Cybersecurity researchers warned of a “massive campaign” that systematically targets cloud-native environments and sets up malicious infrastructure for subsequent exploitation.
The activity, observed around December 25, 2025 and described as “worm-driven,” leveraged the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) vulnerability, as well as exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers. This campaign is believed to originate from the threat cluster known as TeamPCP (also known as DeadCatx3, PCPcat, PersyPCP, and ShellForce).
TeamPCP is known to have been active since at least November 2025, with its first Telegram activity dating back to July 30, 2025. The TeamPCP Telegram channel currently has over 700 members, and the group has published stolen data from various victims in Canada, Serbia, South Korea, UAE, and the United States. Details of the threat actor were first documented by Beelzebub in December 2025 under the name Operation PCPcat.
“The objective of this operation was to build a large-scale distributed proxy and scanning infrastructure, compromise servers and steal data, deploy ransomware, conduct extortion, and mine cryptocurrencies,” Flair security researcher Asaf Morag said in a report released last week.
TeamPCP is said to function as a cloud-native cybercrime platform, leveraging misconfigured Docker APIs, Kubernetes APIs, Ray dashboards, Redis servers, and vulnerable React/Next.js applications as primary infection vectors to infiltrate modern cloud infrastructures and facilitate data theft and extortion.
Additionally, compromised infrastructure can be exploited for a wide range of other purposes, from cryptocurrency mining and data hosting to proxies and command-and-control (C2) relays.
Rather than adopting new technologies, TeamPCP relies on proven attack techniques, including existing tools, known vulnerabilities, and pervasive misconfigurations, to build an exploitation platform that automates and industrializes the entire process. This turns exposed infrastructure into a “self-propagating criminal ecosystem,” Flair said.
Successful exploitation paves the way for next stage payload deployment from external servers, such as shell-based or Python-based scripts that seek new targets for further expansion. One of the core components is ‘proxy.sh’, which installs proxy, peer-to-peer (P2P), and tunneling utilities, and provides various scanners to continuously search the Internet for vulnerable or misconfigured servers.
“In particular, proxy.sh performs environment fingerprinting at runtime,” Morag said. “Early at runtime, checks whether it is running in a Kubernetes cluster.”
“When a Kubernetes environment is detected, the script branches to a separate execution path and drops a cluster-specific secondary payload. This shows that TeamPCP maintains its own tools and tradecraft for cloud-native targets, rather than relying solely on generic Linux malware.”
A brief description of the other payloads is as follows:
Scanner.py is designed to detect misconfigured Docker APIs and Ray dashboards by downloading the classless interdomain routing (CIDR) list from a GitHub account named “DeadCatx3” and also has an option to run a cryptocurrency miner (“mine.sh”). kube.py contains Kubernetes-specific functionality to collect cluster credentials and perform API-based discovery of resources such as pods and namespaces. We then drop ‘proxy.sh’ on an accessible pod to achieve wider propagation and set up a persistent backdoor by deploying a privileged pod on every node that mounts the host. It is designed to exploit a flaw in React (CVE-2025-29927) to achieve remote command execution at scale. pcpcat.py is designed to discover exposed Docker APIs and Ray dashboards across large IP address ranges and automatically deploy malicious containers or jobs that execute Base64-encoded payloads.
Flare said the C2 server node is located at 67.217.57.[.]240 is also linked to the operation of Sliver, an open source C2 framework known to be exploited by threat actors for post-exploitation purposes.
Data from the cybersecurity firm shows that attackers are primarily targeting Amazon Web Services (AWS) and Microsoft Azure environments. This attack is assessed to be opportunistic in nature, not targeting any specific industry, but primarily targeting the infrastructure that supports its objectives. As a result, organizations operating such infrastructure become “collateral victims” in the process.
“The PCPcat campaign demonstrates a complete lifecycle of scanning, exploitation, persistence, tunneling, data theft and monetization built specifically for modern cloud infrastructure,” said Morag. “What makes TeamPCP dangerous is not its technological novelty, but its operational integration and scale. Further analysis shows that most of their exploits and malware are based on well-known vulnerabilities and lightly modified open source tools.”
“At the same time, TeamPCP combines infrastructure abuse with data theft and extortion. Leaked resume databases, identity records, and corporate data are exposed through ShellForce, facilitating reputation building for ransomware, fraud, and cybercrime. This hybrid model allows the group to monetize both computing and information, giving it multiple revenue streams and resiliency against takedowns.”
Source link
