top of page

PCPJack Cloud Worm: Exploiting 5 CVEs to Steal Credentials and Spread Across Systems

  • May 7
  • 3 min read

Key Findings


  • PCPJack is a credential theft framework targeting exposed cloud infrastructure across Docker, Kubernetes, Redis, MongoDB, and RayML

  • The malware exploits five CVEs (CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501, CVE-2025-48703) to spread worm-like across networks

  • PCPJack actively removes TeamPCP artifacts from compromised systems, suggesting possible connection to former TeamPCP members

  • Stolen credentials are exfiltrated via Telegram and include access to AWS, Google Cloud, Azure, and developer services

  • The toolset uses Common Crawl datasets to identify propagation targets and harvests credentials from financial services, productivity tools, and cloud platforms


Background


PCPJack emerged as a sophisticated threat targeting cloud environments with similar tactics to TeamPCP, a threat actor that gained attention last year by exploiting cloud misconfigurations. However, PCPJack differs in its approach and objectives. While TeamPCP integrated cryptocurrency mining into its operations, PCPJack deliberately excludes this component and instead focuses purely on credential harvesting. The deliberate removal of TeamPCP artifacts from infected systems suggests the operators may have insider knowledge of the previous group's infrastructure and methods.


Attack Mechanism and Deployment


The attack begins with a bootstrap shell script that prepares the environment for infection. This initial script handles multiple functions including payload configuration, downloading next-stage tools, installing Python, establishing persistence, and removing itself to avoid detection. The script simultaneously works to eliminate any trace of TeamPCP presence on the system.


Following deployment, six Python scripts are downloaded and executed. The worm.py orchestrator serves as the main controller, launching other modules and exploiting the five known CVEs to propagate to additional hosts. This modular approach allows the attackers to update individual components without redeploying the entire framework.


Credential Harvesting Capabilities


PCPJack targets a wide range of credentials across multiple service categories. The parser.py module extracts and categorizes stolen keys and secrets from cloud services, container platforms, developer tools, and financial services. The threat actors specifically hunt for credentials associated with Anthropic, Digital Ocean, Discord, Google API, Grafana Cloud, HashiCorp Vault, OnePassword, and OpenAI.


The lateral.py script enables movement across SSH, Kubernetes, Docker, Redis, RayML, and MongoDB services. This lateral movement capability allows attackers to deepen their access within compromised networks and reach additional credential repositories.


Propagation and Scanning Strategy


PCPJack uses an automated scanning approach powered by the cloud_scan.py module, which identifies targets through cloud port scanning for Docker, Kubernetes, MongoDB, RayML, and Redis services. Notably, the threat actors source their target lists from Common Crawl, a public web archive that provides datasets for researchers and attackers alike.


The cloud_ranges.py module maintains an updated database of IP address ranges belonging to major cloud providers including AWS, Google Cloud, Microsoft Azure, Cloudflare, Cloudfront, and Fastly. This information is refreshed every 24 hours to ensure targeting accuracy.


Infrastructure and Command and Control


Communications between PCPJack and its operators flow through Telegram, using the platform's encrypted channels for command and control. Before exfiltration, the crypto_util.py module encrypts stolen credentials using encryption before transmission to the attacker's Telegram channels.


A secondary shell script called check.sh handles additional reconnaissance by detecting CPU architecture, fetching appropriate Sliver binaries, and scanning Instance Metadata Service endpoints and Kubernetes service accounts for additional credential opportunities.


Operational Indicators and Attribution


The threat actors track metrics on their success, including a "PCP replaced" field in exfiltration data that specifically measures whether TeamPCP has been successfully removed from targeted environments. This tracking mechanism demonstrates a focused campaign against specific competitors rather than opportunistic cloud attacks.


The sophistication of PCPJack's codebase and its deliberate targeting of TeamPCP infrastructure suggests the operators possess detailed knowledge of the previous group's operations. Security researchers assess this could indicate former TeamPCP members operating independently, though the exact nature of the relationship remains unclear.


Sources


  • https://thehackernews.com/2026/05/pcpjack-credential-stealer-exploits-5.html

  • https://www.socdefenders.ai/item/af0ed9ea-446e-4fa6-9e27-ef10ebb68df1

  • https://www.reddit.com/r/SecOpsDaily/comments/1t6k60v/pcpjack_credential_stealer_exploits_5_cves_to/

  • https://x.com/TheHackersNews/status/2052445216834191841

  • https://www.sentinelone.com/labs/cloud-worm-evicts-teampcp-and-steals-credentials-at-scale/

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page