Security News

Cybersecurity news aggregator

HIGH Attacks Dark Reading

TeamPCP Turns Cloud Infrastructure into Crime Bots

  • What: A threat actor is compromising cloud environments at scale with automated worm-like attacks on exposed services and interfaces.
  • Impact: At least 60,000 servers worldwide have been compromised, with infected systems scanning for and infecting others.

Jai Vijayan, Contributing Writer, February 9, 2026, 4 Min Read

A threat actor is systematically targeting misconfigured and exposed cloud management services and control interfaces to hijack infrastructure, expand its operations, and monetize compromised systems in multiple ways. The campaign appears to have started in late December and has already compromised at least 60,000 servers worldwide via a worm-like attack in which each infected system scans for and infects the next vulnerable target.

According to an analysis published this week by cybersecurity firm Flare, the operation, tracked as TeamPCP and operating under several aliases including PCPcat and ShellForce, represents a troubling evolution in cloud-native cybercrime.

"TeamPCP's strength does not come from novel exploits or original malware, but from the large-scale automation and integration of well-known attack techniques," Flare researcher Assaf Morag wrote in a recent blog post. "The group industrializes existing vulnerabilities, misconfigurations, and recycled tooling into a cloud-native exploitation platform that turns exposed infrastructure into a self-propagating criminal ecosystem."

TeamPCP's Large-Scale Automation

The threat actor's playbook involves scanning broad IP ranges for exposed Docker APIs, Kubernetes clusters, Redis servers, Ray dashboards, and systems containing the widely abused React2Shell vulnerability in React Server Components. Once it gains access to a system, TeamPCP deploys malicious Python and shell scripts that pull down additional payloads to install proxies, tunneling software, and components that enable persistence even after server reboots.

Flare observed the attackers using a dedicated script for Kubernetes environments (kube.py) to harvest credentials and to push malicious containers across all accessible pods using administrative-level APIs. The approach, according to Morag, lets the threat actor turn an initial foothold into cluster-wide control. "This effectively converts the entire cluster into a self-propagating scanning fabric," Morag noted.

The script for exploiting the infamous React2Shell vulnerability, tracked as CVE-2025-29927, allows the attackers to run remote commands on vulnerable applications and to siphon out sensitive data, environments, and cloud credentials.

More than 60% of the attacks that Flare analyzed involved cloud infrastructure hosted on Azure; 37% were AWS-hosted. TeamPCP has also been actively targeting servers in Google and Oracle cloud environments.

Multiple Revenue Streams

TeamPCP has been monetizing its attacks in multiple ways. Flare found the threat actor using compromised systems for cryptomining; selling them to other criminals for use as proxy access; leveraging them for additional scanning and exploitation; and using them to host command-and-control infrastructure for ransomware operations.

The multipurpose approach ensures that TeamPCP has multiple revenue streams from each system it infects, because "every compromised system becomes a scanner, a proxy, a miner, a data exfiltration node, and a launchpad for further attacks," Morag said. "Kubernetes clusters are not merely breached; they are converted into distributed botnets."

Beyond monetizing stolen compute resources, Flare found TeamPCP also pursuing revenue through traditional data theft and extortion. In multiple intrusions, researchers at the company observed the group publishing stolen identity records, corporate data, and résumé databases through a data-leak site operated by an affiliated threat group, ShellForce. Samples of the stolen documents that Flare reviewed contained full names, national identification numbers, residential addresses, phone numbers, employment and business records, and detailed job application materials. One notable breach involved JobsGO, a recruitment platform in Vietnam, where TeamPCP exfiltrated more than two million records containing detailed personal and professional information on job candidates.

For the most part, the stolen data is not as high value or as immediately monetizable in underground markets as credit card data and bank login information, Morag pointed out. Rather, it is the kind of data an adversary would find useful in a phishing attack, an impersonation attack, or an account takeover. Most of the victims of its campaigns are located in South Korea, Canada, the United States, Serbia, and the United Arab Emirates.

A Dangerous Threat to Cloud Environments

TeamPCP's Telegram channel, which the threat actor has been using both for reputation boosting and for sharing updates about its activities, has about 700 members and appears to have launched in November.
However, the group has made claims about "rebranding" its operations that hint it may have been operating under another alias even before then, Morag said.

What's perhaps most concerning about TeamPCP is how unremarkable its techniques really are, according to Morag. Far from writing its own malicious code, TeamPCP has mostly been using copied, lightly modified, and/or AI-assisted code for its scanning and exploit activities. All of the vulnerabilities and cloud misconfigurations that the group has been exploiting are also well documented, meaning TeamPCP is not inventing new attack methods but simply industrializing old ones with remarkable effectiveness, Morag said.

"As long as organizations continue to expose orchestration APIs, leak secrets in .env files, and deploy cloud services without strong security boundaries, actors like TeamPCP will continue to turn the world's computer fabric into their own criminal infrastructure," he noted.

Defending against threats like TeamPCP requires organizations to pay attention to cloud security fundamentals, Flare said. That means securing cloud control planes with proper authentication, network segmentation, and least-privilege access policies. Organizations must also implement runtime security monitoring capable of detecting unexpected container deployments, unusual network connections, and behavioral anomalies that signal compromise, the security vendor said.

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
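The article closes with Flare's recommendation to run runtime monitoring that catches unexpected container deployments. The script below is an added example and is not code from the article, from Flare, or from Dark Reading: it reads Kubernetes API-server audit events (JSON lines) and flags pod creations that were not initiated by a workload controller, that pull images from outside an approved registry, or that request privileged or host-level access, which is the shape of the cluster-wide container pushes the article attributes to the kube.py script. The audit records, the ALLOWED_DEPLOYERS allow-list, and the registry prefix are all constructed for this example.

```python
import json

# Constructed sample of Kubernetes audit-log events (one JSON object per line).
# These are illustrative records written for this example, not data from the article.
SAMPLE_AUDIT_LOG = r'''
{"kind":"Event","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller"},"objectRef":{"resource":"pods","namespace":"shop","name":"web-7d9c"},"requestObject":{"spec":{"containers":[{"name":"web","image":"registry.example.com/shop/web:1.4"}]}}}
{"kind":"Event","verb":"create","user":{"username":"system:serviceaccount:default:default"},"objectRef":{"resource":"pods","namespace":"kube-system","name":"kube-proxy-x1"},"requestObject":{"spec":{"hostNetwork":true,"hostPID":true,"containers":[{"name":"c","image":"docker.io/library/alpine:latest","securityContext":{"privileged":true}}]}}}
{"kind":"Event","verb":"get","user":{"username":"alice@example.com"},"objectRef":{"resource":"secrets","namespace":"shop","name":"db-creds"}}
{"kind":"Event","verb":"create","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","namespace":"shop","name":"debug"},"requestObject":{"spec":{"containers":[{"name":"d","image":"registry.example.com/tools/debug:2","volumeMounts":[{"name":"root","mountPath":"/host"}]}],"volumes":[{"name":"root","hostPath":{"path":"/"}}]}}}
'''

# Assumed policy: in a healthy cluster, pods are created by the built-in workload
# controllers, not directly by users or by the "default" service account.
ALLOWED_DEPLOYERS = {
    "system:serviceaccount:kube-system:replicaset-controller",
    "system:serviceaccount:kube-system:daemon-set-controller",
    "system:serviceaccount:kube-system:job-controller",
}
# Assumed policy: only images from the organisation's own registry are approved.
ALLOWED_REGISTRY_PREFIXES = ("registry.example.com/",)


def parse_audit_events(text):
    """Parse JSON-lines audit output, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a broken line should not stop the scan
    return events


def pod_create_findings(event):
    """Return the reasons a pod-creation event looks unexpected (empty list if none)."""
    if event.get("verb") != "create":
        return []
    if event.get("objectRef", {}).get("resource") != "pods":
        return []
    reasons = []
    user = event.get("user", {}).get("username", "")
    if user not in ALLOWED_DEPLOYERS:
        reasons.append(f"pod created directly by {user!r}, not by a workload controller")
    spec = event.get("requestObject", {}).get("spec", {})
    # Host namespaces give a container a view of the node's network/processes.
    if spec.get("hostNetwork") or spec.get("hostPID") or spec.get("hostIPC"):
        reasons.append("pod shares a host namespace (hostNetwork/hostPID/hostIPC)")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            reasons.append(f"hostPath volume mounts {vol['hostPath'].get('path')!r}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        image = c.get("image", "")
        if not image.startswith(ALLOWED_REGISTRY_PREFIXES):
            reasons.append(f"image {image!r} is not from an approved registry")
        if c.get("securityContext", {}).get("privileged"):
            reasons.append(f"container {c.get('name')!r} runs privileged")
    return reasons


def scan_audit_log(text):
    """Run every event through the pod-creation checks and collect the hits."""
    findings = []
    for ev in parse_audit_events(text):
        reasons = pod_create_findings(ev)
        if reasons:
            obj = ev["objectRef"]
            findings.append({
                "pod": f"{obj.get('namespace')}/{obj.get('name')}",
                "user": ev.get("user", {}).get("username"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{f['pod']} (created by {f['user']})")
        for r in f["reasons"]:
            print("  -", r)
```

On the constructed sample, the controller-created web pod passes cleanly, while the two other pod creations are reported: one for a privileged, host-networked container from an unapproved registry pushed by the default service account, the other for a user-created pod that mounts the node's root filesystem. In practice the allow-lists would be tuned to the cluster, and the same checks map naturally onto an admission controller, where they block the deployment rather than only report it afterwards.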
