Introduction
TeamPCP, also recognized as PCPcat, ShellForce, and DeadCatx3, surfaced in late 2025 as a prominent threat to cloud environments. The group targets vulnerable Docker APIs, Kubernetes clusters, and Redis servers, among other systems. Their recent campaign aims to develop a large-scale proxy and scanning setup to compromise servers for various malicious activities, including data theft and cryptocurrency mining.
Their operations spiked during the Christmas season of 2025 and tapered off afterwards. Despite this, the group continued to boast about its compromises on Telegram channels, indicating that it remained active.
Strategic Exploitation and Automation
What distinguishes TeamPCP is their operational scale rather than groundbreaking techniques. They leverage known vulnerabilities to establish a cloud-based exploitation platform, effectively turning compromised infrastructure into a self-sustaining criminal network. Their strength lies in automating processes to repurpose servers for cryptomining, data hosting, and more.
Flare researchers have identified 185 servers compromised by TeamPCP, each running attacker-deployed containers with consistent command patterns. The consistency of those patterns gives insight into the group's methods. A primary command-and-control node was observed on numerous hosts, alongside additional infrastructure, suggesting either redundancy or a change of infrastructure in progress.
Targeted Sectors and Geographic Impact
The majority of the leaked data originates from Western countries, impacting sectors like e-commerce, finance, and human resources. Notably, cloud infrastructures are predominantly affected, with Azure and AWS accounting for 97% of compromised servers. This highlights the widespread reach of TeamPCP’s operations.
TeamPCP begins its operations by scanning vast IP ranges to find exposed Docker APIs and Ray dashboards. Once access is obtained, they remotely deploy malicious containers or tasks through unauthenticated management interfaces, furthering their reach.
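A defender-side check for the entry vector just described, added here as example code that is not part of the original article: it audits a Docker daemon's listener configuration (daemon.json plus the dockerd command line) and flags any Engine API endpoint reachable over TCP from non-loopback addresses without TLS client verification. The daemon.json and ExecStart strings in the block are constructed samples.

```python
import json
import shlex
from typing import Dict, List, Tuple

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def listener_hosts(daemon_json: str, exec_start: str) -> Tuple[List[str], bool]:
    """Collect every listener from daemon.json "hosts" and from -H/--host
    flags on the dockerd command line, plus whether TLS client
    verification ("tlsverify" / --tlsverify) is enabled."""
    cfg: Dict = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))
    argv = shlex.split(exec_start)
    for i, tok in enumerate(argv):
        if tok in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif tok.startswith(("-H=", "--host=")):
            hosts.append(tok.split("=", 1)[1])
    tls_verify = bool(cfg.get("tlsverify")) or "--tlsverify" in argv
    return hosts, tls_verify


def audit_docker_api(daemon_json: str, exec_start: str) -> List[Tuple[str, str]]:
    """Return (severity, listener) for each TCP listener of the Engine API.
    unix:// and fd:// sockets are local-only and are never reported."""
    hosts, tls_verify = listener_hosts(daemon_json, exec_start)
    findings = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue
        rest = h[len("tcp://"):]
        if rest.startswith("["):                       # bracketed IPv6 literal
            addr = rest[1:rest.index("]")]
        else:                                          # empty addr == all interfaces
            addr = rest.rpartition(":")[0] if ":" in rest else rest
        if addr in LOOPBACK:
            findings.append(("INFO", h))               # reachable from this host only
        elif tls_verify:
            findings.append(("WARN", h))               # remote, but client certs required
        else:
            findings.append(("CRITICAL", h))           # remote and unauthenticated
    return findings


if __name__ == "__main__":
    # Constructed sample: daemon.json exposes the API on all interfaces, no TLS.
    SAMPLE_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
    SAMPLE_UNIT = "/usr/bin/dockerd --containerd=/run/containerd/containerd.sock"
    for severity, listener in audit_docker_api(SAMPLE_JSON, SAMPLE_UNIT):
        print(severity, listener)
```

Run it against the real /etc/docker/daemon.json and the ExecStart line from `systemctl cat docker`; any CRITICAL finding is the condition the scanning described above looks for.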
Advanced Propagation Techniques
TeamPCP employs a script, proxy.sh, as the cornerstone of their campaign. This script installs necessary proxy and peer-to-peer tools, ensuring persistent scanning for vulnerable servers. It systematically registers system services to maintain these infected hosts as active nodes in their network.
Upon detecting Kubernetes setups, the script adapts by deploying cluster-specific payloads, showcasing their tailored approach for cloud-native environments. This strategy emphasizes TeamPCP’s focus on leveraging cloud-specific vulnerabilities over traditional malware tactics.
Conclusion
TeamPCP’s operations exemplify the evolving landscape of cybercrime, where cloud environments are increasingly targeted. Their ability to automate and scale their operations presents a significant threat to cloud security. As their tactics continue to develop, organizations must prioritize securing their cloud infrastructures to mitigate potential risks.
