PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale
SentinelLABS discovered PCPJack, a cloud-focused worm designed to harvest credentials at scale while actively evicting artifacts of a rival threat actor, TeamPCP. The framework targets exposed cloud services like Docker, Kubernetes, and Redis for propagation and lateral movement, notably omitting cryptomining payloads in favor of credential theft and Sliver C2 deployment.
Authors: SentinelLABS
Source: SentinelOne
- Domain cdn[.]cloudfront-js[.]com: Typosquatted domain used for data exfiltration.
- Domain lastpass-login-help[.]com: Phishing domain hosted on attacker infrastructure, likely used for credential harvesting.
- File /var/lib/.spm/monitor.py: Primary orchestrator script for PCPJack, established for persistence.
- File /var/tmp/apt-daily-upgrade: Sliver C2 beacon binary dropped on disk, disguised as a system upgrade process.
- IP 161[.]97[.]129[.]25: Hardcoded attacker infrastructure IP excluded from targeting.
- IP 161[.]97[.]135[.]154: Hardcoded attacker infrastructure IP excluded from targeting.
- IP 161[.]97[.]163[.]87: Hardcoded attacker infrastructure IP excluded from targeting.
- IP 161[.]97[.]186[.]175: Hardcoded attacker infrastructure IP excluded from targeting.
- IP 161[.]97[.]187[.]42: Hardcoded attacker infrastructure IP excluded from targeting.
- IP 193[.]187[.]129[.]143: Hardcoded attacker infrastructure IP excluded from targeting.
- IP 213[.]136[.]80[.]73: Hardcoded attacker infrastructure IP excluded from targeting.
- IP 38[.]242[.]204[.]245: Hardcoded attacker infrastructure IP excluded from targeting.
- IP 38[.]242[.]237[.]196: Hardcoded attacker infrastructure IP excluded from targeting.
- IP 38[.]242[.]245[.]147: Attacker infrastructure IP hosting the LastPass phishing domain.
- IP 83[.]171[.]249[.]231: Hardcoded attacker infrastructure IP excluded from targeting.
- URL hxxps://cdn[.]cloudfront-js[.]com:8443/u: Typosquatted CloudFront domain used for exfiltration by the Sliver C2 toolset.
- URL hxxps://spm-cdn-assets-dist-2026[.]s3[.]us-east-2[.]amazonaws[.]com: Attacker-controlled S3 bucket used to host PCPJack Python payloads.
What Happened
Security researchers have found a new malicious program called PCPJack that infects cloud computer systems. It is designed to steal passwords and access keys for various online services, while also kicking out a rival hacker group called TeamPCP from the infected machines. This is important because the stolen information can be used for financial fraud, spam, or sold to other criminals. Organizations should protect their cloud environments by using strong password management, requiring multi-factor authentication, and securing exposed services like Docker and Kubernetes.
Key Takeaways
- PCPJack is a cloud worm framework focused on credential theft and actively evicting artifacts of a rival threat actor, TeamPCP.
- Unlike typical cloud malware, PCPJack does not deploy cryptominers, focusing instead on monetizing stolen credentials for fraud, spam, or resale.
- The malware propagates laterally and externally by exploiting exposed Docker, Kubernetes, Redis, MongoDB, and RayML services.
- A secondary toolset deployed by the attacker drops Sliver C2 beacons and an extensive credential harvester script.
- Command and Control (C2) communication is handled via Telegram, with payloads encrypted using ChaCha20-Poly1305.
Affected Systems
- Linux systems
- Cloud Infrastructure (AWS, Azure, GCP)
- Docker
- Kubernetes
- Redis
- MongoDB
- RayML
Vulnerabilities (CVEs)
- React2Shell
Attack Chain
The attack begins with the execution of a bootstrap shell script, which prepares the environment, removes rival TeamPCP malware, and downloads Python payloads from an attacker-controlled S3 bucket. The orchestrator script then executes, harvesting credentials from local files, cloud metadata services, and container secrets. The worm propagates laterally and externally by scanning for and exploiting exposed Docker, Kubernetes, Redis, MongoDB, and RayML services. Stolen data is encrypted and exfiltrated via Telegram, while a secondary toolset may deploy Sliver C2 beacons for persistent remote access.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules (YARA, Sigma, etc.) but outlines behavioral indicators, file paths, and network ports for hunting.
Detection Engineering Assessment
- EDR Visibility: Medium — EDR can detect the creation of unusual systemd services, cron jobs, and suspicious Python/Bash executions, but containerized environments might have limited EDR coverage.
- Network Visibility: Medium — Network monitoring can catch outbound connections to the Telegram API, unusual ports being scanned internally, and connections to the known malicious S3 bucket.
- Detection Difficulty: Moderate — The malware uses legitimate tools (Python, Bash) and services (Telegram, S3) which blend in with normal traffic, but its aggressive scanning and credential harvesting behavior creates detectable noise.
Required Log Sources
- Process Creation Logs
- File Creation Logs
- Network Connection Logs
- Container/Kubernetes Audit Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for Python processes executing from unusual hidden directories like /var/lib/.spm/. | Process Creation Logs, File Creation Logs | Execution/Persistence | Low |
| Look for unexpected modifications to crontabs or the creation of systemd services named sys-monitor.service running Python scripts. | Process Creation Logs, System Logs | Persistence | Medium |
| Monitor for internal network scanning targeting ports 2375 (Docker), 2376 (Docker), 8265 (RayML), and 27017 (MongoDB) originating from containerized workloads. | Network Connection Logs | Lateral Movement | Medium |
| Investigate unusual access to the AWS Instance Metadata Service (IMDS) from containers or instances that do not typically require it. | Network Connection Logs, Cloud Audit Logs | Credential Access | Medium |
| Hunt for the creation of files named lateral_done or harvest.jsonl in temporary or working directories. | File Creation Logs | Collection/Lateral Movement | Low |
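As an added illustration (not code from the SentinelLABS report or this summary), the following Python applies the five hunting hypotheses above to a constructed batch of normalised telemetry; the event schema and its field names are assumptions, so map your own EDR and flow-log fields onto them.

```python
# Hunting checks for the five hypotheses in the table above, run over constructed sample telemetry.
# The event schema (type/image/cmdline/path/src/dst/port/container) is an assumption, not a real product format.
from collections import defaultdict

HIDDEN_DIR = "/var/lib/.spm/"
WATCHED_UNIT = "sys-monitor.service"
SCAN_PORTS = {2375: "Docker", 2376: "Docker", 8265: "RayML", 27017: "MongoDB"}
MARKER_FILES = {"lateral_done", "harvest.jsonl"}
IMDS = "169.254.169.254"
SCAN_THRESHOLD = 3  # distinct (host, port) targets on watched ports before one source is called a scanner

def hunt(events, scan_threshold=SCAN_THRESHOLD):
    """Return a list of (hypothesis, detail) hits; scan hits are emitted after all events are seen."""
    hits = []
    targets = defaultdict(set)  # src -> {(dst, port)} on the service ports the worm probes
    for ev in events:
        t = ev["type"]
        if t == "process":
            cmd = ev["cmdline"]
            # H1: Python launched from the hidden working directory
            if "python" in ev["image"] and HIDDEN_DIR in cmd:
                hits.append(("python_from_hidden_dir", cmd))
            # H2: persistence via crontab edits or the named systemd unit
            if WATCHED_UNIT in cmd or ev["image"].endswith("crontab"):
                hits.append(("persistence_cron_or_systemd", cmd))
        elif t == "file_create":
            # H5: worm/harvester marker files, wherever they are written
            if ev["path"].rsplit("/", 1)[-1] in MARKER_FILES:
                hits.append(("marker_file", ev["path"]))
        elif t == "netconn" and ev.get("container"):
            # H4: IMDS access from a container not flagged as needing it
            if ev["dst"] == IMDS and not ev.get("imds_expected"):
                hits.append(("unexpected_imds_access", ev["src"]))
            # H3: accumulate per-source targets on Docker/RayML/MongoDB ports
            elif ev["port"] in SCAN_PORTS:
                targets[ev["src"]].add((ev["dst"], ev["port"]))
    for src, tgts in targets.items():
        if len(tgts) >= scan_threshold:
            hits.append(("internal_service_scan", f"{src} -> {len(tgts)} targets"))
    return hits

# Constructed sample telemetry (not from the report): benign events mixed with the hunted behaviours.
SAMPLE_EVENTS = [
    {"type": "process", "image": "/usr/bin/python3", "cmdline": "python3 /var/lib/.spm/monitor.py"},
    {"type": "process", "image": "/usr/bin/python3", "cmdline": "python3 /opt/app/server.py"},
    {"type": "process", "image": "/usr/bin/systemctl", "cmdline": "systemctl enable sys-monitor.service"},
    {"type": "file_create", "path": "/var/lib/.spm/harvest.jsonl"},
    {"type": "netconn", "src": "10.0.1.7", "dst": IMDS, "port": 80, "container": True},
    {"type": "netconn", "src": "10.0.1.7", "dst": "10.0.2.1", "port": 2375, "container": True},
    {"type": "netconn", "src": "10.0.1.7", "dst": "10.0.2.2", "port": 2376, "container": True},
    {"type": "netconn", "src": "10.0.1.7", "dst": "10.0.2.3", "port": 27017, "container": True},
]
```

Tune SCAN_THRESHOLD and the imds_expected flag to your environment; a single connection to a database port is normal, a fan-out across several hosts from one container is not.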
Control Gaps
- Lack of IMDSv2 enforcement
- Unauthenticated access to internal Docker/Kubernetes APIs
- Missing egress filtering for container environments
Key Behavioral Indicators
- Python scripts decrypting strings using XOR and MD5 hashes
- Bash scripts executing pkill against known threat actor process names
- Sliver C2 binaries dropped as apt-daily-upgrade
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider searching for and isolating hosts communicating with the identified S3 bucket or CloudFront typosquat domain.
- Evaluate whether to rotate credentials for any services exposed on compromised hosts, especially cloud provider keys, database passwords, and SSH keys.
Infrastructure Hardening
- If applicable, enforce IMDSv2 across all AWS environments to prevent unauthorized metadata access.
- Consider restricting access to Docker sockets and Kubernetes management APIs, ensuring authentication is required even on internal networks.
- Evaluate implementing network segmentation to prevent lateral movement between containerized workloads and internal databases.
User Protection
- Consider utilizing enterprise secret management vaults instead of storing credentials in plaintext .env files or shell histories.
- Where supported by your tooling, enforce Multi-Factor Authentication (MFA) for all service accounts and API access.
Security Awareness
- Consider training developers on the risks of hardcoding secrets in source code or configuration files.
MITRE ATT&CK Mapping
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- T1059.006 - Command and Scripting Interpreter: Python
- T1105 - Ingress Tool Transfer
- T1053.003 - Scheduled Task/Job: Cron
- T1543.002 - Create or Modify System Process: Systemd Service
- T1552.001 - Credentials In Files
- T1552.005 - Cloud Instance Metadata API
- T1552.007 - Container API
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1071.001 - Application Layer Protocol: Web Protocols
- T1610 - Deploy Container
- T1021.004 - Remote Services: SSH
Additional IOCs
- File Paths:
  - /var/lib/.spm/ - Working directory created by the PCPJack bootstrap script.
  - /var/lib/.spm/_cr/ranges.json - File storing downloaded cloud service provider IP ranges.
  - /tmp/.cache_v2 - Temporary directory created by the Sliver post-implant harvester script.
- Command Lines:

| Command | Purpose | Tools | Stage |
|---|---|---|---|
| rm -f "$0" | Self-deletion of the initial bootstrap script after execution. | rm | Execution/Defense Evasion |
| pkill -9 -f | Eviction of rival threat actor (TeamPCP) processes. | pkill | Defense Evasion/Impact |
| systemctl stop | Stopping services associated with rival threat actor TeamPCP. | systemctl | Defense Evasion/Impact |