✅ Report Title: Threat Group Profile: TeamPCP
✅ Executive Summary:
📌 Who Is the TeamPCP?
- TeamPCP is a financially motivated cybercrime group that emerged in December 2025 and began focusing attacks on corporate cloud environments, later expanding their attack strategy to include supply chain attacks.
- They claim to be a rebranded group, and analysis indicates that an existing cybercrime organization was reorganized under a new identity.
- Since February 2026, the group has been operating its own ransomware-as-a-service (RaaS) under the name 'CipherForce' and running a data leak site.
📌 DDW & Telegram Activity
- TeamPCP has expanded its influence through operating a Telegram channel and forming alliances with other groups within DDW forums.
- They operate the CipherForce (ShellForce) ransomware, engaging in activities to sell stolen data and recruit affiliates.
- Before operating as TeamPCP, its members sold corporate access on major DDW forums such as Darkforums, Breachforums, and Breachstars, and ran a server hosting service called DMT Host.
- The users @bulkDMT and @a0164915 have been identified as operators of TeamPCP.
📌 Arsenals Used by TeamPCP
- The most frequently used malware was CanisterWorm; the backdoor CanisterSprawl and the wiper kamikaze were also identified.
📌 Tactics, Techniques, and Procedures
- TeamPCP initiated the PCPcat campaign exploiting vulnerabilities in cloud environments, and recently conducted large-scale campaigns compromising credentials through supply chain attacks targeting Trivy, KICS, LiteLLM, Telnyx, and Namastex.
- The Supply Chain campaign was carried out in stages from the end of February to the end of March 2026, relying on a chain-propagation structure centered on credential compromise rather than on the exploitation of a single vulnerability.
- The threat actor regarded interconnected development ecosystems such as GitHub Actions, NPM, PyPI, and Docker Hub as a single attack surface, and executed a strategy of spreading to adjacent ecosystems using the initial compromise as a foothold.
- At its core, the campaign was a chain of credential compromises rather than a single point of intrusion: the threat actor used highly privileged tokens obtained from the CI/CD environment to extend the attack to package repositories, security tools, AI infrastructure, and the SDK ecosystem. As a result, the supply chain was contaminated sequentially as one attack chain rather than as a series of isolated incidents.
📌 Other Related Groups
- TeamPCP has been revealed to have a close cooperative relationship with the data compromise group LAPSUS$, and has formed an official partnership with the ransomware group VECT, announcing large-scale supply chain attacks and subsequent ransomware attacks.
✅ Recommended Threat Detection and Mitigation Actions:
- Because these attacks compromise credentials by abusing CI/CD pipelines and software supply chains, then spread across the ecosystem from that foothold, companies and organizations should prioritize behavior-based detection covering supply chain security, credential protection, and CI/CD execution paths.
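As an added example (not from the S2W report), a small Python audit of GitHub Actions workflow text that flags the token-exposure settings most relevant to the credential-compromise chain described above: a write-all job token, a missing permissions block, the pull_request_target trigger, and third-party actions referenced by a mutable tag instead of a commit SHA. The workflow content and the action names in it are constructed; the checks are regex-based and are a triage aid, not a substitute for a full YAML parser.

```python
import re

# Constructed sample workflow (not from the report) containing several weak settings.
SAMPLE_WORKFLOW = """\
name: release
on:
  push:
    branches: [main]
  pull_request_target:
permissions: write-all
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/publish-action@main
      - uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6
      - run: npm publish
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo@ref" step lines; local actions ("uses: ./path") have no "@" and are skipped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)", re.M)


def audit_workflow(text: str) -> list[str]:
    """Return findings describing settings that widen the blast radius of a stolen CI token."""
    findings = []
    if re.search(r"^\s*permissions:\s*write-all\s*$", text, re.M):
        findings.append("token-permissions: write-all grants the job token every scope")
    elif not re.search(r"^\s*permissions:", text, re.M):
        # Any permissions block (workflow- or job-level) counts as present for this coarse check.
        findings.append("token-permissions: no permissions block; token scope falls back to the repository default")
    if re.search(r"^\s*pull_request_target\s*:", text, re.M):
        findings.append("trigger: pull_request_target runs with a privileged token on untrusted pull-request input")
    for match in USES_RE.finditer(text):
        action, ref = match.group(1), match.group(2)
        if not SHA_RE.match(ref):
            findings.append(f"unpinned-action: {action}@{ref} resolves a mutable ref, not a commit SHA")
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```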
🧑‍💻 Author: S2W TALON
👉 Contact us: https://s2w.inc/en/contact
*The full report is available upon request or with a subscription to the S2W platform.