Oracle Cloud A.I CyberSecurity Scoring
Oracle Cloud
Company Information
Website: https://www.oracle.com/cloud/
Employees number: 2
Number of followers: 180,059
NAICS: 5415
Industry Type: IT Services and IT Consulting
Homepage: oracle.com
Oracle Cloud Risk Score (AI oriented)
Between 650 and 699
Updated: 01/04/2026
671/1000
Weak
B
3 incidents
-21 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 675
MAY 2026: 673
APRIL 2026: 672
MARCH 2026: 670
FEBRUARY 2026: 688
JANUARY 2026: 687
DECEMBER 2025: 685
Cyber Attack
26 Dec 2025 • Oracle Cloud
Oracle Cloud, Azure and AWS: TeamPCP Turns Cloud Infrastructure into Crime Bots
TeamPCP Exploits Cloud Misconfigurations in Large-Scale Cybercrime Operation
664
CRITICAL-21
AMAORAMIC1770695748
A threat actor known as TeamPCP (also operating under aliases like PCPcat and ShellForce) is conducting automated, worm-like attacks on misconfigured and exposed cloud management services, compromising at least 60,000 servers worldwide since late December. The group’s campaign primarily targets Azure (60% of attacks), AWS (37%), and Google and Oracle cloud environments, exploiting well-documented vulnerabilities and misconfigurations rather than developing new attack methods.
TeamPCP’s operations involve scanning for exposed Docker APIs, Kubernetes clusters, Ray dashboards, and systems with leaked secrets (such as `.env` files). Once inside, the group deploys malicious Python and Shell scripts to install proxies, tunneling software, and persistence mechanisms, effectively converting compromised infrastructure into a self-propagating botnet. A key tool in their arsenal is the React2Shell vulnerability (CVE-2025-29927), which allows remote command execution and data exfiltration.
The group monetizes its attacks through multiple revenue streams, including:
- Cryptocurrency mining using hijacked compute resources.
- Data theft and extortion, with stolen records including personal IDs, employment records, and résumés published on a leak site operated by an affiliate, ShellForce.
- Selling access to compromised systems for use as proxies or command-and-control infrastructure.
- Ransomware deployment, leveraging infected systems as launchpads for further attacks.
Notably, TeamPCP has targeted JobsGO, a Vietnamese recruitment platform, exfiltrating over two million records containing sensitive personal and professional data. Most victims are located in South Korea, Canada, the U.S., Serbia, and the UAE, with stolen information often used for phishing, impersonation, or account takeovers.
Despite its sophistication, TeamPCP’s techniques are not novel: the group relies on automated exploitation of known vulnerabilities and recycled tooling. Security firm Flare warns that the threat actor’s strength lies in its large-scale automation, turning exposed cloud infrastructure into a distributed criminal ecosystem. The group also maintains a Telegram channel (launched in November, with ~700 members) for updates and reputation-building, though researchers suggest it may have operated under previous aliases.
The campaign underscores the risks of unsecured cloud control planes, leaked credentials, and poor access controls, as TeamPCP continues to industrialize existing attack vectors with alarming efficiency.
DECEMBER 2025: 706
Cyber Attack
19 Dec 2025 • Oracle Cloud
Cloudflare: Aisuru botnet sets new record with 31.4 Tbps DDoS attack
Record-Breaking DDoS Attack by Aisuru/Kimwolf Botnet Peaks at 31.4 Tbps
685
CRITICAL-21
CLO1769705152
On December 19, Cloudflare mitigated a historic distributed denial-of-service (DDoS) attack launched by the Aisuru (also known as Kimwolf) botnet, reaching an unprecedented 31.4 Tbps and 200 million requests per second (rps). The campaign, dubbed "The Night Before Christmas," targeted telecommunications providers, IT organizations, and Cloudflare’s own infrastructure with hyper-volumetric HTTP and Layer 4 DDoS attacks.
This attack surpassed Aisuru’s previous record of 29.7 Tbps, set earlier, and another Microsoft-attributed assault peaking at 15.72 Tbps from 500,000 IP addresses. Over 90% of the attacks in the campaign peaked between 1-5 Tbps, with most lasting 1-2 minutes. Despite their scale, Cloudflare’s automated systems detected and mitigated them without triggering internal alerts.
The botnet’s power stems from compromised IoT devices and routers, though the December attacks primarily originated from Android TVs. Cloudflare’s 2025 Q4 DDoS Threat Report revealed a 121% year-over-year increase in DDoS attacks, with 47.1 million incidents recorded in 2025, averaging 5,376 attacks per hour. Network-layer attacks dominated (73%), while HTTP-based assaults made up the remainder.
The most targeted industries included telecommunications, IT services, gambling, and gaming, with China, Hong Kong, Germany, Brazil, and the U.S. bearing the brunt of attacks. Bangladesh was the largest source of attacks, followed by Ecuador, Indonesia, and Argentina, while Russia dropped to 10th place. The report also noted a 600% increase in network-layer attacks exceeding 100 million packets per second (Mpps) and a 65% quarter-over-quarter rise in attacks over 1 Tbps. Over 71.5% of HTTP DDoS attacks were linked to known botnets.
NOVEMBER 2025: 706
OCTOBER 2025: 705
SEPTEMBER 2025: 704
AUGUST 2025: 703
JULY 2025: 702
JUNE 2021: 748
Breach
16 Jun 2021 • Oracle Cloud
Cyberattack on Oracle Cloud by 'rose87168'
623
CRITICAL-125
ORA615032225
The cyberattack on Oracle Cloud orchestrated by 'rose87168' led to the theft of 6 million records potentially affecting over 140,000 tenants. Exfiltrated data includes sensitive JKS files, encrypted SSO passwords, key files, and JPS keys. This information is now sold on dark web forums. The breach, exploiting CVE-2021-35587, poses risks of unauthorized access and corporate espionage given the type of data stolen. Oracle's compromised subdomain and vulnerable software version highlight security gaps and raise concerns of lateral movement within the cloud environment.