
PCPJack Worm Targets Cloud Infrastructure, Steals Credentials


“Many of the services targeted by the PCPJack framework are similar to the early TeamPCP/PCPCat campaigns from December 2025, before the high-visibility campaigns of early 2026 brought significant attention to TeamPCP and purportedly led to changes in group membership,” SentinelLabs researchers write — and that similarity is the clearest clue in a fresh, troubling malware campaign.

What PCPJack does on infected cloud hosts

SentinelLabs describes PCPJack as a malware framework that infects Linux-based cloud systems with a shell script named bootstrap.sh. Once executed, bootstrap.sh creates a hidden working directory, installs Python dependencies, downloads additional modules, establishes persistence, and launches the main orchestrator, monitor.py. During this initial phase PCPJack explicitly searches for TeamPCP tooling and attempts to delete it — removing processes, services, containers, files, and persistence artifacts — before continuing its own activity.

Credential theft, exfiltration mechanics, and targets

PCPJack’s core aim is large-scale credential theft. The framework hunts for secrets across cloud and developer environments: SSH keys, database credentials, cloud provider credentials (including DigitalOcean), Slack tokens, WordPress configuration files, OpenAI and Anthropic API keys, Discord tokens, messenger apps, and financial-service credentials. Stolen data are encrypted with X25519 ECDH and ChaCha20-Poly1305, then split into 2,800-byte chunks so they can be posted to Telegram channels within Telegram’s message character limits.

Propagation, lateral movement, and persistence techniques

Propagation begins with scanning exposed cloud infrastructure — the researchers list Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications as common targets — and attempting to exploit known weaknesses to gain initial access. PCPJack also harvests hostname data from Common Crawl parquet files to seed new scanning targets. Inside compromised environments the malware performs lateral movement by harvesting SSH keys and credentials, enumerating Kubernetes clusters and Docker daemons, and executing itself on reachable internal hosts. Persistence mechanisms observed include systemd services, cron jobs, Redis cron rewrites, and privileged containers.

Vulnerabilities PCPJack is exploiting

  • CVE-2025-29927 — authentication bypass in Next.js middleware via a crafted header
  • CVE-2025-55182 (“React2Shell”) — Server Actions deserialization flaw in React and Next.js
  • CVE-2026-1357 — unauthenticated file upload in WPVivid Backup
  • CVE-2025-9501 — PHP injection in W3 Total Cache via cached mfunc comment
  • CVE-2025-48703 — shell injection in CentOS Web Panel Filemanager changePerm functionality

SentinelLabs reports that PCPJack leverages these vulnerabilities among others when scanning and attempting to exploit exposed services.

TeamPCP connection, attribution, and infrastructure findings

SentinelLabs highlights behavioral overlap between PCPJack and earlier TeamPCP campaigns, and suggests PCPJack may have been developed by a former TeamPCP affiliate or member. “We believe this could be a former operator who is deeply familiar with the group’s tooling,” the researchers write. The report notes TeamPCP is a cloud-focused threat group previously tied to supply-chain compromises involving Aqua Security’s Trivy scanner, the LiteLLM and Telnyx PyPI packages, and SAP npm packages. On the attacker infrastructure side, SentinelLabs found a Sliver-based backdoor with builds for x86_64, x86, and ARM architectures.

What this means for technologists, procurement leaders, and end users

  • Technologists and security teams: review exposed service configurations for Docker and Kubernetes, inventory and rotate secrets (including API keys and SSH keys), and scan for the bootstrap.sh/monitor.py artifacts and unusual systemd or cron persistence entries.
  • Procurement and platform owners: scrutinize dependencies and supply-chain vectors — the report’s linkage to TeamPCP underscores that supply-chain compromises remain a serviceable avenue for credential theft and lateral movement.
  • End users and application owners: ensure secrets are not stored in plaintext in repositories or config files and confirm MFA is enforced where available, since stolen credentials are the primary commodity PCPJack seeks.
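The artifact hunt in the first bullet can be scripted. The following is an added example, not SentinelLabs' or BleepingComputer's code: it scans crontab text and systemd unit text for the two filenames the report attributes to PCPJack (bootstrap.sh, monitor.py) and for scripts launched from a hidden directory, which matches the report's description of a hidden working directory. The sample crontab and unit file are constructed for the demonstration; the hidden-directory paths in them are made up and not indicators from the report.

```python
"""Hunt for PCPJack-style persistence artifacts in cron and systemd data.

Added example. Indicator filenames come from the SentinelLabs description;
the sample inputs below are constructed and the paths in them are invented.
"""
import re
from dataclasses import dataclass

# Filenames the report attributes to PCPJack; extend from your own IOC list.
INDICATOR_FILES = ("bootstrap.sh", "monitor.py")

# A .sh or .py script launched from a hidden directory, e.g. /root/.cache/x/run.py
# (the directory component after a "/" or whitespace starts with a dot).
HIDDEN_DIR_RE = re.compile(r"(?:^|[\s/])\.[A-Za-z0-9_-]+/[^\s]*\.(?:sh|py)\b")


@dataclass
class Finding:
    source: str
    line_no: int
    reason: str
    text: str


def _reasons(text: str) -> list[str]:
    """Return every reason a single command line looks suspicious."""
    reasons = [f"references {name}" for name in INDICATOR_FILES if name in text]
    if HIDDEN_DIR_RE.search(text):
        reasons.append("executes a script from a hidden directory")
    return reasons


def scan_crontab(text: str, source: str = "crontab") -> list[Finding]:
    """Flag cron entries that reference indicator files or hidden directories."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are not schedules
        for reason in _reasons(stripped):
            findings.append(Finding(source, no, reason, stripped))
    return findings


def scan_systemd_unit(text: str, source: str) -> list[Finding]:
    """Flag Exec*= directives (ExecStart, ExecStartPre, ...) in a unit file."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        key, sep, value = line.partition("=")
        if not sep or not key.strip().startswith("Exec"):
            continue
        for reason in _reasons(value.strip()):
            findings.append(Finding(source, no, reason, line.strip()))
    return findings


# Constructed sample inputs (not captured from a real infection).
SAMPLE_CRONTAB = """\
# /etc/crontab (constructed sample)
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root /usr/bin/python3 /root/.cache/pcpj/monitor.py
@reboot root /bin/sh /var/tmp/.x/bootstrap.sh
"""

SAMPLE_UNIT = """\
[Unit]
Description=System Monitor (constructed sample)
After=network.target
[Service]
ExecStart=/usr/bin/python3 /root/.cache/pcpj/monitor.py
Restart=always
[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB) + scan_systemd_unit(SAMPLE_UNIT, "sysmon.service"):
        print(f"{f.source}:{f.line_no}: {f.reason}: {f.text}")
```

On a live host, feed the script the output of `cat /etc/crontab /etc/cron.d/*`, each user's `crontab -l`, and the unit files under /etc/systemd/system; the legitimate run-parts entry in the sample produces no finding, while the two constructed persistence lines each produce two.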

SentinelLabs closes with concrete mitigation guidance: enforce multi-factor authentication, adopt IMDSv2 for AWS instances, require proper authentication for Docker and Kubernetes services, apply least-privilege principles, and avoid storing secrets in plaintext. Those steps address the specific collection and propagation techniques PCPJack uses, and they are the immediate, actionable defenses the researchers recommend.
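Three of those mitigations (Docker API authentication, kubelet authentication, IMDSv2) are settings that can be checked mechanically. The following is an added example, not code from SentinelLabs or the vendors involved: each function takes a configuration in the shape of the real artifact (daemon.json keys `hosts` and `tlsverify`; the kubelet configuration's `authentication.anonymous.enabled` and `authorization.mode`; the `MetadataOptions` block that `aws ec2 describe-instances` returns, with `HttpTokens` and `HttpEndpoint`) and reports the weak settings. The weak and corrected sample configurations are constructed for the demonstration.

```python
"""Audit Docker, kubelet and EC2 IMDS settings against the report's guidance.

Added example; the sample configurations are constructed, and the checks cover
only the specific settings named in the mitigation guidance.
"""
import json


def audit_docker_daemon(daemon_json: str) -> list[str]:
    """A tcp:// listener in /etc/docker/daemon.json without tlsverify gives
    anyone who can reach the port root-equivalent control of the host."""
    cfg = json.loads(daemon_json)
    issues = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and cfg.get("tlsverify") is not True:
            issues.append(f"Docker API on {host} without tlsverify (unauthenticated)")
    return issues


def audit_kubelet(config: dict) -> list[str]:
    """Anonymous auth plus AlwaysAllow lets unauthenticated callers run pods."""
    issues = []
    if config.get("authentication", {}).get("anonymous", {}).get("enabled", False):
        issues.append("kubelet anonymous authentication enabled")
    if config.get("authorization", {}).get("mode") == "AlwaysAllow":
        issues.append("kubelet authorization mode is AlwaysAllow")
    return issues


def audit_imds(metadata_options: dict) -> list[str]:
    """IMDSv1 (HttpTokens=optional) lets any local process or SSRF fetch the
    instance role credentials; IMDSv2 requires a session token first."""
    issues = []
    endpoint_enabled = metadata_options.get("HttpEndpoint", "enabled") == "enabled"
    if endpoint_enabled and metadata_options.get("HttpTokens") != "required":
        issues.append("IMDSv1 still allowed: set HttpTokens=required")
    return issues


# Constructed weak settings.
WEAK_DOCKER = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
WEAK_KUBELET = {"authentication": {"anonymous": {"enabled": True}},
                "authorization": {"mode": "AlwaysAllow"}}
WEAK_IMDS = {"HttpTokens": "optional", "HttpEndpoint": "enabled"}

# Constructed corrected settings (certificate paths are placeholders).
FIXED_DOCKER = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
                           "tlsverify": True,
                           "tlscacert": "/etc/docker/ca.pem",
                           "tlscert": "/etc/docker/server-cert.pem",
                           "tlskey": "/etc/docker/server-key.pem"})
FIXED_KUBELET = {"authentication": {"anonymous": {"enabled": False},
                                    "webhook": {"enabled": True}},
                 "authorization": {"mode": "Webhook"}}
FIXED_IMDS = {"HttpTokens": "required", "HttpEndpoint": "enabled"}


def audit_all(docker_json: str, kubelet: dict, imds: dict) -> list[str]:
    """Combined report, empty when every setting matches the guidance."""
    return audit_docker_daemon(docker_json) + audit_kubelet(kubelet) + audit_imds(imds)


if __name__ == "__main__":
    print("weak:", audit_all(WEAK_DOCKER, WEAK_KUBELET, WEAK_IMDS))
    print("fixed:", audit_all(FIXED_DOCKER, FIXED_KUBELET, FIXED_IMDS))
```

The corrected Docker configuration still listens on TCP but only accepts clients presenting a certificate signed by the configured CA; on AWS the IMDS fix corresponds to `aws ec2 modify-instance-metadata-options --http-tokens required` on each instance.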

PCPJack combines automated scanning of exposed services, exploitation of multiple recent CVEs, lateral movement inside compromised cloud environments, and a deliberate step of removing competing TeamPCP malware, a behavior that both gives its operators sole control of an infected host and creates a distinctive signature linking the framework to TeamPCP’s earlier activity. Whether that connection represents shared tooling, personnel turnover, or a deliberate effort at misdirection, SentinelLabs’ findings make one fact clear: attackers continue to specialize in stealing the credentials that unlock cloud value and then monetizing or reselling them, and defenders have specific, narrowly targeted controls they can apply today.

Source: New PCPJack worm steals credentials, cleans TeamPCP infections — BleepingComputer