Full Report
A new malware framework called PCPJack is stealing credentials from exposed cloud infrastructure while actively removing TeamPCP's access to the systems. [...]
Analysis Summary
# Tool/Technique: PCPJack
## Overview
PCPJack is a sophisticated malware framework and worm designed to automate credential theft from exposed cloud infrastructure. It is notable for its aggressive "anti-competitor" behavior, specifically targeting and removing infections from the **TeamPCP** threat group to maintain exclusive control over compromised systems. It moves laterally through networks and exploits modern cloud vulnerabilities to propagate.
## Technical Details
- **Type:** Malware Framework / Worm
- **Platform:** Linux (Cloud environments, Docker, Kubernetes)
- **Capabilities:** Credential theft, vulnerability exploitation, lateral movement, competitor eviction, persistence.
- **First Seen:** May 2026 (Active since approximately late 2025/early 2026).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1190 - Exploit Public-Facing Application]
- **[TA0002 - Execution]**
  - [T1059.004 - Command and Scripting Interpreter: Unix Shell]
  - [T1203 - Exploitation for Client Execution]
- **[TA0003 - Persistence]**
  - [T1053.003 - Scheduled Task/Job: Cron]
  - [T1543.002 - Create or Modify System Process: Systemd Service]
- **[TA0007 - Discovery]**
  - [T1046 - Network Service Scanning]
  - [T1083 - File and Directory Discovery]
- **[TA0008 - Lateral Movement]**
  - [T1021.004 - Remote Services: SSH]
- **[TA0009 - Collection]**
  - [T1555 - Credentials from Password Stores]
- **[TA0011 - Command and Control]**
  - [T1102.002 - Web Service: Bidirectional Communication (Telegram)]
## Functionality
### Core Capabilities
- **Automated Exploitation:** Scans for and exploits five specific vulnerabilities (detailed below) to gain access to web apps and cloud services.
- **Credential Extortion/Theft:** Targets a wide array of secrets, including SSH keys, Slack tokens, WordPress configs, OpenAI/Anthropic API keys, Discord tokens, and DigitalOcean credentials.
- **Worm Propagation:** Uses Common Crawl parquet files to identify new targets and propagates via SSH and Docker/Kubernetes orchestration.
- **Data Exfiltration:** Uses encrypted Telegram channels (X25519 ECDH and ChaCha20-Poly1305) to exfiltrate stolen data in 2800-byte chunks.
### Advanced Features
- **Competitor Clean-up:** Explicitly identifies and removes TeamPCP-related processes, containers, services, and artifacts.
- **Infrastructure Targeting:** Specifically designed to interact with and compromise RayML, Redis, MongoDB, and exposed Docker/Kubernetes daemons.
- **Multi-Architecture Backdoor:** Utilizes Sliver-based backdoors supporting x86_64, x86, and ARM architectures.
## Indicators of Compromise
- **File Names:**
  - `bootstrap.sh` (initial dropper)
  - `monitor.py` (main orchestrator)
- **Vulnerabilities Exploited:**
  - CVE-2025-29927 (Next.js auth bypass)
  - CVE-2025-55182 (React2Shell deserialization)
  - CVE-2026-1357 (WPVivid unauthenticated upload)
  - CVE-2025-9501 (W3 Total Cache PHP injection)
  - CVE-2025-48703 (CentOS Web Panel shell injection)
- **Network Indicators:**
  - Telegram API endpoints (exfiltration)
  - C2 servers hosting Sliver backdoors (specific IPs/domains are not listed in the source)
- **Behavioral Indicators:**
  - Creation of hidden working directories.
  - Unexpected `systemd` units or `cron` jobs appearing on Linux cloud instances.
  - Large-scale outbound scanning on ports associated with Redis (6379), MongoDB (27017), and Docker (2375/2376).
## Associated Threat Actors
- **PCPJack Operator:** Likely a former affiliate or member of **TeamPCP** due to similarities in targeting and deep knowledge of TeamPCP's internal tooling.
## Detection Methods
- **Signature-based:** Detect `bootstrap.sh` script patterns or known Sliver backdoor payloads.
- **Behavioral:** Monitor for unauthorized modifications to `systemd` units or `cron` jobs. Alert on internal IPs scanning Kubernetes/Docker APIs or opening SSH sessions to many hosts.
- **Network:** Monitor for unusual spikes in outbound traffic to Telegram API ranges, especially encrypted, chunked payloads.
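As an added example (not code from the report or the PCPJack operators), one way to implement the behavioral "scanning on Redis/MongoDB/Docker ports" check: it reads constructed flow-log lines in an assumed `src=... dst=... dport=...` format and flags internal sources that reach a threshold of distinct destinations on the ports named in the indicators above. The private ranges and threshold are assumptions to adjust per environment.

```python
import ipaddress
import re
from collections import defaultdict

# Ports from the report's behavioral indicators.
WATCHED_PORTS = {6379: "redis", 27017: "mongodb", 2375: "docker", 2376: "docker-tls"}
# Assumed private ranges; replace with the environment's real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed flow-log line format: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=tcp"
LINE_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_scanners(lines, threshold=5):
    """Return {src: {service: distinct_dst_count}} for internal sources whose
    fan-out on any watched port reaches `threshold` distinct destinations."""
    fanout = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # line does not match the expected format; skip it
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if dport not in WATCHED_PORTS or not is_internal(src):
            continue  # only internal sources hitting watched ports are counted
        fanout[src][WATCHED_PORTS[dport]].add(dst)
    hits = {}
    for src, per_port in fanout.items():
        flagged = {svc: len(dsts) for svc, dsts in per_port.items() if len(dsts) >= threshold}
        if flagged:
            hits[src] = flagged
    return hits

# Constructed sample: 10.0.1.5 sweeps six hosts on 6379 and two on 2375, while
# 10.0.1.9 is a normal app server talking repeatedly to one Redis instance.
SAMPLE_LOG = [
    f"2026-05-02T10:00:0{i}Z src=10.0.1.5 dst=10.0.2.{i} dport=6379 proto=tcp" for i in range(1, 7)
] + [
    "2026-05-02T10:00:07Z src=10.0.1.5 dst=10.0.2.1 dport=2375 proto=tcp",
    "2026-05-02T10:00:08Z src=10.0.1.5 dst=10.0.2.2 dport=2375 proto=tcp",
    "2026-05-02T10:00:09Z src=10.0.1.9 dst=10.0.2.1 dport=6379 proto=tcp",
    "2026-05-02T10:00:10Z src=10.0.1.9 dst=10.0.2.1 dport=6379 proto=tcp",
    "2026-05-02T10:00:11Z src=8.8.8.8 dst=10.0.2.3 dport=27017 proto=tcp",
]

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))  # {'10.0.1.5': {'redis': 6}}
```

The single-destination Redis client and the external source are not flagged, which is the property that keeps this rule usable beside legitimate service traffic.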
## Mitigation Strategies
- **Identity Management:** Enforce Multi-Factor Authentication (MFA) across all cloud credentials.
- **Cloud Hardening:** Move from AWS IMDSv1 to **IMDSv2** to prevent credential theft via SSRF against the instance metadata service.
- **Access Control:** Follow the principle of least privilege; ensure Docker/Kubernetes APIs are not exposed to the public internet and require authentication.
- **Secret Management:** Avoid storing API keys (OpenAI, Slack, etc.) in plaintext files; use dedicated secret vaults.
## Related Tools/Techniques
- **TeamPCP / PCPCat:** Predecessor/rival framework.
- **Sliver:** Open-source C2 framework used for backdoor operations.
- **Trivy / LiteLLM / Telnyx:** Previous targets/victims of related supply-chain attacks.