TeamPCP Worm: How Criminals Exploit the Cloud

Cloud infrastructure has become the backbone of modern business—but it’s also becoming the backbone of cybercrime. Researchers recently uncovered a massive worm‑driven campaign by a threat cluster known as TeamPCP (aka DeadCatx3, PCPcat, PersyPCP, ShellForce). Their goal? To turn misconfigured cloud environments into a self‑propagating criminal ecosystem.

How the Worm Works

TeamPCP doesn’t rely on cutting‑edge exploits. Instead, it weaponizes misconfigurations and known vulnerabilities across cloud‑native environments:

  • Exposed Docker APIs & Kubernetes clusters
  • Ray dashboards & Redis servers
  • React2Shell (CVE‑2025‑55182) with a CVSS score of 10.0

Once inside, the worm deploys payloads like:

  • proxy.sh → Installs proxy, tunneling, and scanning utilities.
  • scanner.py → Finds misconfigured Docker APIs and Ray dashboards.
  • kube.py → Harvests Kubernetes credentials and drops persistent backdoors.
  • react.py → Exploits React/Next.js flaws for remote command execution.
  • pcpcat.py → Deploys malicious containers across large IP ranges.

What Makes TeamPCP Dangerous

  • Scale over novelty: They industrialize exploitation, automating scanning, persistence, and monetization.
  • Cloud‑native focus: Distinct tooling for Kubernetes and modern cloud stacks.
  • Hybrid monetization: Mining cryptocurrency, exfiltrating data, publishing leaks, and enabling ransomware/extortion.
  • Community building: Their Telegram channel has 700+ members, fueling reputation and recruitment.

Who’s at Risk?

TeamPCP primarily targets AWS and Azure environments, but any exposed cloud service can become collateral damage. Victims span industries and geographies, including Canada, Serbia, South Korea, the UAE, and the U.S.

Defensive Takeaways

  • Audit cloud configurations: Lock down Docker, Kubernetes, Redis, and dashboards.
  • Patch known CVEs: Especially React2Shell and other high‑severity flaws.
  • Monitor for persistence: Look for privileged pods or unusual proxy/tunneling activity.
  • Threat intelligence integration: Track IoCs linked to TeamPCP infrastructure (e.g., C2 nodes like 67.217.57[.]240).
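One way to act on the "monitor for persistence" point is to audit a cluster's pod specs for the traits the post associates with the worm's backdoors (privileged containers, host namespaces, host-path mounts of the Docker socket). The script below is an added example, not code from the post or from any TeamPCP tooling; it parses the JSON shape produced by `kubectl get pods -A -o json` and runs against a constructed sample so it works offline.

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json` (not real cluster data).
SAMPLE_PODS = json.dumps({
    "items": [
        {"metadata": {"name": "web", "namespace": "prod"},
         "spec": {"containers": [{"name": "app", "image": "nginx:1.27",
                                  "securityContext": {}}]}},
        {"metadata": {"name": "dropper", "namespace": "kube-system"},
         "spec": {"hostPID": True, "hostNetwork": True,
                  "volumes": [{"name": "dock",
                               "hostPath": {"path": "/var/run/docker.sock"}}],
                  "containers": [{"name": "x", "image": "alpine",
                                  "securityContext": {"privileged": True},
                                  "volumeMounts": [{"name": "dock",
                                                    "mountPath": "/var/run/docker.sock"}]}]}},
    ]
})


def audit_pods(pod_json):
    """Return (namespace/pod, reason) tuples for pods with persistence-style risk traits."""
    findings = []
    for item in json.loads(pod_json).get("items", []):
        meta = item.get("metadata", {})
        spec = item.get("spec", {})
        ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        # Host namespaces give a container visibility into node processes and network.
        for key in ("hostPID", "hostNetwork", "hostIPC"):
            if spec.get(key):
                findings.append((ident, f"{key}=true"))
        # Mounting the Docker socket or the node root lets a pod control the host.
        for vol in spec.get("volumes", []):
            path = vol.get("hostPath", {}).get("path", "")
            if path.startswith("/var/run/docker.sock") or path == "/":
                findings.append((ident, f"hostPath mount of {path}"))
        # Privileged containers bypass most kernel isolation.
        for c in spec.get("containers", []):
            sc = c.get("securityContext") or {}
            if sc.get("privileged"):
                findings.append((ident, f"container {c.get('name')} is privileged"))
    return findings


if __name__ == "__main__":
    for pod, reason in audit_pods(SAMPLE_PODS):
        print(f"{pod}: {reason}")
```

Pipe real `kubectl get pods -A -o json` output into `audit_pods` and treat any hit outside known system workloads as something to explain, not just to log.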

Final Thought

TeamPCP shows that cloud misconfigurations are the new ransomware gateways. Their worm doesn’t just compromise servers—it builds a criminal infrastructure at scale, blending exploitation with monetization. For defenders, the lesson is clear: cloud security hygiene is non‑negotiable.
