Commvault A.I CyberSecurity Scoring
Commvault
Company Information
Website: https://www.commvault.com
Number of employees: 3,481
Number of followers: 185,345
NAICS:
Industry Type: Data Security Software Products
Homepage: commvault.com
Commvault Risk Score (AI oriented)
Between 750 and 799
Commvault: Data Security Software Products
Updated: 28/03/2026
763/1000
Fair
Baa
Commvault Global Score (TPRM): score locked

Current Score: 763 Baa (FAIR), on a scale of 0 to 1000
3 incidents
-18 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
754
MAY 2026
766
APRIL 2026
765
MARCH 2026
763
FEBRUARY 2026
763
JANUARY 2026
763
DECEMBER 2025
768
Cyber Attack
26 Dec 2025 • Commvault
Oracle Cloud, Azure and AWS: TeamPCP Turns Cloud Infrastructure into Crime Bots
TeamPCP Exploits Cloud Misconfigurations in Large-Scale Cybercrime Operation
750
CRITICAL-18
AMAORAMIC1770695748
A threat actor known as TeamPCP (also operating under aliases like PCPcat and ShellForce) is conducting automated, worm-like attacks on misconfigured and exposed cloud management services, compromising at least 60,000 servers worldwide since late December. The group’s campaign primarily targets Azure (60% of attacks), AWS (37%), and Google and Oracle cloud environments, exploiting well-documented vulnerabilities and misconfigurations rather than developing new attack methods.
TeamPCP’s operations involve scanning for exposed Docker APIs, Kubernetes clusters, Ray dashboards, and systems with leaked secrets (such as `.env` files). Once inside, the group deploys malicious Python and Shell scripts to install proxies, tunneling software, and persistence mechanisms, effectively converting compromised infrastructure into a self-propagating botnet. A key tool in their arsenal is the React2Shell vulnerability (CVE-2025-29927), which allows remote command execution and data exfiltration.
The group monetizes its attacks through multiple revenue streams, including:
- Cryptocurrency mining using hijacked compute resources.
- Data theft and extortion, with stolen records including personal IDs, employment records, and résumés published on a leak site operated by an affiliate, ShellForce.
- Selling access to compromised systems for use as proxies or command-and-control infrastructure.
- Ransomware deployment, leveraging infected systems as launchpads for further attacks.
Notably, TeamPCP has targeted JobsGO, a Vietnamese recruitment platform, exfiltrating over two million records containing sensitive personal and professional data. Most victims are located in South Korea, Canada, the U.S., Serbia, and the UAE, with stolen information often used for phishing, impersonation, or account takeovers.
Despite its sophistication, TeamPCP’s techniques are not novel: the group relies on automated exploitation of known vulnerabilities and recycled tooling. Security firm Flare warns that the threat actor’s strength lies in its large-scale automation, turning exposed cloud infrastructure into a distributed criminal ecosystem. The group also maintains a Telegram channel (launched in November, with ~700 members) for updates and reputation-building, though researchers suggest it may have operated under previous aliases.
The campaign underscores the risks of unsecured cloud control planes, leaked credentials, and poor access controls, as TeamPCP continues to industrialize existing attack vectors with alarming efficiency.
NOVEMBER 2025
768
OCTOBER 2025
768
SEPTEMBER 2025
767
AUGUST 2025
767
JULY 2025
767
APRIL 2025
770
Vulnerability
01 Apr 2025 • Commvault
Commvault Command Center Path Traversal Vulnerability
766
LOW-4
COM743042525
In April 2025, researchers uncovered a critical path traversal vulnerability (CVE-2025-34028) in Commvault Command Center Innovation Release (versions 11.38.0 to 11.38.19). This flaw allows unauthenticated attackers to trigger a server-side request forgery that fetches and unpacks a malicious ZIP archive from a remote host. Once extracted, the payload installs a reverse shell, granting full remote code execution privileges on the backup management server. Successful exploitation can lead to unauthorized access to backup data, tampering or deletion of critical recovery sets, or the deployment of additional malware across protected endpoints. Organizations relying on these on-premise systems risk severe operational disruption due to compromised backup integrity and potential data loss. Threat actors could exfiltrate sensitive corporate and customer information stored in backups, undermine disaster recovery processes, and stage lateral movements to other internal assets. Unpatched instances may also serve as a foothold for persistent intrusion, ultimately eroding trust in data protection mechanisms, causing financial and reputational damage, and delaying incident response during recovery efforts. Though a patch is available in versions 11.38.20 and later, failure to update exposes enterprises to significant security and compliance risks.
MARCH 2025
774
Vulnerability
01 Mar 2025 • Commvault
Commvault Webserver Vulnerability (CV_2025_03_1)
770
CRITICAL-4
COM949031025
Commvault faced a critical Webserver vulnerability (CV_2025_03_1) affecting versions 11.20 through 11.36, posing substantial risks to data protection and system integrity. If exploited, this vulnerability could have allowed attackers to execute webshells, gaining unauthorized system control. Commvault quickly released patches for Linux and Windows platforms, mitigating the risk. Organizations using affected versions were urged to update immediately to prevent potential data breaches, unauthorized access, and operational disruptions, highlighting the importance of maintaining strict cybersecurity practices and regular software updates.