
TeamPCP did a Massive Campaign Exploiting Docker, Kubernetes, and React2Shell


Cybersecurity researchers have drawn attention to a “massive campaign” that has systematically targeted cloud-native environments to establish malicious infrastructure for follow-on exploitation.

Specifically, researchers observed the activity around December 25, 2025 and described it as “worm-driven.” The attackers leveraged exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers, along with the recently disclosed React2Shell vulnerability (CVE-2025-55182, CVSS score: 10.0). Analysts have attributed the campaign to a threat cluster known as TeamPCP, also tracked as DeadCatx3, PCPcat, PersyPCP, and ShellForce.

TeamPCP’s Emergence and Public Footprint

Notably, TeamPCP has remained active since at least November 2025, with its first recorded Telegram activity dating back to July 30, 2025. At present, the TeamPCP Telegram channel counts more than 700 members, where the group publishes stolen data from victims across Canada, Serbia, South Korea, the U.A.E., and the U.S.

Meanwhile, Beelzebub first documented details of the threat actor in December 2025 under the name Operation PCPcat.

According to Flare, the operation focuses on scale and monetization rather than stealth.

“The operation’s goals were to build a distributed proxy and scanning infrastructure at scale, then compromise servers to exfiltrate data, deploy ransomware, conduct extortion, and mine cryptocurrency,” Flare security researcher Assaf Morag said in a report published last week.

In practice, TeamPCP functions as a cloud-native cybercrime platform. The group leverages misconfigured Docker APIs, Kubernetes APIs, Ray dashboards, Redis servers, and vulnerable React/Next.js applications as its primary infection pathways. Through these entry points, the attackers breach modern cloud infrastructure to facilitate data theft and extortion.

In addition to these activities, the attackers actively misuse compromised infrastructure for a broad range of secondary purposes. These include cryptocurrency mining, data hosting, and operating proxy and command-and-control (C2) relays.

Rather than introducing new tradecraft, TeamPCP relies on tried-and-tested attack techniques. The group uses existing tools, known vulnerabilities, and widespread misconfigurations to build an exploitation platform that automates and industrializes the entire process. As a result, the attackers transform exposed infrastructure into what Flare described as a “self-propagating criminal ecosystem.”

Payload Deployment and Lateral Expansion

Once attackers achieve successful exploitation, they deploy next-stage payloads from external servers. These payloads include shell- and Python-based scripts that actively search for new targets to expand the campaign further.

At the center of this activity sits “proxy.sh,” a core component that installs proxy, peer-to-peer (P2P), and tunneling utilities. The script also deploys multiple scanners that continuously search the internet for vulnerable and misconfigured servers.

“Notably, proxy.sh performs environment fingerprinting at execution time,” Morag said. “Early in its runtime, it checks whether it is running inside a Kubernetes cluster.”

“If a Kubernetes environment is detected, the script branches into a separate execution path and drops a cluster-specific secondary payload, indicating that TeamPCP maintains distinct tooling and tradecraft for cloud-native targets rather than relying on generic Linux malware alone.”

Beyond proxy.sh, the operation relies on several specialized payloads, including:

  • scanner.py, which identifies misconfigured Docker APIs and Ray dashboards by downloading Classless Inter-Domain Routing (CIDR) lists from a GitHub account named DeadCatx3, while also offering the option to run a cryptocurrency miner (“mine.sh”).
  • kube.py, which provides Kubernetes-specific capabilities to harvest cluster credentials and conduct API-based discovery of resources such as pods and namespaces. The script then drops “proxy.sh” into accessible pods for wider propagation and establishes persistence by deploying a privileged pod on every node that mounts the host.
  • react.py, which exploits the React vulnerability (CVE-2025-29927) to achieve remote command execution at scale.
  • pcpcat.py, which scans large IP address ranges to identify exposed Docker APIs and Ray dashboards and automatically deploys a malicious container or job that executes a Base64-encoded payload.
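The persistence mechanism described for kube.py (a privileged pod on every node that mounts the host filesystem) is easy to hunt for in a cluster's own pod inventory. The following is an added, defender-side example, not code from Flare or from the campaign's tooling; it assumes input in the shape of `kubectl get pods -A -o json` and uses a constructed sample pod list rather than real campaign data.

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json` (not real data).
# The second pod mirrors the pattern described in the article: privileged,
# hostPath-mounting the node root, owned by a DaemonSet so it lands on every node.
SAMPLE_POD_LIST = json.dumps({"items": [
    {"metadata": {"name": "web-7c9", "namespace": "shop"},
     "spec": {"containers": [{"name": "app", "image": "shop/web:1.4"}]}},
    {"metadata": {"name": "node-helper-x1", "namespace": "default",
                  "ownerReferences": [{"kind": "DaemonSet", "name": "node-helper"}]},
     "spec": {"hostPID": True,
              "containers": [{"name": "h", "image": "alpine",
                              "securityContext": {"privileged": True},
                              "volumeMounts": [{"name": "host", "mountPath": "/host"}]}],
              "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}},
]})

# hostPath targets that give a container effective control of the node.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/lib/kubelet", "/var/run/docker.sock")


def pod_findings(pod):
    """Return risk indicators for one pod object (empty list means nothing suspicious)."""
    spec = pod.get("spec", {})
    findings = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(flag)
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"privileged:{c['name']}")
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path is not None and path.rstrip("/") + "/" in tuple(p.rstrip("/") + "/" for p in SENSITIVE_HOST_PATHS):
                findings.append(f"hostPath:{path}")
    for owner in pod.get("metadata", {}).get("ownerReferences", []):
        if owner.get("kind") == "DaemonSet":
            findings.append("owner:DaemonSet")  # runs on every node
    return findings


def flag_host_escape_pods(pod_list_json):
    """Map 'namespace/name' -> findings for pods that are privileged AND mount a sensitive hostPath."""
    flagged = {}
    for pod in json.loads(pod_list_json)["items"]:
        f = pod_findings(pod)
        if any(x.startswith("privileged:") for x in f) and any(x.startswith("hostPath:") for x in f):
            meta = pod["metadata"]
            flagged[f"{meta['namespace']}/{meta['name']}"] = f
    return flagged
```

Run it against the real export with `flag_host_escape_pods(open("pods.json").read())`; a legitimate node agent may match too, so treat hits as review items, not verdicts.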

In parallel, Flare linked a C2 server located at 67.217.57[.]240 to the operation. Analysts also connected the node to Sliver, an open-source C2 framework frequently abused by threat actors for post-exploitation activity.

Cloud Providers and Why TeamPCP is a Risk

Data from the cybersecurity company indicates that the threat actors primarily target Amazon Web Services (AWS) and Microsoft Azure environments. Analysts assess the attacks as opportunistic, focusing on infrastructure that supports the group’s objectives rather than specific industries. Consequently, organizations running such infrastructure become “collateral victims” of the campaign.

“The PCPcat campaign demonstrates a full lifecycle of scanning, exploitation, persistence, tunneling, data theft, and monetization built specifically for modern cloud infrastructure,” Morag said. “What makes TeamPCP dangerous is not technical novelty, but their operational integration and scale. Deeper analysis shows that most of their exploits and malware are based on well-known vulnerabilities and lightly modified open-source tools.”

“At the same time, TeamPCP blends infrastructure exploitation with data theft and extortion. Leaked CV databases, identity records, and corporate data are published through ShellForce to fuel ransomware, fraud, and cybercrime reputation building. This hybrid model allows the group to monetize both compute and information, giving it multiple revenue streams and resilience against takedowns.”


Source: TheHackerNews
