PCPJack Credential Stealer Exploits Multiple CVEs to Target and Infiltrate Cloud Systems


Cybersecurity experts have recently uncovered a sophisticated credential theft framework named PCPJack, which specifically targets exposed cloud infrastructures. This malicious tool not only harvests sensitive credentials but also aggressively removes any traces associated with the notorious TeamPCP group from the compromised environments.

According to SentinelOne security researcher Alex Delamotte, PCPJack is engineered to infiltrate cloud services such as Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications. Its design enables it to propagate in a worm-like manner, facilitating lateral movement within compromised networks. The primary objective of these attacks appears to be the illicit generation of revenue through credential theft, fraud, spam, extortion, or the resale of stolen access.

What sets PCPJack apart is its significant overlap with TeamPCP’s targeting strategies. TeamPCP gained prominence in late 2025 by exploiting known security vulnerabilities and misconfigurations in cloud services to build a vast network for data theft and other post-exploitation activities. However, unlike TeamPCP, PCPJack does not incorporate a cryptocurrency mining component. This absence suggests that PCPJack might be the work of a former TeamPCP member familiar with the group’s methodologies but pursuing different objectives.

Attack Methodology:

The attack initiates with a bootstrap shell script designed to prepare the environment by configuring the payload host and downloading subsequent tools. This script also infects its own infrastructure, terminates and removes processes linked to TeamPCP, installs Python, establishes persistence, downloads six Python scripts, launches the orchestration script, and then self-deletes.

The six Python payloads include:

1. worm.py (monitor.py): Acts as the main orchestrator, launching specific modules, conducting local credential theft, propagating the toolset to other hosts by exploiting known vulnerabilities, and using Telegram for command-and-control (C2) communications.

2. parser.py (utils.py): Handles credential extraction, categorizing stolen keys and secrets.

3. lateral.py (_lat.py): Facilitates reconnaissance, secret harvesting, and enables lateral movement across SSH, Kubernetes, Docker, Redis, RayML, and MongoDB services.

4. crypto_util.py (_cu.py): Encrypts credentials before exfiltrating them to the attacker’s Telegram channel.

5. cloud_ranges.py (_cr.py): Collects IP address ranges assigned to major cloud service providers and refreshes the data every 24 hours.

6. cloud_scan.py (_csc.py): Conducts cloud port scanning for external propagation via Docker, Kubernetes, MongoDB, RayML, or Redis services.
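The two-name scheme above (each script is dropped under a descriptive name and an abbreviated one) gives a defender something concrete to hunt for on hosts that expose the services the article lists. The script below is an added example, not SentinelOne's or the article's code: it walks a directory tree, flags files carrying any of the twelve payload names, and raises the severity when a flagged file contains a Telegram Bot API string (the article says C2 runs over Telegram; the `api.telegram.org/bot` indicator, the drop directories and the severity thresholds are assumptions). Common names such as `parser.py` or `utils.py` alone are rated low, because they occur in countless legitimate projects.

```python
"""Host hunt for the PCPJack payload file names described in the article.

Added example, not SentinelOne's or the article's code. The file names are
taken from the article; the Telegram C2 indicator, the hunt directories and
the severity rules are assumptions made for illustration.
"""
import os
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Payload names from the article: each script was seen under two names.
PAYLOAD_NAMES = {
    "worm.py", "monitor.py",       # orchestrator
    "parser.py", "utils.py",       # credential parser
    "lateral.py", "_lat.py",       # lateral movement
    "crypto_util.py", "_cu.py",    # encryption before exfiltration
    "cloud_ranges.py", "_cr.py",   # cloud provider IP ranges
    "cloud_scan.py", "_csc.py",    # cloud port scanner
}
# Names that are common in benign code and therefore weak on their own.
GENERIC_NAMES = {"parser.py", "utils.py", "monitor.py"}
# Assumed indicator: a Telegram bot client has to call api.telegram.org/bot<token>/...
TELEGRAM_RE = re.compile(rb"api\.telegram\.org/bot")
# Assumed common drop locations on a Linux host.
DEFAULT_HUNT_DIRS = ["/tmp", "/var/tmp", "/dev/shm", "/root", "/home"]


def scan_tree(root, max_bytes=1_000_000):
    """Return one finding per file whose name matches a payload name."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in PAYLOAD_NAMES:
                continue
            path = Path(dirpath) / name
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_bytes)   # bound the read for huge files
            except OSError:
                continue
            findings.append({
                "path": str(path),
                "name": name,
                "telegram_c2_string": bool(TELEGRAM_RE.search(head)),
            })
    return findings


def triage(findings):
    """Group findings by directory and assign a severity per directory."""
    by_dir = defaultdict(list)
    for f in findings:
        by_dir[str(Path(f["path"]).parent)].append(f)
    report = {}
    for directory, hits in by_dir.items():
        names = {h["name"] for h in hits}
        if any(h["telegram_c2_string"] for h in hits) or len(names) >= 3:
            severity = "high"      # C2 string, or most of the toolset in one place
        elif names - GENERIC_NAMES:
            severity = "medium"    # a distinctive name such as _lat.py or _csc.py
        else:
            severity = "low"       # only names that benign projects also use
        report[directory] = {"severity": severity, "names": sorted(names)}
    return report


def make_sample_tree():
    """Constructed sample data for a dry run: one directory resembling a drop
    and one ordinary project. No real malware; the Telegram URL is a placeholder."""
    root = Path(tempfile.mkdtemp(prefix="pcpjack-hunt-"))
    drop = root / "drop"
    drop.mkdir()
    (drop / "_lat.py").write_text("# constructed stand-in, contains no real code\n")
    (drop / "_cu.py").write_text(
        "URL = 'https://api.telegram.org/bot0:PLACEHOLDER/sendDocument'\n")
    proj = root / "proj"
    proj.mkdir()
    (proj / "utils.py").write_text("def helper():\n    return 1\n")
    (proj / "README.md").write_text("ordinary project\n")
    return root


if __name__ == "__main__":
    # Dry run on constructed data, then the assumed drop directories of this host.
    sample = make_sample_tree()
    print(triage(scan_tree(sample)))
    for d in DEFAULT_HUNT_DIRS:
        if Path(d).is_dir():
            for directory, info in triage(scan_tree(d)).items():
                print(f"{info['severity']:6} {directory}: {', '.join(info['names'])}")
```

A `high` hit should be treated as a host compromise indicator and fed into the same response path as the persistence and self-deletion behaviour described above; `medium` and `low` hits need a look at the file contents before anyone acts on them.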

The orchestrator script sources its propagation targets from parquet files obtained directly from Common Crawl, a non-profit organization that crawls the web and provides public access to its archives and datasets.

Exploited Vulnerabilities:

PCPJack exploits several known vulnerabilities to facilitate its spread and infiltration:

– CVE-2025-55182: A critical vulnerability allowing unauthorized access to cloud services.

– CVE-2025-29927: A flaw in Docker that permits remote code execution.

– CVE-2026-1357: A Kubernetes vulnerability enabling privilege escalation.

– CVE-2025-9501: A Redis misconfiguration leading to unauthorized data access.

– CVE-2025-48703: A MongoDB security issue allowing data exfiltration.

Implications and Recommendations:

The emergence of PCPJack underscores the evolving threats targeting cloud infrastructures. Organizations must adopt a proactive approach to cybersecurity by:

– Regularly Updating Systems: Ensure all software and systems are up-to-date with the latest security patches to mitigate known vulnerabilities.

– Implementing Strong Access Controls: Utilize multi-factor authentication and strict access controls to limit unauthorized access.

– Conducting Regular Security Audits: Perform periodic security assessments to identify and remediate potential vulnerabilities.

– Monitoring Network Activity: Employ continuous monitoring solutions to detect and respond to suspicious activities promptly.

– Educating Employees: Provide ongoing cybersecurity training to staff to recognize and avoid potential threats.
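The access-control and monitoring points above are easiest to act on with a concrete check for the exposure PCPJack relies on: the Docker, Kubernetes, Redis, MongoDB and RayML services the article names, listening on an address other than loopback. The script below is an added example, not SentinelOne's or the article's code. It parses the Linux `/proc/net/tcp` and `/proc/net/tcp6` socket tables (hex little-endian addresses, state `0A` = LISTEN) and reports watched services bound to non-loopback addresses. The default port numbers and the rule "any non-loopback listener counts as exposed" are assumptions; the parser is kept separate from the file reads so it can also be run over socket tables captured from other hosts, and the embedded sample tables are constructed, not captured.

```python
"""Audit the local socket table for the services PCPJack propagates through.

Added example, not the article's or SentinelOne's code. The service list is the
article's; the default ports and the exposure rule are assumptions. Reads the
Linux /proc/net/tcp and /proc/net/tcp6 tables; the parser also accepts captured
text, which is what the constructed sample below exercises.
"""
import ipaddress
import socket
import struct
from pathlib import Path

# Assumed default ports for the services named in the article.
WATCHED_PORTS = {
    2375: "Docker API (plaintext TCP)",
    2376: "Docker API (TLS)",
    6443: "Kubernetes API server",
    10250: "Kubelet API",
    6379: "Redis",
    27017: "MongoDB",
    8265: "Ray dashboard",
}
LISTEN_STATE = "0A"


def _decode_ipv4(hex_ip):
    # /proc/net/tcp stores an IPv4 address as one little-endian 32-bit word.
    return socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))


def _decode_ipv6(hex_ip):
    # /proc/net/tcp6 stores an IPv6 address as four little-endian 32-bit words.
    words = [struct.pack("<I", int(hex_ip[i:i + 8], 16)) for i in range(0, 32, 8)]
    return socket.inet_ntop(socket.AF_INET6, b"".join(words))


def parse_listeners(table_text):
    """Return (address, port) for every socket in LISTEN state in a socket table."""
    listeners = []
    for line in table_text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN_STATE:
            continue
        hex_ip, hex_port = fields[1].split(":")
        addr = _decode_ipv4(hex_ip) if len(hex_ip) == 8 else _decode_ipv6(hex_ip)
        listeners.append((addr, int(hex_port, 16)))
    return listeners


def is_loopback(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:   # ::ffff:127.0.0.1 and friends
        ip = ip.ipv4_mapped
    return ip.is_loopback


def exposed_services(table_text):
    """Watched services that listen on a wildcard or non-loopback address."""
    return [
        {"service": WATCHED_PORTS[port], "addr": addr, "port": port}
        for addr, port in parse_listeners(table_text)
        if port in WATCHED_PORTS and not is_loopback(addr)
    ]


def audit_host():
    """Run the check against this host's socket tables (Linux only)."""
    findings = []
    for table in ("/proc/net/tcp", "/proc/net/tcp6"):
        if Path(table).exists():
            findings += exposed_services(Path(table).read_text())
    return findings


# Constructed sample tables: Redis on loopback only, Docker API and MongoDB on
# 0.0.0.0, one established Redis connection, a web server on port 80, the
# Kubernetes API on [::] and a second Redis listener on ::1.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:18EB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0947 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:6989 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:18EB 0100007F:C4F2 01 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 20 4 30 10 -1
   4: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10005 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:192B 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:18EB 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    print("sample:", exposed_services(SAMPLE_TCP) + exposed_services(SAMPLE_TCP6))
    print("host:  ", audit_host())
```

A listener on `0.0.0.0` or `::` is reachable from every interface, and on most Linux hosts a `::` socket also accepts IPv4, so both are reported as exposed. A hit means the service is reachable without the host firewall or network policy doing anything; it does not by itself say whether authentication is enabled, so the next step is to verify that the service requires credentials or TLS client certificates and to restrict the bind address or firewall the port.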

By implementing these measures, organizations can enhance their defenses against sophisticated threats like PCPJack and safeguard their cloud infrastructures from potential breaches.