
PCPJack Cloud Credential Theft Worm Campaign
Indicators of Compromise
APT Groups
TeamPCP is a financially motivated cybercrime group that emerged in late 2025. They specialize in supply chain attacks on cloud-native ecosystems (GitHub Actions, Docker Hub, npm, PyPI, OpenVSX) to inject credential stealers, deploy ransomware, and perform destructive operations. The group has demonstrated advanced automation, cloud-native tactics, and selective wiper behavior.
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
Critical Recovery and Hardening Steps for PCPJack-Type Incidents:
1. Immediate Incident Response — Isolate compromised cloud workloads and revoke all exposed credentials immediately. Rotate API keys, SSH keys, database passwords, and SMTP credentials found in .env files or configuration directories. Audit all secrets management systems.
2. Indicator Sweep — Search all cloud environments for PCPJack artifacts: /var/lib/.spm/ directory, /etc/systemd/system/spm-worker.service, /var/tmp/apt-daily-upgrade, harvest.jsonl files, and crontab entries running every 5 minutes.
3. Secrets Management Migration — Move all credentials from .env files, configuration files, and git repositories into enterprise-grade secret management solutions (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault). Enforce application access through vault APIs rather than file-based secrets.
4. Cloud Service Hardening — Enforce IMDSv2 on all AWS EC2 instances. Require TLS client certificates for Docker daemon API. Apply Kubernetes RBAC policies limiting service account token scope. Disable unauthenticated endpoints for Redis, MongoDB, and RayML.
5. Vulnerability Patching — Apply emergency patches for CVE-2025-55182 (React/Next.js), CVE-2025-29927 (Next.js), CVE-2026-1357 (WPVivid WordPress), CVE-2025-9501 (W3 Total Cache), and CVE-2025-48703 (CentOS Web Panel) across all affected internet-exposed services.
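The indicator sweep of step 2, as an added example that is not part of this advisory: a POSIX shell script that checks a host (or a mounted image) for the filesystem artifacts, harvest.jsonl files and crontab entries named above. The function names, the root-prefix argument and the constructed demonstration tree are assumptions of the example; the paths, the service names (including sys-monitor.service from the detections table) and the crontab conditions are the ones this page lists.

```shell
#!/bin/sh
# Added example (not from the advisory): host sweep for the PCPJack artifacts
# named in step 2 of the guidance. Every check takes a root prefix so the same
# functions run against the live host ("") or a mounted image / test tree.

# Filesystem artifacts from the guidance and the persistence rows of the table.
PCPJACK_PATHS="/var/lib/.spm /etc/systemd/system/spm-worker.service /etc/systemd/system/sys-monitor.service /var/tmp/apt-daily-upgrade"

# Print each listed artifact that exists under the given root, one per line.
pcpjack_paths() {
  root="${1:-}"
  for p in $PCPJACK_PATHS; do
    [ -e "$root$p" ] && echo "ARTIFACT $root$p"
  done
  return 0
}

# Print every harvest.jsonl (the stealer's output file) found under the root.
pcpjack_harvest_files() {
  root="${1:-/}"
  find "$root" -name harvest.jsonl -type f 2>/dev/null
  return 0
}

# Read crontab text on stdin (e.g. /etc/crontab, /etc/cron.d/*, user spools)
# and print suspect entries with a reason tag. Two conditions from the table:
#   PATH  - the entry references a PCPJack path
#   SCHED - the entry runs every 5 minutes or at reboot
pcpjack_cron() {
  grep -v '^[[:space:]]*#' | while IFS= read -r line; do
    case "$line" in
      *'/var/lib/.spm/'*|*'/var/tmp/apt-daily-upgrade'*) echo "PATH    $line" ;;
      '*/5 * * * *'*|'@reboot'*)                         echo "SCHED   $line" ;;
    esac
  done
}

# --- constructed demonstration tree (not a real host) -----------------------
demo="$(mktemp -d)"
mkdir -p "$demo/var/lib/.spm/venv" "$demo/etc/systemd/system" "$demo/var/tmp" "$demo/root"
: > "$demo/etc/systemd/system/spm-worker.service"
: > "$demo/root/harvest.jsonl"
pcpjack_paths "$demo"
pcpjack_harvest_files "$demo"
printf '%s\n' \
  '# constructed crontab' \
  '0 3 * * * /usr/bin/certbot renew' \
  '*/5 * * * * /var/lib/.spm/venv/bin/python /var/lib/.spm/worker.py' \
  '*/5 * * * * /opt/scan.sh' \
  '@reboot /var/tmp/apt-daily-upgrade' | pcpjack_cron
rm -rf "$demo"
```

On a live host run the functions with an empty root and feed `pcpjack_cron` from `/etc/crontab`, `/etc/cron.d/*` and each user's spool (`crontab -l -u USER`); a SCHED hit on its own is only a lead, a PATH hit is an indicator. Treat any hit as grounds for the credential rotation in step 1 rather than as something to clean up in place.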
Detections
| Technique ID | Technique Name | Tactic | Detection Method | Log Sources |
|---|---|---|---|---|
| T1190 | Exploit Public-Facing Application | Initial Access | Monitor web application logs for exploitation patterns targeting CVE-2025-29927 (Next.js header bypass), CVE-2025-55182 (React deserialization), and WordPress plugin CVEs. Alert on unusual server-side code execution following web requests. | Web application firewall logs, Apache/Nginx access logs, application error logs, cloud WAF alerts |
| T1059.006 | Python Script Execution | Execution | Alert on unexpected Python interpreter spawning from web server processes or containerized workloads. Monitor for creation of Python virtual environments in non-standard paths such as /var/lib/.spm/. | Process execution telemetry, EDR behavioral logs, container runtime logs, auditd logs |
| T1543.002 | Systemd Service Creation | Persistence | Monitor for creation of new systemd services particularly sys-monitor.service or spm-worker.service. Alert on services pointing to scripts in /var/lib/.spm/ or /var/tmp/ directories. | Systemd journal logs, auditd file monitoring, EDR persistence detection, SIEM correlation rules |
| T1546.013 | Crontab Modification | Persistence | Alert on crontab modifications adding entries that execute scripts every 5 minutes or on system reboot. Monitor for cron entries referencing /var/lib/.spm/ or /var/tmp/apt-daily-upgrade. | Cron log files (/var/log/cron), auditd syscall monitoring, EDR file integrity monitoring |
| T1552.001 | Credential Harvesting from Files | Credential Access | Monitor for processes mass-reading .env files, SSH private key files, and application configuration files outside normal operational patterns. Alert on bulk file reads by non-application processes targeting /etc/, /home/, /opt/. | EDR file access telemetry, auditd read syscalls, DLP solution alerts, SIEM file access correlation |
| T1552.007 | Container API Credential Theft | Credential Access | Alert on unauthorized Kubernetes service account token usage outside expected namespaces. Monitor AWS IMDS endpoint access from containers that do not require instance metadata. Detect base64 decoding of Kubernetes Secrets via API. | Kubernetes audit logs, AWS CloudTrail IMDS events, container runtime logs, cloud SIEM |
| T1021.004 | SSH Lateral Movement | Lateral Movement | Monitor for SSH connections originating from systems that are not designated jump hosts or bastion servers. Alert on SSH key additions to authorized_keys files on critical systems. | SSH auth logs (auth.log / secure), network flow logs, SIEM lateral movement detection rules |
| T1610 | Malicious Container Deployment | Defense Evasion | Alert on privileged container deployment and host filesystem bind-mounts. Monitor Docker API access from unexpected source IPs. Detect containers launched with --privileged flag or /host volume mounts. | Docker daemon logs, Kubernetes admission controller logs, container runtime security alerts (Falco) |
| T1041 | Telegram C2 Exfiltration | Exfiltration | Monitor for outbound HTTPS connections to api.telegram.org from production systems. Alert on large base64-encoded payloads sent to Telegram endpoints. Detect emoji-prefixed encrypted blobs (lock emoji pattern) in network traffic. | Network flow logs, proxy/NGFW logs, DLP solution alerts, cloud VPC flow logs |
| T1071.001 | HTTP/HTTPS C2 Communication | Command and Control | Alert on connections to cdn[.]cloudfront-js[.]com:8443 and spm-cdn-assets-dist-2026[.]s3[.]us-east-2[.]amazonaws[.]com. Monitor for periodic beacon patterns over HTTPS on non-standard ports. | DNS query logs, proxy logs, NGFW connection logs, threat intelligence feed correlation |
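The network rows of the table (T1041 and T1071.001), as an added example that is not part of this advisory: a shell/awk detector that runs the listed hostnames over proxy or flow records and flags periodic beaconing to non-standard ports. The record format (`epoch src_ip dst_host dst_port`), the function names, the tunable thresholds and the sample log are constructed for the example; the hostnames are the ones defanged in the table, written in live form because that is how they appear in logs.

```shell
#!/bin/sh
# Added example (not from the advisory): apply the table's network indicators
# to proxy/flow records. Input is a constructed simplification, one record per
# line, time-ordered per connection pair:   epoch  src_ip  dst_host  dst_port

# Print one line per record that contacts a listed C2 host or the Telegram API.
pcpjack_net_iocs() {
  awk '
    BEGIN {
      ioc["cdn.cloudfront-js.com"] = "T1071.001 C2";
      ioc["spm-cdn-assets-dist-2026.s3.us-east-2.amazonaws.com"] = "T1071.001 C2";
      ioc["api.telegram.org"] = "T1041 Telegram exfil";
    }
    NF >= 4 && ($3 in ioc) { print ioc[$3] "\t" $2 " -> " $3 ":" $4 }
  '
}

# Flag src -> host:port pairs seen at least MIN times with near-constant
# spacing (max interval - min interval <= TOL seconds) on a port other than
# 443: the table's "periodic beacon patterns over HTTPS on non-standard ports".
# Usage: pcpjack_beacons [MIN] [TOL]   (defaults: 3 connections, 5 s jitter)
pcpjack_beacons() {
  awk -v MIN="${1:-3}" -v TOL="${2:-5}" '
    NF >= 4 && $4 != 443 {
      k = $2 " -> " $3 ":" $4
      if (k in last) {
        d = $1 - last[k]
        n[k]++
        if (!(k in mn) || d < mn[k]) mn[k] = d
        if (!(k in mx) || d > mx[k]) mx[k] = d
      }
      last[k] = $1
    }
    END {
      for (k in n)
        if (n[k] + 1 >= MIN && mx[k] - mn[k] <= TOL)
          print "BEACON\t" k "\tinterval~" int((mn[k] + mx[k]) / 2) "s x" (n[k] + 1)
    }
  '
}

# Constructed sample records (not real traffic): one host beaconing to the C2
# on 8443 every ~300 s after a Telegram hit, plus benign periodic traffic.
pcpjack_sample_log() {
  printf '%s\n' \
    '1700000000 10.0.1.5 api.telegram.org 443' \
    '1700000010 10.0.1.5 cdn.cloudfront-js.com 8443' \
    '1700000310 10.0.1.5 cdn.cloudfront-js.com 8443' \
    '1700000611 10.0.1.5 cdn.cloudfront-js.com 8443' \
    '1700000910 10.0.1.5 cdn.cloudfront-js.com 8443' \
    '1700000100 10.0.1.7 registry.npmjs.org 443' \
    '1700000400 10.0.1.7 registry.npmjs.org 443' \
    '1700000150 10.0.1.8 updates.example.internal 8080' \
    '1700004000 10.0.1.8 updates.example.internal 8080'
}

pcpjack_sample_log | pcpjack_net_iocs
pcpjack_sample_log | pcpjack_beacons
```

The hostname match is the high-confidence signal; the beacon heuristic is deliberately simple (a single pass keeping only the last timestamp and the interval spread per pair) so it can be ported to a SIEM scheduled search, and its thresholds should be widened once a real environment's normal periodic traffic on non-443 ports has been baselined.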