The group’s profile is primarily defined by financial gain. Their revenue streams include direct extortion via data leaks, the theft of sensitive corporate information, and the hijacking of massive computational power. Their targeting is heavily skewed toward exposed cloud surfaces, with internal data suggesting a preference for Azure (61%)<\/strong> and AWS (36%)<\/strong>. Consequently, sectors with significant cloud footprints\u2014such as Banking, Fintech, and E-commerce\u2014are at the highest risk.<\/p>\n\n\n\n TeamPCP\u2019s initial modus operandi<\/em> relied on automated “worms” designed to traverse the internet in search of misconfigured services or unpatched vulnerabilities. However, their strategy saw a sophisticated shift in early 2026 toward Supply Chain attacks<\/strong>. By compromising popular security and DevOps tools, they have successfully injected malicious code into CI\/CD pipelines, allowing them to harvest credentials at the source. The group operates under several known aliases, including DeadCatx3<\/strong>, PCPcat<\/strong>, PersyPCP<\/strong>, and ShellForce<\/strong>.<\/p>\n\n\n\n The group’s activity peaked during three major campaigns that demonstrated their technical versatility:<\/p>\n\n\n\n Central to TeamPCP’s financial strategy is their official Onion-based Data Leak Site (DLS)<\/strong>. This portal follows the “double extortion” model, where victims are pressured not only to regain access to their systems but also to prevent the public release of their proprietary data.<\/p>\n\n\n\n The portal is designed with a minimalist “cat\/shell” aesthetic and features a categorized list of victims. Each entry typically includes a description of the breached entity, the date of the intrusion, and links\u2014often hosted via IPFS (InterPlanetary File System)<\/strong> or public file-sharing providers\u2014to download “proof-of-concept” data. This use of IPFS ensures that even if one gateway is taken down, the stolen data remains redundant and accessible.<\/p>\n\n\n\n Beyond serving as a repository for leaks, the site functions as a communication hub where victims are provided with Tox IDs<\/strong> or encrypted chat links to negotiate ransom payments in private.<\/p>\n\n\n\n Monitoring for the following indicators is recommended for cloud infrastructure defense:<\/p>\n\n\n\n Suspicious Runtime Behaviors:<\/strong><\/p>\n\n\n\n Observers should watch for the sudden creation of unauthorized Kubernetes DaemonSets<\/strong> or Jobs<\/strong> with names like TeamPCP: The Rise of Cloud-Native Extortion and Supply Chain Attacks TeamPCP is an emerging cybercriminal collective that became active in late 2025, distinguishing itself through a specialized focus on massive attacks against cloud-native infrastructures. Unlike traditional Advanced Persistent Threat (APT) groups that often prioritize deep persistence on specific endpoints, TeamPCP utilizes high-level automation to scale […]<\/p>\n","protected":false},"author":12,"featured_media":9741,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[3089,3088,350],"class_list":["post-9727","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-security-news","tag-supply-chain","tag-teampcp","tag-threat"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/9727","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=9727"}],"version-history":[{"count":2,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/9727\/revisions"}],"predecessor-version":[{"id":9730,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/9727\/revisions\/9730"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/9741"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=9727"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=9727"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=9727"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Evolutionary Tactics: From Worms to Supply Chain Poisoning<\/h2>\n\n\n\n
Chronology of Recent Operations (2025\u20132026)<\/h2>\n\n\n\n
\n
The Onion Data Leak Site (DLS) and Extortion Model<\/h2>\n\n\n\n
![\"\"](\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2026\/03\/image-1024x657.png\")
<\/figure>\n\n\n\nTechnical Indicators of Compromise (IOCs)<\/h2>\n\n\n\n
Category<\/strong><\/td> Indicator \/ Value<\/strong><\/td><\/tr><\/thead> C2 Domains<\/strong><\/td> scan.aquasecurtiy[.]org<\/code> (Typosquatting), checkmarx[.]zone<\/code>, models.litellm[.]cloud<\/code><\/td><\/tr>C2 IP Address<\/strong><\/td> 45.148.10[.]212<\/code> (Exfiltration infrastructure)<\/td><\/tr>Onion URL<\/strong><\/td> 22evxpggnkyrxpluewqsrv5j4jtde6hut2peq3w44d6ase676qlkoead[.]onion<\/code> (old)22evxpggnkyrxpluewqsrv5j4jtde6hut2peq3w44d6ase676qlkoead[.]onion<\/code> (new)<\/td><\/tr>Malicious Files<\/strong><\/td> tpcp.tar.gz<\/code> (Encrypted exfiltration), proxy.sh<\/code> (Tunneling), kube.py<\/code> (Lateral movement)<\/td><\/tr>Persistence<\/strong><\/td> internal-monitor.service<\/code> (Systemd service)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\nnode-setup-*<\/code> or host-provisioner-std<\/code>. Additionally, unexpected outbound traffic from containers toward GitHub or the presence of a repository named tpcp-docs<\/code> within an organization\u2019s GitHub account are strong signals of active exfiltration.<\/p>\n","protected":false},"excerpt":{"rendered":"