Illustration of a worm or malicious code infiltrating cloud servers and infrastructure, representing the TeamPCP cyberattack.
Cloud Under Siege: TeamPCP’s Worm-Driven Campaign Builds a Global Cybercrime Empire

A sophisticated and “worm-driven” cyberattack campaign, attributed to the notorious threat cluster TeamPCP, is systematically targeting cloud-native environments to establish a vast criminal infrastructure. Uncovered around December 25, 2025, this operation leverages a blend of exposed APIs, misconfigurations, and critical vulnerabilities to create a self-propagating ecosystem for illicit activities, posing a significant threat to organizations globally.

TeamPCP’s Rise: From Telegram to Global Threat

Known by various aliases including DeadCatx3, PCPcat, PersyPCP, and ShellForce, TeamPCP has been active since at least November 2025, with their presence on Telegram dating back to July 30, 2025. Their Telegram channel, boasting over 700 members, serves as a platform for publishing stolen data from victims spanning Canada, Serbia, South Korea, the U.A.E., and the U.S. Cybersecurity firm Flare, building on earlier documentation by Beelzebub (Operation PCPcat), has shed light on the group’s ambitious goals: to construct a distributed proxy and scanning network, compromise servers for data exfiltration, deploy ransomware, conduct extortion, and mine cryptocurrency.

The Worm’s Reach: Exploiting Cloud Vulnerabilities

TeamPCP operates as a cloud-native cybercrime platform, meticulously exploiting common weaknesses in modern infrastructure. Their primary infection pathways include:

  • Exposed Docker APIs
  • Misconfigured Kubernetes clusters
  • Vulnerable Ray dashboards
  • Insecure Redis servers
  • The recently disclosed React2Shell vulnerability (CVE-2025-55182, CVSS score: 10.0) and another React flaw (CVE-2025-29927)
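The first pathway in the list above, an exposed Docker API, is something a defender can check for in the daemon's own configuration. The audit below is an added example, not from the article or from any TeamPCP tooling: it parses a daemon.json-shaped document and flags a plain TCP listener with no TLS client authentication, shown next to a hardened variant (both configs are constructed samples; the certificate paths are assumptions).

```python
"""Audit a Docker daemon configuration (daemon.json shape) for an exposed API."""
import json

# Constructed sample: the exposure pattern the article names, i.e. the daemon
# listening on plain TCP on every interface with no TLS client authentication.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: TCP kept for remote management, but bound to one address
# and protected by TLS with mandatory client certificates (paths are assumed).
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_docker_daemon(daemon_json: str) -> list[str]:
    """Return findings for every TCP listener; an empty list means no exposed API."""
    cfg = json.loads(daemon_json)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    for host in tcp_hosts:
        bind = host[len("tcp://"):]
        # Binding on all interfaces is what internet-wide scanners pick up.
        if bind.startswith("0.0.0.0") or bind.startswith("[::]"):
            findings.append(f"{host}: API bound on all interfaces")
        # Without tlsverify anyone who can reach the port controls the daemon.
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: TCP listener without tlsverify (no client auth)")
        elif not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
            findings.append(f"{host}: tlsverify set but certificate paths missing")
    return findings
```

The same settings also appear as dockerd command-line flags (`-H`, `--tlsverify`), so a host that configures the daemon through its service unit rather than daemon.json needs the flags checked too.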

Once breached, the compromised infrastructure isn’t just used for initial data theft or extortion. It’s repurposed for a myriad of other criminal endeavors, from cryptocurrency mining and data hosting to functioning as proxy and command-and-control (C2) relays, effectively turning legitimate cloud resources into components of their illicit network.

Industrialized Cybercrime: TeamPCP’s Strategic Approach

What makes TeamPCP particularly dangerous isn’t a reliance on groundbreaking new exploits, but rather their masterful integration and industrialization of existing attack techniques. By automating the exploitation process using tried-and-tested tools, known vulnerabilities, and prevalent misconfigurations, they transform exposed infrastructure into a “self-propagating criminal ecosystem,” as noted by Flare researchers. This systematic approach allows them to operate at an unprecedented scale, turning every successful breach into a stepping stone for further expansion.

A Toolkit for Domination: Key Payloads Unpacked

Successful exploitation leads to the deployment of sophisticated next-stage payloads designed for persistence, propagation, and monetization. These include shell- and Python-based scripts:

  • proxy.sh: A core component that installs proxy, peer-to-peer (P2P), and tunneling utilities. Crucially, it performs environment fingerprinting, checking for Kubernetes environments and deploying cluster-specific payloads if detected, demonstrating TeamPCP’s tailored approach to cloud-native targets.
  • scanner.py: Designed to discover misconfigured Docker APIs and Ray dashboards by leveraging CIDR lists from a GitHub account linked to “DeadCatx3.” It also includes functionality for cryptocurrency mining via mine.sh.
  • kube.py: Focuses on Kubernetes, harvesting cluster credentials, discovering resources like pods and namespaces, and then dropping proxy.sh into accessible pods for wider propagation. It also establishes persistence by deploying a privileged pod on every node.
  • react.py: Specifically crafted to exploit the React flaw (CVE-2025-29927) for large-scale remote command execution.
  • pcpcat.py: Automates the discovery of exposed Docker APIs and Ray dashboards across vast IP ranges, deploying malicious containers or jobs with Base64-encoded payloads.
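The persistence step attributed to kube.py above, a privileged pod on every node, leaves a pattern a cluster audit can look for. The check below is an added example, not the article's or TeamPCP's code: it reads a pod list shaped like `kubectl get pods -A -o json` (a constructed sample here) and reports privileged pods with no controller owner that have landed on every node. Treating an `ownerReferences` entry as "expected" is an assumption of this example, since DaemonSets such as CNI agents are legitimately privileged and node-wide.

```python
"""Flag privileged, controller-less pods present on every node of a cluster."""
import json
from collections import defaultdict


def _pod(ns, name, image, node, privileged, owner=None):
    # Build one pod object in the kubectl JSON shape (constructed sample data).
    meta = {"namespace": ns, "name": name}
    if owner:
        meta["ownerReferences"] = [{"kind": owner, "name": f"{owner.lower()}-x"}]
    return {"metadata": meta, "spec": {
        "nodeName": node,
        "containers": [{"image": image,
                        "securityContext": {"privileged": privileged}}]}}


NODES = ["node-a", "node-b", "node-c"]
SAMPLE_POD_LIST = json.dumps({"items": [
    # A CNI agent: privileged on every node, but owned by a DaemonSet.
    *[_pod("kube-system", f"cni-{n}", "cni:1.0", n, True, "DaemonSet") for n in NODES],
    # Bare privileged pods created node by node with no controller owner.
    *[_pod("default", f"pcp-{n}", "alpine:latest", n, True) for n in NODES],
    # Ordinary unprivileged workload managed by a ReplicaSet.
    _pod("default", "web", "nginx:1.27", "node-a", False, "ReplicaSet"),
]})


def find_node_wide_privileged_pods(pod_list_json: str, nodes: list[str]) -> list[dict]:
    """Return (namespace, image) groups of privileged pods without an owner
    that are scheduled on every node in `nodes`."""
    items = json.loads(pod_list_json)["items"]
    coverage = defaultdict(set)  # (namespace, image) -> nodes it runs on
    for pod in items:
        spec, meta = pod["spec"], pod["metadata"]
        if meta.get("ownerReferences"):
            continue  # controller-managed; DaemonSets are expected node-wide
        for c in spec.get("containers", []):
            if c.get("securityContext", {}).get("privileged"):
                coverage[(meta["namespace"], c["image"])].add(spec.get("nodeName"))
    return [{"namespace": ns, "image": img, "nodes": sorted(n)}
            for (ns, img), n in coverage.items() if n >= set(nodes)]
```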

Flare also identified a C2 server node (67.217.57[.]240) linked to the operation of Sliver, an open-source C2 framework often abused for post-exploitation activities.

Global Impact and Opportunistic Targets

While TeamPCP’s attacks are primarily opportunistic, targeting infrastructure that aligns with their goals rather than specific industries, their impact is widespread. Data indicates a strong focus on Amazon Web Services (AWS) and Microsoft Azure environments. Organizations running such infrastructure often become “collateral victims,” their resources unwittingly conscripted into TeamPCP’s burgeoning criminal enterprise.

As Flare security researcher Assaf Morag aptly summarizes, “The PCPcat campaign demonstrates a full lifecycle of scanning, exploitation, persistence, tunneling, data theft, and monetization built specifically for modern cloud infrastructure. What makes TeamPCP dangerous is not technical novelty, but their operational integration and scale.” This sophisticated, automated approach to cybercrime underscores the critical need for robust cloud security practices and continuous vigilance against evolving threats.
