PCPJack Cloud Credential Theft Worm Campaign

Tags: PCPJack, TeamPCP, PCPCat, cloud worm, credential theft, Kubernetes, Docker, Redis, Sliver, supply chain, credential harvesting, Telegram C2, cloud security, Python malware, lateral movement, CVE-2025-55182, CVE-2025-29927, container escape, cloud infrastructure attack
PCPJack is a modular cloud worm that propagates across exposed infrastructure such as Docker and Kubernetes while actively evicting a rival threat group, TeamPCP. Unlike typical cloud malware, it focuses entirely on harvesting credentials for more than 30 enterprise and financial services, which are monetized through fraud, extortion, or resale. The framework gains initial access by exploiting vulnerabilities such as CVE-2025-55182 and CVE-2026-1357, and uses Python orchestrators and obfuscated Sliver C2 beacons to exfiltrate data via Telegram.

Indicators of Compromise

lastpass-login-help.com
cdn.cloudfront-js.com
spm-cdn-assets-dist-2026.s3.us-east-2.amazonaws.com

APT Groups

TeamPCP

TeamPCP is a financially motivated cybercrime group that emerged in late 2025. They specialize in supply chain attacks on cloud-native ecosystems (GitHub Actions, Docker Hub, npm, PyPI, OpenVSX) to inject credential stealers, deploy ransomware, and perform destructive operations. The group has demonstrated advanced automation, cloud-native tactics, and selective wiper behavior.

Aliases: ShellForce, Persy_PCP, CipherForce, PCPcat, DeadCatx3, team pcp

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Critical Recovery and Hardening Steps for PCPJack-Type Incidents:

1. Immediate Incident Response — Isolate compromised cloud workloads and revoke all exposed credentials immediately. Rotate API keys, SSH keys, database passwords, and SMTP credentials found in .env files or configuration directories. Audit all secrets management systems.

2. Indicator Sweep — Search all cloud environments for PCPJack artifacts: /var/lib/.spm/ directory, /etc/systemd/system/spm-worker.service, /var/tmp/apt-daily-upgrade, harvest.jsonl files, and crontab entries running every 5 minutes.

3. Secrets Management Migration — Move all credentials from .env files, configuration files, and git repositories into enterprise-grade secret management solutions (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault). Enforce application access through vault APIs rather than file-based secrets.

4. Cloud Service Hardening — Enforce IMDSv2 on all AWS EC2 instances. Require TLS client certificates for Docker daemon API. Apply Kubernetes RBAC policies limiting service account token scope. Disable unauthenticated endpoints for Redis, MongoDB, and RayML.

5. Vulnerability Patching — Apply emergency patches for CVE-2025-55182 (React/Next.js), CVE-2025-29927 (Next.js), CVE-2026-1357 (WPVivid WordPress), CVE-2025-9501 (W3 Total Cache), and CVE-2025-48703 (CentOS Web Panel) across all affected internet-exposed services.
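The indicator sweep in step 2, together with the systemd and cron rows of the Detections section, as an added Python example (not code from the page or from any vendor tooling): it checks a filesystem root for the named artifacts, parses a crontab dump for the 5-minute and reboot entries, and flags systemd units whose ExecStart points into /var/lib/.spm/ or /var/tmp/. The sample tree and crontab it builds are constructed test data; point `sweep()` at `/` or a mounted image for a real run.

```python
# Added example, not code from the page: sweep a filesystem root and a crontab dump
# for the PCPJack artifacts named above (root is explicit so it also runs on a
# mounted forensic image or on the constructed sample tree built at the bottom).
import glob, os, re, tempfile

ARTIFACTS = ["var/lib/.spm", "etc/systemd/system/spm-worker.service", "var/tmp/apt-daily-upgrade"]
SUSPECT_DIRS = ("/var/lib/.spm/", "/var/tmp/")
# every-5-minutes or @reboot schedule; the command must reference a suspect dir
CRON_RE = re.compile(r"^\s*(?:\*/5(?:\s+\*){4}|@reboot)\s+(?P<cmd>.+)$")

def find_artifacts(root: str) -> list[str]:
    """Known paths present under root, plus any harvest.jsonl, relative to root."""
    hits = [p for p in ARTIFACTS if os.path.lexists(os.path.join(root, p))]
    for dirpath, _, files in os.walk(root):
        if "harvest.jsonl" in files:
            hits.append(os.path.relpath(os.path.join(dirpath, "harvest.jsonl"), root))
    return sorted(hits)

def suspicious_units(root: str) -> list[str]:
    """systemd units (e.g. spm-worker, sys-monitor) whose ExecStart points into a suspect dir."""
    hits = []
    for unit in glob.glob(os.path.join(root, "etc/systemd/system/*.service")):
        text = open(unit, encoding="utf-8", errors="replace").read()
        if re.search(r"^ExecStart=.*(/var/lib/\.spm/|/var/tmp/)", text, re.M):
            hits.append(os.path.basename(unit))
    return sorted(hits)

def suspicious_cron(crontab_text: str) -> list[str]:
    """Crontab lines on the campaign's schedule that reference a suspect dir."""
    matches = (CRON_RE.match(line) for line in crontab_text.splitlines())
    return [m.group(0).strip() for m in matches
            if m and any(d in m.group("cmd") for d in SUSPECT_DIRS)]

def sweep(root: str, crontab_text: str) -> dict[str, list[str]]:
    return {"artifacts": find_artifacts(root), "units": suspicious_units(root),
            "cron": suspicious_cron(crontab_text)}

# Constructed sample data: a fake root holding the artifacts plus one benign unit.
SAMPLE_CRONTAB = ("*/5 * * * * /var/lib/.spm/run.sh >/dev/null 2>&1\n"
                  "0 3 * * * /usr/bin/certbot renew\n@reboot /var/tmp/apt-daily-upgrade\n")

def make_sample_root() -> str:
    root = tempfile.mkdtemp(prefix="pcpjack-sample-")
    files = {"var/lib/.spm/harvest.jsonl": "", "var/tmp/apt-daily-upgrade": "",
             "etc/systemd/system/spm-worker.service": "[Service]\nExecStart=/var/lib/.spm/venv/bin/python worker.py\n",
             "etc/systemd/system/nginx.service": "[Service]\nExecStart=/usr/sbin/nginx\n"}
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        open(os.path.join(root, rel), "w").write(body)
    return root
```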

Detections

Each entry gives the ATT&CK technique ID and name, the tactic, the detection method, and the log sources to query.

T1190 Exploit Public-Facing Application (Initial Access)
  Detection method: Monitor web application logs for exploitation patterns targeting CVE-2025-29927 (Next.js header bypass), CVE-2025-55182 (React deserialization), and WordPress plugin CVEs. Alert on unusual server-side code execution following web requests.
  Log sources: Web application firewall logs, Apache/Nginx access logs, application error logs, cloud WAF alerts

T1059.006 Python Script Execution (Execution)
  Detection method: Alert on unexpected Python interpreter spawning from web server processes or containerized workloads. Monitor for creation of Python virtual environments in non-standard paths such as /var/lib/.spm/.
  Log sources: Process execution telemetry, EDR behavioral logs, container runtime logs, auditd logs

T1543.002 Systemd Service Creation (Persistence)
  Detection method: Monitor for creation of new systemd services, particularly sys-monitor.service or spm-worker.service. Alert on services pointing to scripts in /var/lib/.spm/ or /var/tmp/ directories.
  Log sources: Systemd journal logs, auditd file monitoring, EDR persistence detection, SIEM correlation rules

T1546.013 Crontab Modification (Persistence)
  Detection method: Alert on crontab modifications adding entries that execute scripts every 5 minutes or on system reboot. Monitor for cron entries referencing /var/lib/.spm/ or /var/tmp/apt-daily-upgrade.
  Log sources: Cron log files (/var/log/cron), auditd syscall monitoring, EDR file integrity monitoring

T1552.001 Credential Harvesting from Files (Credential Access)
  Detection method: Monitor for processes mass-reading .env files, SSH private key files, and application configuration files outside normal operational patterns. Alert on bulk file reads by non-application processes targeting /etc/, /home/, /opt/.
  Log sources: EDR file access telemetry, auditd read syscalls, DLP solution alerts, SIEM file access correlation

T1552.007 Container API Credential Theft (Credential Access)
  Detection method: Alert on unauthorized Kubernetes service account token usage outside expected namespaces. Monitor AWS IMDS endpoint access from containers that do not require instance metadata. Detect base64 decoding of Kubernetes Secrets via API.
  Log sources: Kubernetes audit logs, AWS CloudTrail IMDS events, container runtime logs, cloud SIEM

T1021.004 SSH Lateral Movement (Lateral Movement)
  Detection method: Monitor for SSH connections originating from systems that are not designated jump hosts or bastion servers. Alert on SSH key additions to authorized_keys files on critical systems.
  Log sources: SSH auth logs (auth.log / secure), network flow logs, SIEM lateral movement detection rules

T1610 Malicious Container Deployment (Defense Evasion)
  Detection method: Alert on privileged container deployment and host filesystem bind-mounts. Monitor Docker API access from unexpected source IPs. Detect containers launched with the --privileged flag or /host volume mounts.
  Log sources: Docker daemon logs, Kubernetes admission controller logs, container runtime security alerts (Falco)

T1041 Telegram C2 Exfiltration (Exfiltration)
  Detection method: Monitor for outbound HTTPS connections to api.telegram.org from production systems. Alert on large base64-encoded payloads sent to Telegram endpoints. Detect emoji-prefixed encrypted blobs (lock emoji pattern) in network traffic.
  Log sources: Network flow logs, proxy/NGFW logs, DLP solution alerts, cloud VPC flow logs

T1071.001 HTTP/HTTPS C2 Communication (Command and Control)
  Detection method: Alert on connections to cdn[.]cloudfront-js[.]com:8443 and spm-cdn-assets-dist-2026[.]s3[.]us-east-2[.]amazonaws[.]com. Monitor for periodic beacon patterns over HTTPS on non-standard ports.
  Log sources: DNS query logs, proxy logs, NGFW connection logs, threat intelligence feed correlation
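The two network entries above (T1041 Telegram exfiltration and T1071.001 C2 beaconing) as an added Python example that is not from the page: it runs over constructed proxy log lines in an assumed `<epoch> <src> CONNECT <host>:<port> bytes_out=<n>` format, flags the known destinations and large Telegram uploads, and detects periodic beaconing from near-constant gaps between connections. The hosts, the log format and the thresholds are the example's own assumptions.

```python
# Added example, not code from the page: apply the Telegram exfiltration and C2
# detections from the table above to constructed proxy log lines, and flag
# periodic beaconing from how regular the gaps between connections are.
import re, statistics
from collections import defaultdict

# Destinations from the detection table (plain form of the defanged hosts above).
KNOWN_C2 = {"cdn.cloudfront-js.com:8443", "spm-cdn-assets-dist-2026.s3.us-east-2.amazonaws.com:443"}
EXFIL_HOSTS = {"api.telegram.org"}
# Assumed (constructed) log format: "<epoch> <src> CONNECT <host>:<port> bytes_out=<n>"
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<src>\S+) CONNECT (?P<host>[^:\s]+):(?P<port>\d+) bytes_out=(?P<out>\d+)$")

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def beaconing(events, min_hits=4, max_jitter=0.2):
    """Per (src, host:port) stream, flag near-constant inter-connection gaps."""
    series = defaultdict(list)
    for e in events:
        series[(e["src"], f"{e['host']}:{e['port']}")].append(int(e["ts"]))
    flagged = []
    for key, ts in series.items():
        gaps = [b - a for a, b in zip(sorted(ts), sorted(ts)[1:])]
        if len(gaps) >= min_hits - 1 and statistics.mean(gaps) > 0 \
                and statistics.pstdev(gaps) / statistics.mean(gaps) <= max_jitter:
            flagged.append(key)
    return flagged

def detect(lines, large_upload=50_000):
    """Return (rule, source, detail) alerts for the given proxy log lines."""
    events = [e for e in map(parse, lines) if e]
    alerts = []
    for e in events:
        dest = f"{e['host']}:{e['port']}"
        if dest in KNOWN_C2:
            alerts.append(("T1071.001", e["src"], dest))
        if e["host"] in EXFIL_HOSTS:
            kind = "large-upload" if int(e["out"]) >= large_upload else "contact"
            alerts.append(("T1041", e["src"], f"{dest} {kind}"))
    alerts += [("beacon", src, dest) for src, dest in beaconing(events)]
    return alerts

# Constructed sample: web-01 beacons to the C2 CDN on 8443 every 300 s and pushes
# one large upload to Telegram; web-02 talks to a package mirror at irregular times.
SAMPLE_LOG = [f"{t} web-01 CONNECT cdn.cloudfront-js.com:8443 bytes_out=512" for t in (1000, 1300, 1600, 1900)] + [
    "1200 web-01 CONNECT api.telegram.org:443 bytes_out=81920",
    "1100 web-02 CONNECT deb.debian.org:443 bytes_out=300",
    "1700 web-02 CONNECT deb.debian.org:443 bytes_out=300",
    "2900 web-02 CONNECT deb.debian.org:443 bytes_out=300",
]
```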

Observed Countries (250)