PCPJack Credential Stealer Exploits 5 CVEs to Spread Like a Worm Across Cloud Systems

Cybersecurity researchers have disclosed details of a new credential-stealing framework called PCPJack that targets cloud infrastructure and removes any artifacts associated with TeamPCP from the hosts it lands on.
“The toolset harvests data from cloud, container, developer, manufacturing, and financial services, and then exfiltrates data through attacker-controlled infrastructure while attempting to spread to additional hosts,” said SentinelOne security researcher Alex Delamotte in a report published today.
PCPJack is specifically designed to target cloud services such as Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications, allowing operators to spread across vulnerable networks in a worm-like manner.
It is assessed that the ultimate goal of the cloud attack campaign is to generate illicit revenue for the threat actors through identity theft, fraud, spam, or resale of stolen access.
What makes this operation notable is that it shares significant target overlap with TeamPCP, a threat actor that came to light late last year by exploiting known security vulnerabilities (e.g., React2Shell) and weaknesses in cloud services to plug endpoints into an ever-expanding network for data theft and other post-exploitation activities.
At the same time, PCPJack does not have a cryptocurrency mining component, unlike TeamPCP. Although it is not known why this obvious money-making strategy was not adopted, the similarities between the two toolsets indicate that PCPJack could be the work of a former TeamPCP member who is familiar with the team's tradecraft.
The attack begins with a bootstrap shell script that configures the environment (such as setting up a payload host) and downloads the next-stage tools, while at the same time stopping and removing processes or artifacts associated with TeamPCP, installing Python, establishing persistence, and downloading and running six Python payloads.

The six Python payloads are as follows:
- worm.py (written to disk as monitor.py), the main orchestrator that launches the purpose-built modules, conducts local credential theft, propagates the toolset to other hosts by exploiting known flaws (CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703), and uses Telegram for command-and-control (C2)
- attacker.py (utils.py), to parse credentials and separate out stolen keys and secrets
- lateral.py (_lat.py), to facilitate discovery, harvest secrets, and enable lateral movement across SSH, Kubernetes, Docker, Redis, RayML, and MongoDB services
- crypto_util.py (_cu.py), to encrypt information before it is exfiltrated to the attacker's Telegram channel
- cloud_ranges.py (_cr.py), to collect the IP address ranges published by Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Cloudflare, CloudFront, and Fastly, and refresh the data every 24 hours
- cloud_scan.py (_csc.py), to port-scan those cloud ranges for exposed Docker, Kubernetes, MongoDB, RayML, or Redis services and fan out through them
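The on-disk names in the list above are the most immediately usable detail for a responder. The following is an added example, not code from SentinelOne or from the toolset described, that walks a directory tree for those six filenames and escalates a hit only when the file also contains strings the article associates with the toolset's behaviour (Telegram C2, Common Crawl parquet target lists). The hint strings, the `api.telegram.org` host and the sample directory it builds are this example's own assumptions, chosen because names such as utils.py and monitor.py are common in legitimate projects and a bare name match would be noisy.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# On-disk names from the article's module list, mapped back to the source
# module so a finding can be reported in the report's own terms.
# Name-based only: this is a triage aid, not a replacement for the vendor's IoCs.
PCPJACK_ARTIFACT_NAMES = {
    "monitor.py": "worm.py (orchestrator)",
    "utils.py": "attacker.py (credential parser)",
    "_lat.py": "lateral.py (lateral movement)",
    "_cu.py": "crypto_util.py (payload encryption)",
    "_cr.py": "cloud_ranges.py (cloud IP ranges)",
    "_csc.py": "cloud_scan.py (cloud port scanner)",
}

# Assumed content hints (not from the article's IoC list): the Telegram Bot API
# host, Common Crawl, and the parquet target lists the article mentions.
CONTENT_HINTS = ("api.telegram.org", "commoncrawl", "parquet")


def sha256_file(path: Path) -> str:
    """Hash the file so a finding can be matched against vendor hashes later."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: str) -> list:
    """Return one finding per file whose basename is in PCPJACK_ARTIFACT_NAMES.

    Severity is 'high' when the file body also carries a content hint, 'low'
    when only the name matches. Results are sorted by path for stable output.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in PCPJACK_ARTIFACT_NAMES:
                continue
            path = Path(dirpath) / name
            try:
                body = path.read_text(errors="replace").lower()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            hints = [h for h in CONTENT_HINTS if h in body]
            findings.append({
                "path": str(path),
                "module": PCPJACK_ARTIFACT_NAMES[name],
                "sha256": sha256_file(path),
                "content_hints": hints,
                "severity": "high" if hints else "low",
            })
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree(base: str) -> str:
    """Constructed sample tree: a benign utils.py and a monitor.py that carries
    the Telegram and Common Crawl strings. Not real malware content."""
    app = Path(base) / "app"
    app.mkdir(parents=True, exist_ok=True)
    (app / "utils.py").write_text("def helper():\n    return 42\n")
    tmp = Path(base) / "tmp"
    tmp.mkdir(parents=True, exist_ok=True)
    (tmp / "monitor.py").write_text(
        "TG = 'https://api.telegram.org/bot<token>/sendMessage'\n"
        "SRC = 'commoncrawl'  # parquet target lists\n"
    )
    return base


def demo() -> list:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmpdir:
        build_demo_tree(tmpdir)
        return scan_tree(tmpdir)


if __name__ == "__main__":
    # Stand-alone run prints the two findings from the constructed tree;
    # point scan_tree() at a real root (e.g. "/") for an actual sweep.
    print(json.dumps(demo(), indent=2))
```

The low-severity name-only hits are kept rather than dropped so an analyst can still review them, but the content hints are what separate a developer's utils.py from the renamed attacker.py.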
The orchestrator script's propagation targets come from parquet files that the worm pulls directly from Common Crawl, a non-profit organization that crawls the web and makes its archives and datasets available to the public free of charge.
"When exfiltrating system information and credentials, the PCPJack operator even collects success metrics on whether TeamPCP has been removed from target locations in the 'changed PCP' environment sent to C2," Delamotte said. This "means a more specific focus on the activities of a threat actor than on the pure opportunity of a cloud attack."
Further analysis of the threat actor's infrastructure revealed another shell script ("check.sh") that detects the CPU architecture and downloads the appropriate Sliver binary. It also scans Instance Metadata Service (IMDS) endpoints, Kubernetes service accounts, and Docker instances for credentials associated with Anthropic, Digital Ocean, Discord, Google API, Grafana Cloud, HashiCorp Vault, OnePassword, and OpenAI, and sends them to an external server.
"Overall, the two tools are well developed and show that the owner appreciates coding as a modular framework, despite not being required in practice," SentinelOne said. "This campaign does not have it [deploy miners] and intentionally removes miner jobs associated with TeamPCP. In addition, this actor has well-defined plans to extract cryptocurrency information."