Aliases
PCPcat, ShellForce, DeadCatx3, CipherForce
Tags
Attribution
💰Cybercrime
Incidents
Last edited
Mar 22, 2026 12:59 PM
Status
Stub
Cloud-fluent
TeamPCP is a financially motivated threat actor specializing in cloud-native infrastructure compromise. First tracked in late 2025, the group conducts worm-driven campaigns targeting exposed Docker APIs, Kubernetes clusters, and CI/CD pipelines. Their operations combine supply-chain poisoning with aggressive credential harvesting, using memory-scraping techniques to extract secrets from GitHub Actions runners and cloud workloads. TeamPCP monetizes access through ransomware deployment, cryptomining, and extortion. The group demonstrates sophisticated operational security, leveraging ephemeral infrastructure including Cloudflare Tunnels, typosquatted domains, and ICP-hosted fallback C2.