TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure
#Cybersecurity

Security Reporter

Cybersecurity researchers have uncovered a massive cloud-native cybercrime campaign by TeamPCP that systematically exploits exposed Docker APIs, Kubernetes clusters, and vulnerable applications to build a self-propagating criminal infrastructure for data theft, ransomware, and cryptocurrency mining.

Cybersecurity researchers have uncovered a massive cloud-native cybercrime campaign that systematically exploits exposed cloud infrastructure to build criminal operations at scale. The activity, observed around December 25, 2025, has been attributed to a threat cluster known as TeamPCP (also operating as DeadCatx3, PCPcat, PersyPCP, and ShellForce).

The Scale of the Operation

The campaign leverages multiple attack vectors including exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and the recently disclosed React2Shell vulnerability (CVE-2025-55182, CVSS score: 10.0). Rather than employing novel techniques, TeamPCP relies on tried-and-tested methods, existing tools, known vulnerabilities, and prevalent misconfigurations to automate and industrialize the exploitation process.

"The operation's goals were to build a distributed proxy and scanning infrastructure at scale, then compromise servers to exfiltrate data, deploy ransomware, conduct extortion, and mine cryptocurrency," said Flare security researcher Assaf Morag in a report published last week.

How TeamPCP Operates

TeamPCP functions as a cloud-native cybercrime platform with distinct tooling for cloud-native targets. The group maintains over 700 members on its Telegram channel where it publishes stolen data from victims across Canada, Serbia, South Korea, the U.A.E., and the U.S.

Core Attack Components

proxy.sh - This central component installs proxy, peer-to-peer, and tunneling utilities while delivering various scanners to continuously search for vulnerable servers. Notably, it performs environment fingerprinting at execution time:

"Early in its runtime, it checks whether it is running inside a Kubernetes cluster. If a Kubernetes environment is detected, the script branches into a separate execution path and drops a cluster-specific secondary payload, indicating that TeamPCP maintains distinct tooling and tradecraft for cloud-native targets rather than relying on generic Linux malware alone."

scanner.py - Designed to find misconfigured Docker APIs and Ray dashboards by downloading CIDR lists from a GitHub account named "DeadCatx3." It also includes options to run cryptocurrency miners.

kube.py - Contains Kubernetes-specific functionality for cluster credential harvesting and API-based discovery of resources like pods and namespaces. It drops "proxy.sh" into accessible pods for broader propagation and sets up persistent backdoors by deploying privileged pods on every node.

react.py - Exploits the React flaw (CVE-2025-29927) to achieve remote command execution at scale.

pcpcat.py - Discovers exposed Docker APIs and Ray dashboards across large IP ranges and automatically deploys malicious containers or jobs that execute Base64-encoded payloads.
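One defensive check that follows from the kube.py behaviour described above (privileged pods deployed on every node as persistence): an audit, added here as an illustrative example and not code from Flare or from the TeamPCP toolset, that reads the JSON shape of `kubectl get pods -A -o json`, flags pods that request privileged containers or host namespaces, and reports whether such pods cover every node in the cluster. The pod records, node names, and the `kube-system` allowlist are constructed assumptions.

```python
"""Audit pod specs for the persistence pattern described above: privileged pods on every node."""
import json
from collections import defaultdict

# Constructed sample in the shape of `kubectl get pods -A -o json`; not real telemetry.
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "coredns-1", "namespace": "kube-system"},
     "spec": {"nodeName": "node-a", "containers": [{"name": "coredns", "securityContext": {}}]}},
    {"metadata": {"name": "sys-helper-x1", "namespace": "default"},
     "spec": {"nodeName": "node-a", "hostPID": True,
              "containers": [{"name": "c", "securityContext": {"privileged": True}}]}},
    {"metadata": {"name": "sys-helper-x2", "namespace": "default"},
     "spec": {"nodeName": "node-b", "hostNetwork": True,
              "containers": [{"name": "c", "securityContext": {"privileged": True}}]}},
    {"metadata": {"name": "web-1", "namespace": "prod"},
     "spec": {"nodeName": "node-b", "containers": [{"name": "nginx"}]}},
]})


def is_privileged(pod):
    """True if the pod uses host namespaces or any container runs privileged."""
    spec = pod.get("spec", {})
    if spec.get("hostPID") or spec.get("hostNetwork") or spec.get("hostIPC"):
        return True
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return any(c.get("securityContext", {}).get("privileged") for c in containers)


def audit_privileged_pods(pods_json, allowed_namespaces=("kube-system",)):
    """Group privileged pods by node; flag when they are present on every node.

    allowed_namespaces is an assumed allowlist for system workloads that
    legitimately need elevated privileges; tune it to your own cluster.
    """
    data = json.loads(pods_json)
    nodes = set()
    privileged_by_node = defaultdict(list)
    for pod in data.get("items", []):
        node = pod.get("spec", {}).get("nodeName", "<unscheduled>")
        nodes.add(node)
        ns = pod["metadata"]["namespace"]
        if ns in allowed_namespaces:
            continue
        if is_privileged(pod):
            privileged_by_node[node].append(f"{ns}/{pod['metadata']['name']}")
    findings = [f"{node}: {', '.join(names)}" for node, names in sorted(privileged_by_node.items())]
    covers_all_nodes = bool(nodes) and set(privileged_by_node) == nodes
    return {"findings": findings, "covers_all_nodes": covers_all_nodes}


if __name__ == "__main__":
    print(json.dumps(audit_privileged_pods(SAMPLE_PODS_JSON), indent=2))
```

On a live cluster, feed the output of `kubectl get pods -A -o json` into `audit_privileged_pods` and treat `covers_all_nodes` as a high-priority alert rather than a routine finding.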

Infrastructure and Monetization

The campaign uses a C2 server at 67.217.57[.]240, which has been linked to the Sliver open-source C2 framework. Data shows the threat actors primarily target Amazon Web Services and Microsoft Azure environments, with attacks being opportunistic rather than targeting specific industries.

"What makes TeamPCP dangerous is not technical novelty, but their operational integration and scale," Morag explained. "Deeper analysis shows that most of their exploits and malware are based on well-known vulnerabilities and lightly modified open-source tools."

The group blends infrastructure exploitation with data theft and extortion. Leaked CV databases, identity records, and corporate data are published through ShellForce to fuel ransomware, fraud, and cybercrime reputation building. This hybrid model allows multiple revenue streams and resilience against takedowns.

The Self-Propagating Criminal Ecosystem

Successful exploitation leads to deployment of next-stage payloads from external servers, including shell- and Python-based scripts that seek out new targets for expansion. The compromised infrastructure is misused for cryptocurrency mining, data hosting, proxy services, and command-and-control relays.

"The PCPcat campaign demonstrates a full lifecycle of scanning, exploitation, persistence, tunneling, data theft, and monetization built specifically for modern cloud infrastructure," Morag noted. "Organizations that run such infrastructure become collateral victims in the process."

The campaign represents a shift toward industrialized cybercrime operations that leverage cloud misconfigurations at scale, transforming exposed infrastructure into a self-propagating criminal ecosystem that's difficult to dismantle once established.
