TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure

Summary

A worm-driven campaign dubbed TeamPCP has been observed targeting cloud-native environments since late December 2025. The attackers exploit exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers to build malicious infrastructure for further attacks.

IFF Assessment

FOE

The campaign actively exploits vulnerable cloud infrastructure, posing a direct threat to defenders.

Severity

9.8 Critical (AI Estimated)

Defender Context

This campaign highlights the importance of properly configuring and securing cloud-native environments. Defenders should monitor for unauthorized access to Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers. Because the campaign propagates like a worm, prompt detection and rapid response are crucial to containing the spread of the malicious infrastructure.
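As an added example (not part of this brief or its source reporting), the following script gives defenders a quick exposure check for the service types named above: it parses `ss -lntp` output and flags Docker API, Kubernetes, Ray dashboard, and Redis listeners bound to all interfaces. The port numbers are assumed upstream defaults and the sample `ss` output is constructed.

```python
import re
# Default TCP ports of the service types named in the brief (assumed defaults;
# adjust to your deployment).
WATCHED_PORTS = {
    2375: "Docker Engine API (no TLS)",
    6443: "Kubernetes API server",
    10250: "Kubelet API",
    8265: "Ray dashboard",
    6379: "Redis",
}
# Bind addresses that mean "every interface" in ss output.
WILDCARDS = {"0.0.0.0", "*", "[::]"}
# Local Address:Port column of `ss -lntp`, e.g. 0.0.0.0:2375, [::]:8265, *:6379
_ADDR = re.compile(r"^(?P<addr>\*|\[[^\]]*\]|[\d.]+):(?P<port>\d+)$")

def parse_ss_line(line):
    """Return (bind_addr, port, process) for one LISTEN row of `ss -lntp`, else None."""
    cols = line.split()
    if len(cols) < 5 or cols[0] != "LISTEN":
        return None
    m = _ADDR.match(cols[3])
    if not m:
        return None
    proc = re.search(r'users:\(\("([^"]+)"', line)
    return m.group("addr"), int(m.group("port")), (proc.group(1) if proc else "?")

def exposed_services(ss_output):
    """List (port, service, bind_addr, process) for watched ports bound to all
    interfaces. Loopback-only listeners are deliberately not reported."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        addr, port, proc = parsed
        if port in WATCHED_PORTS and addr in WILDCARDS:
            findings.append((port, WATCHED_PORTS[port], addr, proc))
    return findings

# Constructed `ss -lntp` output: Docker API and Ray dashboard on all interfaces,
# Redis on loopback only, plus an unrelated sshd listener.
SAMPLE = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:2375        0.0.0.0:*         users:(("dockerd",pid=812,fd=9))
LISTEN 0      511    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=940,fd=6))
LISTEN 0      4096   [::]:8265           [::]:*            users:(("python",pid=1203,fd=12))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=610,fd=3))
"""
if __name__ == "__main__":
    for port, service, addr, proc in exposed_services(SAMPLE):
        print(f"EXPOSED: {service} listening on {addr}:{port} ({proc})")
```

On a live host, pipe real output in (`ss -lntp | python3 check.py` with `SAMPLE` replaced by `sys.stdin.read()`); a wildcard bind is only a lead, so confirm whether the service actually requires authentication before treating it as an incident.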
