Threat Actor Profile: TeamPCP

Threat Actor Profile: TeamPCP

Classification: Financially Motivated Cybercrime Group
Threat Level: HIGH
First Observed: November–December 2025
Last Active: May 2026 (Ongoing)
Also Known As: PCPcat · ShellForce · CipherForce · DeadCatx3 · Persy_PCP

Executive Summary

TeamPCP is one of the most consequential cybercrime groups to emerge in 2026. In under six months, the group went from targeting poorly secured cloud servers to executing what researchers have called the most significant software supply chain attack campaign of the year, one that ultimately touched AI giants, a European government institution, and hundreds of thousands of organizations worldwide.

What makes TeamPCP particularly dangerous is not that they use sophisticated, never-before-seen techniques. It is that they are exceptionally good at industrializing well-known weaknesses and chaining them together at speed and scale. In their March 2026 campaign alone, they compromised trusted developer security tools and turned those tools into weapons that automatically harvested credentials from every organization using them. Over 1,000 enterprise environments were affected, roughly 500,000 credentials were stolen, and more than 300 GB of data was exfiltrated.

The group remains active, has formed ransomware partnerships, runs its own extortion operation, and has shown no indication of slowing down.

Who Is TeamPCP?

TeamPCP is a loosely organized group of financially motivated cybercriminals. In a Forbes interview, a spokesperson using the handle T00001B described the group as young people, "teenagers and young adults" who could not find paying work. Despite that self-description, their operational output has been anything but amateurish.

The group publicly maintains a Telegram channel (@team_pcp) that grew from roughly 700 subscribers in early 2026 to over 1,180 by late March, driven largely by media coverage of their supply chain operations. Through Telegram, they announce breaches, share stolen data samples, recruit ransomware partners, and document their own activity. This unusual transparency appears to be a deliberate strategy for building criminal reputation.

Linguistic and contextual signals in the group's communications suggested possible connections to Africa, though attribution remains unconfirmed.

Aliases and Sub-Operations:

How Did They Start?

TeamPCP's earliest documented activity dates to November–December 2025. Initial operations were relatively straightforward: the group scanned the internet for cloud servers that were misconfigured or left exposed, specifically targeting Docker APIs, Kubernetes clusters, Redis servers, and Ray dashboards that had no authentication protecting them.

Once inside these environments, they deployed multiple tools to turn compromised servers into a self-sustaining criminal infrastructure by running cryptocurrency miners, building proxy networks, harvesting credentials, and staging data for extortion. Over 185 compromised servers were identified during this period, with Azure and AWS environments accounting for 97% of victims.

Their first named campaign, dubbed "Operation PCPcat," peaked around Christmas Day 2025, and the group celebrated publicly on Telegram by sharing portions of the stolen data as a form of reputation building in underground circles.

A notable early victim was JobsGO, a Vietnamese recruitment platform, from which the group exfiltrated 2.3 million candidate profiles containing names, birthdates, resumes, employment histories, and contact information.

The March 2026 Supply Chain Campaign: A Turning Point

In March 2026, TeamPCP executed a campaign that elevated them from a cloud exploitation crew to a major threat to the global software supply chain. The operation was methodical, cascading, and deeply damaging.

How It Worked

The attack began with access to Aqua Security's development infrastructure, specifically the automated pipelines used to build and publish the widely used open-source security scanner, Trivy. When a previous security incident at Aqua resulted in incomplete credential rotation, TeamPCP exploited that residual access to inject malicious code into Trivy's release process.

From that single entry point, the attack spread like wildfire. Every organization that ran Trivy's automated security scans unknowingly handed over the keys to their own systems cloud access tokens, SSH keys, API credentials, Kubernetes configuration files, and more. TeamPCP's malware packaged those credentials automatically and sent them back to attacker-controlled servers.

Those stolen credentials then funded the next wave of attacks. And the wave after that.

The Cascade

Over five days, the campaign compromised:

• Trivy (Aqua Security's security scanner used by hundreds of thousands of organizations)
• ‍Checkmarx KICS (a widely used infrastructure security tool)
• ‍LiteLLM (a popular AI model gateway)
• ‍Telnyx Python SDK (a communications platform SDK with 742,000 monthly downloads)
• ‍Bitwarden CLI (a widely used password manager developer tool)
• ‍66+ npm packages across multiple organizations
• ‍PyTorch Lightning ecosystems

The breadth of the compromise meant that thousands of downstream development pipelines belonging to organizations that had no direct relationship with any of these vendors were automatically exposed.

The Self-Propagating Worm

One of the most alarming technical developments in this campaign was CanisterWorm, a self-propagating tool that, once it had a stolen software package publishing credential, could automatically inject malicious code into every package that credential had the right to publish. In under 60 seconds, it would identify, infect, and republish compromised packages under legitimate developer names. The human element was removed entirely from the propagation chain.

A follow-on tool named Mini Shai-Hulud later expanded this capability further, targeting CI/CD automation pipelines to spread malware through software dependencies across interconnected development ecosystems.

Major Known Victims (2025–2026)

Criminal Partnerships and Monetization

TeamPCP does not operate as a single-purpose group. They have built multiple monetization streams and formal criminal partnerships.

CipherForce is their own ransomware brand, through which they directly extort victims.

On BreachForums, they formalized a partnership with the Vect Ransomware Group, a Russian-speaking ransomware-as-a-service operation. Vect explicitly announced plans to deploy ransomware across all organizations affected by the Trivy and LiteLLM compromises, turning a credential theft operation into a ransomware deployment pipeline spanning thousands of potential victims.

TeamPCP's Telegram channel (@team_pcp) has also been linked to the ShinyHunters cybercrime group, with both groups named in the European Commission breach.

This structure where TeamPCP generates access at scale and then routes that access to multiple ransomware operations simultaneously means a single supply chain compromise they execute can trigger ransomware incidents across hundreds of organizations.

What They're After

TeamPCP's targeting is not industry specific. They target infrastructure, and whoever happens to run on that infrastructure becomes a victim. However, their recent activity reveals a deliberate focus on certain high-value sectors:

• AI companies and AI development infrastructure - OpenAI, Mistral AI, Lightning AI, Mercor, and others have all been named as targets or victims. Proprietary AI model code, training data, and internal repositories are valuable on the criminal market.

• Developer tooling and software supply chains - By compromising the tools developers trust, they achieve disproportionate scale. One poisoned package can affect tens of thousands of downstream organizations.

• Cloud infrastructure - Azure (61%) and AWS (36%) environments accounted for 97% of their earlier compromised servers. They specifically target exposed cloud management interfaces rather than end-user devices.

• Government and institutional environments - The European Commission breach demonstrated their reach extends to nation-state-tier institutions.

Indicators of Compromise

MITRE ATT&CK Techniques

T1059 - Command and Scripting Interpreter: Command line and scripting environments are used to execute payloads, download tools, perform system reconnaissance, and enable remote execution across Linux, Windows, and containerized environments.

T1609 - Container Administration Command: TeamPCP exploits Docker daemons and Kubernetes APIs to execute commands within containers, deploy malicious workloads, and pivot laterally across container environments.

T1610 - Deploy Container: The group deploys privileged containers with host filesystem access to achieve full node compromise, particularly during the CanisterWorm Kubernetes wiper operations targeting Iranian infrastructure.

T1525 - Implant Internal Image: Malicious code was embedded directly into Trivy Docker images tagged 0.69.4 through 0.69.6, ensuring persistence and reinfection through trusted container registries.

T1552.001 - Credentials in Files: The TeamPCP Cloud Stealer specifically targets credential files including SSH keys, cloud provider configuration files, Kubernetes config files, and environment variables storing API keys and tokens.

T1041 - Exfiltration Over C2 Channel: Harvested credentials are encrypted using AES-256 with RSA-4096 and exfiltrated as compressed archives to attacker-controlled infrastructure, with the GitHub Releases API used as a fallback exfiltration channel.

‍