Full Report
Cybersecurity researchers have disclosed details of a new credential theft framework dubbed PCPJack that targets exposed cloud infrastructure and ousts any artifacts linked to TeamPCP from the environments. "The toolset harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting
Analysis Summary
# Tool/Technique: PCPJack
## Overview
PCPJack is a sophisticated, worm-like credential theft framework designed to exploit exposed cloud infrastructure. It is characterized by its aggressive "eviction" tactics, where it actively identifies and removes artifacts and processes associated with the **TeamPCP** threat actor. The tool harvests credentials across cloud, container, and financial services, utilizing automated scanning and known vulnerabilities to propagate laterally and externally.
## Technical Details
- **Type:** Malware Toolset / Framework / Worm
- **Platform:** Linux-based cloud environments (Docker, Kubernetes, Redis, MongoDB, RayML)
- **Capabilities:** Credential harvesting, lateral movement, external scanning, automated vulnerability exploitation (5 CVEs), environment persistence, and Telegram-based exfiltration.
- **First Seen:** May 2026 (Disclosed)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application
- **TA0007 - Discovery**
  - T1046 - Network Service Discovery
  - T1018 - Remote System Discovery
- **TA0008 - Lateral Movement**
  - T1021.004 - Remote Services: SSH
  - T1080 - Taint Shared Content
- **TA0009 - Collection**
  - T1552.001 - Unsecured Credentials: Files
- **TA0011 - Command and Control**
  - T1102.002 - Web Service: Bidirectional Communication (Telegram)
- **TA0040 - Impact**
  - T1481 - Account Removal (Specifically targeting TeamPCP artifacts)
## Functionality
### Core Capabilities
- **Worm-like Propagation:** Automated exploitation of five specific CVEs to spread across cloud instances.
- **Credential Harvesting:** Specifically targets cloud provider keys (AWS, Azure, GCP), database credentials (Redis, MongoDB), and developer secrets.
- **Cloud Scanning:** Utilizes `cloud_ranges.py` to target IP ranges of major providers and uses Common Crawl datasets to identify potential targets.
- **Exfiltration:** Encrypts stolen data and sends it to attacker-controlled Telegram channels.
### Advanced Features
- **Rival Eviction:** Scans for and terminates any processes or files associated with "TeamPCP."
- **Success Metrics:** Reports back to the C2 with a "PCP replaced" field to confirm successful takeover of rival infrastructure.
- **Persistence:** Automatically installs Python and configures system-level persistence during the bootstrap phase.
## Indicators of Compromise
- **File Hashes (SHA256):**
  - *(Specific hashes not provided in the article snippet, though names are identified)*
- **File Names:**
  - `monitor.py` (Source: `worm.py`)
  - `utils.py` (Source: `parser.py`)
  - `_lat.py` (Source: `lateral.py`)
  - `_cu.py` (Source: `crypto_util.py`)
  - `_cr.py` (Source: `cloud_ranges.py`)
  - `_csc.py` (Source: `cloud_scan.py`)
  - `check.sh`
- **Network Indicators:**
  - High volume of scans to cloud provider IP ranges.
  - Outbound traffic to Telegram API: `api[.]telegram[.]org`
  - Access to Common Crawl parquet files.
- **Behavioral Indicators:**
  - Unexpected presence of Python or Docker/Kubernetes management tools on non-admin hosts.
  - Rapid termination of processes linked to TeamPCP.
## Associated Threat Actors
- **Unknown Operator:** Suspected to be a former member of **TeamPCP** due to tradecraft overlap and specific targeting of TeamPCP infrastructure.
## Detection Methods
- **Behavioral Detection:** Monitoring for unauthorized outbound connections to Telegram from cloud workloads and identifying internal port scanning (Redis/6379, MongoDB/27017, etc.).
- **Vulnerability Scanning:** Identify systems unpatched against the 5 key CVEs:
  - CVE-2025-55182
  - CVE-2025-29927
  - CVE-2026-1357
  - CVE-2025-9501
  - CVE-2025-48703
- **File Monitoring:** Watch for the creation of hidden or unusually named Python scripts (e.g., `_lat.py`, `_cr.py`) in temporary directories.
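The three detection ideas above (Telegram egress from workloads, internal fan-out scanning of Redis/MongoDB ports, and oddly named Python scripts in temp directories) can be turned into concrete checks. The following is an added example written for this summary, not code from the report or the researchers; the flow-log format, the field order, the 60-second/5-target scan threshold, the hidden-file and underscore-name regex, and every sample record are constructed assumptions chosen to illustrate the logic against realistic input.

```python
"""Added detection example (not code from the report or the researchers):
three checks mirroring the behaviours listed above. Log format, field
order, thresholds and every sample record are constructed assumptions."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Values taken from the report: scan target ports and the exfil endpoint.
SCAN_PORTS = {6379, 27017}
TELEGRAM_HOSTS = {"api.telegram.org"}
# Deployed script names from the report's IoC list.
KNOWN_SCRIPT_NAMES = {"monitor.py", "utils.py", "_lat.py", "_cu.py",
                      "_cr.py", "_csc.py", "check.sh"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed flow records: "<timestamp> <src> <dst> <dport> <tls-sni or ->".
# Addresses are RFC 5737 / RFC 1918 test values, not real infrastructure.
SAMPLE_FLOWS = """\
2026-05-02T10:00:00Z 10.0.1.5 192.0.2.10 443 api.telegram.org
2026-05-02T10:00:02Z 10.0.1.5 10.0.2.10 6379 -
2026-05-02T10:00:03Z 10.0.1.5 10.0.2.11 6379 -
2026-05-02T10:00:04Z 10.0.1.5 10.0.2.12 27017 -
2026-05-02T10:00:05Z 10.0.1.5 10.0.2.13 6379 -
2026-05-02T10:00:06Z 10.0.1.5 10.0.2.14 27017 -
2026-05-02T10:00:07Z 10.0.1.9 10.0.2.10 6379 -
2026-05-02T10:00:08Z 10.0.1.9 192.0.2.20 443 sts.amazonaws.com
2026-05-02T10:05:00Z 10.0.1.9 10.0.2.11 6379 -
"""

# Constructed file listing, as a file-integrity agent might report it.
SAMPLE_PATHS = [
    "/tmp/_lat.py",
    "/tmp/.cache/_cr.py",
    "/var/tmp/monitor.py",
    "/opt/app/utils.py",        # same name, but outside temp dirs: too noisy to flag
    "/dev/shm/.x.py",           # hidden Python file in shared memory
    "/tmp/requirements.txt",
]


def parse_flows(text):
    """Parse the constructed flow format into dicts with a datetime 'ts'."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, sni = line.split()
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "dport": int(dport),
            "sni": None if sni == "-" else sni,
        })
    return flows


def telegram_egress(flows):
    """Workload hosts that opened a connection to the Telegram API."""
    return sorted({f["src"] for f in flows if f["sni"] in TELEGRAM_HOSTS})


def scan_fanout(flows, window=timedelta(seconds=60), min_targets=5):
    """Sources reaching >= min_targets distinct private IPs on scan ports
    inside any `window`; returns {src: distinct_targets_in_window}."""
    per_src = defaultdict(list)
    for f in flows:
        if f["dport"] in SCAN_PORTS and ipaddress.ip_address(f["dst"]).is_private:
            per_src[f["src"]].append((f["ts"], f["dst"]))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                flagged[src] = len(targets)
                break
    return flagged


def suspicious_scripts(paths):
    """Known PCPJack script names, or hidden / short underscore-prefixed
    .py files, created under temp directories."""
    hits = []
    for p in paths:
        if not p.startswith(TEMP_DIRS):
            continue
        name = p.rsplit("/", 1)[-1]
        if (name in KNOWN_SCRIPT_NAMES
                or (name.startswith(".") and name.endswith(".py"))
                or re.fullmatch(r"_[a-z]{1,4}\.py", name)):
            hits.append(p)
    return hits


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("telegram egress:", telegram_egress(flows))
    print("scan fan-out:", scan_fanout(flows))
    print("suspicious scripts:", suspicious_scripts(SAMPLE_PATHS))
```

In practice the flow records would come from VPC flow logs or a network sensor that records TLS SNI, and the path list from a file-integrity agent or an inotify watcher on the temp directories. The name-based script check is deliberately limited to temp directories because `utils.py` and `monitor.py` are common names elsewhere; the fan-out check keys on distinct private targets rather than raw connection count so a single busy client of one Redis instance does not trip it.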
## Mitigation Strategies
- **Patch Management:** Immediately address the five disclosed CVEs used for propagation.
- **Network Segmentation:** Implement strict egress filtering for cloud workloads to prevent unauthorized C2 communication and scanning.
- **Credential Hygiene:** Use IAM roles/Service Accounts with least privilege instead of long-lived access keys stored in environment variables or files.
- **Configuration Hardening:** Ensure Docker and Kubernetes APIs are not exposed to the public internet without strong authentication.
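A quick way to verify the configuration-hardening point on a host is to audit which management services are bound to all interfaces and whether the Docker daemon exposes its API over plaintext TCP. The following is an added example written for this summary, not code from the report: the socket table is a constructed sample shaped like `ss -ltn` output, the port-to-service names (including the Ray dashboard and GCS ports) are assumed defaults rather than values from the report, and the `hosts`/`tlsverify` keys are the real Docker `daemon.json` keys.

```python
"""Added hardening check (not the report's code): find container/cloud
management services listening on all interfaces, and Docker daemon
configs that expose the API over plaintext TCP. The socket table is a
constructed `ss -ltn`-style sample; port-to-service names are assumptions."""

# Services the report names as targets. Ray ports are assumed defaults.
SENSITIVE_PORTS = {
    2375: "Docker API (plaintext TCP)",
    2376: "Docker API (TLS TCP)",
    6443: "Kubernetes API server",
    10250: "kubelet API",
    6379: "Redis (also used by Ray GCS)",
    27017: "MongoDB",
    8265: "Ray dashboard",
}
WILDCARD_BINDS = {"0.0.0.0", "*", "::", "[::]"}
LOOPBACK_BINDS = {"127.0.0.1", "::1", "[::1]"}

# Constructed sample, shaped like `ss -ltn` output.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:2375         0.0.0.0:*
LISTEN  0       128     127.0.0.1:6379       0.0.0.0:*
LISTEN  0       511     [::]:27017           [::]:*
LISTEN  0       4096    *:8265               *:*
LISTEN  0       128     10.0.1.5:6443        0.0.0.0:*
"""


def parse_listeners(text):
    """Return (local_address, port) pairs for LISTEN rows of an ss table."""
    listeners = []
    for line in text.splitlines()[1:]:           # skip header row
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)     # rsplit keeps "[::]" intact
        listeners.append((addr, int(port)))
    return listeners


def exposed_services(listeners):
    """Findings as (port, service, bind_address, severity); 'wildcard' means
    reachable on every interface, 'non-loopback' means one specific NIC."""
    findings = []
    for addr, port in listeners:
        if port not in SENSITIVE_PORTS:
            continue
        if addr in WILDCARD_BINDS:
            severity = "wildcard"
        elif addr in LOOPBACK_BINDS or addr.startswith("127."):
            continue                             # local-only bind is fine
        else:
            severity = "non-loopback"
        findings.append((port, SENSITIVE_PORTS[port], addr, severity))
    return findings


def docker_daemon_findings(daemon_json):
    """tcp:// entries in a daemon.json 'hosts' list when 'tlsverify' is not
    enabled, i.e. an unauthenticated remote Docker API."""
    if daemon_json.get("tlsverify") is True:
        return []
    return [h for h in daemon_json.get("hosts", []) if h.startswith("tcp://")]


if __name__ == "__main__":
    for finding in exposed_services(parse_listeners(SAMPLE_SS)):
        print(*finding)
    sample_cfg = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
    print("docker daemon exposures:", docker_daemon_findings(sample_cfg))
```

Run it against real `ss -ltn` output and the host's `/etc/docker/daemon.json` as a pre-deployment gate; a wildcard finding for 2375, 6443 or 27017 on an instance with a public address is exactly the exposure the report describes the worm scanning for, and the fix is to bind to loopback or a private interface and front the service with authentication rather than rely on the security group alone.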
## Related Tools/Techniques
- **TeamPCP:** The predecessor/rival framework with significant code overlap.
- **React2Shell:** Exploitation technique/vulnerability previously used by associated groups.
- **Cloud-based Cryptominers:** While PCPJack lacks a miner, its distribution method mirrors many cloud-based mining worms.