[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f8WA1ipC2KLWLg9aarLvoJoXtSPUkL1FpDWBUKtZ4JyM":3},{"article":4,"iocs":54},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"821970be-9f1c-4fc2-aba0-1a9e6fb7a766","PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale","pcpjack-cloud-worm-evicts-teampcp-and-steals-credentials-at-scale-5895bb","Cloud attack framework skips cryptomining, harvests financial, messaging, and enterprise credentials for fraud, spam, and potential extortion.","SentinelLABS identified PCPJack, a credential theft framework that propagates across exposed cloud services (Docker, Kubernetes, Redis, MongoDB) and removes TeamPCP artifacts while exfiltrating credentials from financial, messaging, and enterprise applications. The toolset uses a bootstrap script to deploy Python-based worm modules for credential parsing, lateral movement, and C2 communication, with monetization likely through fraud, spam, and extortion rather than cryptomining. Analysis suggests the operator may be a former TeamPCP member leveraging familiarity with the group's infrastructure targeting strategies from late 2025.","PCPJack cloud worm evicts TeamPCP artifacts and harvests credentials from exposed infrastructure.","Crimeware PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale Alex Delamotte \u002F May 7, 2026 Executive Summary SentinelLABS has identified PCPJack, a credential theft framework that worms across exposed cloud infrastructure and removes artifacts associated with TeamPCP, a threat actor persona who claimed several high-profile supply chain intrusions throughout early 2026. The toolset harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting to spread to additional hosts. PCPJack targets exposed services including Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications, enabling both external propagation and lateral movement inside victim environments. Unlike typical cloud-focused malware, PCPJack does not deploy cryptominers; the services it targets suggest monetization through credential theft, fraud, spam, extortion, or resale of stolen access. Overview On 28 April 2026, SentinelLABS located a script through a Kubernetes-focused VirusTotal hunting rule that stood out from known cloud hacktools: the script’s first actions are to evict and delete tools associated with the TeamPCP attack group, leading us to call the toolset PCPJack. Analyzing this script led us to discover a full framework dedicated to cloud credential harvesting and propagating onto other systems, both internal and external to the victim’s environment. TeamPCP stood out in early 2026 following the group’s February compromise of Aqua Security’s Trivy vulnerability scanner. The incident enabled several downstream attacks, including the compromise of LiteLLM, an open-source library that routes requests across widely used LLM providers. TeamPCP also announced a partnership with the VECT ransomware group to monetize the data stolen through their cloud environment attacks. Many of the services targeted by the PCPJack framework are similar to the early TeamPCP\u002FPCPCat campaigns from December 2025, before the high-visibility campaigns of early 2026 brought significant attention to TeamPCP and purportedly led to changes in group membership. We believe this could be a former operator who is deeply familiar with the group’s tooling. The types of credentials collected by the framework suggest PCPJack’s targeting motivations are primarily to conduct spam campaigns and financial fraud, or to simply monetize stolen credentials to actors with these focuses. The inclusion of enterprise productivity software like Slack and business database services expands the focus to extortion attacks. Notably, neither of the two toolsets we identified from the attacker’s staging server performed any cryptocurrency mining, a stark departure from typical multi-disciplinary cloud attack campaigns. First Toolset | bootstrap.sh & Python Worms The infection begins with bootstrap.sh, a shell script designed for Linux systems. This script serves only to set up the environment and download additional payloads. bootstrap.sh sets several key variables, including PAYLOAD_HOST, which is set to hxxps:\u002F\u002Fspm-cdn-assets-dist-2026[.]s3[.]us-east-2[.]amazonaws[.]com, a legitimate Amazon Simple Storage Service (S3) resource that was likely registered by the attacker for unauthorized purposes. Beginning of bootstrap.sh, the dropper script The main functionality of bootstrap.sh is: Create \u002Fvar\u002Flib\u002F.spm\u002F working directory Check public IP against operator’s blocklist: this prevents the attacker from infecting their own infrastructure Find and remove processes or artifacts that match naming conventions referencing TeamPCP or PCPcat process list, services, paths, or containers Install Python 3.6+ via available package manager: apk, apt, dnf, pacman, yum or zypper Create a Python virtual environment and install requests, cryptography, and pyarrow Download six Python modules from the attacker’s S3 URL in the following order: worm.py, parser.py, lateral.py, crypto_util.py, cloud_ranges.py, cloud_scan.py Rename modules to their on-disk names (see the list of downloaded payloads below) Establish persistence: If run as root: create sys-monitor.service, which runs monitor.py, aka worm.py, an orchestrator script If not root, create two crontabs: one runs every 5 minutes to check if monitor.py is running, the other starts monitor.py if it is not running Launch monitor.py Self delete using rm -f \"$0\" bootstrap.sh rival process and artifact removal The following table itemises the downloaded payloads: S3 filename On-disk name Role worm.py monitor.py Main orchestrator parser.py utils.py Credential parsing engine lateral.py _lat.py Lateral movement crypto_util.py _cu.py Exfiltrated data encryption cloud_ranges.py _cr.py Cloud IP CIDR database cloud_scan.py _csc.py Cloud port scanner The logic targeting TeamPCP files stands out: each of the artifacts has been associated with TeamPCP in public reporting, though BORING_SYSTEM is mentioned only sparsely. We initially considered that this toolset could be a researcher removing TeamPCP’s infections. However, analysis of the later-stage payloads indicates otherwise. When exfiltrating system information and credentials, the PCPJack operator even collects success metrics on whether TeamPCP has been evicted from targeted environments in a “PCP replaced” field sent to the C2. List of information sent to the attacker by monitor.py Infection Flow The infection begins with bootstrap.sh, which executes the orchestrator script, monitor.py (aka worm.py). The orchestrator imports a set of purpose-built modules for credential parsing (utils.py), lateral movement (_lat.py), C2 message encryption (_cu.py), cloud IP range lookups (_cr.py), and cloud scanning (_csc.py). Rather than let the modules find their own dependencies, the orchestrator injects them at runtime with shared references, ensuring all components operate with the same credential and movement handles without hardcoding inter-module imports. The scanning module, _csc.py, receives the lateral movement engine, the cloud range lookup function, and the credential parser all via injection from the worm. This design keeps each module independently minimal while the orchestrator alone holds the full dependency graph, making the framework harder to analyze in isolation. No single imported file reveals the complete picture without visibility into monitor.py. Sensitive strings are stored in the source code as a hex-encoded blob instead of clear text. When a script runs, it obtains the actual value by calling function _d(), which is near the top of each Python module, against the encoded hex string containing the sensitive content. The function decrypts it by XORing each byte against the MD5 hash of the string urllib3.poolmanager, a name chosen to look like a reference to a common Python web library. PCPJack’s author encrypted the constants that would immediately identify the malware’s infrastructure. Despite this, the actor failed to encrypt the Telegram bot token in bootstrap.sh and the credential decryption key in crypto_util.py, so the operational security awareness only goes so far. The _d function is used to XOR decrypt sensitive constants monitor.py | Orchestrator Script The monitor.py script, which was hosted on the attacker’s staging server as worm.py and had persistence established by bootstrap.sh, is the main script driving the toolset. The script starts with logic designed to make the script appear like a benign system monitoring utility that collects metrics about the system. While this is valuable information for the attacker, we believe it is an attempt to help the script blend in if spotted by an administrator, given that the posted information also includes data about the types of systems being targeted by the toolset. Early functions in monitor.py Local Credential Theft On each compromised host, monitor.py executes a shell pipeline that steals: .env files and config files Environment variables filtere","https:\u002F\u002Fs1.ai\u002Fpcpjack","https:\u002F\u002Fwww.sentinelone.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fteampcp-pcpjacked.jpg","2026-05-07T16:54:44+00:00","2026-05-07T17:00:08.265+00:00",9,[18,21,23,25,28,31],{"name":19,"type":20},"PCPJack","threat_actor",{"name":22,"type":20},"TeamPCP",{"name":24,"type":20},"VECT",{"name":26,"type":27},"SentinelLABS","vendor",{"name":29,"type":30},"Aqua Security Trivy","product",{"name":32,"type":30},"LiteLLM","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":33,"icon":35,"name":36,"slug":37},null,"Malware","malware",[39,44,49],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":45},{"id":46,"icon":35,"name":47,"slug":48},"c70f3a41-2f0c-4608-870d-b8cbcd8be076","Cloud Security","cloud-security",{"category":50},{"id":51,"icon":35,"name":52,"slug":53},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[55,59,61,64],{"type":56,"value":57,"context":58},"url","hxxps:\u002F\u002Fspm-cdn-assets-dist-2026[.]s3[.]us-east-2[.]amazonaws[.]com","Attacker-controlled AWS S3 bucket hosting PCPJack payload downloads (worm.py, parser.py, lateral.py, etc.)",{"type":37,"value":19,"context":60},"Cloud credential theft framework and worm propagating across exposed cloud infrastructure",{"type":37,"value":62,"context":63},"bootstrap.sh","Initial dropper script that sets up environment and downloads PCPJack Python modules",{"type":37,"value":65,"context":66},"monitor.py (aka worm.py)","Main orchestrator script executing credential harvesting and lateral movement"]