Worm-driven TeamPCP campaign targets cloud environments for large-scale exploitation 

A massive worm-driven campaign is targeting cloud-native environments to build malicious infrastructure for large-scale follow-on attacks.

The activity, first observed around December 25, 2025, exploits exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers, as well as the critical React2Shell vulnerability (CVE-2025-55182). The campaign has been attributed to the TeamPCP threat cluster, also tracked as DeadCatx3, PCPcat, PersyPCP, and ShellForce. Flare researchers say the group has been active since at least November 2025, with earlier Telegram activity dating back to July.

TeamPCP operates as a cloud-native cybercrime platform focused on building distributed proxy and scanning infrastructure at scale. The goal is to compromise servers to exfiltrate data, deploy ransomware, conduct extortion, and mine cryptocurrency. The group mainly abuses misconfigured cloud services and vulnerable React/Next.js applications to breach infrastructure.

“TeamPCP predominantly targets cloud infrastructure over end-user devices, with Azure (61%) and AWS (36%) accounting for 97% of compromised servers,” the report says.

Once compromised, systems are repurposed for activities ranging from cryptomining and data hosting to proxy services and command-and-control (C&C) relays.

“TeamPCP’s strength does not come from novel exploits or original malware, but from the large-scale automation and integration of well-known attack techniques. The group industrializes existing vulnerabilities, misconfigurations, and recycled tooling into a cloud-native exploitation platform that turns exposed infrastructure into a self-propagating criminal ecosystem,” the report noted.