TeamPCP Supply Chain Attack Fuels Payroll Fraud and Ransomware
TeamPCP threat actors compromised trusted software tools to steal credentials from over 100 organizations, enabling $1.5M in payroll fraud, logistics theft, and ransomware extortion.

Executive Summary
A financially motivated threat actor tracked as TeamPCP has executed a multi-stage supply chain attack, compromising trusted software tools to harvest credentials from more than 100 victim organizations. According to research by Recorded Future's Insikt Group, the stolen credentials were then used to facilitate payroll diversion fraud, logistics theft, and ransomware extortion, resulting in confirmed losses exceeding $1.5 million. The operation demonstrates a sophisticated blending of initial access broker (IAB) tactics with hands-on-keyboard fraud and extortion.
Technical Analysis
The attack chain began with the compromise of legitimate software vendors and tools, though the specific initial vector remains undisclosed. TeamPCP then distributed trojanized versions of these tools, which were signed with valid digital certificates to evade detection. When victims installed the software, a malicious payload was executed that harvested credentials from a wide range of applications, including browsers, email clients, FTP clients, and cryptocurrency wallets.
The stolen credentials, particularly for corporate email and business administration platforms, were aggregated and either sold or used directly by the actors. Recorded Future analysts observed TeamPCP actors logging into victim email accounts to monitor business transactions, identify high-value targets such as CFOs, and spot upcoming payroll runs. In several cases, this access was sold to other cybercriminal groups specializing in ransomware deployment.
Tactics, Techniques & Procedures
The Insikt Group report maps TeamPCP's activities to the MITRE ATT&CK framework. Key techniques include:
- Supply Chain Compromise (T1195.002): Compromising software distribution channels to trojanize legitimate tools.
- Code Signing (T1553.002): Using valid certificates to sign malicious payloads.
- OS Credential Dumping (T1003): Deploying credential harvesters to collect stored authentication data from infected systems.
- Email Collection (T1114): Using stolen credentials to access and monitor victim email accounts for intelligence.
- Business Email Compromise (T1657): Using gathered intelligence to redirect ACH payments and payroll deposits to attacker-controlled accounts.
- Data Encrypted for Impact (T1486): Partnering with ransomware affiliates to deploy file-encrypting malware after initial access is established.
Threat Actor Context
TeamPCP is assessed by Recorded Future to be a financially motivated threat group based in Nigeria. The group operates with a dual business model: acting as an Initial Access Broker (IAB) by selling validated corporate access to other criminals, and conducting hands-on financial fraud themselves. Their operations are characterized by high-volume credential theft followed by meticulous, manual investigation of victim environments to maximize financial gain. The group has been active since at least 2022.
Mitigations & Recommendations
The Insikt Group report emphasizes defense against the initial supply chain compromise and credential harvesting stages. Key mitigations include:
- Implement application allowlisting to prevent execution of unauthorized software, including trojanized legitimate tools.
- Enforce robust multi-factor authentication (MFA) on all business-critical systems, especially email and financial platforms, using phishing-resistant methods where possible.
- Monitor for anomalous network authentication events and suspicious outbound connections from developer or IT workstations that may indicate credential harvesting activity.
- Establish and test procedures for verifying and validating requests for financial transactions, particularly changes to payment details or destinations.
- Conduct security assessments of third-party software providers and verify the integrity of software downloads through hash comparison when feasible.
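The last recommendation, verifying software downloads by hash comparison, is easy to get subtly wrong (lenient manifest parsing, non-constant-time comparison, accepting files the vendor never listed). The following Python script is an added example, not code from the Insikt Group report or from any vendor it describes; it assumes a sha256sum-style manifest ("<hex digest>  <filename>" per line) published out of band by the vendor, and the installer bytes it hashes are constructed placeholders.

```python
"""Verify a downloaded installer against a vendor-published SHA-256 manifest.

Added example (not vendor tooling). Assumes the vendor publishes checksums
in sha256sum format; the sample files and manifest below are constructed.
"""
import hashlib
import hmac
import os
import tempfile

HEX_DIGITS = set("0123456789abcdefABCDEF")


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large installers do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Map filename -> expected digest from sha256sum-style lines.

    Accepts both the text ("  ") and binary (" *") separators, skips blank
    lines and comments, and rejects anything that is not a 64-hex-char digest
    so a corrupted manifest fails loudly instead of silently matching nothing.
    """
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) != 64 or any(c not in HEX_DIGITS for c in digest) or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_download(path, manifest_text):
    """Return (ok, reason). Fails closed: a file the manifest does not list is rejected,
    and the digest comparison is constant-time."""
    expected = parse_manifest(manifest_text)
    name = os.path.basename(path)
    if name not in expected:
        return False, f"{name} is not listed in the manifest"
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected[name]):
        return False, f"hash mismatch for {name}: expected {expected[name]}, got {actual}"
    return True, f"{name} matches the published hash"


def demo():
    """Constructed scenario: a genuine installer, a same-named file with altered bytes
    (as a trojanized download would be), and a file the vendor never published.
    Returns the three verification outcomes."""
    with tempfile.TemporaryDirectory() as d:
        genuine = os.path.join(d, "tool-1.2.3.exe")
        with open(genuine, "wb") as f:
            f.write(b"MZ" + b"\x00" * 100)  # constructed placeholder bytes
        manifest = f"# constructed vendor manifest\n{sha256_file(genuine)}  tool-1.2.3.exe\n"

        tampered_dir = os.path.join(d, "tampered")
        os.mkdir(tampered_dir)
        tampered = os.path.join(tampered_dir, "tool-1.2.3.exe")
        with open(tampered, "wb") as f:
            f.write(b"MZ" + b"\x00" * 100 + b"extra")  # same name, different content

        unlisted = os.path.join(d, "tool-1.2.4.exe")
        with open(unlisted, "wb") as f:
            f.write(b"MZ")

        results = tuple(verify_download(p, manifest) for p in (genuine, tampered, unlisted))
        for ok, reason in results:
            print("OK " if ok else "FAIL", reason)
        return tuple(ok for ok, _ in results)


if __name__ == "__main__":
    demo()
```

Because TeamPCP's trojanized tools carried valid code signatures, a signature check alone would have passed them; the hash must be compared against a value obtained from a channel the attacker did not control, which is why the manifest is a separate input here rather than something read from the download location.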
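The recommendation to monitor for anomalous authentication events is what would surface the stage in which the actors log into victim mailboxes with stolen credentials. The following Python detector is an added example and is not from the Insikt Group report; the newline-delimited JSON sign-in format, its field names, and the sample events are all constructed for illustration.

```python
"""Flag mailbox sign-ins whose source (country, ASN) is new for that user.

Added example, not from the report. The log format and events are constructed:
a month of routine sign-ins for a finance user, then two sign-ins from a
source never seen before, as stolen-credential use against a mailbox looks.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

BASELINE_DAYS = 30        # trailing window that defines a user's known sources
MIN_BASELINE_EVENTS = 3   # no alert until the user has this many prior successes

# Constructed sample sign-in records (oldest first, documentation IP ranges).
SAMPLE_LOG = """\
{"ts":"2024-03-01T08:02:11Z","user":"cfo@example.test","ip":"203.0.113.10","country":"US","asn":"AS64500","app":"Outlook","result":"success"}
{"ts":"2024-03-05T08:15:40Z","user":"cfo@example.test","ip":"203.0.113.10","country":"US","asn":"AS64500","app":"Outlook","result":"success"}
{"ts":"2024-03-12T09:01:03Z","user":"cfo@example.test","ip":"203.0.113.11","country":"US","asn":"AS64500","app":"OWA","result":"success"}
{"ts":"2024-03-20T07:58:22Z","user":"cfo@example.test","ip":"203.0.113.10","country":"US","asn":"AS64500","app":"Outlook","result":"success"}
{"ts":"2024-03-28T23:41:07Z","user":"cfo@example.test","ip":"198.51.100.77","country":"DE","asn":"AS64511","app":"OWA","result":"success"}
{"ts":"2024-03-28T23:42:30Z","user":"cfo@example.test","ip":"198.51.100.77","country":"DE","asn":"AS64511","app":"OWA","result":"success"}
{"ts":"2024-03-29T10:12:00Z","user":"payroll@example.test","ip":"203.0.113.20","country":"US","asn":"AS64500","app":"OWA","result":"failure"}
"""


def parse_events(text):
    """Parse newline-delimited JSON records and return them oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_new_source_logins(events, baseline_days=BASELINE_DAYS,
                             min_events=MIN_BASELINE_EVENTS):
    """Return one alert per successful sign-in whose (country, ASN) pair has not
    been seen for that user within the trailing baseline window.

    Failed attempts do not build the baseline. Once a new source has been seen
    it becomes part of the baseline, so a second sign-in from it does not alert
    again; the first alert is the one an analyst needs to act on.
    """
    history = defaultdict(list)  # user -> [(timestamp, (country, asn)), ...]
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        user, src = ev["user"], (ev["country"], ev["asn"])
        cutoff = ev["ts"] - timedelta(days=baseline_days)
        recent = [s for t, s in history[user] if t >= cutoff]
        if len(recent) >= min_events and src not in set(recent):
            alerts.append({
                "user": user,
                "ts": ev["ts"].isoformat(),
                "ip": ev["ip"],
                "country": ev["country"],
                "asn": ev["asn"],
                "app": ev["app"],
                "reason": f"first sign-in from {src[0]}/{src[1]} in {baseline_days} days",
            })
        history[user].append((ev["ts"], src))
    return alerts


def run_sample():
    """Run the detector over the constructed log and return its alerts."""
    return detect_new_source_logins(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data the detector raises exactly one alert, for the first sign-in from the unseen source; the minimum-baseline threshold keeps newly onboarded users from alerting on every login, and in production the source key would usually be enriched further (device identifier, MFA method used) rather than relying on country and ASN alone.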