'PCPJack' Worm Hijacks Compromised Cloud Environments from Rival Hackers
A newly discovered malware framework called PCPJack is systematically purging systems of TeamPCP infections to establish its own credential-harvesting operation.

A sophisticated new malware framework dubbed "PCPJack" has been identified actively purging systems of infections linked to the notorious TeamPCP hacking group, only to replace them with its own malicious infrastructure. First detected in late April, the worm distinguishes itself by automatically scanning for and removing artifacts associated with TeamPCP, a group known for high-profile supply chain attacks, before establishing its own foothold to harvest credentials and propagate further (The Register, SecurityWeek).
The infection process begins with a Linux shell script that prepares the environment and searches for TeamPCP-related processes. Once the system is "cleaned," the script creates a Python virtual environment and downloads six modular components from an AWS S3 bucket. These modules handle credential parsing, lateral movement, command-and-control (C&C) communication via Telegram, and cloud scanning. Unlike TeamPCP, whose campaigns were human-led, PCPJack is a self-propagating worm that autonomously seeks out new targets (SecurityWeek).
PCPJack targets a wide array of sensitive data, including environment variables, configuration files, SSH keys, cryptocurrency wallets, and tokens for platforms such as AWS, Kubernetes, Docker, GitHub, Slack, and Office 365. SentinelOne researchers noted that the absence of cryptomining modules suggests the threat actor is primarily interested in financial fraud, spam campaigns, or selling access to other criminal entities (The Register, SecurityWeek).
The worm spreads by exploiting known vulnerabilities in web applications and services, including CVE-2025-29927 (Next.js), CVE-2025-55182 (React2Shell), CVE-2026-1357 (WPVivid Backup), CVE-2025-9501 (W3 Total Cache), and CVE-2025-48703 (CentOS Web Panel). It further uses stolen credentials to move laterally across Redis, MongoDB, RayML, and Kubernetes deployments. Additionally, the actor operates a secondary toolset featuring Sliver implants to expand its reach into services like Anthropic, Digital Ocean, and Discord (SecurityWeek).
While the exact relationship between the two groups remains unconfirmed, researchers suspect that the operator behind PCPJack may be a former member of TeamPCP, given their deep familiarity with the group's specific tooling and operational history. SentinelOne observed that while the framework is highly modular and well-developed, it exhibits occasional operational security lapses, such as failing to encrypt Telegram credentials (SecurityWeek).
To mitigate the risk of infection, organizations are urged to secure their cloud platforms and ensure that all services, particularly Docker, Kubernetes, and web applications, are not exposed to the public internet without robust authentication. Given that the framework's C&C channel runs over Telegram, outbound connections from servers to the Telegram API are also worth alerting on. This incident highlights an emerging trend of "hostile takeovers" within the cybercrime ecosystem, where threat actors actively compete for control over compromised infrastructure (The Register).
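The practical question behind the paragraph above is what a credential harvester running as a compromised service account would actually find on a host. The following audit script is an added example written for this article; it is not SentinelOne's tooling or the malware's code. It walks the default credential locations of the platforms the article names (the exact paths and the token regexes are assumptions based on the tools' public default locations and documented key prefixes), flags files readable by other users, and reports any token-shaped values. The sample home directory it builds is constructed, with a key taken from AWS's own documentation examples.

```python
"""Audit the credential material a harvester like PCPJack would collect.

Added example for this article, not code from SentinelOne or the malware.
Paths and token patterns are assumptions: default locations for the tools the
article names, plus publicly documented token prefixes.
"""
import re
import stat
import tempfile
from pathlib import Path

# Default credential locations for the platforms the article names (assumed defaults).
CREDENTIAL_PATHS = [
    ".aws/credentials",
    ".kube/config",
    ".docker/config.json",
    ".ssh/id_rsa",
    ".ssh/id_ed25519",
    ".git-credentials",
    ".env",
]

# Publicly documented token prefixes; a match in a readable file is a finding.
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[A-Za-z0-9-]{10,}\b"),
}


def loose_permissions(path: Path) -> bool:
    """True if group or world can read the file (anything beyond 0600 for a secret)."""
    mode = path.stat().st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def scan_tokens(text: str) -> list[str]:
    """Names of the token patterns that match somewhere in the text, sorted."""
    return sorted(name for name, rx in TOKEN_PATTERNS.items() if rx.search(text))


def audit_home(home: Path) -> dict[str, dict]:
    """Map each present credential file (relative path) to its permission and token findings."""
    findings: dict[str, dict] = {}
    for rel in CREDENTIAL_PATHS:
        p = home / rel
        if not p.is_file():
            continue
        try:
            text = p.read_text(errors="replace")
        except OSError:
            text = ""  # unreadable by us: still report the file's presence
        findings[rel] = {
            "loose_permissions": loose_permissions(p),
            "tokens": scan_tokens(text),
        }
    return findings


def build_sample_home() -> Path:
    """Constructed fixture: a throwaway home directory holding sample, non-working secrets."""
    home = Path(tempfile.mkdtemp(prefix="pcpjack-audit-"))
    samples = {
        # AKIAIOSFODNN7EXAMPLE is the placeholder key used in AWS documentation.
        ".aws/credentials": ("[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                             "aws_secret_access_key = not-a-real-secret\n", 0o644),
        ".ssh/id_ed25519": ("-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n"
                            "-----END OPENSSH PRIVATE KEY-----\n", 0o600),
        ".env": ("SLACK_TOKEN=xoxb-0000000000-0000000000-constructedtoken\n"
                 "GITHUB_TOKEN=ghp_" + "A" * 36 + "\n", 0o664),
    }
    for rel, (content, mode) in samples.items():
        p = home / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        p.chmod(mode)
    return home


if __name__ == "__main__":
    for rel, f in audit_home(build_sample_home()).items():
        print(f"{rel}: loose_permissions={f['loose_permissions']} tokens={f['tokens']}")
```

Run it against a real home directory with `audit_home(Path.home())`. Note the limit of the permission check: a harvester executing as the compromised user reads 0600 files just as easily, so tightening modes only contains spread to other accounts on the host. The finding that matters most is any long-lived token at all; replacing static keys with short-lived, role-based credentials removes what this class of worm is built to steal.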
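The exposure check the mitigation advice calls for can be scripted from a host's listening sockets. The following is an added example for this article, not code from SentinelOne or The Register: it parses `ss -Hltn`-style output and flags the services the article names as lateral-movement targets (Docker, Redis, MongoDB, Ray, Kubernetes) when they listen on a wildcard or non-loopback address. The port-to-service table uses the tools' documented defaults and is an assumption for any given deployment (Ray's GCS shares 6379 with Redis by default); the sample socket listing is constructed.

```python
"""Flag lateral-movement targets from the article that listen beyond loopback.

Added example for this article, not code from SentinelOne or the malware.
Input is `ss -Hltn` output (no header, listening TCP sockets, numeric ports).
The sample below is constructed; port defaults are assumptions.
"""
import subprocess

# Default listening ports of the services the article names as exposure and
# lateral-movement targets (assumed defaults; local deployments may differ).
RISKY_PORTS = {
    2375: "Docker API (unencrypted)",
    2376: "Docker API (TLS)",
    6379: "Redis / Ray GCS",
    27017: "MongoDB",
    6443: "Kubernetes API server",
    10250: "kubelet",
    8265: "Ray dashboard",
    10001: "Ray client server",
}

WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}
LOOPBACK_ADDRS = {"127.0.0.1", "::1", "[::1]"}

# Constructed sample: columns are State Recv-Q Send-Q Local:Port Peer:Port.
SAMPLE_SS_OUTPUT = """\
LISTEN 0      4096         0.0.0.0:2375      0.0.0.0:*
LISTEN 0      511        127.0.0.1:6379      0.0.0.0:*
LISTEN 0      4096          [::]:27017         [::]:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      4096            *:6443            *:*
LISTEN 0      4096       10.0.0.5:8265      0.0.0.0:*
"""


def parse_listeners(ss_output: str) -> list[tuple[str, int]]:
    """Return (local address, port) for each LISTEN line of `ss -Hltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rpartition handles bracketed IPv6 addresses such as [::]:27017.
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        listeners.append((addr, int(port)))
    return listeners


def exposed_services(ss_output: str) -> list[dict]:
    """Risky-port listeners reachable from the network, i.e. not bound to loopback."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port not in RISKY_PORTS or addr in LOOPBACK_ADDRS:
            continue
        findings.append({
            "port": port,
            "address": addr,
            "service": RISKY_PORTS[port],
            "wildcard": addr in WILDCARD_ADDRS,  # bound to every interface
        })
    return findings


def audit_live_host() -> list[dict]:
    """Run the check against this Linux host (requires iproute2's ss)."""
    out = subprocess.run(["ss", "-Hltn"], capture_output=True, text=True, check=True).stdout
    return exposed_services(out)


if __name__ == "__main__":
    for f in exposed_services(SAMPLE_SS_OUTPUT):
        scope = "all interfaces" if f["wildcard"] else f["address"]
        print(f"port {f['port']} ({f['service']}) listening on {scope}")
```

A listener on `0.0.0.0` or `[::]` is the case the article's advice is about: the service is reachable wherever the host's firewall or security group allows. A non-wildcard, non-loopback binding (the `10.0.0.5:8265` line in the sample) is reported too, since an interface on an internal network is exactly where a worm that already holds one host's credentials looks next. Whether a flagged service also requires authentication has to be checked against the service's own configuration; this script only establishes reachability.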