All your compromised credentials are belong to us now instead of the other gang
Analysis Summary
# Tool/Technique: PCPJack
## Overview
PCPJack is a sophisticated, self-propagating cloud worm framework designed to hijack cloud infrastructure. It is specifically notable for its "competitor-eviction" behavior, where it identifies and removes existing infections belonging to the threat group **TeamPCP**. Once the environment is "cleaned," PCPJack installs its own suite of tools to harvest high-value credentials and propagate across internal and external networks.
## Technical Details
- **Type:** Malware (Worm / Credential Harvester)
- **Platform:** Linux, Cloud Infrastructure (Docker, Kubernetes, Redis, MongoDB, RayML)
- **Capabilities:** Lateral movement, credential parsing, automated scanning, competitor malware removal, and encrypted exfiltration.
- **First Seen:** Late April 2026
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1190 - Exploit Public-Facing Application]
- **[TA0007 - Discovery]**
  - [T1046 - Network Service Scanning]
  - [T1082 - System Information Discovery]
- **[TA0006 - Credential Access]**
  - [T1552 - Unsecured Credentials]
  - [T1528 - Steal Application Access Token]
- **[TA0008 - Lateral Movement]**
  - [T1021.004 - Remote Services: SSH]
- **[TA0005 - Defense Evasion]**
  - [T1562.001 - Impair Defenses: Disable or Modify Tools] (Targeting TeamPCP)
- **[TA0010 - Exfiltration]**
  - [T1041 - Exfiltration Over C2 Channel]
## Functionality
### Core Capabilities
- **Worm Propagation:** Automatically scans the internet and internal networks for exposed services (Docker APIs, Kubernetes, Redis, etc.) to self-replicate.
- **Competitor Eviction:** Executes shell scripts specifically designed to find and kill processes or delete artifacts associated with the TeamPCP threat group.
- **Credential Harvesting:** Aggressively parses environment variables, configuration files, SSH keys, Docker secrets, and Kubernetes tokens.
### Advanced Features
- **Modular Framework:** Uses separate modules for lateral movement, credential parsing, and network scanning.
- **Target Selection:** Highly specific targeting of finance, enterprise messaging, and cloud service provider credentials.
- **Encrypted Exfiltration:** Encrypts stolen data before sending it to a command-and-control server to evade network-based detection.
## Indicators of Compromise
- **File Names:** `utils.py` (Credential Extractor module)
- **Behavioral Indicators:**
  - Rapid outbound scanning on ports associated with Docker (2375), Redis (6379), and MongoDB (27017).
  - Unexpected termination of TeamPCP-related processes.
  - Unauthorized execution of shell scripts in container environments.
- **Network Indicators:** [Note: Specific C2 IPs/Domains were not provided in the source text; analysts should monitor for unauthorized traffic to unknown external endpoints.]
## Associated Threat Actors
- **PCPJack Operators:** Current identity unknown, though they display intimate knowledge of TeamPCP's methodology.
- **TeamPCP:** Target of this specific worm’s eviction routine.
## Detection Methods
- **Behavioral Detection:** Monitor for "malware-on-malware" activity, specifically scripts that issue `kill` commands against common cloud-miner or rival threat actor signatures.
- **Network Monitoring:** Alert on internal-to-internal or internal-to-external port scanning originating from cloud instances.
- **Audit Logs:** Review Kubernetes and Docker logs for unauthorized container creations or the mounting of sensitive host paths.
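The network-monitoring item above can be turned into a concrete check: flag any cloud instance that probes many distinct hosts on the Docker, Redis and MongoDB ports the indicators list within a short window, while ignoring an application server that talks repeatedly to the same Redis host. The script below is an added example, not code from the report; the flow-log line format, the sample records, and the threshold and window values are constructed assumptions.

```python
import re
from collections import defaultdict

# Ports the report ties to PCPJack scanning; threshold/window are constructed tuning values
WATCHED_PORTS = {2375: "docker", 6379: "redis", 27017: "mongodb"}
SCAN_THRESHOLD = 5   # distinct (dst, port) targets per source inside WINDOW seconds
WINDOW = 60

# Constructed flow-log-style records: "<epoch> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
1714000000 10.0.1.5 10.0.2.10 2375 tcp
1714000001 10.0.1.5 10.0.2.11 2375 tcp
1714000002 10.0.1.5 10.0.2.12 6379 tcp
1714000003 10.0.1.5 10.0.2.13 27017 tcp
1714000004 10.0.1.5 10.0.2.14 27017 tcp
1714000000 10.0.1.7 10.0.2.20 6379 tcp
1714000030 10.0.1.7 10.0.2.20 6379 tcp
1714000050 10.0.1.7 10.0.2.21 6379 tcp
1714000003 10.0.1.9 10.0.2.30 443 tcp
not a flow record
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\w+)$")

def parse_line(line):
    """Parse one record; returns (ts, src, dst, port, proto) or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto = m.groups()
    return int(ts), src, dst, int(port), proto

def detect_scanners(lines, threshold=SCAN_THRESHOLD, window=WINDOW):
    """Map each source that touched >= threshold distinct (dst, port) targets on
    watched ports within any window-second span to the service names it probed."""
    events = defaultdict(list)          # src -> [(ts, dst, port)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] in WATCHED_PORTS:
            events[rec[1]].append((rec[0], rec[2], rec[3]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()                      # sliding window over time-ordered events
        for i, (t0, _, _) in enumerate(evs):
            hits = [e for e in evs[i:] if e[0] - t0 <= window]
            if len({(d, p) for _, d, p in hits}) >= threshold:
                flagged[src] = sorted({WATCHED_PORTS[p] for _, _, p in hits})
                break
    return flagged
```

On the constructed sample, only 10.0.1.5 is flagged (five distinct targets across all three watched services in four seconds); the repeated connections from 10.0.1.7 to one Redis host are treated as normal application traffic.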
## Mitigation Strategies
- **Authentication:** Ensure all cloud services (Redis, MongoDB, RayML) require strong authentication and are not exposed to the public internet.
- **Credential Management:** Use secrets management tools (e.g., HashiCorp Vault, AWS Secrets Manager) rather than storing keys in environment variables or config files.
- **Network Segmentation:** Implement strict firewall rules to prevent cloud instances from initiating outbound connections to the internet or scanning internal subnets.
- **Hardening:** Disable unneeded Docker/Kubernetes APIs and use "least privilege" service accounts.
## Related Tools/Techniques
- **TeamPCP Toolset:** The predecessor/competitor malware that PCPJack targets for removal.
- **Cloud-based Cryptominers:** While PCPJack lacks a miner, it shares similar propagation techniques with groups like TeamTNT.