A threat actor is methodically targeting exposed and misconfigured cloud management services and control interfaces in order to take over infrastructure, expand its operation, and monetize compromised systems in a variety of ways. Spreading through a worm-like attack, the campaign appears to have begun in late December and has already compromised at least 60,000 servers globally.
Each compromised system searches for and infects the next susceptible target. The operation, known as TeamPCP and also active under several aliases, including PCPcat and ShellForce, is a concerning development in cloud-native cybercrime, according to a report released this week by cybersecurity firm Flare.
In a recent blog post, Flare researcher Assaf Morag stated that "TeamPCP's strength does not come from novel exploits or original malware, but from the large-scale automation and integration of well-known attack techniques." The group industrializes pre-existing vulnerabilities, misconfigurations, and recycled tooling to build a cloud-native exploitation platform that turns exposed infrastructure into a self-propagating criminal ecosystem.

## The Large-Scale Automation of TeamPCP

The threat actor's playbook includes scanning large IP ranges for exposed Docker APIs, Kubernetes clusters, Redis servers, Ray dashboards, and systems affected by the frequently exploited React2Shell vulnerability in React Server Components.
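One defender-side check that follows from the worm-like fan-out described above, added here as an example rather than code from the article or from Flare: it reads flow-log-style records (constructed sample lines) and flags any source that probes management ports on several distinct hosts. The port-to-service mapping is an assumption based on the services' conventional defaults; the article names the services, not the ports.

```python
from collections import defaultdict

# Conventional default ports of the exposed services the article lists
# (assumption: the article names services, not ports; these are defaults).
MGMT_PORTS = {2375: "docker-api", 6379: "redis",
              10250: "kubelet", 8265: "ray-dashboard"}

# Constructed flow-log lines: src_ip src_port dst_ip dst_port proto action.
# 10.0.1.15 sweeps five hosts on management ports; 10.0.2.40 is a normal
# client talking to one Redis; 10.0.3.9 is ordinary HTTPS traffic.
SAMPLE_FLOWS = """\
10.0.1.15 51002 203.0.113.5 2375 6 ACCEPT
10.0.1.15 51003 203.0.113.6 2375 6 REJECT
10.0.1.15 51004 203.0.113.7 6379 6 ACCEPT
10.0.1.15 51005 203.0.113.8 8265 6 ACCEPT
10.0.1.15 51006 203.0.113.9 10250 6 REJECT
10.0.2.40 44010 10.0.2.41 6379 6 ACCEPT
10.0.2.40 44011 10.0.2.41 6379 6 ACCEPT
10.0.3.9 39000 198.51.100.2 443 6 ACCEPT
"""


def parse_flows(text):
    """Yield (src_ip, dst_ip, dst_port) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[3].isdigit():
            yield parts[0], parts[2], int(parts[3])


def find_scanners(text, min_targets=3):
    """Return {src: {service: [dst, ...]}} for sources that probed management
    ports on at least min_targets distinct hosts. REJECTed probes count too:
    a worm sweeping a range leaves a fan-out signature whether or not each
    target answered, while a real client touches one or two hosts."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, dport in parse_flows(text):
        if dport in MGMT_PORTS:
            seen[src][MGMT_PORTS[dport]].add(dst)
    suspects = {}
    for src, by_service in seen.items():
        if len(set().union(*by_service.values())) >= min_targets:
            suspects[src] = {s: sorted(d) for s, d in by_service.items()}
    return suspects


if __name__ == "__main__":
    for src, hits in find_scanners(SAMPLE_FLOWS).items():
        print(src, "probed", hits)
```

Running it over the sample flags only 10.0.1.15; in production the threshold should be tuned against the host's normal east-west traffic so that legitimate orchestration clients are not reported.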
South Korea, Canada, the United States, Serbia, and the United Arab Emirates are home to the majority of the campaign's victims.

## A Dangerous Threat to Cloud Environments

The threat actor has been using TeamPCP's 700-member Telegram channel, which appears to have started in November, to share updates about its activities and to build its reputation. But according to Morag, the group has made statements about "rebranding" its activities, which raises the possibility that it was already operating under a different alias.
According to Morag, the most worrisome thing about TeamPCP is how unremarkable its methods are.