
TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure

0
Low
Exploit
Published: Mon Feb 09 2026 (02/09/2026, 08:37:00 UTC)
Source: The Hacker News

Description

Cybersecurity researchers have called attention to a "massive campaign" that has systematically targeted cloud native environments to set up malicious infrastructure for follow-on exploitation. The activity, observed around December 25, 2025, and described as "worm-driven," leveraged exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers, along with the recently disclosed

AI-Powered Analysis

AI analysis last updated: 02/09/2026, 11:07:09 UTC

Technical Analysis

TeamPCP is a worm-driven cybercrime campaign that targets cloud-native environments by exploiting exposed management interfaces and known vulnerabilities. Active since at least November 2025, it gains initial access through exposed Docker APIs, Kubernetes clusters, Ray dashboards and Redis servers, and through the critical React2Shell vulnerability (CVE-2025-55182, CVSS 10.0), then propagates from each foothold.

The tooling is a set of lightly modified open-source scripts. scanner.py and pcpcat.py sweep large IP ranges for misconfigured services and deploy malicious containers or jobs whose payloads are Base64-encoded. Once inside a cluster, kube.py harvests Kubernetes credentials, enumerates resources and deploys privileged pods that mount the host filesystem, which gives the worm persistence and a path to lateral movement. proxy.sh fingerprints the environment, installs proxy, P2P and tunneling utilities, and tailors its payload for Kubernetes clusters. React.py exploits React/Next.js flaws for remote code execution at scale.

The compromised infrastructure is then used for data exfiltration, ransomware deployment, cryptocurrency mining, proxy and C2 relays, and hosting stolen data; the C2 infrastructure includes nodes running Sliver, an open-source post-exploitation framework. The threat actor, tracked as TeamPCP (also DeadCatx3, PCPcat, PersyPCP and ShellForce), runs a Telegram channel with over 700 members where it publishes stolen data from victims in multiple countries. Targeting is opportunistic, mostly hitting cloud environments on AWS and Azure, so affected organizations are collateral victims rather than chosen targets. The operation relies on well-known vulnerabilities and existing tools; what distinguishes it is operational scale and integration, not novel techniques. Monetizing both the victims' compute and their stolen data gives the actor resilient, diversified revenue.

The campaign demonstrates a full attack lifecycle, from scanning and exploitation through persistence, tunneling and data theft to monetization, tailored to modern cloud infrastructure.

Potential Impact

European organizations utilizing cloud-native infrastructure, especially those on AWS and Microsoft Azure, face significant risks from TeamPCP. The worm's ability to exploit exposed Docker and Kubernetes APIs and critical vulnerabilities like React2Shell can lead to unauthorized access, data breaches, and persistent backdoors within cloud environments. This compromises confidentiality through data exfiltration, integrity via unauthorized code execution and ransomware deployment, and availability by potentially disrupting cloud services or mining cryptocurrency on victim resources. The campaign's opportunistic targeting means any organization with misconfigured or exposed cloud management interfaces is vulnerable, increasing the attack surface across sectors.

The publication of stolen data on public Telegram channels can lead to reputational damage, regulatory penalties under GDPR, and increased risk of follow-on attacks such as fraud and ransomware. The use of compromised infrastructure for proxying and C2 relays also poses risks of indirect involvement in broader cybercrime activities. The operational scale and automation of TeamPCP increase the likelihood of widespread impact, making it a significant threat to European cloud-reliant enterprises.

Mitigation Recommendations

European organizations should first eliminate internet exposure of the interfaces the worm scans for: Docker APIs (the unauthenticated TCP socket, usually port 2375, should not be reachable at all; if remote access is required, use TLS with client certificates), Kubernetes API servers and dashboards, Ray dashboards (which do not authenticate callers by default) and Redis servers (bind to private interfaces, keep protected mode on and require a password). Put these behind network segmentation and strict access controls, enforce role-based access control (RBAC) in Kubernetes, and disable or restrict management interfaces that are not in use.

Apply security patches promptly, especially for React2Shell (CVE-2025-55182) and other React/Next.js flaws, since the worm exploits them for remote code execution at scale.

Deploy continuous monitoring and anomaly detection tuned for cloud environments to catch the signs of a TeamPCP infection: unusual scanning, unexpected container or pod creation, and proxy or tunneling activity. Use cloud provider security tools to audit and remediate misconfigurations and enforce least privilege. Add runtime controls, such as container security platforms or admission policies, that block or alert on unauthorized container creation, privileged containers and pods that mount the host filesystem. Conduct threat hunting for indicators tied to the TeamPCP payloads (e.g., proxy.sh, scanner.py, kube.py, pcpcat.py, React.py) and monitor for traffic to known C2 infrastructure.

Educate cloud administrators on secure configuration and the risks of exposed APIs. Filter known malicious IPs at the network level and restrict outbound traffic from cloud workloads to prevent data exfiltration and C2 communication. Finally, maintain incident response plans specific to cloud-native environments so infections can be contained and remediated quickly.
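As an added example (not code from the article, from the analysis above, or from TeamPCP's own tooling), the following Python script shows what the audit-log and runtime detection recommended above looks like in practice. It flags the pod and container creation pattern the Technical Analysis attributes to kube.py and to the Docker API payloads: privileged containers, host PID/network/IPC namespaces, and hostPath or bind mounts of the host root, runtime sockets or kubelet directories. It reads newline-delimited JSON and handles two record types: Kubernetes API server audit events (the audit policy must log pods at level Request or RequestResponse so that requestObject carries the pod spec) and Docker Engine API POST /containers/create bodies. The sample events, the `_remote` field on the Docker record (the Docker API has no such field; it stands in for the client address a socket proxy or logger would record) and the list of sensitive host paths are constructed assumptions for the demonstration.

```python
"""Flag container/pod creation requests that grant host-level access.

Added example, not code from the article or from TeamPCP's tooling.
Handles Kubernetes audit events (level Request/RequestResponse so that
`requestObject` holds the pod spec) and Docker Engine API
`POST /containers/create` bodies. All sample events are constructed.
"""
import json
from typing import Iterable

# Host paths that hand over the node when mounted (assumed list; root "/"
# is handled separately below). Runtime sockets, kubelet state and /etc.
SENSITIVE_HOST_PATHS = ("/var/run", "/run", "/etc", "/var/lib/kubelet", "/proc")


def is_sensitive_host_path(path: str) -> bool:
    """True for the host root or anything under a sensitive prefix."""
    norm = path.rstrip("/") or "/"
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def check_pod_spec(spec: dict) -> list[str]:
    """Return the reasons a Kubernetes pod spec looks like a host-takeover pod."""
    reasons = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            reasons.append(f"{flag}=true")
    for vol in spec.get("volumes", []):
        hp = vol.get("hostPath")
        if hp and is_sensitive_host_path(hp.get("path", "")):
            reasons.append(f"hostPath {hp['path']} mounted as volume {vol.get('name')}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            reasons.append(f"container {c.get('name')} is privileged")
        if "SYS_ADMIN" in ((sc.get("capabilities") or {}).get("add") or []):
            reasons.append(f"container {c.get('name')} adds CAP_SYS_ADMIN")
    return reasons


def check_docker_create(body: dict) -> list[str]:
    """Same check for a Docker Engine API POST /containers/create body."""
    reasons = []
    hc = body.get("HostConfig") or {}
    if hc.get("Privileged"):
        reasons.append("HostConfig.Privileged=true")
    for mode in ("PidMode", "NetworkMode", "IpcMode"):
        if hc.get(mode) == "host":
            reasons.append(f"HostConfig.{mode}=host")
    for bind in hc.get("Binds") or []:
        src = bind.split(":", 1)[0]          # Binds are "host:container[:opts]"
        if is_sensitive_host_path(src):
            reasons.append(f"bind mount of host {src}")
    return reasons


def scan_events(lines: Iterable[str]) -> list[dict]:
    """Run both checks over newline-delimited JSON records.

    A Kubernetes audit event is recognised by kind/verb/objectRef; any
    record carrying a HostConfig key is treated as a Docker create body.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if (ev.get("kind") == "Event" and ev.get("verb") == "create"
                and ev.get("objectRef", {}).get("resource") == "pods"):
            spec = (ev.get("requestObject") or {}).get("spec") or {}
            reasons = check_pod_spec(spec)
            actor = ev.get("user", {}).get("username", "?")
            target = f"{ev['objectRef'].get('namespace')}/{ev['objectRef'].get('name')}"
            source = "k8s-audit"
        elif "HostConfig" in ev:
            reasons = check_docker_create(ev)
            # `_remote` is an assumed field added by whatever logged the request.
            actor, target, source = ev.get("_remote", "?"), ev.get("Image", "?"), "docker-api"
        else:
            continue
        if reasons:
            findings.append({"line": n, "source": source, "actor": actor,
                             "target": target, "reasons": reasons})
    return findings


# Constructed samples: a benign pod, a host-takeover pod of the kind the
# analysis describes, and a privileged Docker container create request.
SAMPLE_EVENTS = [
    json.dumps({"kind": "Event", "verb": "create",
                "objectRef": {"resource": "pods", "namespace": "web", "name": "api-7f"},
                "user": {"username": "system:serviceaccount:ci:deployer"},
                "requestObject": {"spec": {"containers": [
                    {"name": "api", "image": "registry.internal/api:1.4"}]}}}),
    json.dumps({"kind": "Event", "verb": "create",
                "objectRef": {"resource": "pods", "namespace": "default", "name": "kube-sys"},
                "user": {"username": "system:serviceaccount:default:default"},
                "requestObject": {"spec": {"hostPID": True,
                    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
                    "containers": [{"name": "c", "image": "alpine",
                        "securityContext": {"privileged": True},
                        "volumeMounts": [{"name": "host", "mountPath": "/host"}]}]}}}),
    json.dumps({"_remote": "203.0.113.7", "Image": "alpine",
                "Cmd": ["sh", "-c", "echo <base64 payload> | base64 -d | sh"],
                "HostConfig": {"Privileged": True, "PidMode": "host",
                               "Binds": ["/:/host"]}}),
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it prints the two findings from the constructed samples; pointing it at a real audit log is a matter of replacing SAMPLE_EVENTS with the file's lines. Pods that legitimately need host access (a CNI plugin or node agent DaemonSet in kube-system) will also be flagged, so allow-list by namespace and service account rather than by weakening the checks, and treat any privileged pod created by a default service account, as in the second sample, as a high-priority alert.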


Technical Details

Article Source: https://thehackernews.com/2026/02/teampcp-worm-exploits-cloud.html (fetched 2026-02-09T11:06:21Z, 1345 words)

Threat ID: 6989bfb04b57a58fa1460078

Added to database: 2/9/2026, 11:06:24 AM

Last enriched: 2/9/2026, 11:07:09 AM

Last updated: 2/20/2026, 1:40:08 AM

Views: 135

Community Reviews

0 reviews

