PROBABLYPWNED
Malware | February 18, 2026 | 4 min read

TeamPCP Worm Turns Cloud Misconfigs Into Cybercrime Platform

Cloud-native worm campaign by TeamPCP has compromised 60,000+ servers by exploiting Docker APIs, Kubernetes, and React2Shell. Flare researchers detail the industrialized operation.

James Rivera

A self-propagating worm campaign has turned at least 60,000 cloud servers into a distributed cybercrime platform. The operation, attributed to a group calling themselves TeamPCP, exploits misconfigured Docker APIs, Kubernetes clusters, and the critical React2Shell vulnerability to build infrastructure for cryptomining, ransomware deployment, and proxy services.

Flare researchers documented the campaign, which began around Christmas 2025 and continues expanding. Unlike targeted intrusions, TeamPCP operates opportunistically—any exposed cloud service becomes a victim.

How the Worm Spreads

TeamPCP's operation leverages multiple attack vectors simultaneously. Each compromised server scans for and infects the next vulnerable target, creating exponential growth.

The primary infection paths include:

  • Exposed Docker APIs - Unauthenticated Docker daemons allow arbitrary container deployment
  • Kubernetes clusters - Misconfigured RBAC enables credential harvesting and persistent backdoors
  • Ray dashboards - Unprotected machine learning infrastructure provides compute access
  • Redis servers - Open instances serve as beachheads into internal networks
  • React/Next.js applications - CVE-2025-55182 (CVSS 10.0) enables remote command execution

The worm's modular design uses specialized Python scripts for each function. scanner.py identifies targets using GitHub-hosted CIDR lists. kube.py harvests Kubernetes credentials and deploys backdoors. react.py exploits vulnerable React applications. pcpcat.py discovers exposed services across IP ranges.

Monetization at Scale

What sets TeamPCP apart isn't technical sophistication—their exploits and malware are mostly based on known vulnerabilities and lightly modified open-source tools. The threat lies in operational integration.

Compromised servers serve multiple purposes:

  1. Cryptomining - Direct revenue through unauthorized computing resources
  2. Proxy services - Selling access to other criminals for anonymization
  3. Scanning infrastructure - Distributed reconnaissance for future attacks
  4. C2 relays - Hosting command infrastructure for ransomware operations
  5. Data exfiltration - Harvesting credentials and sensitive files for extortion

The group operates a Telegram channel with over 700 members where they publish stolen data from victims across Canada, Serbia, South Korea, the UAE, and the United States. This public shaming mirrors ransomware gang tactics but applies to a broader victim base.

Attribution and Timeline

TeamPCP—also tracked as DeadCatx3, PCPcat, PersyPCP, and ShellForce—has had attack activity documented since at least November 2025, and its earliest documented Telegram activity dates to July 2025. The Christmas campaign represented a significant escalation in scale.

The group's C2 infrastructure centers on 67.217.57[.]240, which researchers linked to Sliver C2 framework operations. Their GitHub account under the DeadCatx3 handle hosts CIDR scanning lists used in target identification.

Who's at Risk

Any organization running cloud infrastructure with default or misconfigured access controls faces exposure. The worm doesn't discriminate by industry—it targets "opportunistic infrastructure" rather than specific verticals.

High-risk configurations include:

  • Docker daemons listening on 0.0.0.0:2375 over plain TCP, or on 2376 without TLS client-certificate verification
  • Kubernetes API servers accessible without authentication
  • Ray dashboards exposed without access controls
  • Redis instances accessible from the internet
  • React/Next.js applications unpatched against CVE-2025-55182
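For the first item in that list, the weak setting and its corrected form, as an added example (not a configuration from the Flare report). The insecure variant is a /etc/docker/daemon.json containing "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"], which publishes the Engine API on every interface with no authentication at all. The hardened version below binds only to an internal management address (10.0.0.5 is an assumed example), requires TLS, and accepts only clients presenting a certificate signed by the CA in tlscacert; the certificate paths are assumptions.

```json
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
```

Two caveats a practitioner will hit: on systemd-based distributions the packaged unit already passes -H fd:// to dockerd, so setting "hosts" in daemon.json fails with a conflict unless that flag is removed from the unit (a drop-in override is the usual fix); and tlsverify without tlsverify-grade client certificate management is easy to roll back in a hurry, so treat the cert issuance process as part of the change, not an afterthought. If nothing outside the host needs the API, the safest setting is to remove the tcp:// entry entirely and reach the socket over SSH.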

The 60,000+ compromised servers already represent significant blast radius, but the worm continues propagating. Organizations that patched React2Shell after our initial coverage may have avoided this specific campaign, but the other attack vectors remain active.

Defensive Recommendations

Flare's analysis suggests straightforward mitigations can break the infection chain:

  1. Audit cloud API exposure - Enumerate all Docker, Kubernetes, and Redis instances accessible from the internet
  2. Enforce authentication everywhere - No management interface should accept anonymous connections
  3. Patch React2Shell immediately - CVE-2025-55182 remains under active mass exploitation
  4. Monitor for IOCs - Block traffic to 67.217.57[.]240 and audit for connections to TeamPCP infrastructure
  5. Review Kubernetes RBAC - Ensure service accounts follow least-privilege principles
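A minimal exposure audit for items 1 and 2 above, written as an added example; it is not Flare's tooling and contains nothing from TeamPCP's scripts. It sends the same kind of unauthenticated probes the worm would (Docker GET /version, an anonymous Kubernetes GET /api, a bare Redis PING) against an inventory you supply and classifies each answer. Target addresses and the sample replies are constructed; run it only against hosts you are authorised to test. Ray dashboards are not probed here.

```python
"""Probe the management ports the worm scans for and report which answer
without credentials. Added example; targets and sample replies are constructed."""
import json
import socket
import ssl

TIMEOUT = 3.0  # seconds; a filtered host must not stall the sweep
NO_ANSWER = "no answer (closed, filtered, or TLS client auth rejected us)"


def http_get(host, port, path, use_tls=False):
    """Raw HTTP/1.1 GET with no third-party deps.
    Returns (status, body); status is None if nothing HTTP-like came back."""
    req = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
           "Accept: application/json\r\nConnection: close\r\n\r\n").encode()
    try:
        sock = socket.create_connection((host, port), timeout=TIMEOUT)
        if use_tls:
            # We test our own hosts for exposure, not their identity, so
            # certificate validation is deliberately off for the probe.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        with sock:
            sock.sendall(req)
            raw = b""
            while chunk := sock.recv(4096):
                raw += chunk
    except OSError:  # timeouts, refused connections and TLS failures
        return None, b""
    head, _, body = raw.partition(b"\r\n\r\n")
    try:
        return int(head.split(b" ", 2)[1]), body
    except (IndexError, ValueError):
        return None, b""


def classify_docker(status, body):
    """GET /version on the Engine API. A 200 without credentials means anyone
    reaching the port can start a privileged container on the host."""
    if status is None:
        return NO_ANSWER
    if status == 200:
        try:
            info = json.loads(body)
        except ValueError:
            info = {}
        if "ApiVersion" in info:
            return f"EXPOSED: Docker Engine {info.get('Version', '?')} answers unauthenticated API calls"
    return f"unknown (HTTP {status})"


def classify_kubernetes(status, body):
    """Anonymous GET /api on the API server.
    200 -> anonymous requests are authorised (worst case)
    403 -> anonymous auth is on, RBAC denied this one (still worth fixing)
    401 -> anonymous auth is off"""
    if status is None:
        return NO_ANSWER
    if status == 200:
        try:
            kind = json.loads(body).get("kind")
        except (ValueError, AttributeError):
            kind = None
        if kind == "APIVersions":
            return "EXPOSED: anonymous user is authorised to read the API"
    if status == 403:
        return "WARN: anonymous auth enabled (RBAC denied); set --anonymous-auth=false"
    if status == 401:
        return "ok: authentication required"
    return f"unknown (HTTP {status})"


def redis_ping(host, port=6379):
    """Send a bare RESP PING; returns the raw reply, b'' if unreachable."""
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as sock:
            sock.sendall(b"PING\r\n")
            return sock.recv(256)
    except OSError:
        return b""


def classify_redis(reply):
    """+PONG means no requirepass/ACL: a remote client can write the dataset
    and, via CONFIG SET dir/dbfilename, arbitrary files on disk."""
    if not reply:
        return NO_ANSWER
    if reply.startswith(b"+PONG"):
        return "EXPOSED: Redis accepts unauthenticated commands"
    if reply.startswith(b"-NOAUTH"):
        return "ok: authentication required"
    if reply.startswith(b"-DENIED"):
        return "ok: protected mode rejects remote clients"
    return f"unknown ({reply[:40]!r})"


def audit(targets):
    """targets: iterable of (service, host, port). Returns {target: verdict}."""
    results = {}
    for service, host, port in targets:
        if service == "docker":
            verdict = classify_docker(*http_get(host, port, "/version", use_tls=port == 2376))
        elif service == "kubernetes":
            verdict = classify_kubernetes(*http_get(host, port, "/api", use_tls=True))
        elif service == "redis":
            verdict = classify_redis(redis_ping(host, port))
        else:
            verdict = "unsupported service"
        results[(service, host, port)] = verdict
    return results
```

Feed audit() a list such as [("docker", "192.0.2.10", 2375), ("kubernetes", "192.0.2.11", 6443), ("redis", "192.0.2.12", 6379)] (constructed addresses) and grep the verdicts for EXPOSED and WARN. Two things to keep in mind when reading the output: a "no answer" on 2376 often just means the daemon correctly demanded a client certificate, and a Kubernetes 403 is not a pass, because anonymous authentication is still switched on and one permissive ClusterRoleBinding away from a 200.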

The campaign demonstrates that cloud security basics still fail at scale. TeamPCP isn't exploiting novel vulnerabilities or sophisticated techniques—they're harvesting the low-hanging fruit of misconfigured infrastructure. For organizations with mature cloud security, this campaign is background noise. For everyone else, it's a wake-up call that default configurations aren't acceptable in production.
