Full Report
TeamPCP’s operations center on abusing unauthenticated or weakly protected orchestration and management interfaces rather than exploiting traditional endpoints. Initial access is achieved via exposed Docker and Kubernetes APIs, vulnerable React/Next.js applications (CVE-2025-2...
Analysis Summary
# Threat Actor: TeamPCP
## Attribution & Identity
**Actor Identification:** TeamPCP (Described as a "Campaign" or set of operations).
**Known Aliases and Associated Groups:** None explicitly mentioned in the context, though the operation is highly focused on cloud-native environments.
## Activity Summary
TeamPCP's operations are centered on exploiting misconfigured or unauthenticated orchestration and management interfaces in cloud-native environments. Initial access is gained through exposed Docker and Kubernetes APIs, vulnerable React/Next.js applications (specifically referencing CVE-2025-29927), and exposed Redis services. The primary impact observed is **Resource Hijacking**, potentially leading to specialized RansomOp activity. The ultimate goal appears to be establishing persistent, broad control over compromised clusters.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploiting exposed Docker APIs, exposed Kubernetes APIs, vulnerable React/Next.js applications (CVE-2025-29927), and vulnerable Redis instances.
- **Execution & Persistence:** Deploying standardized containers/jobs to fetch and execute a central bootstrap script (`proxy.sh`). This script registers persistent system services.
- **Defense Evasion/Persistence (Kubernetes Specific):** Deploying a privileged DaemonSet that mounts the host filesystem to ensure cluster-wide persistence and resource control.
- **Lateral Movement/Discovery:** Deploying high-volume scanners (`pcpcat.py`, `scanner.py`) to discover further exposed infrastructure. Using the dedicated payload (`kube.py`) to enumerate cluster resources and propagate to all pods via API-based command execution.
- **Data Theft:** Automated exploitation of React2Shell vulnerabilities (`react.py`) for data exfiltration.
- **Resource Abuse:** Deployment of cryptomining components utilizing XMRig via obfuscated, multi-stage payloads.
- **Command and Control (C2):** Use of the Sliver C2 framework for interactive access.
## Targeting
- **Sectors:** Cloud-Native Infrastructure (Targeting systems utilizing Kubernetes, Docker, Jenkins, and Ray AI).
- **Geography:** Not specified in the context.
- **Victims:** Organizations running exposed orchestration/management interfaces, vulnerable container environments, and specific vulnerable web frameworks.
## Tools & Infrastructure
- **Malware families used:** Sliver C2 framework.
- **Observed Tools:** FRPS, gost (likely for tunneling/proxying), XMRig (cryptominer).
- **Custom Scripts:** `proxy.sh` (bootstrap script), `kube.py` (Kubernetes enumeration/propagation), `pcpcat.py`, `scanner.py`, `react.py`.
- **Infrastructure (C2, domains, IPs):** None explicitly listed or defanged in the context.
## Implications
TeamPCP represents a significant threat focused squarely on the modern cloud attack surface (Control Planes). Their methods bypass traditional security controls by targeting weak configurations surrounding orchestration tools. Successful compromise leads quickly to full cluster takeover, cryptomining, and potential use as launchpads for further activities.
## Mitigations
- Eliminate exposure of critical management interfaces (Docker API, Kubernetes API).
- Patch or upgrade vulnerable React/Next.js installations promptly (specifically addressing CVE-2025-29927).
- Secure Redis installations; ensure configurations do not allow unauthenticated access.
- Implement robust least privilege controls within Kubernetes; prevent the deployment of privileged containers and restrict host filesystem mounting capabilities where possible.
- Monitor for the deployment of unauthorized system services or containerized reverse shells/proxies (e.g., FRPS, gost).