A "massive campaign" that has methodically targeted cloud native environments to install malicious infrastructure for subsequent exploitation has drawn attention from cybersecurity researchers. The activity was noticed around December 25, 2025, and was characterized as "worm-driven."
It took advantage of the recently revealed React2Shell (CVE-2025-55182, CVSS score: 10.0) vulnerability as well as exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers. A threat cluster called TeamPCP (also known as DeadCatx3, PCPcat, PersyPCP, and ShellForce) has been implicated in the campaign. The earliest recorded Telegram activity dates back to July 30, 2025, and TeamPCP has been operational since at least November 2025.
With more than 700 members, the TeamPCP Telegram channel shares stolen data from a variety of victims in Canada, Serbia, South Korea, the United Arab Emirates, and the United States. According to data from the cybersecurity firm, threat actors primarily target Microsoft Azure and Amazon Web Services (AWS) environments. Instead of focusing on particular industries, the attacks are thought to be opportunistic in nature, mainly targeting infrastructure that serves its objectives.
Organizations that manage this kind of infrastructure end up becoming "collateral victims" as a result. According to Morag, "the PCPcat campaign demonstrates a full lifecycle of scanning, exploitation, persistence, tunneling, data theft, and monetization built specifically for modern cloud infrastructure." "TeamPCP's operational integration and scale, rather than their technical innovation, are what make them dangerous."











