
PCPJack Cloud Credential Theft Worm Campaign
PCPJack is a modular cloud worm that propagates across exposed infrastructure like Docker and Kubernetes while actively evicting a rival threat group, TeamPCP. Unlike typical cloud malware, it focuses entirely on harvesting credentials from over 30 enterprise and financial services for monetization through fraud, extortion, or resale. The framework gains initial access by exploiting vulnerabilities like CVE-2025-55182 and CVE-2026-1357, utilizing Python orchestrators and obfuscated Sliver C2 beacons to exfiltrate data via Telegram.
Indicators of Compromise
Domains (3)
lastpass-login-help.com
cdn.cloudfront-js.com
spm-cdn-assets-dist-2026.s3.us-east-2.amazonaws.com
Hashes (12)
IPv4 (11)
APT Groups
TeamPCP
Notes
<div class="content-body"><span class="content-title">CONCLUSION</span><p class="content-description">PCPJack represents a significant evolution in cloud-focused threat actor tactics, departing from the ubiquitous cryptomining approach seen in virtually all previous cloud attack campaigns. By focusing exclusively on credential harvesting across financial, messaging, enterprise, and developer services, the actor demonstrates a clear understanding of the higher long-term monetization value of stolen cloud credentials compared to cryptocurrency mining revenue. The inclusion of enterprise productivity services such as Slack and OpenAI API keys expands the attack surface to corporate espionage and extortion scenarios.</p><p class="content-description">The deliberate targeting of TeamPCP artifacts adds a competitive dimension to the cloud threat landscape, where criminal groups actively compete to maintain exclusive access to compromised infrastructure. The use of Telegram for C2 — a technique increasingly common among cloud threat actors — combined with asymmetric encryption using X25519/ChaCha20-Poly1305 demonstrates above-average operational security sophistication. The partial operational security failures (exposed Telegram bot token, unencrypted decryption keys) suggest a capable but not elite threat actor, possibly a former TeamPCP operator with deep knowledge of the group's tooling.</p><p class="content-description">Organizations operating cloud infrastructure must prioritize credential hygiene as the primary defensive investment against PCPJack and similar frameworks. The attack's propagation mechanism — leveraging Common Crawl web scan data to discover new targets — enables the worm to scale across millions of hosts without centralized coordination. 
SOCRadar's Attack Surface Management and IOC Radar capabilities provide essential visibility into exposed cloud service endpoints and active PCPJack infrastructure indicators, enabling early detection before credential exfiltration occurs.</p></div>
Mitigation
<div>
<a href="https://attack.mitre.org/">REF</a>
<table>
<thead>
<tr> <th>Technique ID</th> <th>Technique Name</th> <th>Tactic</th> <th>Mitigation ID</th> <th>Description</th> </tr>
</thead>
<tbody>
<tr> <td>T1190</td> <td>Exploit Public-Facing Application</td> <td>Initial Access</td> <td>M1051</td> <td>Vulnerability Management — Apply patches for CVE-2025-29927, CVE-2025-55182, CVE-2026-1357, CVE-2025-9501, CVE-2025-48703 immediately. Implement a vulnerability management program prioritizing internet-exposed services.</td> </tr>
<tr> <td>T1059.006</td> <td>Command and Scripting Interpreter: Python</td> <td>Execution</td> <td>M1038</td> <td>Execution Prevention — Use application allow-listing to prevent execution of unauthorized Python scripts. Monitor for unexpected Python interpreter invocations in cloud environments.</td> </tr>
<tr> <td>T1059.004</td> <td>Command and Scripting Interpreter: Unix Shell</td> <td>Execution</td> <td>M1038</td> <td>Execution Prevention — Restrict shell execution in container environments. Use container security policies to block unauthorized shell commands.</td> </tr>
<tr> <td>T1543.002</td> <td>Create or Modify System Process: Systemd Service</td> <td>Persistence</td> <td>M1018</td> <td>User Account Management — Restrict permissions to create systemd services to privileged users only. Monitor for unauthorized service creation events.</td> </tr>
<tr> <td>T1546.013</td> <td>Event Triggered Execution: Component Object Model Hijacking</td> <td>Persistence</td> <td>M1022</td> <td>Restrict File and Directory Permissions — Restrict crontab modification access. Monitor cron entries for unauthorized additions, particularly those targeting cloud workloads.</td> </tr>
<tr> <td>T1552.001</td> <td>Unsecured Credentials: Credentials in Files</td> <td>Credential Access</td> <td>M1017</td> <td>User Training — Train developers to avoid storing credentials in .env files, config files, or git repositories. Use secret management vaults (HashiCorp Vault, AWS Secrets Manager) for all credentials.</td> </tr>
<tr> <td>T1552.007</td> <td>Unsecured Credentials: Container API</td> <td>Credential Access</td> <td>M1026</td> <td>Privileged Account Management — Enforce IMDSv2 on all AWS environments to prevent IMDS credential theft. Restrict Kubernetes service account token scopes using RBAC principles of least privilege.</td> </tr>
<tr> <td>T1021.004</td> <td>Remote Services: SSH</td> <td>Lateral Movement</td> <td>M1042</td> <td>Disable or Remove Feature or Program — Disable SSH where not required. Enforce key-based SSH authentication and restrict access to known hosts. Monitor for SSH connections to unexpected hosts.</td> </tr>
<tr> <td>T1610</td> <td>Deploy Container</td> <td>Defense Evasion</td> <td>M1047</td> <td>Audit — Audit Docker socket exposure and disable unauthenticated Docker API access. Require TLS authentication for all Docker daemon connections.</td> </tr>
<tr> <td>T1613</td> <td>Container and Resource Discovery</td> <td>Discovery</td> <td>M1035</td> <td>Limit Access to Resource Over Network — Restrict access to Kubernetes management APIs. Disable unauthenticated API endpoints. Implement network policies limiting pod-to-pod communication.</td> </tr>
<tr> <td>T1041</td> <td>Exfiltration Over C2 Channel</td> <td>Exfiltration</td> <td>M1057</td> <td>Data Loss Prevention — Monitor for outbound Telegram API connections from production systems. Implement egress filtering blocking unauthorized C2 channels. Alert on encrypted blob exfiltration patterns.</td> </tr>
</tbody>
</table>
</div>
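The T1041 row asks for monitoring of outbound Telegram API connections and alerting on blob-sized uploads. As an added example (not code from the original report or from SOCRadar), this Python detector runs that logic over constructed egress-proxy log lines; the key=value log format, source hosts, bot ids, token strings and the 10 KB upload threshold are all assumptions.

```python
# Added example, not from the original report: log format, hosts, bot ids/tokens and threshold are constructed.
import re
from dataclasses import dataclass

# Constructed egress-proxy log lines, one request per line.
SAMPLE_LOG = """\
ts=2026-03-01T12:00:01Z src=10.0.3.14 host=api.telegram.org path=/bot123456:AAExampleTokenValue/sendDocument bytes=48213
ts=2026-03-01T12:00:02Z src=10.0.3.14 host=pypi.org path=/simple/requests/ bytes=1200
ts=2026-03-01T12:00:05Z src=10.0.7.2 host=api.telegram.org path=/bot123456:AAExampleTokenValue/getMe bytes=180
ts=2026-03-01T12:00:09Z src=10.0.9.9 host=api.telegram.org path=/bot999:AnotherToken/sendMessage bytes=300
"""
LINE_RE = re.compile(r"ts=(\S+) src=(\S+) host=(\S+) path=(\S+) bytes=(\d+)")
# Bot API paths are /bot<id>:<secret>/<method>; capture only id and method so the secret never lands in alerts.
BOT_PATH_RE = re.compile(r"^/bot(\d+):[A-Za-z0-9_-]+/(\w+)")
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo"}
LARGE_UPLOAD_BYTES = 10_000  # constructed threshold for "encrypted blob" uploads

@dataclass
class Alert:
    src: str
    bot_id: str      # numeric bot id or "?"
    api_method: str  # Bot API method called, or "unknown"
    bytes_sent: int
    severity: str

def detect_telegram_c2(log_text: str) -> list:
    """Return one Alert per request to api.telegram.org, ranked by exfil likelihood."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed or unrelated lines
        _ts, src, host, path, nbytes = m.groups()
        if host != "api.telegram.org":
            continue
        bp = BOT_PATH_RE.match(path)
        bot_id, api_method = (bp.group(1), bp.group(2)) if bp else ("?", "unknown")
        size = int(nbytes)
        if api_method in UPLOAD_METHODS and size >= LARGE_UPLOAD_BYTES:
            severity = "high"    # blob-sized file upload: likely credential dump
        elif api_method in UPLOAD_METHODS or api_method == "sendMessage":
            severity = "medium"  # bot sending data out, but small
        else:
            severity = "low"     # e.g. getMe: beacon check-in, still block at egress
        alerts.append(Alert(src, bot_id, api_method, size, severity))
    return alerts

def egress_block_sources(alerts) -> set:
    # Sources to quarantine under the egress-filtering recommendation (medium and above).
    return {a.src for a in alerts if a.severity != "low"}
```

Production hosts rarely have a legitimate reason to call the Telegram Bot API, so even "low" hits are candidates for an egress deny rule; the detector deliberately records only the numeric bot id so the bot secret is not copied into SIEM data.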