TeamPCP Launches Large-Scale Cloud-Native Cybercrime Campaign Cybersecurity researchers have uncovered a worm-driven campaign orchestrated by the threat group TeamPCP (also known as DeadCatx3, PCPcat, PersyPCP, and ShellForce), which has systematically targeted cloud-native environments to establish malicious infrastructure for follow-on exploitation. The operation, active since at least November 2025, was first observed around December 25, 2025, and leverages exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and the critical React2Shell vulnerability (CVE-2025-55182, CVSS 10.0). TeamPCP operates as a cloud-native cybercrime platform, exploiting misconfigurations and known vulnerabilities to breach modern cloud infrastructure. The group’s activities were first documented in December 2025 under Operation PCPcat, with its Telegram channel active since July 30, 2025 now hosting over 700 members and publishing stolen data from victims in Canada, Serbia, South Korea, the U.A.E., and the U.S. The campaign’s objectives include building a distributed proxy and scanning infrastructure, compromising servers for data exfiltration, ransomware deployment, extortion, and cryptocurrency mining. Rather than employing novel techniques, TeamPCP relies on automated, industrialized exploitation of well-known vulnerabilities and misconfigurations, transforming compromised infrastructure into a self-propagating criminal ecosystem. Key components of the attack include: - proxy.sh: Installs proxy, P2P, and tunneling utilities, along with scanners to identify vulnerable servers. It performs environment fingerprinting, branching into Kubernetes-specific execution paths if detected. - scanner.py: Scans for misconfigured Docker APIs and Ray dashboards using CIDR lists from a GitHub account (DeadCatx3), with options to deploy a cryptocurrency miner (mine.sh). - kube.py: Harvests Kubernetes cluster credentials, discovers resources, and propagates proxy.sh across pods while establishing persistent backdoors via privileged pods. - react.py: Exploits CVE-2025-29927 in React applications for remote command execution. - pcpcat.py: Automates the discovery of exposed Docker APIs and Ray dashboards, deploying malicious containers with Base64-encoded payloads. The campaign’s command-and-control (C2) server (67.217.57[.]240) has been linked to Sliver, an open-source C2 framework frequently abused by threat actors. Targets are primarily AWS and Microsoft Azure environments, with attacks being opportunistic rather than industry-specific, making organizations running such infrastructure collateral victims. TeamPCP’s hybrid monetization model combines infrastructure exploitation, data theft, and extortion, with stolen data including CV databases, identity records, and corporate files published via ShellForce to fuel ransomware, fraud, and cybercrime reputation-building. The group’s reliance on modified open-source tools and known vulnerabilities underscores its focus on scale and operational integration rather than technical innovation.

The Maryland Office of the Attorney General reported that Dawson James Securities, Inc. experienced unauthorized access to its network between June 29, 2023, and June 30, 2023. The incident potentially affected personal information, including names, but the specific number of individuals impacted is not provided. The company has implemented security measures and is offering complimentary credit monitoring and identity protection services.

The Pennsylvania Attorney General's Office reported a data breach involving Dawson James Securities, Inc. on March 1, 2021. The breach, which occurred on January 22, 2021, involved a missing computer that potentially exposed names, addresses, and social security numbers of individuals, affecting 558 Rhode Island residents.