TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure
Briefly

"The activity, observed around December 25, 2025, and described as 'worm-driven,' leveraged exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers, along with the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) vulnerability. TeamPCP is known to be active since at least November 2025, with the first instance of Telegram activity dating back to July 30, 2025."
"'The operation's goals were to build a distributed proxy and scanning infrastructure at scale, then compromise servers to exfiltrate data, deploy ransomware, conduct extortion, and mine cryptocurrency,' Flare security researcher Assaf Morag said in a report published last week. TeamPCP is said to function as a cloud-native cybercrime platform, leveraging misconfigured Docker APIs, Kubernetes APIs, Ray dashboards, Redis servers, and vulnerable React/Next.js applications as main infection pathways to breach modern cloud infrastructure to facilitate data theft and extortion."
TeamPCP conducted a worm-driven campaign around December 25, 2025, that exploited exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and the React2Shell vulnerability (CVE-2025-55182) to compromise cloud-native environments. The group built distributed proxy and scanning infrastructure to enable follow-on exploitation, including data exfiltration, ransomware deployment, extortion, cryptocurrency mining, proxying, and command-and-control relays. Compromised servers were repurposed to host stolen data, which was advertised via a Telegram channel with over 700 members. The operation relied on known tools, vulnerabilities, and misconfigurations rather than novel tradecraft.
Read at The Hacker News