Threat Actors Scale Attacks on Edge and Cloud Control Planes via Exposed Services and Trusted Relationships
Threat actors are increasingly targeting network edge infrastructure—including firewalls, routers, and VPN appliances—by exploiting critical vulnerabilities to gain durable footholds in environments where monitoring is often weaker than on endpoints. Reporting highlights a shift toward persistence mechanisms such as device-family-specific backdoors that can survive reboots and even firmware updates, and a growing pattern of abusing trusted services and upstream providers (the “Fail-of-Trust Model”) to pivot from compromised IT/service vendors into downstream government, military, and critical infrastructure networks.
In parallel, a separate large-scale campaign tracked as TeamPCP (aka PCPcat / ShellForce) has been compromising cloud environments using automated, worm-like propagation against misconfigured or exposed management interfaces rather than novel exploits. Analysis cited in coverage attributes at least 60,000 compromised servers worldwide to the operation, which scans for and abuses exposed services such as Docker APIs, Kubernetes control surfaces, Redis, and other cloud-adjacent interfaces, turning hijacked infrastructure into monetizable “crime bots” through industrialized exploitation of known weaknesses and misconfigurations.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
China-nexus actors deploy persistent backdoors on edge devices
The report highlighted China-linked threat actors developing device-family-specific backdoors for edge infrastructure that can survive firmware updates and restarts. It also described growing use of compromised upstream providers, MSPs, cloud platforms, IoT, and NAS devices to relay traffic, obscure origins, and maintain access to downstream targets.
ShellForce leak site exposes JobsGO breach data
The TeamPCP/ShellForce operation was reported to be stealing data and extorting victims through a leak site, including publishing data from a breach of Vietnam's JobsGO. The exposed dataset reportedly contained more than two million candidate records.
TeamPCP compromises at least 60,000 servers worldwide
By early February 2026, Flare reported that TeamPCP had already compromised at least 60,000 servers globally. The operation used infected systems to scan for and infect additional vulnerable targets, with much of the observed activity affecting Azure- and AWS-hosted infrastructure.
TeamT5 documents widespread 2025 APT edge-device exploitation
TeamT5 reported that 2025 saw heightened APT activity against network edge devices, documenting more than 510 operations across 67 countries and identifying 27 critical vulnerabilities, mostly affecting perimeter infrastructure. The report described attackers increasingly exploiting firewalls, routers, and VPN appliances to gain durable access that can survive patching and reboots.
TeamPCP campaign begins targeting exposed cloud services
Flare assessed that the TeamPCP/PCPcat/ShellForce operation started in late December 2025, using automated worm-like propagation to compromise exposed and misconfigured cloud management services. The actor targeted services such as exposed Docker APIs, Kubernetes clusters, Redis, Ray dashboards, and React2Shell-vulnerable systems.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
APT Hackers Target Edge Devices by Abusing Trusted Services to Deploy Malware
cybersecuritynews.com
Open sourceTeamPCP Turns Cloud Infrastructure into Crime Bots
darkreading.com
Open sourceVPN Compromise to Ransomware: 5 Incident Response Scenarios
intrinsec.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
State-Backed Intrusions Exploit RDP, VPN, SSH, and Supply Chains for Initial Access
Russian and China-linked threat activity has relied on common but effective entry points to penetrate government, telecom, defense, energy, and other critical-sector networks. Ukrainian officials said CERT-UA recorded **5,927 cyber incidents** in 2025, a **37.4% increase** over the prior year, with Russian groups including **UAC-0002 (Sandworm)**, **UAC-0001 (APT28)**, **UAC-0010 (Gamaredon)**, and **UAC-0190 (Void Blizzard)** using exposed **RDP** services, vulnerable **VPN** appliances, supply-chain compromise, phishing, and stolen credentials to gain access. Separately, telecom intrusions tied to the China-linked cluster **UAT-9244** used exposed web applications, **ProxyLogon**, exposed **SSH** services, weak credentials, and unpatched server software to establish footholds in Linux-heavy environments. Once inside, the actors deployed a broad toolset for espionage, persistence, and disruption, including RATs, stealers, ransomware, wipers, and Linux malware such as **PeerTime**, which supports multiple architectures and uses peer-to-peer, BitTorrent-like communications to avoid reliance on centralized command-and-control. The reporting highlights exploitation of products including **Cisco ASA/AnyConnect**, **Roundcube**, **Fortinet**, **WinRAR**, **7-Zip**, and legacy Microsoft Office components, alongside social-engineering tactics such as **ClickFix**, device-code phishing, OAuth phishing, and QR-code hijacking. The campaigns also abused legitimate services and native system tools, while under-monitored embedded Linux devices, routers, edge systems, and container hosts were described as especially attractive for long-term persistence, lateral movement, scanning, and covert communications.
May 25, 2026
Multiple APT and malware campaigns abusing phishing, cloud services, and signed binaries
Reporting across multiple research teams described a surge of distinct, ongoing intrusion campaigns rather than a single unified incident. **Check Point** reported on **Silver Dragon**, a Chinese-aligned activity cluster assessed as operating under the broader **APT41** umbrella, targeting organizations in **Southeast Asia and Europe** (notably government) via exploitation of public-facing servers and phishing, then deploying **Cobalt Strike**, **DNS tunneling**, and a new Google Drive–based backdoor (**GearDoor**) alongside custom tools (**SSHcmd** and **SliverScreen**) for remote access and screen capture. **Microsoft** detailed separate February 2026 phishing campaigns by an unknown actor that used meeting/invoice-style lures and **EV code-signed** malware (certificate issued to **TrustConnect Software PTY LTD**) masquerading as common workplace apps (e.g., `msteams.exe`, `adobereader.exe`, `zoomworkspace.clientsetup.exe`) to install legitimate **RMM** tooling (**ScreenConnect**, **Tactical RMM**, **Mesh Agent**) for persistent access and lateral movement. Other reporting highlighted additional, unrelated campaigns and tradecraft: **ClearSky** described a Russian-aligned operation targeting **Ukraine** using a phishing-delivered ZIP/HTA chain that drops a .NET loader (**BadPaw**) and backdoor (**MeowMeow**) with **.NET Reactor** obfuscation, parameter-gated execution, and sandbox/tooling checks (with low-confidence linkage to **APT28**). **Cofense**-reported activity (via SC Media) showed phishing that weaponizes **Windows File Explorer + WebDAV** using URL/LNK shortcuts to pull payloads (notably **AsyncRAT**, **XWorm**, **DcRAT**) and infrastructure including **Cloudflare Tunnel** domains hosting WebDAV servers. **Cisco Talos**-reported **Dohdoor** activity (UAT-10027) targeted US **education and healthcare**, using PowerShell→batch→DLL sideloading via legitimate executables (e.g., `Fondue.exe`, `mblctr.exe`, `ScreenClippingHost.exe`) and **DNS-over-HTTPS** to Cloudflare for C2 discovery and tunneling. Separately, **Zscaler** reported **ScarCruft**’s *Ruby Jumper* campaign using **Zoho WorkDrive** for C2 and removable media components to reach air-gapped systems, while another Zscaler report analyzed **Dust Specter** targeting Iraqi government officials with password-protected RAR delivery and modular implants. **Qianxin XLab** assessed sanctioned infrastructure provider **Funnull** resurfacing to support scam/criminal supply chains and potential **MacCMS**-related supply-chain activity, and **F5 Labs** summarized **APT42**’s **TAMECAT** PowerShell backdoor focused on Edge/Chrome credential theft with C2 over Telegram/Discord/HTTPS and specific file/hash indicators. (A separate Help Net Security item on a Microsoft Defender onboarding tool is product/administrative news and not part of the threat-campaign reporting.)
Mar 21, 2026
Exploitation of Managed File Transfer and Messaging Server Vulnerabilities for Remote Code Execution and Ransomware Deployment
Threat actors continue to prioritize internet-facing infrastructure that provides high-leverage initial access, with multiple reports highlighting **active exploitation of remote code execution (RCE) paths** in widely deployed services. A DFIR case study described attackers exploiting **Apache ActiveMQ** `CVE-2023-46604` by sending a crafted OpenWire command that forced the broker to load a remote Spring XML configuration, leading to payload retrieval via `certutil`, rapid privilege escalation to **SYSTEM**, credential dumping from **LSASS**, and eventual **LockBit** ransomware deployment via **RDP** after re-entry using previously stolen privileged credentials. Separately, incident-response reporting warned of ongoing exploitation against **Managed File Transfer (MFT)** products, including Gladinet *CentreStack* (an LFI issue `CVE-2025-11371` used in an exploit chain culminating in RCE, patched as `CVE-2025-30406`) and Fortra *GoAnywhere MFT* (`CVE-2025-10035`, improper deserialization leading to RCE), with observed activity linked to a threat group associated with **Medusa** ransomware. Broader telemetry and research reinforced that edge and externally exposed services remain the primary battleground for initial access at scale. GreyNoise reported nearly **3 billion** malicious sessions against edge infrastructure in 2H 2025, with heavy targeting of enterprise VPNs (notably **Palo Alto GlobalProtect**) and continued exploitation attempts for older issues such as `CVE-2020-2034`, alongside pervasive scanning of **SSH** and remote access services. In parallel, financially motivated and cybercrime-enabling ecosystems are improving their ability to reach victims: Varonis detailed **1Campaign**, a cloaking service that helps malicious **Google Ads** evade review by serving benign pages to scanners while directing real users to phishing/crypto-drainer content, and Have I Been Squatted documented **Diesel Vortex**, a logistics-focused credential-phishing operation using dozens of domains and an exposed backend repository to support industrialized theft. These trends align with reporting that attackers are increasingly using **AI-assisted social engineering and tooling** (including deepfakes and AI-generated phishing) and with law-enforcement actions such as Interpol-backed **Operation Red Card 2.0**, which resulted in **651 arrests** and $4.3M recovered from cyber-enabled fraud activity across 16 African countries.
Mar 21, 2026