"The toolset harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting to spread to additional hosts," SentinelOne security researcher Alex Delamotte said.
What PCPJack is and how it operates
SentinelOne researchers disclosed a credential-theft framework named PCPJack that targets exposed cloud infrastructure and aggressively removes artifacts linked to another cluster known as TeamPCP. The campaign is built around a bootstrap shell script that prepares a host, installs Python, downloads six Python modules and an orchestration script, and then deletes the bootstrap script itself. The reported aim of the campaign is financial: operators seek illicit revenue via credential theft, fraud, spam, extortion, or resale of stolen access.
The six Python payloads and orchestration
PCPJack's functionality is split across six Python files and one orchestrator. According to the disclosure, the components are:
- worm.py (written to disk as monitor.py) — the main orchestrator that launches modules, conducts local credential theft, propagates by exploiting known vulnerabilities, and uses Telegram for command-and-control (C2).
- parser.py (utils.py) — handles credential extraction and categorization of stolen keys and secrets.
- lateral.py (_lat.py) — performs reconnaissance and lateral movement across SSH, Kubernetes, Docker, Redis, RayML, and MongoDB.
- crypto_util.py (_cu.py) — encrypts credentials prior to exfiltration to the attacker's Telegram channel.
- cloud_ranges.py (_cr.py) — collects and refreshes every 24 hours IP address ranges assigned to AWS, Google Cloud, Microsoft Azure, Cloudflare, Cloudfront, and Fastly.
- cloud_scan.py (_csc.py) — performs cloud port scanning to find externally reachable Docker, Kubernetes, MongoDB, RayML, or Redis services for propagation.
Exploited CVEs, propagation mechanics, and reconnaissance
The orchestrator attempts to spread in a worm-like fashion by exploiting five disclosed vulnerabilities: CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703. Propagation targets are sourced from parquet files pulled directly from Common Crawl. In addition to port scanning, PCPJack maintains a second shell script, check.sh, that detects CPU architecture, fetches an appropriate Sliver binary, and scans Instance Metadata Service endpoints, Kubernetes service accounts, and Docker instances for credentials.
Targets, exfiltration, and the TeamPCP connection
The disclosure lists specific services and platforms the actor probes and collects credentials from: Anthropic, Digital Ocean, Discord, Google API, Grafana Cloud, HashiCorp Vault, OnePassword, and OpenAI. Exfiltration is routed to attacker-controlled infrastructure and to the operator's Telegram channel after encryption by the toolset. SentinelOne notes a deliberate behavior: PCPJack looks for and evicts TeamPCP artifacts, and the operator records a "PCP replaced" field sent to C2 to indicate whether TeamPCP has been removed from targeted environments. Analysts say PCPJack lacks the cryptocurrency-mining component associated with TeamPCP; the miner functions were deliberately removed, though the reason for that omission is not known.
What this means for cloud operators, developers, and security teams
- Cloud operators and platform teams should note the campaign's explicit focus on cloud service ranges and programmatic discovery: the malware refreshes cloud IP ranges every 24 hours and leverages those ranges to find externally reachable services.
- Developers and DevOps teams are implicated by the targeting list: Kubernetes, Docker, Redis, MongoDB, and RayML are called out as propagation vectors and lateral-movement targets.
- Security teams and incident responders will be interested in the campaign's behavioral fingerprints: a bootstrap installer that removes itself after deploying Python payloads, use of Telegram for C2, active eviction of another actor's artifacts, and a "PCP replaced" telemetry field that reports eviction success back to the attacker.
PCPJack presents a modular, cloud-focused credential-stealing framework that combines automated discovery of cloud address space, targeted port scanning, architectural-aware payload delivery, and encrypted exfiltration to a Telegram channel. It deliberately seeks and removes a predecessor actor's presence, yet it omits a cryptocurrency miner component that TeamPCP used previously. That omission — and the reported overlap with TeamPCP's tradecraft — leaves a pointed question in the record: is PCPJack an evolution of TeamPCP tactics, or the work of a former TeamPCP operator adapting the group's playbook for an exclusively credential-driven business model?




