TeamPCP Launches Massive Cloud Exploitation Campaign Targeting Misconfigured Infrastructure

In a striking demonstration of modern cybercrime, a threat group known as TeamPCP—also tracked under aliases like PCPcat, ShellForce, and DeadCatx3—has orchestrated a large-scale campaign that turns vulnerable cloud infrastructure into a self-propagating cybercrime platform. Unlike conventional malware attacks that target personal computers, TeamPCP focuses on misconfigured cloud environments, exploiting weakly secured Docker APIs, Kubernetes clusters, Redis servers, and vulnerable web applications. This campaign highlights the growing risks of exposed cloud workloads and the need for proactive security measures.

Active since late 2025, TeamPCP leverages misconfigurations rather than zero-day exploits, turning publicly accessible management interfaces into gateways for persistent attacks. Researchers observed the campaign peaking around December 25, 2025, when hundreds of compromised servers began executing attacker-controlled containers. At one stage, investigators confirmed at least 185 Docker server compromises, though the actual scale is likely far larger.

The attack infrastructure revolves around an automated script called proxy.sh, which functions as the operational backbone. Once deployed, it installs tunneling tools like FRPS and gost, initiates system scanners, establishes persistence through system services, and searches for additional exposed targets. On Kubernetes environments, a secondary module called kube.py is deployed, enabling credential harvesting, lateral movement across pods, and privileged DaemonSet deployments that mount the host filesystem for long-term control. Meanwhile, react.py exploits React2Shell (CVE-2025-29927) vulnerabilities in Next.js applications, exfiltrating environment variables, SSH keys, cloud credentials, Git tokens, and sensitive .env files to attacker-controlled servers.

TeamPCP also operates a high-volume scanner, pcpcat.py, which sweeps large CIDR ranges for exposed Docker and Ray APIs. Any discovered system is automatically infected with proxy.sh, creating a worm-like propagation loop, where every compromised machine becomes a scanner and attack vector. Additional payloads include hidden XMRig cryptominers, generating passive income while the infrastructure is repurposed for further attacks.

The group’s monetization strategy is diverse and hybrid. Compromised servers are transformed into:

Cryptomining nodes

Proxy and tunneling servers

Command-and-control relays

Internet scanning platforms

Data theft staging servers

In one documented case, TeamPCP leaked over 2.3 million recruitment records, including names, birthdates, employment history, and contact details. The majority of compromised infrastructure resides on public cloud platforms, with Azure accounting for 61% of victims and AWS 36%. This cloud-first approach reflects the group’s focus on industrial-scale attacks rather than targeting personal devices.

Despite its sophistication, TeamPCP primarily leverages automation and scale, using modified open-source tools rather than groundbreaking exploits. Security experts emphasize that the group’s power comes from industrializing known cloud weaknesses, particularly exposed Docker, Kubernetes, and Redis services. Effective defense requires cloud-native security controls, including restricting public API access, enforcing authentication, network segmentation, monitoring for unauthorized containers or DaemonSets, rotating secrets, and scanning images for exposed credentials.
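The first control listed above, restricting public access to the Docker API, comes down to how dockerd's listeners are configured. The audit below is an added example written for this article; it is not code from the article, from cyberpress.org, or from any of the tools the campaign uses. It reads a daemon.json document and flags the weak shape (a TCP listener with no client certificate verification, bound to every interface) next to a hardened one. The sample configurations and the certificate paths in them are constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample configurations (not taken from any real host). The first
# is the weak shape the article warns about: the Docker Engine API listening on
# TCP with no client authentication. The second is a hardened equivalent that
# keeps a TCP listener but binds it to one address and requires mutual TLS.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",        # assumed paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

ALL_INTERFACES = {"", "0.0.0.0", "::"}


def audit_docker_daemon(daemon_json: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one daemon.json document.

    Only the 'hosts' list and the TLS keys are inspected; everything else in
    the file is ignored.
    """
    cfg = json.loads(daemon_json)
    findings: list[tuple[str, str]] = []

    # dockerd only authenticates TCP clients when tlsverify is on and a CA,
    # server certificate and key are all configured.
    mutual_tls = bool(cfg.get("tlsverify")) and all(
        cfg.get(key) for key in ("tlscacert", "tlscert", "tlskey")
    )

    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are local to the host
        if not mutual_tls:
            findings.append((
                "HIGH",
                f"{host}: Docker API reachable over TCP without client "
                "certificate verification; anyone who can reach the port "
                "can start containers",
            ))
        if (parts.hostname or "") in ALL_INTERFACES:
            findings.append((
                "MEDIUM",
                f"{host}: listener bound to every interface; bind it to a "
                "management address and restrict it with a firewall",
            ))

    if cfg.get("tls") and not cfg.get("tlsverify"):
        findings.append((
            "MEDIUM",
            "tls is set without tlsverify: the transport is encrypted but "
            "clients are not authenticated",
        ))
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"{label}: {audit_docker_daemon(doc) or 'no findings'}")
```

The check only covers daemon.json; hosts can also be passed to dockerd on the command line (for example through a systemd drop-in), so a complete audit would read the effective `-H` arguments as well. Pointing the function at the output of a configuration-management inventory is a practical way to find the exposed listeners the scanner in this campaign looks for before it does.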

What Undercode Says:

TeamPCP represents a shift in the cybercrime paradigm: from isolated endpoint attacks to massive, cloud-first operations. Their success is less about novel vulnerabilities and more about automation, orchestration, and the sheer scale of operations. By combining scanning, exploitation, lateral movement, and monetization into one continuous loop, TeamPCP demonstrates how weak cloud configurations can be weaponized into a self-propagating infrastructure.

The campaign underscores a critical security lesson: misconfigurations are as dangerous as zero-day exploits. Organizations often overlook exposed APIs, improperly secured Kubernetes clusters, and default Docker configurations. Attackers like TeamPCP exploit these gaps systematically, converting public cloud resources into multipurpose criminal platforms.

From a technical perspective, proxy.sh, kube.py, and react.py illustrate modular attack design, where each component specializes in persistence, propagation, or credential harvesting. This modularity increases operational efficiency and lowers detection probability. The use of worm-like scanners to autonomously identify and compromise new targets is a force multiplier, enabling rapid scaling without human intervention.

TeamPCP’s hybrid monetization strategy is also notable. While cryptomining provides a steady, low-risk revenue stream, proxies, C2 relays, and stolen data expand the value of each compromised server. Data leaks, such as the recruitment records incident, highlight the dual financial and reputational impact of cloud exploitation campaigns.

Defensive strategies must evolve accordingly. Traditional endpoint-centric security is insufficient. Organizations must embrace cloud-native monitoring, automated secrets management, and strict API exposure controls. Detection of anomalous DaemonSets, unexpected container deployments, and large-scale scanning traffic is essential. Furthermore, integrating automated vulnerability scanning with proactive configuration hardening could dramatically reduce TeamPCP’s attack surface.
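Detecting the anomalous DaemonSets mentioned above can be done from the cluster's own API output. The triage below is an added example, written for this article rather than taken from it or from any project: it walks a DaemonSet list in the shape of `kubectl get daemonsets -A -o json` and scores each one on the properties the kube.py module is described as using (privileged containers, host PID namespace, the host root filesystem mounted into the pod) plus a registry allowlist. The sample items, names, images and the allowlist are all constructed assumptions; a benign node exporter is included so the scoring can be seen to separate the two.

```python
import json
from typing import Optional

# Assumed organisation registry allowlist; anything else is worth a look.
ALLOWED_REGISTRIES = ("registry.internal.example/",)
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

# Constructed sample in the shape of `kubectl get daemonsets -A -o json`,
# trimmed to the fields the check reads. Names, namespaces and images are
# invented; the second item has the profile the article describes.
SAMPLE_DAEMONSET_LIST = json.dumps({"items": [
    {
        "metadata": {"name": "node-exporter", "namespace": "monitoring"},
        "spec": {"template": {"spec": {
            "hostNetwork": True,
            "volumes": [{"name": "proc", "hostPath": {"path": "/proc"}}],
            "containers": [{
                "name": "exporter",
                "image": "registry.internal.example/monitoring/node-exporter:1.8",
                "securityContext": {"privileged": False},
                "volumeMounts": [{"name": "proc", "mountPath": "/host/proc",
                                  "readOnly": True}],
            }],
        }}},
    },
    {
        "metadata": {"name": "kube-system-helper", "namespace": "kube-system"},
        "spec": {"template": {"spec": {
            "hostPID": True,
            "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
            "containers": [{
                "name": "helper",
                "image": "docker.io/library/alpine:latest",
                "securityContext": {"privileged": True},
                "volumeMounts": [{"name": "root", "mountPath": "/host"}],
            }],
        }}},
    },
]})


def daemonset_findings(ds_list_json: str) -> dict[str, list[tuple[str, str]]]:
    """Map 'namespace/name' to (severity, reason) findings for every DaemonSet
    whose pod template touches the node in a way worth reviewing."""
    report: dict[str, list[tuple[str, str]]] = {}
    for item in json.loads(ds_list_json).get("items", []):
        meta = item["metadata"]
        key = f"{meta['namespace']}/{meta['name']}"
        pod = item["spec"]["template"]["spec"]
        found: list[tuple[str, str]] = []

        if pod.get("hostPID"):
            found.append(("MEDIUM", "hostPID: pod shares the node's process namespace"))
        if pod.get("hostNetwork"):
            found.append(("LOW", "hostNetwork: pod shares the node's network namespace"))

        # hostPath volumes keyed by volume name, so mounts can be resolved.
        host_paths = {v["name"]: v["hostPath"]["path"]
                      for v in pod.get("volumes", []) if "hostPath" in v}

        for c in pod.get("containers", []):
            name = c["name"]
            if (c.get("securityContext") or {}).get("privileged"):
                found.append(("HIGH", f"container {name} runs privileged"))
            if not c["image"].startswith(ALLOWED_REGISTRIES):
                found.append(("MEDIUM", f"container {name} pulls {c['image']} "
                                        "from outside the allowed registries"))
            for vm in c.get("volumeMounts", []):
                path = host_paths.get(vm["name"])
                if path is None:
                    continue  # not a hostPath volume
                if path == "/":
                    found.append(("HIGH", f"container {name} mounts the node root "
                                          f"filesystem at {vm['mountPath']}"))
                elif not vm.get("readOnly", False):
                    found.append(("MEDIUM", f"container {name} mounts host path {path} writable"))
                else:
                    found.append(("LOW", f"container {name} mounts host path {path} read-only"))
        if found:
            report[key] = found
    return report


def highest_severity(findings: list[tuple[str, str]]) -> Optional[str]:
    """Worst severity in a findings list, or None when the list is empty."""
    if not findings:
        return None
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.__getitem__)


if __name__ == "__main__":
    for key, found in daemonset_findings(SAMPLE_DAEMONSET_LIST).items():
        print(f"{key} [{highest_severity(found)}]")
        for sev, reason in found:
            print(f"  {sev:6} {reason}")
```

Run against a real cluster, this belongs in a scheduled job that diffs today's report against yesterday's: a DaemonSet that newly appears with a HIGH rating in kube-system is exactly the "unexpected container deployment" signal the article calls for, and the same checks can be enforced ahead of time with an admission policy so the object is rejected rather than merely reported.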

Finally, the campaign demonstrates the industrialization of cybercrime in cloud environments. Threat actors are moving beyond opportunistic attacks toward automated, repeatable, high-scale operations. This evolution demands that cloud operators, security teams, and policymakers recognize the systemic risks of exposed cloud workloads and implement comprehensive, multi-layered defenses.

Fact Checker Results:

✅ TeamPCP targets exposed cloud infrastructure, not personal devices.

✅ The campaign relies on misconfigurations rather than zero-day exploits.

✅ Compromised servers are used for cryptomining, proxies, C2 relays, and data exfiltration.

Prediction:

💡 The rise of automated, worm-like cloud exploitation campaigns is likely to increase in frequency and scale throughout 2026, with threat actors increasingly monetizing compromised cloud workloads. Organizations that fail to enforce cloud-native security controls may face repeated, industrial-scale breaches, potentially combining cryptomining, proxy abuse, and sensitive data leaks in a single attack chain.

References:

Reported By: cyberpress.org