed	3 months ago
Biaodianyun Group Ltd	—	CN China	Technology	Claimed	3 months ago

Affected countries(13)

Countries where this group has been reported to target or leak victims.

🇦🇪United Arab Emirates 🇦🇺Australia 🇨🇦Canada 🇨🇭Switzerland 🇨🇳China 🇩🇪Germany 🇮🇳India Iran, Islamic Republic of Korea, Republic of 🇷🇸Serbia 🇺🇸United States 🇺🇾Uruguay 🇻🇳Vietnam