Security News

Cybersecurity news aggregator


TeamPCP Worm: How Criminals Exploit the Cloud - Expert In the Cloud

The TeamPCP threat cluster is conducting a massive worm-driven campaign targeting cloud infrastructure by weaponizing mis

Cloud infrastructure has become the backbone of modern business—but it's also becoming the backbone of cybercrime. Researchers recently uncovered a massive worm-driven campaign by a threat cluster known as TeamPCP (aka DeadCatx3, PCPcat, PersyPCP, ShellForce). Their goal? To turn misconfigured cloud environments into a self-propagating criminal ecosystem.

How the Worm Works

TeamPCP doesn't rely on cutting-edge exploits. Instead, it weaponizes misconfigurations and known vulnerabilities across cloud-native environments:

- Exposed Docker APIs and Kubernetes clusters
- Ray dashboards and Redis servers
- React2Shell (CVE-2025-55182), with a CVSS score of 10.0

Once inside, the worm deploys payloads like:

- proxy.sh → Installs proxy, tunneling, and scanning utilities.
- scanner.py → Finds misconfigured Docker APIs and Ray dashboards.
- kube.py → Harvests Kubernetes credentials and drops persistent backdoors.
- react.py → Exploits React/Next.js flaws for remote command execution.
- pcpcat.py → Deploys malicious containers across large IP ranges.

What Makes TeamPCP Dangerous

- Scale over novelty: They industrialize exploitation, automating scanning, persistence, and monetization.
- Cloud-native focus: Distinct tooling for Kubernetes and modern cloud stacks.
- Hybrid monetization: Mining cryptocurrency, exfiltrating data, publishing leaks, and enabling ransomware/extortion.
- Community building: Their Telegram channel has 700+ members, fueling reputation and recruitment.

Who's at Risk?

TeamPCP primarily targets AWS and Azure environments, but any exposed cloud service can become collateral damage. Victims span industries and geographies, including Canada, Serbia, South Korea, the UAE, and the U.S.

Defensive Takeaways

- Audit cloud configurations: Lock down Docker, Kubernetes, Redis, and dashboards.
- Patch known CVEs: Especially React2Shell and other high-severity flaws.
- Monitor for persistence: Look for privileged pods or unusual proxy/tunneling activity.
- Threat intelligence integration: Track IoCs linked to TeamPCP infrastructure (e.g., C2 nodes like 67.217.57[.]240).

Final Thought

TeamPCP shows that cloud misconfigurations are the new ransomware gateways. Their worm doesn't just compromise servers—it builds a criminal infrastructure at scale, blending exploitation with monetization. For defenders, the lesson is clear: cloud security hygiene is non-negotiable.
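A defender-side check for the "monitor for persistence" takeaway, as an added Python example that is not from the article or the researchers: it scans `kubectl get pods -A -o json` output for pods with the privileged, host-namespace or Docker-socket shape a dropped backdoor container tends to have. The pod JSON below is constructed sample data, not a real cluster dump.

```python
import json

# Constructed sample shaped like `kubectl get pods -A -o json`: one benign pod,
# one pod with the privileged/host-escape shape worth flagging (not real data).
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "web", "name": "frontend-7c9d"},
     "spec": {"containers": [{"name": "nginx", "image": "nginx:1.27",
                              "securityContext": {"runAsNonRoot": True}}]}},
    {"metadata": {"namespace": "kube-system", "name": "kube-proxy-helper"},
     "spec": {"hostPID": True, "hostNetwork": True,
              "volumes": [{"name": "dock",
                           "hostPath": {"path": "/var/run/docker.sock"}}],
              "containers": [{"name": "helper", "image": "alpine:latest",
                              "securityContext": {"privileged": True},
                              "volumeMounts": [{"name": "dock",
                                                "mountPath": "/var/run/docker.sock"}]}]}},
]})

# Host paths whose mount gives a container the node (or the container runtime).
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/run/containerd", "/etc", "/root")


def find_risky_pods(pods_json: str) -> list:
    """Return one finding per pod that runs privileged, shares host namespaces,
    adds CAP_SYS_ADMIN, or mounts a sensitive host path."""
    findings = []
    for pod in json.loads(pods_json).get("items", []):
        spec = pod.get("spec", {})
        reasons = [flag for flag in ("hostPID", "hostNetwork", "hostIPC") if spec.get(flag)]
        for vol in spec.get("volumes", []):
            path = vol.get("hostPath", {}).get("path")
            if path and (path == "/" or any(path == p or path.startswith(p + "/")
                                            for p in SENSITIVE_HOST_PATHS)):
                reasons.append(f"hostPath:{path}")
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            sc = c.get("securityContext", {})
            if sc.get("privileged"):
                reasons.append(f"privileged:{c['name']}")
            if "SYS_ADMIN" in sc.get("capabilities", {}).get("add", []):
                reasons.append(f"cap_sys_admin:{c['name']}")
        if reasons:
            findings.append({"namespace": pod["metadata"]["namespace"],
                             "pod": pod["metadata"]["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_risky_pods(SAMPLE_PODS_JSON):
        print(f"{f['namespace']}/{f['pod']}: {', '.join(f['reasons'])}")
```

Run it against a real dump with `kubectl get pods -A -o json > pods.json` and `find_risky_pods(open("pods.json").read())`; anything it flags outside known system workloads deserves a look at who created it and what image it runs.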
