Cyber Criminal Group TeamPCP

    Date: 07/06/2026

    Severity: High

    Summary

    TeamPCP is a financially motivated cybercriminal group responsible for large-scale software supply chain attacks targeting trusted developer and security tools, including Trivy, KICS, LiteLLM, and the Telnyx Python SDK. By injecting malicious code into legitimate packages, the group deployed credential stealers, persistent backdoors, and self-propagating malware such as CanisterWorm, SANDCLOCK, Mini Shai-Hulud, and Miasma to steal cloud credentials, API keys, SSH keys, and Kubernetes secrets. In addition to supply chain compromises, TeamPCP conducts data extortion and collaborates with other threat actors to monetize stolen data and maintain long-term access to compromised environments. 

    Indicators of Compromise (IOC) List 

    Domains/URLs

    scan.aquasecurtiy.org 

    checkmarx.zone 

    checkmarx.zone/vsx

    checkmarx.zone/static/checkmarxutil-1.0.4.tgz 

    checkmarx.zone/raw 

    models.litellm.cloud

    tdtqy-oyaaa-aaaae-af2dqcai.raw.icp0.io 

    check.git-service.com 

    t.m-kosche.com

    git-tanstack.com 

    recv.hackmoltrepeat.com 

    audit.checkmarx.cx/v1/telemetry

    IP Address

    83.142.209.11 

    45.148.10.212 

    83.142.209.194

    83.142.209.203 

    94.154.172.43 

    67.217.57.240

    Hash

    18a24f83e807479438dcab7a1804c51a00dafc1d526698a66e0640d1e5dd671a

    c37c0ae9641d2e5329fcdee847a756bf1140fdb7f0b7c78a40fdc39055e7d926

    0c0d206d5e68c0cf64d57ffa8bc5b1dad54f2dda52f24e96e02e237498cb9c3a

    61ff00a81b19624adaad425b9129ba2f312f4ab76fb5ddc2c628a5037d31a4ba

    f398f06eefcd3558c38820a397e3193856e4e6e7c67f81ecc8e533275284b152

    7df6cef7ab9aae2ea08f2f872f6456b5d51d896ddda907a238cd6668ccdc4bb7

    5e2ba7c4c53fa6e0cef58011acdd50682cf83fb7b989712d2fcf1b5173bad956

    e9b1e069efc778c1e77fb3f5fcc3bd3580bbc810604cbf4347897ddb4b8c163b

    069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce

    7d80b3ef74ad7992b93c31966962612e4e2ceb93e7727cdbd1d2a9af47d44ba8

    aeaf583e20347bf850e2fabdcd6f4982996ba023f8c2cd56bbd299cfd56516f5

    877ff2531a63393c4cb9c3c86908b62d9c4fc3db971bc231c48537faae6cb3ec

    80a3d2877813968ef847ae73b5eeeb70b9435254e74d7f07d8cf4057f0a710ac

    6f933d00b7d05678eb43c90963a80b8947c4ae6830182f89df31da9f568fea95

    eb6eb4154b03ec73218727dc643d26f4e14dfda2438112926bb5daf37ae8bcdb

    29ac906c8bd801dfe1cb39596197df49f80fff2270b3e7fbab52278c24e4f1a7

    a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c

    71e35aef03099cd1f2d6446734273025a163597de93912df321ef118bf135238

    a0d229be8efcb2f9135e2ad55ba275b76ddcfeb55fa4370e0a522a5bdee0120b

    6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a

    88896d478986d453f5da79b311de39d9b4b1bea95c21af1d8ef181b0f4e52fe9

    21b6409a7b84446310daca5409ad6112ac60a1e4bef97736e53fff5f63bfdef4

    0dc06ecdaa63fe24859cfd955053c23245c536e4733480239d14bebf12688e35

    633c8410ee0413ca4b090a19c30b20c03f31598c25247c484846fa34c1df5b64

    ef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "scan.aquasecurtiy.org" or url like "scan.aquasecurtiy.org" or siteurl like "scan.aquasecurtiy.org" or domainname like "t.m-kosche.com" or url like "t.m-kosche.com" or siteurl like "t.m-kosche.com" or domainname like "models.litellm.cloud" or url like "models.litellm.cloud" or siteurl like "models.litellm.cloud" or domainname like "check.git-service.com" or url like "check.git-service.com" or siteurl like "check.git-service.com" or domainname like "git-tanstack.com" or url like "git-tanstack.com" or siteurl like "git-tanstack.com" or domainname like "recv.hackmoltrepeat.com" or url like "recv.hackmoltrepeat.com" or siteurl like "recv.hackmoltrepeat.com" or domainname like "checkmarx.zone" or url like "checkmarx.zone" or siteurl like "checkmarx.zone" or domainname like "checkmarx.zone/vsx" or siteurl like "checkmarx.zone/vsx" or url like "checkmarx.zone/vsx" or domainname like "checkmarx.zone/static/checkmarxutil-1.0.4.tgz" or siteurl like "checkmarx.zone/static/checkmarxutil-1.0.4.tgz" or url like "checkmarx.zone/static/checkmarxutil-1.0.4.tgz" or domainname like "checkmarx.zone/raw" or siteurl like "checkmarx.zone/raw" or url like "checkmarx.zone/raw" or domainname like "tdtqy-oyaaa-aaaae-af2dqcai.raw.icp0.io" or siteurl like "tdtqy-oyaaa-aaaae-af2dqcai.raw.icp0.io" or url like "tdtqy-oyaaa-aaaae-af2dqcai.raw.icp0.io" or domainname like "audit.checkmarx.cx/v1/telemetry" or siteurl like "audit.checkmarx.cx/v1/telemetry" or url like "audit.checkmarx.cx/v1/telemetry"

    Detection Query 2 :

    dstipaddress IN ("83.142.209.194","45.148.10.212","83.142.209.203","94.154.172.43","67.217.57.240","83.142.209.11") or srcipaddress IN ("83.142.209.194","45.148.10.212","83.142.209.203","94.154.172.43","67.217.57.240","83.142.209.11")

    Detection Query 3 :

    sha256hash IN ("ef641e956f91d501b748085996303c96a64d67f63bfeef0dda175e5aa19cca90","29ac906c8bd801dfe1cb39596197df49f80fff2270b3e7fbab52278c24e4f1a7","f398f06eefcd3558c38820a397e3193856e4e6e7c67f81ecc8e533275284b152","7df6cef7ab9aae2ea08f2f872f6456b5d51d896ddda907a238cd6668ccdc4bb7","0c0d206d5e68c0cf64d57ffa8bc5b1dad54f2dda52f24e96e02e237498cb9c3a","c37c0ae9641d2e5329fcdee847a756bf1140fdb7f0b7c78a40fdc39055e7d926","e9b1e069efc778c1e77fb3f5fcc3bd3580bbc810604cbf4347897ddb4b8c163b","21b6409a7b84446310daca5409ad6112ac60a1e4bef97736e53fff5f63bfdef4","a0d229be8efcb2f9135e2ad55ba275b76ddcfeb55fa4370e0a522a5bdee0120b","069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce","0dc06ecdaa63fe24859cfd955053c23245c536e4733480239d14bebf12688e35","80a3d2877813968ef847ae73b5eeeb70b9435254e74d7f07d8cf4057f0a710ac","7d80b3ef74ad7992b93c31966962612e4e2ceb93e7727cdbd1d2a9af47d44ba8","eb6eb4154b03ec73218727dc643d26f4e14dfda2438112926bb5daf37ae8bcdb","61ff00a81b19624adaad425b9129ba2f312f4ab76fb5ddc2c628a5037d31a4ba","6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a","18a24f83e807479438dcab7a1804c51a00dafc1d526698a66e0640d1e5dd671a","a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c","71e35aef03099cd1f2d6446734273025a163597de93912df321ef118bf135238","6f933d00b7d05678eb43c90963a80b8947c4ae6830182f89df31da9f568fea95","877ff2531a63393c4cb9c3c86908b62d9c4fc3db971bc231c48537faae6cb3ec","5e2ba7c4c53fa6e0cef58011acdd50682cf83fb7b989712d2fcf1b5173bad956","aeaf583e20347bf850e2fabdcd6f4982996ba023f8c2cd56bbd299cfd56516f5","88896d478986d453f5da79b311de39d9b4b1bea95c21af1d8ef181b0f4e52fe9","633c8410ee0413ca4b090a19c30b20c03f31598c25247c484846fa34c1df5b64")

    Reference:    

    https://www.ic3.gov/CSA/2026/260702.pdf              


    Tags

    BackdoorShai-huludCredential HarvestingExtortionMalwareThreat ActorTeamPCPSupply chain attack

    « Previous ArticleNext Article »

    Comments

    No records to display

    Looking for Something?
    Threat Research Categories:
    Tags