TeamPCP Cloud-Native Campaign Targeting Exposed Control Planes (Campaign)
ID: d4b26134-a98f-5772-ae99-4883d9369ff2
STIX ID: report--d4b26134-a98f-5772-ae99-4883d9369ff2
Feed Name: Wiz Cloud Threat Landscape
Date Published: 2026-02-05
Date Updated: 2026-05-01
Author: [email protected] (Wiz Threat Research)
TeamPCP is running an active cloud-native campaign that gains initial access through unauthenticated or weakly protected orchestration and management interfaces (exposed Docker and Kubernetes APIs, Redis) and through the Next.js middleware authorization bypass CVE-2025-29927, then deploys a bootstrap script (proxy.sh). The script installs tunneling/proxy tools (frps, gost), scanners, and persistent services. When Kubernetes is present, a second component (kube.py) enumerates resources, propagates to pods, and deploys a privileged DaemonSet that mounts the host filesystem into its pods. Additional tooling supports cryptomining, data theft, and Sliver C2 for operator-managed access.
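The DaemonSet pattern described above (a privileged container that mounts the host root via a hostPath volume) is easy to hunt for in exported manifests. The following script is an added example, not tooling from the Wiz report or from TeamPCP: it scans the output of `kubectl get daemonsets -A -o json`, ties each hostPath volume to the containers that actually mount it, and reports privileged containers and sensitive host mounts. The hostPID/hostNetwork check is an extra heuristic of mine, not something the report attributes to kube.py. The two sample DaemonSets are constructed, and their names and images are hypothetical.

```python
import json

# Host paths whose mounting by a workload indicates host filesystem access;
# "/" is the pattern the report describes for the kube.py DaemonSet.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/lib/kubelet", "/var/run/docker.sock")


def is_sensitive_host_path(path):
    """True if a hostPath volume exposes the host root or another sensitive path."""
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")


def analyze_daemonset(ds):
    """Return (daemonset, container, finding) tuples for one DaemonSet object."""
    findings = []
    meta = ds.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    pod_spec = ds.get("spec", {}).get("template", {}).get("spec", {})

    # Tie hostPath volumes to the containers that actually mount them.
    host_volumes = {v["name"]: v["hostPath"].get("path", "")
                    for v in pod_spec.get("volumes", []) if "hostPath" in v}

    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append((name, c["name"], "privileged container"))
        for m in c.get("volumeMounts", []):
            path = host_volumes.get(m["name"])
            if path is not None and is_sensitive_host_path(path):
                findings.append((name, c["name"],
                                 f"hostPath {path} mounted at {m.get('mountPath')}"))

    # Extra heuristic (not from the report): host PID/network namespaces.
    if pod_spec.get("hostPID") or pod_spec.get("hostNetwork"):
        findings.append((name, "-", "hostPID/hostNetwork enabled"))
    return findings


def scan_daemonset_list(obj):
    """Scan a `kubectl get daemonsets -A -o json` List object; returns all findings."""
    return [f for item in obj.get("items", [])
            if item.get("kind") == "DaemonSet" for f in analyze_daemonset(item)]


# Constructed sample: one ordinary log collector and one DaemonSet showing the
# reported pattern. Names and images are hypothetical.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "DaemonSet",
  "metadata": {"name": "log-collector", "namespace": "logging"},
  "spec": {"template": {"spec": {
    "containers": [{"name": "fluentbit", "image": "example/fluent-bit:1",
      "volumeMounts": [{"name": "varlog", "mountPath": "/var/log"}]}],
    "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}}]}}}},
 {"kind": "DaemonSet",
  "metadata": {"name": "node-agent", "namespace": "default"},
  "spec": {"template": {"spec": {
    "hostPID": true,
    "containers": [{"name": "agent", "image": "example/agent:latest",
      "securityContext": {"privileged": true},
      "volumeMounts": [{"name": "host", "mountPath": "/host"}]}],
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}}}}
]}
""")

if __name__ == "__main__":
    for ds, container, finding in scan_daemonset_list(SAMPLE):
        print(f"{ds} [{container}]: {finding}")
```

The benign log collector mounts only /var/log and produces no findings; the second DaemonSet is reported three times (privileged container, host root mounted at /host, hostPID). In a real cluster, feed the script the live JSON and treat any unexpected hit as a triage item, since legitimate node agents (CNI, storage, observability) also use privileged DaemonSets.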
