A sophisticated cybercrime group, TeamPCP, has launched a widespread, worm-driven campaign targeting critical cloud-native infrastructure, including Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers. This operation, active since late 2025, leverages misconfigurations and vulnerabilities like the critical React2Shell (CVE-2025-55182) to establish a persistent and self-propagating criminal network. The primary objective is financial gain through data exfiltration, ransomware deployment, extortion, and cryptocurrency mining, impacting organizations across multiple continents. This incident underscores a critical shift in cybercrime tactics, focusing on industrializing attacks against the core components of modern cloud environments.
The Industrialization of Cloud Exploitation
TeamPCP’s campaign represents a significant evolution in cybercrime, moving beyond one-off compromises to establish a scalable, automated platform for cloud exploitation. By meticulously targeting the interconnected fabric of cloud-native technologies—from exposed APIs to container orchestration—the group has engineered a worm that effectively creates a distributed criminal infrastructure. This approach allows them to quickly onboard new compromised systems, turning them into resources for various illicit activities. The exploitation of known vulnerabilities alongside common misconfigurations highlights a crucial vulnerability gap: the rapid adoption of cloud services often outpaces the implementation of comprehensive security hygiene. The group’s use of a Telegram channel to publicize stolen data further underscores their calculated approach to extortion and reputation building within the cybercriminal underground, reinforcing the financial drivers behind these sophisticated operations.
Strategic Implications for Cloud Security
The TeamPCP campaign reveals a critical inflection point in cybersecurity: the industrialization of cloud-native attacks. This is not merely a series of isolated incidents, but a systemic assault designed to continuously compromise and repurpose cloud infrastructure for maximum financial gain. For organizations, this means that traditional perimeter-based security is increasingly insufficient. The focus must shift to securing the entire cloud-native attack surface, from development pipelines to runtime environments. The opportunistic nature of TeamPCP’s targeting implies that any entity with misconfigured or vulnerable cloud assets is at risk, irrespective of sector or size. This necessitates a proactive, continuous security posture that incorporates robust vulnerability management, stringent access controls for cloud interfaces, and sophisticated detection capabilities for lateral movement and C2 communications within cloud environments. Failure to adapt to these evolving threat models will leave organizations highly susceptible to sophisticated, automated attacks.
Actionable Recommendations
To effectively counter sophisticated cloud-native threats like TeamPCP, defenders must adopt a multi-layered, proactive security strategy. Beyond the immediate remediation of identified vulnerabilities, a fundamental shift in operational security practices is required:
- Continuous Cloud Posture Assessment: Implement automated Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) solutions to continuously identify and remediate misconfigurations and vulnerabilities across your entire cloud footprint.
- Strict Access Control and Network Segmentation: Ensure all cloud-native interfaces (Docker, Kubernetes, Ray, Redis) are not publicly exposed. Apply the principle of least privilege rigorously, segment cloud networks, and restrict traffic flow to only what is absolutely essential for operations.
- Advanced Threat Detection in Cloud Environments: Deploy cloud-native threat detection capabilities that can identify anomalous behavior, credential harvesting attempts (as seen with kube.py), and suspicious outbound C2 communications (e.g., to Sliver C2 infrastructure).
- Proactive Vulnerability Patching and Management: Establish and enforce a rapid patching cadence for all cloud services, applications, and frameworks, with particular attention to critical vulnerabilities like React2Shell (CVE-2025-55182).
- Incident Response Playbooks for Cloud: Develop and regularly test incident response playbooks specifically tailored for cloud environments, including procedures for isolating compromised containers, revoking API keys, and restoring services securely.
The Evolving Cloud Threat Landscape
The TeamPCP campaign serves as a powerful reminder that the cloud attack surface is constantly evolving, and adversaries are rapidly industrializing their methods. Organizations must recognize that securing cloud-native environments requires a continuous, adaptive approach that extends beyond traditional security paradigms. Proactive vulnerability management, stringent configuration enforcement, and advanced threat detection are no longer optional but essential for defending against well-resourced and automated cybercrime groups. The battle for cloud security will be won by those who prioritize continuous vigilance and a deep understanding of cloud-native attack vectors.
What Happened
Around December 25, 2025, a cybercrime group known as TeamPCP initiated a large-scale, worm-driven campaign targeting cloud-native environments. The operation systematically compromised misconfigured and vulnerable cloud infrastructure, including Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers. The attackers also exploited the critical React2Shell vulnerability (CVE-2025-55182) to gain initial access. The primary goal of the campaign was to build a distributed criminal infrastructure for subsequent attacks, including data exfiltration, ransomware deployment, extortion, and cryptocurrency mining. The campaign impacted organizations globally, with victims identified in Canada, Serbia, South Korea, the U.A.E., and the U.S., primarily targeting infrastructure hosted on Amazon Web Services (AWS) and Microsoft Azure.
Attack Chain and Technical Mechanics
TeamPCP’s attack chain is notable for its automation and its focus on cloud-native technologies. The process begins with broad, opportunistic scanning of the internet for common misconfigurations and known vulnerabilities.
- Initial Access: The threat actor gains entry by exploiting exposed Docker APIs, Kubernetes APIs, Ray dashboards, Redis servers, and the React2Shell (CVE-2025-55182) vulnerability in React/Next.js applications.
- Payload Deployment: Upon successful exploitation, the attackers deploy a suite of shell and Python-based scripts. A core component, “proxy.sh,” is used to install proxy, P2P, and tunneling utilities. This script also performs environment fingerprinting to detect if it is running within a Kubernetes cluster.
- Environment-Specific Tooling: If a Kubernetes environment is detected, “proxy.sh” deploys a cluster-specific secondary payload, “kube.py.” This script is designed for credential harvesting and discovery of Kubernetes resources like pods and namespaces. It then propagates “proxy.sh” to other accessible pods and establishes persistence by deploying a privileged pod on each node.
- Automated Propagation and Scanning: Other scripts, such as “scanner.py” and “pcpcat.py,” are used to find new targets. “scanner.py” fetches CIDR lists from a GitHub repository to identify misconfigured Docker APIs and Ray dashboards. “pcpcat.py” automates the deployment of malicious containers or jobs on newly discovered vulnerable systems. The script “react.py” is specifically used to exploit the React2Shell vulnerability at scale.
- Command and Control: The compromised infrastructure communicates with a C2 server located at 67.217.57[.]240, which has been linked to the Sliver C2 framework. This allows the threat actor to manage their network of compromised systems for various malicious activities.
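Two of the steps above leave a clear footprint in the Kubernetes API audit log: the credential-harvesting and discovery step (a pod service account reading Secrets across namespaces) and the per-node persistence step (creation of privileged pods). The following detection logic is an added example written for this summary; it is not TeamPCP tooling and not code from any vendor. The audit events are constructed samples in the standard Kubernetes audit Event layout, and the service-account names, namespaces, pod names and IPs in them are made up. The `is_privileged_pod` helper is the same check a validating admission webhook would apply to reject such pods before they run.

```python
"""Audit-log detection for (1) a service account sweeping Secrets across
namespaces and (2) creation of privileged / host-namespace pods.
Added example, not code from the report or the threat actor."""
import json
from collections import defaultdict

SECRET_NAMESPACE_THRESHOLD = 2  # distinct namespaces of Secret reads by one principal

# Constructed sample audit events (JSON lines). A real cluster produces these when
# the audit policy logs Request/RequestResponse for secrets and pods.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:web:default"},"sourceIPs":["10.244.1.17"],"objectRef":{"resource":"secrets","namespace":"web"},"responseStatus":{"code":200}}
{"kind":"Event","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:web:default"},"sourceIPs":["10.244.1.17"],"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":200}}
{"kind":"Event","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:web:default"},"sourceIPs":["10.244.1.17"],"objectRef":{"resource":"secrets","namespace":"payments"},"responseStatus":{"code":200}}
{"kind":"Event","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:web:default"},"sourceIPs":["10.244.1.17"],"objectRef":{"resource":"pods"},"responseStatus":{"code":200}}
{"kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:web:default"},"sourceIPs":["10.244.1.17"],"objectRef":{"resource":"pods","namespace":"kube-system","name":"node-agent-a1b2"},"requestObject":{"spec":{"nodeName":"node-1","hostPID":true,"containers":[{"name":"agent","image":"alpine","securityContext":{"privileged":true}}]}},"responseStatus":{"code":201}}
{"kind":"Event","stage":"ResponseComplete","verb":"create","user":{"username":"admin@example.com"},"sourceIPs":["192.168.5.9"],"objectRef":{"resource":"pods","namespace":"web","name":"frontend-7c9"},"requestObject":{"spec":{"containers":[{"name":"web","image":"nginx","securityContext":{"runAsNonRoot":true}}]}},"responseStatus":{"code":201}}
"""


def is_privileged_pod(spec: dict) -> list:
    """Return the reasons a conservative admission policy would reject this pod
    spec: host namespaces, privileged containers, hostPath volumes. Empty list
    means the spec passes."""
    reasons = []
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            reasons.append(f"{key}=true")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            reasons.append(f"container {c.get('name')} privileged")
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            reasons.append(f"hostPath volume {v.get('name')}")
    return reasons


def analyse_audit_log(lines: str) -> list:
    """Scan audit events (one JSON object per line) and return findings."""
    secret_namespaces = defaultdict(set)  # principal -> namespaces where Secrets were read
    findings = []
    for raw in lines.strip().splitlines():
        ev = json.loads(raw)
        # Only completed, successful requests matter for these two rules.
        if ev.get("stage") != "ResponseComplete" or ev["responseStatus"]["code"] >= 300:
            continue
        user = ev["user"]["username"]
        ref = ev.get("objectRef", {})
        source = (ev.get("sourceIPs") or ["?"])[0]

        # Rule 1: a pod service account reading Secrets (cross-namespace sweep).
        if (ref.get("resource") == "secrets" and ev["verb"] in ("get", "list", "watch")
                and user.startswith("system:serviceaccount:")):
            secret_namespaces[user].add(ref.get("namespace") or "<cluster-scope>")

        # Rule 2: creation of a privileged / host-namespace pod.
        if ref.get("resource") == "pods" and ev["verb"] == "create":
            reasons = is_privileged_pod(ev.get("requestObject", {}).get("spec", {}))
            if reasons:
                findings.append({"rule": "privileged-pod-create", "user": user,
                                 "namespace": ref.get("namespace"), "pod": ref.get("name"),
                                 "source_ip": source, "detail": reasons})

    for user, namespaces in secret_namespaces.items():
        if len(namespaces) >= SECRET_NAMESPACE_THRESHOLD:
            findings.append({"rule": "serviceaccount-secret-sweep", "user": user,
                             "namespaces": sorted(namespaces)})
    return findings


if __name__ == "__main__":
    for finding in analyse_audit_log(SAMPLE_AUDIT_LOG):
        print(json.dumps(finding))
```

The threshold of two namespaces is deliberately low: a workload service account normally has no reason to read Secrets outside its own namespace at all, so even a second namespace is worth a ticket. Tune `is_privileged_pod` to your cluster's baseline (some legitimate DaemonSets, such as CNI agents, are privileged) by exempting those by namespace and service account rather than by loosening the check.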
Threat Actor Behavior and Intent
TeamPCP, also known as DeadCatx3, PCPcat, PersyPCP, and ShellForce, has been active since at least November 2025. The group operates as a cloud-native cybercrime platform, demonstrating a clear intent to industrialize the process of compromising and repurposing cloud infrastructure. Their primary motivation appears to be financial, with activities including cryptocurrency mining, ransomware, data theft, and extortion. The group maintains a Telegram channel with over 700 members, where they publish stolen data to build their reputation and pressure victims. TeamPCP’s tradecraft is not characterized by novel techniques but by the effective integration and automation of well-known exploits and open-source tools. This approach allows them to operate at a significant scale, transforming disparate compromised systems into a cohesive, self-propagating criminal ecosystem.
Strategic and Defensive Implications
The TeamPCP campaign highlights a significant trend in cybercrime: the shift towards targeting the foundational technologies of modern cloud infrastructure. By focusing on APIs, container orchestration platforms, and common development frameworks, the attackers exploit systemic weaknesses that are prevalent across many organizations. This incident serves as a stark reminder that the speed of cloud adoption often outpaces the implementation of robust security practices. The opportunistic nature of the attacks means that any organization with a vulnerable cloud presence is a potential target, regardless of its industry. The campaign’s success underscores the need for a defense-in-depth approach to cloud security that goes beyond traditional perimeter defenses and focuses on securing the entire cloud-native stack.
What We Know — and What We Don’t
What We Know:
- TeamPCP is a financially motivated cybercrime group active since at least November 2025.
- The campaign uses a worm-like mechanism to propagate through vulnerable cloud infrastructure.
- Initial access vectors include exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and the React2Shell vulnerability (CVE-2025-55182).
- The attackers use a variety of custom scripts (proxy.sh, kube.py, scanner.py, react.py, pcpcat.py) to automate their attacks.
- The compromised infrastructure is used for cryptocurrency mining, data theft, ransomware, and as a proxy network.
- A C2 server at 67.217.57[.]240, linked to the Sliver framework, is used in the campaign.
What We Don’t Know:
- The precise number of victims and the full extent of the data compromised remain unknown.
- The specific identities of the individuals behind TeamPCP are not yet publicly known.
- The full capabilities of all the malware and tools used by the group have not been detailed.
What Defenders Should Take Away
Defenders should prioritize the following actions based on the TTPs observed in this campaign:
- Secure Cloud-Native Interfaces: Regularly audit and secure all cloud-native interfaces, including Docker APIs, Kubernetes APIs, Ray dashboards, and Redis servers. Avoid exposing these interfaces to the public internet unless absolutely necessary, and implement strong authentication and access controls.
- Vulnerability Management: Ensure timely patching of all software, with a particular focus on web application frameworks like React/Next.js. The exploitation of the React2Shell vulnerability demonstrates the importance of addressing critical vulnerabilities as soon as patches are available.
- Cloud Security Posture Management (CSPM): Implement CSPM tools to continuously monitor for and remediate misconfigurations in your cloud environment. This can help to identify and close the security gaps that TeamPCP and similar groups exploit.
- Egress Traffic Monitoring: Monitor outbound traffic for connections to known malicious IP addresses and C2 frameworks like Sliver. This can help to detect and contain infections early in the attack lifecycle.
- Kubernetes Security: Implement robust security measures for Kubernetes environments, including network segmentation, least-privilege access controls, and the use of admission controllers to prevent the deployment of privileged or malicious pods.
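The "Egress Traffic Monitoring" and "Secure Cloud-Native Interfaces" items here, like the detection and access-control items under "Actionable Recommendations" above, can be checked directly against VPC flow logs. The script below is an added example written for this summary, not code from the report or any vendor. It applies three rules: egress to the C2 address the report names (refanged from its defanged form), an external source reaching a Docker, Kubernetes, Ray or Redis listener inside the VPC, and one internal host contacting several external hosts on those ports, which is what worm-style propagation scanning looks like from the victim side. The flow records are constructed samples in the AWS VPC flow log version-2 layout with made-up account, ENI and addresses; the port-to-service mapping uses the well-known default ports of those services, which is an assumption about your environment rather than something the report states.

```python
"""Flow-log checks for C2 egress, exposed management ports and outbound
propagation scanning. Added example, not code from the report."""
import ipaddress
from collections import defaultdict

DEFANGED_C2 = "67.217.57[.]240"  # indicator exactly as published in the report

# Default listener ports of the services the report names (assumed defaults).
MANAGEMENT_PORTS = {2375: "Docker API", 2376: "Docker API (TLS)", 6443: "Kubernetes API",
                    8265: "Ray dashboard", 6379: "Redis"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
SWEEP_THRESHOLD = 3  # distinct external hosts on management ports before alerting

FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log_status").split()

# Constructed sample records (AWS VPC flow log v2 layout, space separated).
SAMPLE_FLOW_LOG = """
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.15 51234 2375 6 12 980 1766650000 1766650060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 67.217.57.240 44821 443 6 34 5120 1766650120 1766650180 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.2.40 39870 6379 6 5 400 1766650200 1766650260 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.77 10.0.1.15 40001 8265 6 3 180 1766650300 1766650360 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.200 50022 443 6 8 900 1766650400 1766650460 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.40 52000 2375 6 1 60 1766650500 1766650500 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.41 52001 2375 6 1 60 1766650501 1766650501 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.42 52002 8265 6 1 60 1766650502 1766650502 ACCEPT OK
"""


def refang(ioc: str) -> str:
    """Turn a defanged indicator (67.217.57[.]240, hxxp://...) back into a usable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def is_internal(addr: str) -> bool:
    """RFC 1918, loopback and link-local count as internal; everything else is external."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow_record(line: str) -> dict:
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        raise ValueError(f"expected {len(FLOW_FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FLOW_FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def analyse_flow_logs(text: str, c2_addresses=None) -> list:
    """Return findings for accepted flows matching any of the three rules."""
    c2 = set(c2_addresses or [refang(DEFANGED_C2)])
    findings = []
    sweeps = defaultdict(set)  # internal source -> external hosts contacted on management ports
    for line in text.strip().splitlines():
        rec = parse_flow_record(line)
        if rec["action"] != "ACCEPT":
            continue  # rejected flows never carried traffic
        src, dst, port = rec["srcaddr"], rec["dstaddr"], rec["dstport"]
        if dst in c2:
            findings.append({"rule": "egress-to-known-c2", "src": src, "dst": dst, "dstport": port})
        if port in MANAGEMENT_PORTS and not is_internal(src) and is_internal(dst):
            findings.append({"rule": "public-management-port-exposure",
                             "service": MANAGEMENT_PORTS[port], "src": src, "dst": dst, "dstport": port})
        if port in MANAGEMENT_PORTS and is_internal(src) and not is_internal(dst):
            sweeps[src].add(dst)
    for src, targets in sweeps.items():
        if len(targets) >= SWEEP_THRESHOLD:
            findings.append({"rule": "outbound-management-port-sweep", "src": src,
                             "targets": sorted(targets)})
    return findings


if __name__ == "__main__":
    for finding in analyse_flow_logs(SAMPLE_FLOW_LOG):
        print(finding)
```

The exposure rule is the one to act on first: an accepted inbound flow from an external address to port 2375 is the "exposed Docker API" condition that gives this worm its initial access, and it should be closed with security-group changes rather than only alerted on. The sweep rule is a useful second signal because a freshly compromised host starts scanning outward almost immediately; correlating it with the exposure or C2 rule on the same source address gives a high-confidence containment trigger.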