Microsoft Azure and TeamPCP: TeamPCP Turns Cloud Misconfigurations Into Scalable Cybercrime Engine

TeamPCP Launches Large-Scale Cloud Exploitation Campaign Targeting Misconfigured Infrastructure

A threat group tracked as TeamPCP (also known as PCPcat, ShellForce, and DeadCatx3) has orchestrated a widespread cloud exploitation campaign, converting vulnerable cloud infrastructure into a self-propagating cybercrime platform. Active since late 2025, the group focuses on exposed cloud control planes rather than traditional endpoint malware, leveraging weak configurations and publicly accessible management interfaces for initial access.

The campaign peaked around December 25, 2025, with hundreds of compromised servers running attacker-controlled containers. Researchers identified at least 185 confirmed Docker compromises in one phase, though the true scale is likely far larger. Targets include exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and applications vulnerable to React2Shell (CVE-2025-29927).

Automated Worm-Like Propagation

At the core of the operation is proxy.sh, a script that deploys tunneling tools (FRPS, gost), scanners, and persistence mechanisms. If running inside Kubernetes, it executes kube.py, which enumerates cluster resources, harvests credentials, and spreads laterally via privileged DaemonSets that mount host filesystems. Another module, react.py, exploits React2Shell vulnerabilities in Next.js applications, extracting environment variables, cloud credentials, SSH keys, and Git tokens before exfiltrating data to attacker-controlled servers.

A high-volume scanner, pcpcat.py, pulls CIDR ranges from public cloud providers and automatically deploys malicious containers on exposed Docker and Ray APIs, creating a worm-like feedback loop where each infected system becomes a new propagation node.

Hybrid Monetization: Mining, Proxies, and Data Theft

TeamPCP repurposes compromised servers for multiple revenue streams:

  • Cryptomining (XMRig, often obfuscated with double base64 encoding)
  • Proxy and tunneling infrastructure
  • C2 relays and internet scanning platforms
  • Data theft staging servers

While mining revenue appears modest, the group has leaked sensitive data, including 2.3 million job applicant records from a recruitment platform, containing names, birthdates, employment histories, and contact details.

Cloud-First Targeting Strategy

Most compromised infrastructure is hosted on public cloud providers, with Azure accounting for 61% of observed victims and AWS for 36%. The campaign demonstrates the industrialization of known weaknesses: it abuses exposed Docker, Kubernetes, and Redis services rather than relying on novel exploits.

Defensive measures against such attacks include restricting public access to management APIs, enforcing authentication, preventing privileged containers, and monitoring for unauthorized DaemonSets and job submissions.
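As an added example (not code from the article or from the researchers it cites), the following Python script audits the output of `kubectl get daemonsets,jobs -A -o json` for the patterns the paragraph names: privileged containers, hostPath mounts of the node filesystem, shared host PID or network namespaces, and DaemonSets or Jobs that are not on a reviewed allowlist. The allowlist, the sensitive-path list, and the three sample objects embedded below are constructed assumptions for this illustration, not data from the report.

```python
"""
Audit Kubernetes DaemonSets and Jobs for unauthorized or over-privileged
workloads. Input is the "items" array of
`kubectl get daemonsets,jobs -A -o json`. Everything below the helper
functions is a constructed sample, not data from any real cluster.
"""
import json

# Constructed allowlist of reviewed workloads, keyed (namespace, kind, name).
# In practice this comes from the GitOps repo or an admission policy.
ALLOWLIST = {
    ("kube-system", "DaemonSet", "kube-proxy"),
}

# hostPath mounts of these paths hand a container the node itself.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock", "/proc")


def _is_sensitive_host_path(path):
    """True if a hostPath points at "/" or inside one of the sensitive prefixes."""
    norm = path.rstrip("/") or "/"
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")


def _workload_key(item):
    meta = item.get("metadata", {})
    return (meta.get("namespace"), item.get("kind"), meta.get("name"))


def audit_workload(item, allowlist=ALLOWLIST):
    """Return a list of (severity, reason) findings for one DaemonSet or Job.

    Allowlisted workloads are treated as reviewed and return no findings;
    every other workload is reported, with extra findings for host-level access.
    """
    key = _workload_key(item)
    if key in allowlist:
        return []

    spec = item.get("spec", {}).get("template", {}).get("spec", {})
    findings = [("medium", f"{key[1]} not on the reviewed allowlist")]

    if spec.get("hostPID") or spec.get("hostNetwork"):
        findings.append(("high", "pod shares the host PID or network namespace"))

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(("critical", f"container {c.get('name')} runs privileged"))

    for v in spec.get("volumes", []):
        hp = v.get("hostPath")
        if hp and _is_sensitive_host_path(hp.get("path", "")):
            findings.append(("critical", f"hostPath volume {v.get('name')} mounts {hp['path']}"))

    return findings


def audit_workloads(items, allowlist=ALLOWLIST):
    """Audit every item; return {(namespace, kind, name): findings} for flagged ones."""
    report = {}
    for item in items:
        findings = audit_workload(item, allowlist)
        if findings:
            report[_workload_key(item)] = findings
    return report


# Constructed sample: one expected DaemonSet, one DaemonSet matching the
# privileged host-filesystem-mounting pattern, and one unreviewed plain Job.
SAMPLE_ITEMS = json.loads("""
[
  {"kind": "DaemonSet",
   "metadata": {"name": "kube-proxy", "namespace": "kube-system"},
   "spec": {"template": {"spec": {
     "hostNetwork": true,
     "containers": [{"name": "kube-proxy", "image": "registry.k8s.io/kube-proxy:v1.31.0",
                     "securityContext": {"privileged": true}}],
     "volumes": []}}}},
  {"kind": "DaemonSet",
   "metadata": {"name": "node-helper", "namespace": "default"},
   "spec": {"template": {"spec": {
     "hostPID": true,
     "containers": [{"name": "agent", "image": "alpine:3.20",
                     "securityContext": {"privileged": true},
                     "volumeMounts": [{"name": "host", "mountPath": "/host"}]}],
     "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}}}},
  {"kind": "Job",
   "metadata": {"name": "report-gen", "namespace": "default"},
   "spec": {"template": {"spec": {
     "containers": [{"name": "gen", "image": "python:3.12-slim"}],
     "volumes": []}}}}
]
""")

if __name__ == "__main__":
    for key, findings in audit_workloads(SAMPLE_ITEMS).items():
        print("/".join(str(k) for k in key))
        for severity, reason in findings:
            print(f"  [{severity}] {reason}")
```

Run it against live data by piping `kubectl get daemonsets,jobs -A -o json | jq .items` into `json.load` in place of the embedded sample. The allowlist is deliberately the only thing that silences a finding: a privileged, host-mounting DaemonSet that nobody has reviewed is exactly the signal the paragraph says to monitor for, so it is always reported regardless of namespace.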

Source: https://cyberpress.org/teampcp-automates-cloud-exploits/

Microsoft Security cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security

Pacific Coast Producers cybersecurity rating report: https://www.rankiteo.com/company/pacific-coast-producers

"id": "MICPAC1770804753",
"linkid": "microsoft-security, pacific-coast-producers",
"type": "Cyber Attack",
"date": "12/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'customers_affected': '2.3 million job applicants',
                        'type': 'Cloud Infrastructure'}],
 'attack_vector': ['Exposed Docker APIs',
                   'Kubernetes clusters',
                   'Ray dashboards',
                   'Redis servers',
                   'React2Shell (CVE-2025-29927)'],
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': '2.3 million',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Employment histories',
                                              'Contact details']},
 'date_detected': '2025-12-25',
 'description': 'A threat group tracked as TeamPCP (also known as PCPcat, '
                'ShellForce, and DeadCatx3) has orchestrated a widespread '
                'cloud exploitation campaign, converting vulnerable cloud '
                'infrastructure into a self-propagating cybercrime platform. '
                'The group focuses on exposed cloud control planes, leveraging '
                'weak configurations and publicly accessible management '
                'interfaces for initial access. The campaign peaked around '
                'December 25, 2025, with hundreds of compromised servers '
                'running attacker-controlled containers. Targets include '
                'exposed Docker APIs, Kubernetes clusters, Ray dashboards, '
                'Redis servers, and applications vulnerable to React2Shell '
                '(CVE-2025-29927).',
 'impact': {'data_compromised': '2.3 million job applicant records (names, '
                                'birthdates, employment histories, contact '
                                'details)',
            'identity_theft_risk': 'High (due to PII exposure)',
            'operational_impact': 'Compromised servers repurposed for '
                                  'malicious activities',
            'systems_affected': 'Hundreds of compromised servers'},
 'initial_access_broker': {'backdoors_established': True,
                           'entry_point': ['Exposed Docker APIs',
                                           'Kubernetes clusters',
                                           'Ray dashboards',
                                           'Redis servers']},
 'lessons_learned': 'Defensive measures include restricting public access to '
                    'management APIs, enforcing authentication, preventing '
                    'privileged containers, and monitoring for unauthorized '
                    'DaemonSets and job submissions.',
 'motivation': ['Cryptomining',
                'Proxy and tunneling infrastructure',
                'C2 relays',
                'Data theft',
                'Monetization'],
 'post_incident_analysis': {'corrective_actions': ['Restrict public access to '
                                                   'management APIs',
                                                   'Enforce authentication',
                                                   'Prevent privileged '
                                                   'containers',
                                                   'Monitor for unauthorized '
                                                   'activities'],
                            'root_causes': ['Misconfigured cloud '
                                            'infrastructure',
                                            'Publicly accessible management '
                                            'interfaces']},
 'recommendations': ['Restrict public access to management APIs',
                     'Enforce authentication',
                     'Prevent privileged containers',
                     'Monitor for unauthorized DaemonSets and job submissions'],
 'references': [{'source': 'Cyber Incident Report'}],
 'threat_actor': 'TeamPCP (aka PCPcat, ShellForce, DeadCatx3)',
 'title': 'TeamPCP Large-Scale Cloud Exploitation Campaign Targeting '
          'Misconfigured Infrastructure',
 'type': 'Cloud Exploitation Campaign',
 'vulnerability_exploited': ['Misconfigured cloud infrastructure',
                             'Publicly accessible management interfaces',
                             'React2Shell (CVE-2025-29927)']}