TeamPCP Worm Hijacks Cloud Infrastructure for Criminal Operations
By John Jordan
Cybersecurity researchers have uncovered a "massive campaign" orchestrated by the threat group TeamPCP, which systematically exploits cloud-native environments to establish malicious infrastructure. The worm-driven activity, observed since late 2025, leverages vulnerabilities and misconfigurations in Docker, Kubernetes, Ray, and Redis to facilitate data theft, ransomware deployment, extortion, and cryptocurrency mining.
Key Takeaways
TeamPCP is exploiting exposed cloud services and vulnerabilities like React2Shell (CVE-2025-55182) to build criminal infrastructure.
The group aims to create a distributed proxy and scanning network for various illicit activities.
Compromised infrastructure is used for cryptocurrency mining, data hosting, and command-and-control relays.
TeamPCP utilizes a hybrid model, monetizing both compute resources and stolen data.
Exploiting Cloud Weaknesses
The TeamPCP worm targets misconfigured Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers, alongside the critical React2Shell vulnerability. This allows the threat actors to gain access to modern cloud infrastructure, turning it into a "self-propagating criminal ecosystem." The operation's primary goals include building a large-scale proxy and scanning infrastructure, exfiltrating data, deploying ransomware, and mining cryptocurrency.
TeamPCP's Modus Operandi
TeamPCP, also known by aliases such as DeadCatx3 and ShellForce, has been active since at least November 2025. The group maintains a Telegram channel with over 700 members, where they share stolen data from victims across various countries, including the U.S., Canada, Serbia, South Korea, and the U.A.E. Their approach relies on established attack techniques, known vulnerabilities, and common misconfigurations rather than novel methods.
The Worm's Payload and Functionality
Once a system is compromised, the worm deploys next-stage payloads from external servers. A core component, "proxy.sh," installs proxy, peer-to-peer (P2P), and tunneling utilities, along with scanners to continuously search for vulnerable servers. Notably, "proxy.sh" performs environment fingerprinting and deploys cluster-specific payloads if a Kubernetes environment is detected, indicating specialized tooling for cloud-native targets.
Other payloads include:
scanner.py: Discovers misconfigured Docker APIs and Ray dashboards, and can deploy a cryptocurrency miner.
kube.py: Harvests Kubernetes credentials, discovers resources, and deploys "proxy.sh" into accessible pods, establishing persistence by mounting the host.
react.py: Exploits the React flaw (CVE-2025-29927) for remote command execution.
pcpcat.py: Discovers exposed Docker APIs and Ray dashboards, deploying malicious containers or jobs.
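The kube.py behaviour above (deploying into reachable pods and persisting by mounting the host) leaves a clear trace in the Kubernetes API audit log. As an added defensive example, not code from the report or from the group's tooling, the Python below inspects one audit-log line for pod creations that expose the node: host namespaces, privileged containers, and read-write hostPath mounts. It assumes the standard audit Event and v1 PodSpec field names; the sample event is constructed.

```python
import json
from typing import Any


def pod_host_exposure(pod: dict[str, Any]) -> list[str]:
    """Return findings for a v1 Pod manifest that could let a container reach the node."""
    spec = pod.get("spec", {})
    findings: list[str] = []
    # Host namespaces give a container a view of node processes, network or IPC.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{flag}=true")
    # hostPath volumes expose node directories; a path of "/" exposes the whole node.
    host_paths = {v["name"]: v["hostPath"].get("path", "")
                  for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"container {c['name']} privileged")
        for m in c.get("volumeMounts", []):
            # Read-only host mounts are noisy; only flag writable ones.
            if m["name"] in host_paths and not m.get("readOnly"):
                findings.append(
                    f"container {c['name']} mounts host {host_paths[m['name']]!r} rw at {m['mountPath']}")
    return findings


def audit_event_findings(line: str) -> list[str]:
    """Apply pod_host_exposure to one JSON audit-log line (requires Request or RequestResponse level)."""
    ev = json.loads(line)
    if ev.get("verb") != "create" or ev.get("objectRef", {}).get("resource") != "pods":
        return []
    body = ev.get("requestObject")
    return pod_host_exposure(body) if body else []


# Constructed sample audit line: a pod created with hostPID, privileged, and "/" mounted read-write.
SAMPLE_AUDIT_LINE = json.dumps({
    "kind": "Event", "verb": "create",
    "user": {"username": "system:serviceaccount:default:default"},
    "objectRef": {"resource": "pods", "namespace": "default", "name": "relay"},
    "requestObject": {
        "apiVersion": "v1", "kind": "Pod",
        "spec": {
            "hostPID": True,
            "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
            "containers": [{"name": "relay", "image": "example/image:latest",
                            "securityContext": {"privileged": True},
                            "volumeMounts": [{"name": "root", "mountPath": "/host"}]}],
        },
    },
})

if __name__ == "__main__":
    for finding in audit_event_findings(SAMPLE_AUDIT_LINE):
        print(finding)
```

In practice the same check belongs in an admission policy, so such pods are refused rather than merely logged.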
Targeting and Monetization
Data indicates that TeamPCP primarily targets Amazon Web Services (AWS) and Microsoft Azure environments. The attacks are opportunistic, focusing on infrastructure that serves the group's goals, which makes the organizations running that infrastructure "collateral victims." The group employs a hybrid model, combining infrastructure exploitation with data theft and extortion. Stolen data, including CV databases and corporate records, is published via ShellForce to fuel ransomware operations and fraud and to enhance the group's reputation in the cybercrime scene, giving it multiple revenue streams and resilience.
Sources
TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure, The Hacker News.