PCPJack Cloud Worm: Exploiting 5 CVEs to Steal Credentials and Spread Across Systems
- May 7
- 3 min read
Key Findings
PCPJack is a credential theft framework targeting exposed cloud infrastructure across Docker, Kubernetes, Redis, MongoDB, and RayML
The malware exploits five CVEs (CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501, CVE-2025-48703) to spread worm-like across networks
PCPJack actively removes TeamPCP artifacts from compromised systems, suggesting possible connection to former TeamPCP members
Stolen credentials are exfiltrated via Telegram and include access to AWS, Google Cloud, Azure, and developer services
The toolset uses Common Crawl datasets to identify propagation targets and harvests credentials from financial services, productivity tools, and cloud platforms
Background
PCPJack emerged as a sophisticated threat targeting cloud environments with similar tactics to TeamPCP, a threat actor that gained attention last year by exploiting cloud misconfigurations. However, PCPJack differs in its approach and objectives. While TeamPCP integrated cryptocurrency mining into its operations, PCPJack deliberately excludes this component and instead focuses purely on credential harvesting. The deliberate removal of TeamPCP artifacts from infected systems suggests the operators may have insider knowledge of the previous group's infrastructure and methods.
Attack Mechanism and Deployment
The attack begins with a bootstrap shell script that prepares the environment for infection. This initial script handles multiple functions including payload configuration, downloading next-stage tools, installing Python, establishing persistence, and removing itself to avoid detection. The script simultaneously works to eliminate any trace of TeamPCP presence on the system.
Following deployment, six Python scripts are downloaded and executed. The worm.py orchestrator serves as the main controller, launching other modules and exploiting the five known CVEs to propagate to additional hosts. This modular approach allows the attackers to update individual components without redeploying the entire framework.
Credential Harvesting Capabilities
PCPJack targets a wide range of credentials across multiple service categories. The parser.py module extracts and categorizes stolen keys and secrets from cloud services, container platforms, developer tools, and financial services. The threat actors specifically hunt for credentials associated with Anthropic, Digital Ocean, Discord, Google API, Grafana Cloud, HashiCorp Vault, OnePassword, and OpenAI.
The lateral.py script enables movement across SSH, Kubernetes, Docker, Redis, RayML, and MongoDB services. This lateral movement capability allows attackers to deepen their access within compromised networks and reach additional credential repositories.
Propagation and Scanning Strategy
PCPJack uses an automated scanning approach powered by the cloud_scan.py module, which identifies targets through cloud port scanning for Docker, Kubernetes, MongoDB, RayML, and Redis services. Notably, the threat actors source their target lists from Common Crawl, a public web archive that provides datasets for researchers and attackers alike.
The cloud_ranges.py module maintains an updated database of IP address ranges belonging to major cloud providers including AWS, Google Cloud, Microsoft Azure, Cloudflare, Cloudfront, and Fastly. This information is refreshed every 24 hours to ensure targeting accuracy.
Infrastructure and Command and Control
Communications between PCPJack and its operators flow through Telegram, using the platform's encrypted channels for command and control. Before exfiltration, the crypto_util.py module encrypts stolen credentials using encryption before transmission to the attacker's Telegram channels.
A secondary shell script called check.sh handles additional reconnaissance by detecting CPU architecture, fetching appropriate Sliver binaries, and scanning Instance Metadata Service endpoints and Kubernetes service accounts for additional credential opportunities.
Operational Indicators and Attribution
The threat actors track metrics on their success, including a "PCP replaced" field in exfiltration data that specifically measures whether TeamPCP has been successfully removed from targeted environments. This tracking mechanism demonstrates a focused campaign against specific competitors rather than opportunistic cloud attacks.
The sophistication of PCPJack's codebase and its deliberate targeting of TeamPCP infrastructure suggests the operators possess detailed knowledge of the previous group's operations. Security researchers assess this could indicate former TeamPCP members operating independently, though the exact nature of the relationship remains unclear.
Sources
https://thehackernews.com/2026/05/pcpjack-credential-stealer-exploits-5.html
https://www.socdefenders.ai/item/af0ed9ea-446e-4fa6-9e27-ef10ebb68df1
https://www.reddit.com/r/SecOpsDaily/comments/1t6k60v/pcpjack_credential_stealer_exploits_5_cves_to/
https://x.com/TheHackersNews/status/2052445216834191841
https://www.sentinelone.com/labs/cloud-worm-evicts-teampcp-and-steals-credentials-at-scale/

Comments