👤 KERNELWATCHER
🗓️ 24 Mar 2026  

Cloud Worms Unleashed: How TeamPCP Turned Corporate Infrastructure Into a Criminal Supercomputer

A new breed of worm has weaponized the cloud, transforming misconfigured servers into a global cybercrime engine.

On Christmas Day 2025, thousands of companies unknowingly became part of the underworld’s latest innovation: TeamPCP’s cloud-native worm. Unlike old-school cryptominers that simply steal computing power, TeamPCP’s operation repurposes entire cloud environments, morphing legitimate infrastructure into a sprawling, automated criminal platform. The scale and sophistication of this attack have left even seasoned security pros reeling - and exposed a dangerous gap in how we secure the cloud.

The Anatomy of a Cloud-Native Crimewave

TeamPCP - also known as DeadCatx3, PCPcat, PersyPCP, and ShellForce - emerged as a force in late 2025, rapidly industrializing cloud attacks. Instead of relying on novel exploits, TeamPCP automates and scales well-known techniques, scanning for five main entry points: exposed Docker and Kubernetes APIs, unsecured Ray dashboards, open Redis servers, and two devastating React/Next.js vulnerabilities (CVE-2025-55182 “React2Shell” and CVE-2025-29927).

Once inside, the worm unleashes proxy.sh, a script that establishes encrypted tunnels to command servers, scans for new victims, and ensures persistence. If it detects a Kubernetes environment, it deploys kube.py, which propagates the infection cluster-wide, turning the entire environment into a distributed botnet. Each compromised server is then weaponized - mining Monero, exfiltrating sensitive data, anonymizing criminal traffic, and launching ransomware attacks.

TeamPCP’s real innovation isn’t in hacking; it’s in treating your infrastructure like their own cloud platform. Their approach mimics DevOps best practices - automation, scalability, and resilience - but for cybercrime. The worm can spread exponentially, with each new victim scanning and infecting thousands more in a relentless cycle.

Why It Matters: The Dark Side of Cloud Automation

Most breaches didn’t occur because of sophisticated zero-days, but because of basic misconfigurations - APIs left open, default credentials, secrets stashed in plain text. TeamPCP’s success highlights how the rush to deploy cloud services often leaves security as an afterthought. Organizations pay the price not only in stolen data but also in reputational and legal risk: compromised servers are used to attack others, making victims unwitting accomplices under strict regulations.

Detection is tough. TeamPCP’s activity blends seamlessly with legitimate cloud traffic, leveraging native APIs and tools. But there are telltale signs: unauthorized container creation, suspicious systemd services, outbound connections to known command servers, and cryptomining spikes. Proactive defense means reducing exposure - locking down APIs, enforcing least-privilege controls, patching fast, and monitoring for abnormal activity with specialized runtime tools.
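As an added illustration, not code from the article or from any tool it mentions, the following Python script looks for two of the Kubernetes-side signs listed above in API-server audit events: workloads created through an unauthenticated (exposed) API, and DaemonSets or privileged pods that would give an intruder node-by-node persistence. The sample events and the DS_CREATOR_OK allowlist are constructed assumptions; adjust the allowlist to the principals that legitimately create DaemonSets in your cluster.

```python
"""Flag Kubernetes audit events matching the behaviour above: workloads created
through an unauthenticated (exposed) API server, plus DaemonSets or privileged
pods giving cluster-wide persistence. SAMPLE_LOG is constructed."""
import json

UNAUTH_GROUP = "system:unauthenticated"
RISKY_KINDS = {"daemonsets", "pods", "deployments", "jobs", "cronjobs"}
# Principals expected to create DaemonSets; assumption, adjust to your cluster.
DS_CREATOR_OK = ("system:serviceaccount:kube-system:", "cluster-admins")


def analyse_event(ev):
    """Return finding strings for one audit event (empty list if benign)."""
    findings = []
    res = ev.get("objectRef", {}).get("resource", "")
    if ev.get("verb") != "create" or res not in RISKY_KINDS:
        return findings
    user = ev.get("user", {})
    name, groups = user.get("username", ""), set(user.get("groups", []))
    if name == "system:anonymous" or UNAUTH_GROUP in groups:
        findings.append(f"{res} created by unauthenticated identity {name!r}")
    if res == "daemonsets" and not (
        name.startswith(DS_CREATOR_OK[0]) or DS_CREATOR_OK[1] in groups
    ):
        findings.append(f"DaemonSet created by {name!r}: runs on every node")
    # Pod spec sits directly on a Pod, or under spec.template for a workload.
    obj = ev.get("requestObject", {}).get("spec", {})
    spec = obj["template"].get("spec", {}) if "template" in obj else obj
    if spec.get("hostPID") or spec.get("hostNetwork"):
        findings.append(f"{res} requests host PID/network namespace")
    for c in spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"privileged container {c.get('name')!r} in {res}")
    return findings


def scan_audit_log(lines):
    """Run analyse_event over JSON-lines audit output -> [(auditID, finding)]."""
    out = []
    for line in filter(str.strip, lines):
        ev = json.loads(line)
        out += [(ev.get("auditID"), f) for f in analyse_event(ev)]
    return out


SAMPLE_LOG = [  # constructed events, one JSON object per line as kube-apiserver writes them
    '{"auditID":"a1","verb":"create","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"objectRef":{"resource":"daemonsets","name":"kube-proxy-sync"},"requestObject":{"spec":{"template":{"spec":{"hostPID":true,"containers":[{"name":"w","securityContext":{"privileged":true}}]}}}}}',
    '{"auditID":"a2","verb":"create","user":{"username":"system:serviceaccount:kube-system:daemon-set-controller","groups":["system:serviceaccounts"]},"objectRef":{"resource":"pods","name":"fluentd-x"},"requestObject":{"spec":{"containers":[{"name":"fluentd"}]}}}',
    '{"auditID":"a3","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"pods","name":"web"}}',
]
```

Running `scan_audit_log(SAMPLE_LOG)` yields four findings, all for event a1; the controller-created pod and the read-only request produce none.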

The Takeaway

TeamPCP isn’t an exception - it’s a warning. As cloud-native attacks become more automated and democratized, every exposed API or forgotten credential is a potential breach point. The lesson is stark: cloud security isn’t optional or the provider’s problem; it’s a core competency. Ignore it, and your infrastructure could be conscripted into the next great criminal supercomputer - without you ever knowing.

WIKICROOK

  • Kubernetes: Kubernetes is open-source software that automates deploying, scaling, and managing applications, making it easier for companies to run systems reliably.
  • DaemonSet: A DaemonSet in Kubernetes ensures a pod runs on every node. It’s useful for system services but can be abused by attackers for persistence.
  • Cryptomining: Cryptomining uses computer power to solve puzzles and earn digital currencies, sometimes exploiting devices without the owner’s knowledge or consent.
  • Command and Control (C2): Command and Control (C2) is the system hackers use to remotely control infected devices and coordinate malicious cyberattacks.
  • Misconfiguration: Misconfiguration is a setup error in systems or software that leaves them vulnerable to cyberattacks, like accidentally leaving a door unlocked.
Tags: Cloud security, Cybercrime, TeamPCP

KERNELWATCHER, Linux Kernel Security Analyst