AWS: TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure

TeamPCP Launches Large-Scale Cloud-Native Cybercrime Campaign

Cybersecurity researchers have uncovered a worm-driven campaign orchestrated by the threat group TeamPCP (also known as DeadCatx3, PCPcat, PersyPCP, and ShellForce), which has systematically targeted cloud-native environments to establish malicious infrastructure for follow-on exploitation. The operation, active since at least November 2025, was first observed around December 25, 2025, and leverages exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and the critical React2Shell vulnerability (CVE-2025-55182, CVSS 10.0).

TeamPCP operates as a cloud-native cybercrime platform, exploiting misconfigurations and known vulnerabilities to breach modern cloud infrastructure. The group’s activities were first documented in December 2025 under Operation PCPcat; its Telegram channel, active since July 30, 2025, now hosts over 700 members and publishes stolen data from victims in Canada, Serbia, South Korea, the U.A.E., and the U.S.

The campaign’s objectives include building a distributed proxy and scanning infrastructure, compromising servers for data exfiltration, ransomware deployment, extortion, and cryptocurrency mining. Rather than employing novel techniques, TeamPCP relies on automated, industrialized exploitation of well-known vulnerabilities and misconfigurations, transforming compromised infrastructure into a self-propagating criminal ecosystem.

Key components of the attack include:

  • proxy.sh: Installs proxy, P2P, and tunneling utilities, along with scanners to identify vulnerable servers. It performs environment fingerprinting, branching into Kubernetes-specific execution paths if detected.
  • scanner.py: Scans for misconfigured Docker APIs and Ray dashboards using CIDR lists from a GitHub account (DeadCatx3), with options to deploy a cryptocurrency miner (mine.sh).
  • kube.py: Harvests Kubernetes cluster credentials, discovers resources, and propagates proxy.sh across pods while establishing persistent backdoors via privileged pods.
  • react.py: Exploits CVE-2025-29927 in React applications for remote command execution.
  • pcpcat.py: Automates the discovery of exposed Docker APIs and Ray dashboards, deploying malicious containers with Base64-encoded payloads.
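
As an added illustration (not code from the article, from TeamPCP's tooling, or from the Docker or Kubernetes projects), the following Python checks flag two of the conditions the components above depend on: a Docker daemon whose Engine API is bound to TCP without TLS, and a Kubernetes pod spec requesting the privileged access a backdoor pod needs. The daemon.json and pod spec fields used are standard; the sample inputs are constructed.

```python
"""Audit checks for two misconfigurations this campaign abuses: a Docker
Engine API bound to TCP without TLS, and Kubernetes pod specs that request
privileged access (the persistence pattern described above). Constructed
sample inputs are embedded below; illustrative code, not TeamPCP tooling."""
import json
from typing import Dict, List


def docker_api_findings(daemon_json: str) -> List[str]:
    """Flag 'hosts' entries in a Docker daemon.json that expose the Engine
    API over plain TCP without tlsverify, the exposure the campaign's
    scanners look for."""
    cfg = json.loads(daemon_json)
    tls = bool(cfg.get("tlsverify", False))
    return [f"Docker API exposed without TLS on {h}"
            for h in cfg.get("hosts", []) if h.startswith("tcp://") and not tls]


def pod_findings(pod: Dict) -> List[str]:
    """Flag pod specs with privileged containers, host namespaces or hostPath
    mounts: the settings a privileged backdoor pod would need."""
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    if spec.get("hostPID") or spec.get("hostNetwork"):
        findings.append(f"{name}: shares host PID/network namespace")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{name}: hostPath mount of {vol['hostPath'].get('path')}")
    for c in spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"{name}/{c['name']}: privileged container")
    return findings


# Constructed samples (not real configs from any victim).
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_POD = {
    "metadata": {"name": "suspect-pod"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "c", "image": "alpine",
                        "securityContext": {"privileged": True}}],
    },
}

if __name__ == "__main__":
    for f in docker_api_findings(SAMPLE_DAEMON_JSON) + pod_findings(SAMPLE_POD):
        print("FINDING:", f)
```

Point `docker_api_findings` at the daemon.json files of your hosts and `pod_findings` at the output of `kubectl get pods -A -o json` (one item at a time) to turn this into a quick fleet check.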

The campaign’s command-and-control (C2) server (67.217.57[.]240) has been linked to Sliver, an open-source C2 framework frequently abused by threat actors. Targets are primarily AWS and Microsoft Azure environments, with attacks being opportunistic rather than industry-specific, making organizations running such infrastructure collateral victims.

TeamPCP’s hybrid monetization model combines infrastructure exploitation, data theft, and extortion, with stolen data including CV databases, identity records, and corporate files published via ShellForce to fuel ransomware, fraud, and cybercrime reputation-building. The group’s reliance on modified open-source tools and known vulnerabilities underscores its focus on scale and operational integration rather than technical innovation.

Source: https://thehackernews.com/2026/02/teampcp-worm-exploits-cloud.html

Dawson James Securities, Inc. cybersecurity rating report: https://www.rankiteo.com/company/dawson-james-securities
