Oracle Cloud, Azure and AWS: TeamPCP Turns Cloud Infrastructure into Crime Bots

TeamPCP Exploits Cloud Misconfigurations in Large-Scale Cybercrime Operation

A threat actor known as TeamPCP (also operating under aliases like PCPcat and ShellForce) is conducting automated, worm-like attacks on misconfigured and exposed cloud management services, compromising at least 60,000 servers worldwide since late December. The group’s campaign primarily targets Azure (60% of attacks), AWS (37%), and Google and Oracle cloud environments, exploiting well-documented vulnerabilities and misconfigurations rather than developing new attack methods.

TeamPCP’s operations involve scanning for exposed Docker APIs, Kubernetes clusters, Ray dashboards, and systems with leaked secrets (such as .env files). Once inside, the group deploys malicious Python and shell scripts to install proxies, tunneling software, and persistence mechanisms, effectively converting compromised infrastructure into a self-propagating botnet. A key tool in their arsenal is the React2Shell vulnerability (CVE-2025-29927), which allows remote command execution and data exfiltration.
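Two of the exposure classes listed above, an unauthenticated Docker API and a .env file holding live credentials, are configuration defects a defender can audit before a scanner finds them. The following is an added example and not code from the Dark Reading article, from Flare, or from Rankiteo: it checks a Docker daemon.json for a tcp:// listener that lacks TLS client authentication (the keys hosts, tls and tlsverify are Docker's own) and flags .env variables whose names look like credentials and whose values are literals rather than references. The sample daemon.json and .env contents are constructed, and the directory walk assumes nothing about where such files live on a given host.

```python
"""Audit helpers for two cloud/container exposures: a Docker daemon listening
on TCP without mutual TLS, and .env files carrying literal secrets.
Added example; the daemon.json keys are real Docker settings, the sample
contents below are constructed."""
import json
import re
import sys
from pathlib import Path

# Bind addresses that expose a listener on every interface.
ANY_INTERFACE = {"0.0.0.0", "", "::", "[::]"}


def audit_docker_daemon_config(config_text: str) -> list[str]:
    """Return findings for a daemon.json document given as a JSON string.

    A tcp:// listener with neither "tls" nor "tlsverify" hands the full
    Docker API (container creation, host mounts) to anyone who can reach the
    port; "tls" alone encrypts the channel but does not authenticate clients,
    only "tlsverify" requires a client certificate.
    """
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"daemon.json is not valid JSON: {exc}"]
    hosts = cfg.get("hosts", [])
    if isinstance(hosts, str):
        hosts = [hosts]
    findings = []
    for listener in hosts:
        if not listener.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local to the host
        bind = listener[len("tcp://"):].rsplit(":", 1)[0]
        if cfg.get("tlsverify"):
            if bind in ANY_INTERFACE:
                findings.append(f"INFO {listener}: mutual TLS on, but bound to "
                                "all interfaces; restrict by firewall/security group")
        elif cfg.get("tls"):
            findings.append(f"HIGH {listener}: TLS without tlsverify, any client "
                            "can drive the API")
        else:
            findings.append(f"CRITICAL {listener}: plaintext, unauthenticated Docker API")
    return findings


# Variable names that usually carry credential material.
SECRET_NAME = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|ACCESS_KEY|PRIVATE_KEY",
                         re.IGNORECASE)


def find_env_secrets(env_text: str) -> list[str]:
    """Return names of .env variables that look like credentials and hold a
    literal value; empty values and references such as ${VAULT_TOKEN} are skipped."""
    names = []
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip("\"'")
        if SECRET_NAME.search(key) and value and not value.startswith("${"):
            names.append(key)
    return names


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a directory and audit every daemon.json and .env* file found."""
    report: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if path.name == "daemon.json":
            report[str(path)] = audit_docker_daemon_config(path.read_text())
        elif path.name.startswith(".env") and path.is_file():
            hits = find_env_secrets(path.read_text())
            if hits:
                report[str(path)] = [f"literal secret in {name}" for name in hits]
    return report


# Constructed samples, not configuration taken from any victim or vendor.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_ENV = """# constructed sample .env
DB_HOST=db.internal
DB_PASSWORD="hunter2"
export AWS_SECRET_ACCESS_KEY=EXAMPLE_NOT_A_REAL_KEY
APP_TOKEN=${VAULT_TOKEN}
DEBUG=true
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, findings in scan_tree(Path(sys.argv[1])).items():
            for finding in findings:
                print(f"{path}: {finding}")
    else:
        for finding in audit_docker_daemon_config(SAMPLE_DAEMON_JSON):
            print(finding)
        print("secret-bearing .env variables:", find_env_secrets(SAMPLE_ENV))
```

Run without arguments to see the constructed samples flagged; pass a directory to audit real files. The .env check deliberately reports variable names only, so its output can go into a ticket without copying the secret itself.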

The group monetizes its attacks through multiple revenue streams, including:

  • Cryptocurrency mining using hijacked compute resources.
  • Data theft and extortion, with stolen records including personal IDs, employment records, and résumés published on a leak site operated by an affiliate, ShellForce.
  • Selling access to compromised systems for use as proxies or command-and-control infrastructure.
  • Ransomware deployment, leveraging infected systems as launchpads for further attacks.

Notably, TeamPCP has targeted JobsGO, a Vietnamese recruitment platform, exfiltrating over two million records containing sensitive personal and professional data. Most victims are located in South Korea, Canada, the U.S., Serbia, and the UAE, with stolen information often used for phishing, impersonation, or account takeovers.

Despite its sophistication, TeamPCP’s techniques are not novel: the group relies on automated exploitation of known vulnerabilities and recycled tooling. Security firm Flare warns that the threat actor’s strength lies in its large-scale automation, turning exposed cloud infrastructure into a distributed criminal ecosystem. The group also maintains a Telegram channel (launched in November, with ~700 members) for updates and reputation-building, though researchers suggest it may have operated under previous aliases.

The campaign underscores the risks of unsecured cloud control planes, leaked credentials, and poor access controls, as TeamPCP continues to industrialize existing attack vectors with alarming efficiency.

Source: https://www.darkreading.com/cloud-security/teampcp-cloud-infrastructure-crime-bots

Amazon Web Services (AWS) cybersecurity rating report: https://www.rankiteo.com/company/amazon-web-services

Oracle Cloud cybersecurity rating report: https://www.rankiteo.com/company/oracle-cloud

Microsoft Azure cybersecurity rating report: https://www.rankiteo.com/company/microsoft-azure

{
"id": "AMAORAMIC1770695748",
"linkid": "amazon-web-services, oracle-cloud, microsoft-azure",
"type": "Cyber Attack",
"date": "12/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'customers_affected': 'Over two million records '
                                              'exposed',
                        'industry': 'Human Resources/Recruitment',
                        'location': 'Vietnam',
                        'name': 'JobsGO',
                        'type': 'Recruitment platform'},
                       {'customers_affected': '60,000+ servers compromised',
                        'industry': 'Technology/Cloud Computing',
                        'location': ['South Korea',
                                     'Canada',
                                     'U.S.',
                                     'Serbia',
                                     'UAE'],
                        'type': 'Cloud service providers'}],
 'attack_vector': ['Exposed Docker APIs',
                   'Kubernetes clusters',
                   'Ray dashboards',
                   'Leaked secrets (.env files)',
                   'React2Shell vulnerability (CVE-2025-29927)'],
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': 'Over two million',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (personally identifiable and '
                                        'professional information)',
                 'type_of_data_compromised': ['Personal IDs',
                                              'Employment records',
                                              'Résumés']},
 'date_detected': 'late December',
 'description': 'A threat actor known as TeamPCP (also operating under aliases '
                'like PCPcat and ShellForce) is conducting automated, '
                'worm-like attacks on misconfigured and exposed cloud '
                'management services, compromising at least 60,000 servers '
                'worldwide since late December. The group’s campaign primarily '
                'targets Azure (60% of attacks), AWS (37%), and Google and '
                'Oracle cloud environments, exploiting well-documented '
                'vulnerabilities and misconfigurations. TeamPCP deploys '
                'malicious Python and Shell scripts to install proxies, '
                'tunneling software, and persistence mechanisms, converting '
                'compromised infrastructure into a self-propagating botnet. '
                'The group monetizes its attacks through cryptocurrency '
                'mining, data theft and extortion, selling access to '
                'compromised systems, and ransomware deployment.',
 'impact': {'data_compromised': 'Over two million records (personal IDs, '
                                'employment records, résumés)',
            'identity_theft_risk': 'High (personal and professional data used '
                                   'for phishing, impersonation, or account '
                                   'takeovers)',
            'operational_impact': 'Compromised infrastructure converted into a '
                                  'botnet for further attacks',
            'systems_affected': '60,000+ servers worldwide'},
 'initial_access_broker': {'backdoors_established': True,
                           'data_sold_on_dark_web': True,
                           'entry_point': ['Exposed Docker APIs',
                                           'Kubernetes clusters',
                                           'Ray dashboards',
                                           'Leaked secrets']},
 'lessons_learned': 'The incident underscores the risks of unsecured cloud '
                    'control planes, leaked credentials, and poor access '
                    'controls, highlighting the need for robust cloud security '
                    'practices.',
 'motivation': ['Financial gain',
                'Data extortion',
                'Cryptocurrency mining',
                'Selling access to compromised systems'],
 'post_incident_analysis': {'root_causes': ['Cloud misconfigurations',
                                            'Exposed management services',
                                            'Leaked credentials']},
 'ransomware': {'data_exfiltration': True},
 'recommendations': ['Secure exposed Docker APIs, Kubernetes clusters, and Ray '
                     'dashboards',
                     'Implement strict access controls and secrets management',
                     'Monitor for leaked credentials and misconfigurations',
                     'Enhance detection of automated exploitation attempts',
                     'Segment cloud networks to limit lateral movement'],
 'references': [{'source': 'Flare (security firm)'},
                {'source': 'TeamPCP Telegram channel'}],
 'response': {'third_party_assistance': 'Flare (security firm)'},
 'threat_actor': 'TeamPCP (aka PCPcat, ShellForce)',
 'title': 'TeamPCP Exploits Cloud Misconfigurations in Large-Scale Cybercrime '
          'Operation',
 'type': ['Cloud Misconfiguration Exploitation',
          'Botnet',
          'Data Theft',
          'Ransomware'],
 'vulnerability_exploited': ['CVE-2025-29927 (React2Shell)',
                             'Cloud misconfigurations',
                             'Leaked credentials']}