PCPJack Modular Cloud Worm Replaces TeamPCP Malware, Steals Cloud Secrets
SentinelLabs has discovered a modular cloud worm named PCPJack that removes TeamPCP malware from infected systems while stealing cloud secrets from AWS, GitHub, Slack, and cryptocurrency wallets.

Researchers at SentinelLabs have uncovered a new modular cloud worm named PCPJack that actively removes infections from the notorious supply chain attacker TeamPCP while stealing a wide range of cloud secrets. The malware targets credentials for AWS, GitHub, Slack, WordPress, cryptocurrency wallets, and financial services like Stripe, posing a significant threat to organizations with exposed cloud services.
PCPJack is described as a well-developed program that mirrors the malware it is designed to root out. It scans for open and exploitable cloud services, performs broad sweeps for valuable credentials, and then repeats the process. Initial access is handled by a module called 'bootstrap,' which establishes persistence, downloads the other Python modules, and immediately searches for and kills any processes belonging to TeamPCP.
The main orchestrator script, 'monitor,' collects system metrics to disguise itself as a benign system monitoring utility. It then steals local configuration and environment files, along with a variety of cloud, container, and cryptocurrency wallets, tokens, and keys. The stolen secrets are passed to a module called 'utils,' which sorts and categorizes them. PCPJack targets email services like Gmail, Microsoft Outlook, and Mailchimp, as well as cloud applications such as AWS, GitHub, Slack, and WordPress, and cryptocurrency platforms including Bitcoin, Ethereum, Coinbase, Binance, and Stripe.
PCPJack moves laterally both inside networks and to external targets. It hacks into exposed cloud services to steal secrets and uses those secrets to hack into more cloud services. The lateral movement script, 'lat,' uses newly stolen secrets to access Kubernetes environments, Docker containers, Redis, and remote machines via SSH. The external propagation logic is more novel: the malware downloads parquet files from Common Crawl, a nonprofit web crawling service, to discover potential targets. A module called 'csc' then exploits known vulnerabilities to gain access. PCPJack also tracks which hosts it has already scanned to avoid redundant scanning.
According to SentinelLabs, PCPJack's most novel feature is its use of parquet files for target discovery. Rather than scanning address space blindly, it filters for hosts with valid HTTP responses, and operators can narrow the targeting by overriding the parquet index for targeted attacks. SentinelLabs has not seen this approach in other tools.
PCPJack specifically targets TeamPCP's tooling rather than all malware broadly. TeamPCP is a high-profile threat group, but encounters with its malware are relatively rare. SentinelLabs initially wondered if PCPJack was deployed by a researcher trying to fight TeamPCP infections, but the malware's other payloads dispelled that theory. Researchers now speculate that PCPJack might have been created by someone formerly involved with TeamPCP, given the intimate knowledge of its tactics. The campaign is believed to have started the week of April 20, 2026, shortly after TeamPCP made a post alluding to threat actor 'identity theft.'
Interestingly, PCPJack contains no cryptomining functionality, which is unusual for cloud cybercrime malware. SentinelLabs suggests this indicates the actor prioritizes quick payoffs through stealing credentials and wallets over long-term resource exploitation. Organizations can mitigate risks by implementing vaults, multifactor authentication, and cloud security best practices to protect their secrets from both PCPJack and TeamPCP.
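Because the mitigation advice above comes down to keeping secrets out of the files a harvester like PCPJack reads, here is an added example (not code from SentinelLabs or from the PCPJack analysis): a small Python audit that scans env and config files for the credential classes the article names (AWS, GitHub, Slack, Stripe) so they can be moved into a vault. The token prefix patterns are assumptions based on public prefix conventions, and the sample .env content is constructed with fake values.

```python
import re
from pathlib import Path

# Representative public prefix formats for the secret classes the article names.
# Assumed for this example; not taken from PCPJack or the SentinelLabs analysis.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
    "stripe_live_key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
}

def scan_text(text: str, source: str = "<text>") -> list[dict]:
    """One finding per secret-like value; the value itself is redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                tok = m.group(0)
                findings.append({"source": source, "line": lineno, "kind": kind,
                                 "hint": tok[:4] + "..." + tok[-4:]})
    return findings

# Files a harvester would read first: env files, credential stores, app config.
SCAN_NAMES = {".env", "credentials", "config"}
SCAN_SUFFIXES = {".env", ".ini", ".json", ".yml", ".yaml"}

def scan_tree(root: Path) -> list[dict]:
    """Walk a directory and scan the config/env files under it."""
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and (path.name in SCAN_NAMES or path.suffix in SCAN_SUFFIXES):
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings

# Constructed sample .env content with fake values, so the block runs stand-alone.
SAMPLE_ENV = """\
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
SLACK_BOT_TOKEN=xoxb-0000000000-0000000000-AAAAAAAAAAAAAAAAAAAAAAAA
STRIPE_SECRET_KEY=sk_live_00000000000000000000000000
DEBUG=true
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_ENV, ".env"):
        print(finding)
```

Run `scan_tree(Path("."))` over a checkout or a host's home directory to get a redacted list of what a credential harvester would find; every hit is a secret to rotate and move into a vault.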