Cybersecurity researchers have flagged a “massive campaign” that targeted cloud native environments to build a criminal infrastructure for follow-on exploitation, observed around 25 December 2025. The operation leveraged exposed Docker APIs, Kubernetes clusters, Ray dashboards and Redis servers, and exploited the React2Shell vulnerability (CVE-2025-55182, CVSS 10.0).
The campaign has been attributed to a threat cluster known as TeamPCP (aka DeadCatx3, PCPcat, PersyPCP and ShellForce), which has been active since at least November 2025. Flare notes the group aims to build a distributed proxy and scanning infrastructure at scale to exfiltrate data, deploy ransomware, conduct extortion and mine cryptocurrency, with proxy[.]sh dropping various payloads to expand into new targets.
The operators use cloud-native infection paths to breach AWS and Azure environments, turning compromised infrastructure into a self-propagating criminal ecosystem. One core component is command-and-control (C2) through a Sliver server reached by IP address, used alongside multiple scripts such as scanner[.]py, kube[.]py, react[.]py and pcpcat[.]py.