TeamPCP Exploits Telnyx to Target Cloud Infrastructures, Highlights Advanced Cyber Threats

TeamPCP’s Malicious Campaign Exploits Telnyx Services to Target Cloud Infrastructures

In a recent development, cybersecurity experts have identified a sophisticated campaign orchestrated by the threat group known as TeamPCP. This operation leverages Telnyx services to deploy malicious payloads, aiming to compromise cloud-native environments. The campaign, active since late December 2025, has raised significant concerns due to its scale and the advanced techniques employed.

Background on TeamPCP

TeamPCP, also recognized by aliases such as DeadCatx3, PCPcat, PersyPCP, and ShellForce, has been active since at least November 2025. The group’s presence was first noted on Telegram on July 30, 2025, where they have since amassed over 700 members. Their activities include publishing stolen data from victims across various countries, including Canada, Serbia, South Korea, the United Arab Emirates, and the United States. Initial documentation of TeamPCP’s operations was provided by Beelzebub in December 2025.

Exploitation of Telnyx Services

Telnyx, a global communications platform offering voice, messaging, and data services, has been exploited by TeamPCP to facilitate their malicious activities. By utilizing Telnyx’s infrastructure, the group has been able to distribute malware payloads efficiently, targeting cloud-native environments. This method allows them to bypass traditional security measures, making detection and mitigation more challenging.

Technical Details of the Campaign

The campaign is characterized by its worm-driven approach: self-propagating malware that spreads from one compromised system to the next without human intervention. TeamPCP has exploited several vulnerabilities and misconfigurations to achieve this spread:

– Exposed Docker APIs: By targeting unsecured Docker APIs, the attackers can deploy malicious containers, gaining control over the host systems.

– Kubernetes Clusters: Misconfigured Kubernetes clusters have been compromised, allowing the attackers to deploy and manage malicious pods within the cluster environment.

– Ray Dashboards: Ray, a distributed computing framework, ships with a dashboard that, if left exposed to the network, can be abused to execute arbitrary code.

– Redis Servers: Unsecured Redis instances have been targeted to store and execute malicious scripts, facilitating further exploitation.

– React2Shell Vulnerability (CVE-2025-55182): This critical vulnerability, with a CVSS score of 10.0, allows for remote code execution. TeamPCP has actively exploited this flaw to gain unauthorized access to systems.

Implications for Cloud Security

The exploitation of Telnyx services by TeamPCP underscores the evolving nature of cyber threats targeting cloud infrastructures. By leveraging legitimate communication platforms, attackers can distribute malware more effectively, complicating detection efforts. This campaign highlights the need for organizations to:

– Secure APIs and Services: Ensure that all APIs and services, such as Docker and Kubernetes, are properly configured and secured to prevent unauthorized access.

– Monitor Communication Channels: Regularly monitor and audit communication channels and services to detect any unauthorized or suspicious activities.

– Patch Vulnerabilities Promptly: Stay informed about critical vulnerabilities like React2Shell and apply patches promptly to mitigate potential exploits.
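As an added example (not code from the article, Telnyx, or the researchers who documented TeamPCP), the following Python script audits `ss -ltnH` output from one of your own hosts and flags the services named above when they are bound to every interface. The port numbers are the documented defaults for each service and are an assumption for any given deployment; the sample socket listing is constructed, not captured from a real host.

```python
"""Flag listeners for the services TeamPCP is reported to target."""
import re

# Default ports of the services named in the article (assumption: default
# ports; a deployment may use others, so extend this table as needed).
WATCHED_PORTS = {
    2375: "Docker Engine API (plain TCP)",
    2376: "Docker Engine API (TLS)",
    6443: "Kubernetes API server",
    10250: "kubelet API",
    8265: "Ray dashboard",
    6379: "Redis",
}

# Bind addresses that expose a listener on every interface.
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}

# Constructed sample in the shape of `ss -ltnH` output (not from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      4096       0.0.0.0:2375      0.0.0.0:*
LISTEN 0      511      127.0.0.1:6379      0.0.0.0:*
LISTEN 0      4096             *:8265            *:*
LISTEN 0      4096          [::]:6443         [::]:*
LISTEN 0      128        0.0.0.0:22        0.0.0.0:*
LISTEN 0      128      127.0.0.1:10250     0.0.0.0:*
"""

# State, Recv-Q, Send-Q, then local address:port (IPv6 addresses are bracketed).
_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")


def parse_listeners(ss_output):
    """Yield (bind_address, port) for each LISTEN line of `ss -ltnH` text."""
    for line in ss_output.splitlines():
        m = _LINE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2))


def find_exposed_services(ss_output):
    """Return sorted [(port, service, addr)] for watched services bound to all interfaces."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port in WATCHED_PORTS and addr in WILDCARD_ADDRS:
            findings.append((port, WATCHED_PORTS[port], addr))
    return sorted(findings)


if __name__ == "__main__":
    for port, service, addr in find_exposed_services(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED {service} listening on {addr}:{port}")
```

Loopback-only listeners (Redis and the kubelet in the sample) are not reported; a watched service that should be reachable by other hosts still needs authentication and network policy, which this check does not verify.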

Conclusion

TeamPCP’s recent campaign exploiting Telnyx services to target cloud-native environments serves as a stark reminder of the sophisticated methods employed by modern cyber adversaries. Organizations must adopt a proactive approach to cybersecurity, ensuring that their cloud infrastructures are resilient against such advanced threats.