Full Report
Cybersecurity researchers have called attention to a "massive campaign" that has systematically targeted cloud native environments to set up malicious infrastructure for follow-on exploitation. The activity, observed around December 25, 2025, and described as "worm-driven," leveraged exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers, along with the recently disclosed
Analysis Summary
# Tool/Technique: TeamPCP Worm Infrastructure
## Overview
TeamPCP is the name given to a coordinated, worm-driven campaign that targets cloud-native environments (exposed Docker, Kubernetes, Ray, and Redis services) to rapidly stand up malicious infrastructure for subsequent exploitation, data exfiltration, ransomware deployment, and cryptocurrency mining.
## Technical Details
- Type: Malware/Attack Framework (Worm-driven campaign)
- Platform: Cloud Native Environments (Linux-based systems within Docker/Kubernetes)
- Capabilities: Automated exploitation, self-propagation, cryptomining, proxy/C2 infrastructure building, environment fingerprinting.
- First Seen: Activity observed around December 25, 2025; Group known since at least November 2025 (initial Telegram activity in July 2025).
## MITRE ATT&CK Mapping
This campaign leverages multiple techniques across different stages (technique IDs and names as used in the ATT&CK Enterprise matrix):
- **Initial Access**
- T1190 - Exploit Public-Facing Application (exposed Docker APIs, Kubernetes API servers, Ray dashboards, and Redis servers; React2Shell, CVE-2025-55182, via `react.py`)
- **Execution**
- T1059.004 - Command and Scripting Interpreter: Unix Shell (`proxy.sh`, `mine.sh`)
- T1059.006 - Command and Scripting Interpreter: Python (`scanner.py`, `kube.py`, `react.py`, `pcpcat.py`)
- T1610 - Deploy Container (malicious containers and Kubernetes jobs/pods used to run payloads)
- **Persistence / Privilege Escalation**
- T1611 - Escape to Host (privileged pod on every node with the host filesystem mounted)
- **Defense Evasion**
- T1027 - Obfuscated Files or Information (Base64 encoding in `pcpcat.py`)
- **Credential Access**
- T1552.007 - Unsecured Credentials: Container API (cluster credential harvesting by `kube.py`)
- **Discovery**
- T1613 - Container and Resource Discovery (resource enumeration by `kube.py`; runtime environment fingerprinting by `proxy.sh`)
- T1046 - Network Service Discovery (internet scanning against downloaded CIDR lists)
- **Lateral Movement**
- T1570 - Lateral Tool Transfer (payloads pushed to every node of a compromised cluster)
- **Collection**
- T1005 - Data from Local System (harvested cluster credentials)
- **Command and Control**
- T1071 - Application Layer Protocol (standard protocols used by the C2 relays)
- T1105 - Ingress Tool Transfer (downloading next-stage payloads and CIDR lists)
- T1090 - Proxy (proxy, P2P, and tunneling utilities installed by `proxy.sh`)
- **Impact**
- T1496 - Resource Hijacking (cryptomining via `mine.sh`)
- T1486 - Data Encrypted for Impact (ransomware deployment)
## Functionality
### Core Capabilities
* **Infection Vector Exploitation:** Exploits misconfigurations in exposed Docker APIs, Kubernetes APIs, Ray dashboards, and Redis servers.
* **Vulnerability Exploitation:** Leverages the recently disclosed React2Shell vulnerability (CVE-2025-55182) for initial remote command execution (via `react.py`).
* **Self-Propagation (Worm Functionality):** Scripts actively scan the internet for new targets using CIDR lists downloaded from GitHub.
* **Container/Job Deployment:** Automatically deploys malicious containers or Kubernetes jobs to execute payloads (`pcpcat.py`).
### Advanced Features
* **Cloud-Native Awareness:** Utilizes `proxy.sh` which performs runtime **environment fingerprinting** and executes separate, cluster-specific payload paths if a Kubernetes environment is detected.
* **Infrastructure Building:** Deploys `proxy.sh` to install proxy, P2P, and tunneling utilities to build a distributed scanning and proxy infrastructure.
* **Kubernetes Specific Tradecraft:** `kube.py` focuses on harvesting cluster credentials, discovering resources, and deploying a **privileged pod on every node** that mounts the host file system to establish a persistent backdoor.
* **C2 Linkage:** Associated C2 infrastructure has been linked to the use of the Sliver C2 framework.
## Indicators of Compromise
*Note: Specific hashes/file names are limited by the provided text, but general indicators are listed.*
- File Hashes: Not explicitly provided.
- File Names: `proxy.sh`, `scanner.py`, `mine.sh`, `kube.py`, `react.py`, `pcpcat.py`.
- Registry Keys: Not applicable (Linux/Cloud environment focus).
- Network Indicators: C2 server node `67.217.57[.]240` (defanged).
- Behavioral Indicators: Environment checks for Kubernetes indicators; automated deployment of privileged pods mounting host paths; downloading CIDR lists from the `DeadCatx3` GitHub organization.
## Associated Threat Actors
* **TeamPCP** (Also known as DeadCatx3, PCPcat, PersyPCP, ShellForce).
* Linked to activity documented as **Operation PCPcat**.
## Detection Methods
- Signature-based detection: Signatures could be developed for the Python scripts (`scanner.py`, `kube.py`, `react.py`, `pcpcat.py`) and the shell scripts (`proxy.sh`, `mine.sh`) once static content is available; the Base64-encoded stages in `pcpcat.py` will need decoding before string matching.
- Behavioral detection: Monitoring for shell scripts that probe for Kubernetes process or environment markers (service account token paths, `KUBERNETES_*` environment variables); detecting the creation of privileged containers, pods, jobs, or DaemonSets that mount host paths such as `/` or `/dev` via `hostPath` volumes, especially when rolled out to every node; detecting unauthenticated requests to Docker, Kubernetes, Ray, or Redis ports from the internet; detection of connections to known C2 infrastructure and of downloads of CIDR lists from the `DeadCatx3` GitHub organization.
- YARA rules if available: (Not provided in the text).
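The behavioral rule above (privileged pods that mount the host filesystem, pushed cluster-wide) can be expressed as a check over Kubernetes API-server audit events. The script below is an added example written for this page, not code from the campaign or from the source report; it assumes the audit policy logs pod and workload writes at the `RequestResponse` level so that `requestObject` is present, and the three sample events, their user names, resource names, and IP addresses are constructed for the example.

```python
"""Behavioral detection for the TeamPCP-style Kubernetes tradecraft above:
privileged pods or pod templates that mount the host filesystem, created
across the cluster. Added example; not code from the campaign or the report.
Input: Kubernetes API-server audit events (audit level RequestResponse, so
`requestObject` is present). The events below are constructed samples."""
import json

# Host paths that give a container host-level access when mounted.
# Assumption: a pragmatic starting list; extend it for your environment.
SENSITIVE_HOST_PATHS = ("/", "/dev", "/etc", "/proc", "/root", "/sys",
                        "/var/lib/kubelet", "/var/run/docker.sock")
WRITE_VERBS = ("create", "update", "patch")


def is_sensitive_host_path(path):
    """True if `path` is one of SENSITIVE_HOST_PATHS or lies beneath one of them."""
    norm = "/" + path.strip("/")          # "/", "/dev/", "dev" -> "/", "/dev", "/dev"
    for p in SENSITIVE_HOST_PATHS:
        if p == "/":
            if norm == "/":
                return True
        elif norm == p or norm.startswith(p + "/"):
            return True
    return False


def pod_spec_from_object(obj):
    """Extract the PodSpec from a Pod or from any workload that carries a pod template."""
    kind = obj.get("kind")
    spec = obj.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})   # Job, DaemonSet, Deployment, ...


def check_pod_spec(pod_spec):
    """Return a list of findings for one PodSpec (empty when nothing is suspicious)."""
    findings = []
    for ns in ("hostPID", "hostNetwork", "hostIPC"):
        if pod_spec.get(ns):
            findings.append(f"{ns} enabled")
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"privileged container {c.get('name')}")
    for v in pod_spec.get("volumes", []):
        hp = v.get("hostPath")
        if hp and is_sensitive_host_path(hp.get("path", "")):
            findings.append(f"hostPath {hp['path']} mounted via volume {v.get('name')}")
    return findings


def scan_audit_events(events):
    """Run check_pod_spec over write events; return one alert dict per hit."""
    alerts = []
    for ev in events:
        if ev.get("verb") not in WRITE_VERBS:
            continue
        findings = check_pod_spec(pod_spec_from_object(ev.get("requestObject") or {}))
        if findings:
            ref = ev.get("objectRef", {})
            alerts.append({
                "user": ev.get("user", {}).get("username"),
                "source_ips": ev.get("sourceIPs", []),
                "resource": f"{ref.get('resource')}/{ref.get('namespace')}/{ref.get('name')}",
                "findings": findings,
            })
    return alerts


# Constructed sample audit events (JSON lines, as an audit webhook or log file
# would deliver them). Names, users and IPs are invented for the example.
SAMPLE_AUDIT_LOG = r'''
{"verb":"create","user":{"username":"system:serviceaccount:web:deployer"},"sourceIPs":["10.0.0.12"],"objectRef":{"resource":"pods","namespace":"web","name":"nginx-1"},"requestObject":{"kind":"Pod","spec":{"containers":[{"name":"nginx","image":"nginx:1.27"}]}}}
{"verb":"create","user":{"username":"kubernetes-admin"},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"daemonsets","namespace":"kube-system","name":"node-helper"},"requestObject":{"kind":"DaemonSet","spec":{"template":{"spec":{"hostPID":true,"containers":[{"name":"helper","image":"alpine","securityContext":{"privileged":true},"volumeMounts":[{"name":"host","mountPath":"/host"}]}],"volumes":[{"name":"host","hostPath":{"path":"/"}}]}}}}}
{"verb":"get","user":{"username":"kubernetes-admin"},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"daemonsets","namespace":"kube-system","name":"node-helper"}}
'''
SAMPLE_EVENTS = [json.loads(line) for line in SAMPLE_AUDIT_LOG.strip().splitlines()]


if __name__ == "__main__":
    for a in scan_audit_events(SAMPLE_EVENTS):
        print(f"ALERT {a['resource']} by {a['user']} from {a['source_ips']}: "
              f"{'; '.join(a['findings'])}")
```

Only write verbs are evaluated, so read-only access to an already-suspicious object does not re-alert; a DaemonSet is flagged at creation because its template is checked the same way as a bare Pod, which is how a "privileged pod on every node" rollout shows up as a single event rather than one alert per node. The same `check_pod_spec` can be run over `kubectl get pods -A -o json` output to audit workloads that already exist.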
## Mitigation Strategies
* **API Exposure Lockdown:** Do not expose Docker APIs, Kubernetes API servers, Ray dashboards, or Redis servers to the internet. Bind them to local or private interfaces, require authentication and authorization (TLS client certificates for the Docker API, RBAC for Kubernetes, a password or ACLs for Redis), and put any remote access behind a VPN or authenticated gateway.
* **Vulnerability Patching:** Immediately patch or mitigate systems vulnerable to CVE-2025-55182 (React2Shell).
* **Container Hardening:** Enforce the Pod Security Standards (PSS) through the built-in Pod Security Admission controller or a policy engine so that privileged containers, `hostPath` mounts of the host filesystem, and host PID/network/IPC namespaces are rejected at admission. Pod Security Policies (PSPs) were removed in Kubernetes 1.25 and should not be relied on.
* **Network Segmentation:** Isolate management/control plane components from general application workloads.
* **Secret Management:** Limit what a compromised pod can harvest: disable automatic service account token mounting where a workload does not need the API, scope RBAC to the minimum required, and avoid storing long-lived cluster credentials in pods or images.
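The Container Hardening and Secret Management items above can be applied with plain Kubernetes objects. The fragment below is an added example for this page, not configuration from the source report: it labels a namespace so that Pod Security Admission enforces the `restricted` profile (which rejects privileged containers, `hostPath` volumes, and host namespaces) and defines a service account whose token is not mounted into pods automatically. The namespace and service account names are placeholders.

```yaml
# Enforce the "restricted" Pod Security Standard in the namespace; a pod like
# the DaemonSet template the campaign deploys (privileged, hostPath "/") is
# rejected at admission. "audit" and "warn" also surface violations in the
# audit log and to the client without blocking.
apiVersion: v1
kind: Namespace
metadata:
  name: web            # placeholder namespace
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
# Service account for workloads that never talk to the Kubernetes API: no
# token is mounted, so kube.py-style credential harvesting finds nothing.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-runtime    # placeholder service account
  namespace: web
automountServiceAccountToken: false
```

Apply with `kubectl apply -f`. Namespaces that must run privileged infrastructure (CNI, node agents) should be labelled `baseline` or `privileged` deliberately and watched with the detection logic in the previous section rather than left unlabelled.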
## Related Tools/Techniques
* **CVE-2025-55182 (React2Shell):** The recently disclosed vulnerability used as a primary exploitation path.
* **Sliver C2:** The C2 framework potentially used by the attacker infrastructure.
* **Cryptocurrency Miners:** Deployment of `mine.sh` indicates standard cryptomining payloads are part of the toolkit.