

Ethical Hacking News

A New Credential Thief Emerges: PCPJack's Cloud-Spanning Attacks Expose Vulnerabilities in Cloud Services



A new threat actor has emerged, targeting cloud services across multiple platforms with a modular framework of Python payloads and shell scripts. PCPJack's attacks expose vulnerabilities in cloud services and could be used to generate illicit revenue through credential theft, fraud, spam, extortion, or resale of stolen access. Organizations are advised to take steps to protect themselves from these types of attacks.



  • PCPJack, a new threat actor, has emerged claiming to exploit vulnerabilities in cloud services across multiple platforms.
  • The group uses a modular framework of Python payloads and shell scripts to spread its malware and exfiltrate credentials from various services.
  • PCPJack targets cloud services like Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications for spreading in a worm-like fashion.
  • The threat actor's end goal is to generate illicit revenue through credential theft, fraud, spam, extortion, or resale of stolen access.
  • PCPJack lacks a cryptocurrency mining component, unlike TeamPCP, suggesting it could be the work of a former member familiar with their tradecraft.
  • The attack involves downloading and installing Python scripts to conduct local credential theft, propagate the toolset, and use Telegram for command-and-control.



In recent weeks, a new threat actor has emerged, claiming to exploit vulnerabilities in cloud services across multiple platforms. The group, dubbed PCPJack, has been using a modular framework of Python payloads and shell scripts to spread its malware across cloud-based systems. According to SentinelOne security researcher Alex Delamotte, the toolset harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting to spread to additional hosts.

PCPJack is specifically designed to target cloud services like Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications, allowing the operators to spread in a worm-like fashion, as well as move laterally within the compromised networks. The threat actor's end goal appears to be generating illicit revenue through credential theft, fraud, spam, extortion, or resale of stolen access.

One notable aspect of PCPJack is its similarity to another threat actor known as TeamPCP. While the two groups overlap in targeting, PCPJack lacks the cryptocurrency mining component that TeamPCP uses. The absence of a mining component may be an indication that PCPJack is the work of a former member of TeamPCP who is familiar with their tradecraft.

The attack begins with a bootstrap shell script that prepares the environment and downloads next-stage tooling. Along the way it takes steps to infect its own infrastructure, terminates and removes processes or artifacts associated with TeamPCP, installs Python, establishes persistence, downloads six Python scripts, launches an orchestration script, and removes itself. The six Python payloads are as follows:

- worm.py (written to disk as monitor.py): the main orchestrator, which launches the purpose-built modules, conducts local credential theft, propagates the toolset to other hosts by exploiting known flaws, and uses Telegram for command-and-control
- parser.py (utils.py): extracts and categorizes stolen keys and secrets
- lateral.py (_lat.py): performs reconnaissance, harvests secrets, and enables lateral movement across SSH, Kubernetes, Docker, Redis, RayML, and MongoDB services
- crypto_util.py (_cu.py): encrypts credentials before exfiltration to the attacker's Telegram channel
- cloud_ranges.py (_cr.py): collects the IP address ranges assigned to Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Cloudflare, CloudFront, and Fastly, and refreshes the data every 24 hours
- cloud_scan.py (_csc.py): runs cloud port scanning for external propagation via Docker, Kubernetes, MongoDB, RayML, or Redis services
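The on-disk names above give a defender something concrete to sweep for. As an added example (not code from the article, SentinelOne, or the malware itself), the following Python script walks a filesystem, reports every directory that holds one of the six dropped names, and rates each hit by how distinctive the names are. The file names come from the article; the directory layout it builds, the confidence tiers, and the temporary sample tree are assumptions made for the demonstration.

```python
"""Added example (not from the article, SentinelOne or the malware): sweep a
filesystem for the on-disk file names the article attributes to PCPJack's
six Python payloads and rate each hit by how distinctive the names are."""
import os
import tempfile
from pathlib import Path

# On-disk name -> original payload name (both taken from the article).
PCPJACK_DROPPED_NAMES = {
    "monitor.py": "worm.py (orchestrator, Telegram C2)",
    "utils.py": "parser.py (credential extraction and categorisation)",
    "_lat.py": "lateral.py (lateral movement)",
    "_cu.py": "crypto_util.py (encrypts credentials before exfiltration)",
    "_cr.py": "cloud_ranges.py (cloud IP ranges, refreshed every 24 hours)",
    "_csc.py": "cloud_scan.py (cloud port scanning)",
}
# monitor.py and utils.py are common in legitimate code, so on their own they
# are weak evidence; the underscore-prefixed names are far more distinctive.
WEAK_NAMES = {"monitor.py", "utils.py"}


def classify(matched):
    """Assumed confidence tiers: two or more distinctive names -> high,
    one -> medium, only generic names -> low."""
    distinctive = [name for name in matched if name not in WEAK_NAMES]
    if len(distinctive) >= 2:
        return "high"
    if distinctive:
        return "medium"
    return "low"


def sweep(root):
    """Walk `root` and return one finding per directory that holds any of the
    dropped names, with the matched files and a confidence tier."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        matched = sorted(PCPJACK_DROPPED_NAMES.keys() & set(files))
        if matched:
            findings.append({
                "dir": dirpath,
                "files": matched,
                "payloads": [PCPJACK_DROPPED_NAMES[name] for name in matched],
                "confidence": classify(matched),
            })
    return findings


def build_sample_tree(base):
    """Constructed layout so the example runs offline; not real telemetry."""
    layout = {
        "tmp/.cache": ["monitor.py", "utils.py", "_lat.py", "_cu.py", "_cr.py", "_csc.py"],
        "opt/app": ["utils.py", "main.py"],   # ordinary project: generic name only
        "var/tmp": ["_lat.py"],               # a single distinctive name
        "home/dev/proj": ["README.md"],       # clean directory
    }
    for rel, names in layout.items():
        directory = Path(base) / rel
        directory.mkdir(parents=True, exist_ok=True)
        for name in names:
            (directory / name).write_text("# constructed placeholder\n")


def demo():
    """Build the sample tree in a temp dir and return {relative dir: confidence}."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return {
            os.path.relpath(f["dir"], base).replace(os.sep, "/"): f["confidence"]
            for f in sweep(base)
        }


if __name__ == "__main__":
    for directory, confidence in sorted(demo().items()):
        print(f"{confidence:6s} {directory}")
```

Because monitor.py and utils.py are ordinary names, a directory that holds only one of them is reported at low confidence; a hit is worth escalating when the distinctive underscore-prefixed siblings sit next to it, or when the same host shows outbound traffic to Telegram.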

Propagation targets for the orchestrator script come from Parquet files that the worm pulls directly from Common Crawl, a non-profit that crawls the web and makes its archives and datasets available to the public free of charge.

When exfiltrating system information and credentials, PCPJack collects success metrics on whether TeamPCP has been evicted from targeted environments in a 'PCP replaced' field sent to the C2. This "implies a direct focus on the threat actor's activities rather than pure cloud attack opportunism."
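The article reports that both command-and-control and credential exfiltration go over Telegram, which makes outbound traffic from server-class hosts to the Telegram Bot API a useful network signal. As an added illustration (not from the article or SentinelOne), the following Python detector parses a constructed proxy log, flags requests from server hosts to api.telegram.org, and strips any bot token from the URL before the alert is stored. The log format, the host inventory, and the sample lines are constructed assumptions; only the use of Telegram comes from the article.

```python
"""Added example (not from the article or SentinelOne): flag server-class hosts
that contact the Telegram Bot API in a proxy log, since the article reports
that PCPJack uses Telegram for C2 and credential exfiltration."""
import re
from urllib.parse import urlsplit

# Assumed asset inventory: hosts that have no business talking to Telegram.
SERVER_HOSTS = {"web-01", "k8s-node-03", "redis-02"}
# The article names Telegram; the Bot API hostname is our assumption.
WATCHED_DOMAINS = {"api.telegram.org"}

# Assumed log format: "<epoch> <client host> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
# Telegram bot tokens appear in the URL path as /bot<id>:<secret>/; strip them
# so the alert itself does not carry a credential.
TOKEN_RE = re.compile(r"/bot\d+:[A-Za-z0-9_-]+")

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
1778161802.101 web-01 CONNECT api.telegram.org:443 200
1778161803.220 web-01 POST https://api.telegram.org/bot123456:AAExampleTokenValue/sendMessage 200
1778161804.050 laptop-17 GET https://api.telegram.org/bot987:zz/getMe 200
1778161805.330 redis-02 GET https://example.com/health 200
this line is malformed and must be skipped
""".splitlines()


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def dest_host(method, url):
    """Destination hostname: CONNECT carries host:port, other methods a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def redact(url):
    """Replace an embedded bot token with a placeholder."""
    return TOKEN_RE.sub("/bot<REDACTED>", url)


def detect(lines):
    """Return one alert per request from a server host to a watched domain."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        dest = dest_host(rec["method"], rec["url"])
        if dest in WATCHED_DOMAINS and rec["host"] in SERVER_HOSTS:
            alerts.append({
                "ts": rec["ts"],
                "host": rec["host"],
                "dest": dest,
                "method": rec["method"],
                "url": redact(rec["url"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The workstation line is deliberately left alone: Telegram traffic from a laptop is normal, while the same destination from a web or Redis node is what the article's description of the toolset would produce. Redacting the token in the alert matters because the URL path itself is a live credential for the attacker's bot.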

Further analysis of the threat actor's infrastructure uncovered another shell script ("check.sh") that detects the CPU architecture and fetches the appropriate Sliver binary. It also scans Instance Metadata Service (IMDS) endpoints, Kubernetes service accounts, and Docker instances for credentials associated with Anthropic, Digital Ocean, Discord, Google API, Grafana Cloud, HashiCorp Vault, OnePassword, and OpenAI, and transmits them to an external server.

The similarities between the two toolsets indicate that PCPJack could be the work of a former member of TeamPCP who is familiar with their tradecraft. The threat actor's focus on exfiltrating credentials suggests that they are looking for ways to monetize this stolen data. As such, it is imperative for organizations to take steps to protect themselves from these types of attacks.




Related Information:

  • https://www.ethicalhackingnews.com/articles/A-New-Credential-Thief-Emerges-PCPJacks-Cloud-Spanning-Attacks-Expose-Vulnerabilities-in-Cloud-Services-ehn.shtml
  • https://thehackernews.com/2026/05/pcpjack-credential-stealer-exploits-5.html
  • https://malware.news/t/pcpjack-cloud-worm-evicts-teampcp-and-steals-credentials-at-scale/106761

Published: Thu May 7 14:50:02 2026 by llama3.2 3B Q4_K_M