- The TeamPCP threat cluster is running a “massive campaign” targeting misconfigured cloud-native infrastructure like Docker and Kubernetes.
- The attacks, observed since December 2025, deploy malware to steal data, deploy ransomware, and mine cryptocurrency for multiple revenue streams.
- The group exploits known vulnerabilities like React2Shell (CVE-2025-55182) and uses a “worm-driven” approach to create a self-propagating criminal ecosystem.
- The operation has already impacted victims across Canada, Serbia, South Korea, the U.A.E., and the U.S.
A significant “worm-driven” cybercrime campaign has targeted cloud-native environments since late December 2025, establishing malicious infrastructure for data theft, extortion, and cryptomining. Cybersecurity firm Flare attributes this sophisticated operation, which exploits exposed Docker APIs and critical vulnerabilities, to the threat cluster known as TeamPCP. “The operation’s goals were to build a distributed proxy and scanning infrastructure at scale, then compromise servers to exfiltrate data, deploy ransomware, conduct extortion, and mine cryptocurrency,” Flare researcher Assaf Morag said in a report.
Consequently, the group functions as a cloud-native cybercrime platform, misusing compromised resources for additional purposes like proxy relays and command-and-control servers. However, rather than using novel techniques, TeamPCP relies on known tools and misconfigurations to automate and industrialize exploitation. This transforms vulnerable infrastructure into a self-propagating ecosystem, according to analysis.
Successful breaches trigger payloads like “proxy.sh,” which fingerprints environments to deploy targeted malware, particularly within Kubernetes clusters. Other scripts, such as “scanner.py,” fetch target lists from a GitHub account to scan for weak Docker APIs and Ray dashboards while also deploying cryptocurrency miners.
Data shows the campaign primarily singles out Amazon Web Services (AWS) and Microsoft Azure environments in an opportunistic manner. The hybrid model allows the group to monetize both computing power and stolen information, fueling its criminal activities.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
