1 malware familyExploits CVEs in the wild

ShellForce

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

38 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

12 of 15 tactics57 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

3 techniques

T1078×2

Valid Accounts

T1190×3

Exploit Public-Facing Application

T1195×3

Supply Chain Compromise

T1195.001

Compromise Software Dependencies and Development Tools

TA0002

Execution

3 techniques

T1053

Scheduled Task/Job

T1053.007

Container Orchestration Job

T1059×2

Command and Scripting Interpreter

T1059.006×2

Python

T1574×3

Hijack Execution Flow

TA0003

Persistence

4 techniques

T1053

Scheduled Task/Job

T1053.007

Container Orchestration Job

T1078×2

Valid Accounts

T1543

Create or Modify System Process

T1543.002×2

Systemd Service

T1546

Event Triggered Execution

T1546.018

Python Startup Hooks

TA0004

Privilege Escalation

7 techniques

T1053

Scheduled Task/Job

T1053.007

Container Orchestration Job

T1055

Process Injection

T1055.009

Proc Memory

T1078×2

Valid Accounts

T1543

Create or Modify System Process

T1543.002×2

Systemd Service

T1546

Event Triggered Execution

T1546.018

Python Startup Hooks

T1548

Abuse Elevation Control Mechanism

T1611

Escape to Host

TA0005

Stealth

5 techniques

T1036

Masquerading

T1055

Process Injection

T1055.009

Proc Memory

T1070

Indicator Removal

T1070.004

File Deletion

T1078×2

Valid Accounts

T1574×3

Hijack Execution Flow

TA0006

Credential Access

4 techniques

T1528×2

Steal Application Access Token

T1552

Unsecured Credentials

T1552.001×3

Credentials In Files

T1552.005

Cloud Instance Metadata API

T1555×2

Credentials from Password Stores

T1649×4

Steal or Forge Authentication Certificates

TA0007

Discovery

6 techniques

T1033

System Owner/User Discovery

T1057

Process Discovery

T1082×3

System Information Discovery

T1083

File and Directory Discovery

T1526×4

Cloud Service Discovery

T1613×3

Container and Resource Discovery

TA0008

Lateral Movement

1 technique

T1570

Lateral Tool Transfer

TA0009

Collection

1 technique

T1560

Archive Collected Data

TA0011

Command and Control

2 techniques

T1071

Application Layer Protocol

T1105×2

Ingress Tool Transfer

TA0010

Exfiltration

2 techniques

T1041

Exfiltration Over C2 Channel

T1567×3

Exfiltration Over Web Service

T1567.002

Exfiltration to Cloud Storage

TA0040

Impact

4 techniques

T1486

Data Encrypted for Impact

T1490

Inhibit System Recovery

T1491×2

Defacement

T1565

Data Manipulation

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen

TeamPCP Cloud stealerThe malware self-identifies as TeamPCP Cloud stealer in a Python comment on the final line of the embedded filesystem credential harvester.1Mar 28, 2026

WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2025-29927Next.js Middleware Authorization Bypass via x-middleware-subrequest HeaderIn the wildEvidence1

Analysis of react.py This script is clearly set to exploit CVE-2025-29927, also known as React2Shell. Script set to exploit React2Shell This script implements a fully automated React/Next.js exploitation pipeline centered on abusing CVE-2025-29927 to achieve remote command execution at scale. | This script is clearly set to exploit CVE-2025-29927, also known as React2Shell. Script set to exploit React2Shell This script implements a fully automated React/Next.js exploitation pipeline centered on abusing CVE-2025-29927 to achieve remote command execution at scale.

IOCS

Observables

13 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

13 IOCsView more in app

uri

9 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+1

ip.v4

2 total

•••••••••••••••••

Domains

1 total

••••••.com

hash.sha256

1 total

••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

No public activity tracked yet. Mallory keeps watching.

0 SOURCESView more in app

No public activity observed for this threat actor.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping38

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables13

Domains, IPs, and hashes tied to this actor, refreshed continuously.