How TeamPCP's Python Toolkit Survives a C2 Takedown: FIRESCALE, GitHub, and the Victim's Own Account

ID: 6335c68e-95a9-5093-ba99-deffd2ee4f0d

STIX ID: report--6335c68e-95a9-5093-ba99-deffd2ee4f0d

Feed Name: Hunt.io Blog

Threat Score
90/100

Date Published: 2026-05-15

Date Updated: 2026-05-15

...
...

This report analyzes a sophisticated TeamPCP second-stage Python toolkit used in a supply-chain campaign. The toolkit performs stealthy environment checks; parallelized collection of credentials from local files, SSH, Docker, cloud providers, and password managers; three-tier exfiltration (a hardcoded C2 at 83.142.209.194, a GitHub commit dead-drop named "FIRESCALE", and the victim's own GitHub repositories); and an opportunistic geopolitical wiper. The analysis includes a detailed ATT&CK mapping, confirmed IOCs (IPs, service names, and 13 SHA-256 file hashes), and infrastructure pivots to Google Cloud addresses.