TeamPCP Gains Ground in Cloud-Native and Ransomware Campaigns

SOC Prime Team

TeamPCP Gains Ground in Cloud-Native and Ransomware Campaigns

Detection stack

AIDR
Alert
ETL
Query

Threat Report
Attack Flow
Detections
Simulations

Summary

TeamPCP is an emerging cloud-native cybercrime operation that targets exposed Docker, Kubernetes, Ray, Redis, and React2Shell-vulnerable services to gain initial access to cloud environments. Once inside, the group uses compromised workloads to build a distributed infrastructure for proxying, scanning, and cryptomining, while also enabling data theft, extortion, and ransomware deployment. The operation combines open-source tooling with custom automation scripts that help spread activity across clustered environments. Active since late 2025, the campaign has already impacted tens of thousands of cloud servers.

Investigation

Researchers mapped the full intrusion chain, beginning with exploitation of misconfigured or exposed APIs and continuing through the deployment of persistent systemd services, Kubernetes DaemonSets, and third-party tunneling utilities. Key artifacts recovered from affected systems and linked GitHub repositories included proxy.sh, kube.py, react.py, and components associated with the Sliver C2 framework. The investigation also confirmed abuse of the React2Shell CVE-2025-29927 vulnerability and uncovered extensive scripts designed to harvest credentials from compromised environments.

Mitigation

Organizations should harden cloud control planes, eliminate unauthenticated access to orchestration interfaces, and enforce least-privilege identity policies across workloads and services. Security teams should continuously scan for exposed Docker and Kubernetes endpoints, monitor runtime behavior for privileged or suspicious containers, and block outbound traffic to known tunneling utilities where possible. Strong secret management practices and regular container image hygiene can further reduce the risk of credential exposure and lateral movement.

Response

When TeamPCP activity is detected, defenders should isolate the affected subnet, shut down unauthorized containers and DaemonSets, and terminate any related systemd services. All cloud credentials should be rotated immediately, and malicious scripts or binaries should be removed from impacted hosts. Recovery should include rebuilding nodes from clean images and conducting a full audit of cluster-wide API permissions to ensure no persistence or privilege abuse remains.

"graph TB %% Class definitions classDef action fill:#99ccff classDef tool fill:#ffcc99 classDef script fill:#ccffcc classDef malware fill:#ff9999 classDef persistence fill:#ccccff classDef c2 fill:#ffccff %% Nodes tech_initial_access["Action – T1190 Exploit Public-Facing Application Attacker exploits exposed Docker, Kubernetes, Ray, Redis APIs and React2Shell (CVEu20112025u201129927) to gain foothold."] class tech_initial_access action tool_react_py["Tool – Name: react.py Description: script leveraging React2Shell vulnerability to execute code on server."] class tool_react_py tool tech_execution["Action – T1059 Command and Scripting Interpreter Download and run proxy.sh via /bin/sh, curl, python3."] class tech_execution action script_proxy_sh["Script – Name: proxy.sh Purpose: sets up tunneling binaries and runs them."] class script_proxy_sh script tool_frps["Tool – Name: frps Function: reverse proxy server for tunneling."] class tool_frps tool tool_gost["Tool – Name: gost Function: multiu2011protocol proxy used for tunneling."] class tool_gost tool tech_defense_proxy["Action – T1216 System Script Proxy Execution proxy.sh installs FRPS and GOST tunneling binaries."] class tech_defense_proxy action script_kube_py["Script – Name: kube.py Function: queries Kubernetes API for pods, namespaces and secrets."] class script_kube_py script tech_discovery["Action – T1613 Container and Resource Discovery Enumerates containers, pods, namespaces and secret objects."] class tech_discovery action tech_cred_access["Action – T1552.001 Credentials In Files Harvests .env files, SSH keys and cloud provider tokens."] class tech_cred_access action tech_lateral["Action – T1609 Container Administration Command Uses kubectl exec to move laterally between pods and deploy proxy.sh."] class tech_lateral action tool_kubectl["Tool – Name: kubectl Description: commandu2011line client for managing Kubernetes clusters."] class tool_kubectl tool tech_persistence_ds["Action – T1543.005 Create or Modify System Process: Container Service Deploys privileged DaemonSet named systemu2011monitor."] class tech_persistence_ds action obj_daemonset["Object – Name: systemu2011monitor DaemonSet Role: maintains malicious containers on each node."] class obj_daemonset persistence tech_persistence_job["Action – T1053.007 Scheduled Task/Job: Container Orchestration Job Installs cron/systemd job to restart scanner continuously."] class tech_persistence_job action obj_systemd["Object – Name: teampcpu2011react.service Type: systemd service providing persistence."] class obj_systemd persistence tech_defense_enc["Action – T1027.013 Encrypted/Encoded File Base64u2011encoded XMRig miner stored in mine.sh."] class tech_defense_enc action script_mine_sh["Script – Name: mine.sh Content: base64u2011encoded XMRig miner payload."] class script_mine_sh script malware_xmrig["Malware – Name: XMRig Purpose: cryptocurrency mining on compromised hosts."] class malware_xmrig malware tech_impact["Action – T1496.001 Resource Hijacking: Compute Hijacking XMRig consumes CPU cycles for illicit mining."] class tech_impact action tech_c2_proxy["Action – T1090 Proxy FRPS and GOST act as proxy tunnels for commandu2011andu2011control traffic."] class tech_c2_proxy action tool_sliver["Tool – Name: Sliver Purpose: framework that provides encrypted C2 channels."] class tool_sliver tool tech_c2_obfusc["Action – T1001 Data Obfuscation Encrypted channel hides C2 communications from detection."] class tech_c2_obfusc action tech_exfil["Action – T1041 Exfiltration Over C2 Channel Harvested credentials and data are sent to attacker API via the C2 tunnel."] class tech_exfil action tech_cleanup["Action – Cleanup Delete artifacts, hide backdoors and remove logs to evade detection."] class tech_cleanup action %% Connections tech_initial_access –>|uses| tool_react_py tech_initial_access –>|leads_to| tech_execution tech_execution –>|executes| script_proxy_sh script_proxy_sh –>|installs| tool_frps script_proxy_sh –>|installs| tool_gost script_proxy_sh –>|downloads| script_mine_sh script_proxy_sh –>|runs| script_kube_py script_kube_py –>|performs| tech_discovery tech_discovery –>|provides data for| tech_cred_access tech_cred_access –>|enables| tech_lateral tech_lateral –>|uses| tool_kubectl tool_kubectl –>|executes| script_proxy_sh tech_lateral –>|leads_to| tech_persistence_ds tech_persistence_ds –>|creates| obj_daemonset tech_persistence_ds –>|creates| obj_systemd tech_persistence_ds –>|triggers| tech_persistence_job tech_persistence_job –>|ensures| obj_systemd tech_defense_enc –>|encodes| script_mine_sh script_mine_sh –>|contains| malware_xmrig malware_xmrig –>|performs| tech_impact tech_defense_proxy –>|uses| tool_frps tech_defense_proxy –>|uses| tool_gost tech_c2_proxy –>|leverages| tool_frps tech_c2_proxy –>|leverages| tool_gost tech_c2_proxy –>|uses| tool_sliver tool_sliver –>|provides| tech_c2_obfusc tech_c2_obfusc –>|protects| malware_xmrig tech_impact –>|sends results via| tech_exfil tech_exfil –>|uses| tech_c2_proxy tech_exfil –>|uses| tool_sliver tech_exfil –>|uses| tool_gost tech_cleanup –>|removes| tech_initial_access tech_cleanup –>|removes| tech_persistence_ds tech_cleanup –>|removes| tech_exfil "

Attack Flow

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free