EXECUTIVE SUMMARY:
TeamPCP, also referred to by aliases such as PCPcat, ShellForce, and DeadCatx3, represents an emerging cloud-native ransomware and exploitation campaign observed targeting modern cloud infrastructure. Unlike traditional ransomware operations that focus on endpoints or enterprise networks, this campaign primarily abuses exposed cloud services and orchestration layers, including Docker APIs, Kubernetes clusters, Redis instances, Ray dashboards, and vulnerable web frameworks. The operation is characterized by heavy automation, enabling rapid scanning, exploitation, and propagation across misconfigured environments. The campaign leverages publicly known vulnerabilities, such as React2Shell, alongside weak access controls to gain initial access and execute malicious code remotely. Once access is achieved, compromised systems are repurposed for a range of malicious objectives including ransomware deployment, data theft, cryptomining, and the establishment of proxy and tunneling infrastructure. Rather than relying on a single payload, the activity reflects a coordinated, worm-like approach that turns cloud workloads into interconnected nodes within a larger criminal ecosystem.
The campaign operates through a modular toolset designed to automate discovery, exploitation, and persistence across cloud environments. A central script acts as an initial payload, deploying scanning utilities, proxy components, and persistence mechanisms that allow compromised hosts to survive restarts and continue operations. The malware performs environment awareness checks to determine whether it is running within containerized or orchestrated infrastructure, adjusting its behavior accordingly. Additional components are responsible for scanning large IP ranges to identify exposed Docker APIs, Ray dashboards, and other misconfigured services, enabling remote job execution or container deployment. Exploitation of vulnerable web frameworks allows attackers to extract sensitive environment variables, credentials, and configuration secrets, which are subsequently exfiltrated. The campaign also integrates well-known third-party tools for command-and-control and cryptomining, blending custom automation with established malware frameworks. This hybrid approach allows rapid expansion with minimal development overhead while maintaining operational flexibility.
TeamPCP exemplifies a broader evolution in cybercrime toward cloud-native, infrastructure-centric attack models. Rather than deploying isolated malware samples, the campaign functions as a multi-purpose criminal platform capable of exploiting misconfigurations at scale and converting cloud resources into revenue-generating assets. Its success demonstrates how common security gaps — such as exposed management interfaces and insufficient access controls — can be systematically weaponized through automation. The campaign’s reliance on known vulnerabilities and widely available tools reinforces that advanced exploitation techniques are not always necessary when defensive hygiene is weak. For defenders, this activity highlights the limitations of traditional endpoint-focused security approaches in cloud environments. Effective mitigation requires securing control planes, restricting API exposure, enforcing strong authentication, and continuously monitoring for anomalous workload behavior. As cloud adoption continues to accelerate, campaigns like TeamPCP illustrate how threat actors can rapidly adapt to exploit the same scalability and flexibility that organizations depend on.
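The mitigations above, restricting API exposure and enforcing strong authentication on the control plane, are the most direct counter to the exposed Docker API abuse the campaign relies on. As an added illustration, not code from the original report or from any vendor cited in it, the following script audits a Docker daemon configuration (`daemon.json`) for the weak pattern beside the hardened one. The `hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys are real `dockerd` options; the two sample configurations and the address `10.0.0.5` are constructed for the example.

```python
"""Audit a Docker daemon configuration for unauthenticated remote-API exposure.

Added example for this advisory; it is not code from the original report.
The daemon.json keys used here are real dockerd options, while the two sample
configurations below are constructed inputs for illustration.
"""
import json
from urllib.parse import urlparse

# Constructed weak sample: dockerd listening on every interface over plain TCP,
# with no TLS and no client-certificate check. Anyone who can reach port 2375
# can create containers with the daemon's privileges.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed hardened sample: the local socket plus one TLS-verified listener
# bound to a single management address, so clients must present a certificate
# signed by the configured CA before the API accepts any request.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tls": True,
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(daemon_json: str) -> list[str]:
    """Return human-readable findings; an empty list means no exposure was found."""
    cfg = json.loads(daemon_json)
    findings: list[str] = []
    for host in cfg.get("hosts", []):
        url = urlparse(host)
        if url.scheme != "tcp":
            # unix:// and fd:// listeners are only reachable from the host itself.
            continue
        if not cfg.get("tlsverify"):
            findings.append(
                f"{host}: TCP listener without client certificate verification "
                "(set \"tlsverify\": true and configure tlscacert/tlscert/tlskey)"
            )
        if url.hostname in (None, "", "0.0.0.0", "::"):
            findings.append(
                f"{host}: bound to all interfaces; bind to a management address "
                "and restrict it with a firewall"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"[{label}]")
        for finding in audit_daemon_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Run it against the contents of `/etc/docker/daemon.json` on each host; a non-empty result on a production node is the same condition the campaign's scanners look for, and it should be fixed before anything else on this page is considered.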
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
| --- | --- | --- | --- |
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Execution | T1059.004 | Command and Scripting Interpreter | Unix Shell |
| Execution | T1059.006 | Command and Scripting Interpreter | Python |
| Execution | T1106 | Native API | — |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Persistence | T1525 | Implant Internal Image | — |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | — |
| Defence Evasion | T1070.004 | Indicator Removal | File Deletion |
| Defence Evasion | T1140 | Deobfuscate/Decode Files or Information | — |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials in Files |
| Credential Access | T1552.004 | Unsecured Credentials | Private Keys |
| Discovery | T1082 | System Information Discovery | — |
| Discovery | T1613 | Container and Resource Discovery | — |
| Lateral Movement | T1021.004 | Remote Services | SSH |
| Lateral Movement | T1570 | Lateral Tool Transfer | — |
| Collection | T1005 | Data from Local System | — |
| Command and Control | T1095 | Non-Application Layer Protocol | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
| Impact | T1486 | Data Encrypted for Impact | — |
| Impact | T1496 | Resource Hijacking | — |
| Impact | T1489 | Service Stop | — |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
| --- | --- | --- |
| Impact | B0018 | Resource Hijacking |
| Impact | E1486 | Data Encrypted for Impact |
| Execution | E1203 | Exploitation for Client Execution |
| Collection | E1560 | Archive Collected Data |
| Command and Control | B0030 | C2 Communication |
| Persistence | F0011 | Modify Existing Service |
REFERENCES:
The following reports contain further technical details:
https://thehackernews.com/2026/02/teampcp-worm-exploits-cloud.html
https://flare.io/learn/resources/blog/teampcp-cloud-native-ransomware