PCPJack Worm Targets Cloud Platforms for Credential Theft

May 8, 2026 Faeem BLOGS 0

Overview Researchers at SentinelOne have discovered a new malware framework called PCPJack, actively targeting cloud environments. Unlike typical cloud malware that focuses on cryptocurrency mining, PCPJack is designed for credential theft and financial fraud, spreading aggressively across exposed services like Docker, Kubernetes, Redis, MongoDB, and RayML.

Infection Chain

  • Initial Dropper: bootstrap.sh shell script installs Python, downloads six modules, sets persistence, and launches orchestrator.
  • Competitive Behavior: Actively removes traces of rival group TeamPCP, signaling targeted intent.
  • Modules: Credential extraction, lateral movement, encryption, cloud scanning, and propagation.
  • Exfiltration: Stolen data encrypted with X25519 ECDH + ChaCha20‑Poly1305, sent in chunks to attacker‑controlled Telegram channels.

Capabilities

  • Credential Theft: SSH keys, Slack tokens, WordPress DB credentials, OpenAI/Anthropic API keys, cloud provider tokens, crypto wallet files.
  • Propagation: Scans external infrastructure using Common Crawl datasets (up to 104M entries per cycle).
  • Exploitation: Leverages five CVEs, including:
    • CVE‑2025‑29927 (Next.js auth bypass).
    • CVE‑2025‑55182 (React2Shell deserialization flaw).
    • CVE‑2026‑1357 (WPVivid Backup unauthenticated upload).
    • CVE‑2025‑9501 (W3 Total Cache PHP injection).
    • CVE‑2025‑48703 (CentOS Web Panel shell injection).
  • Lateral Movement: Enumerates Kubernetes clusters and Docker daemons, replicating across reachable hosts.
  • Persistence: Deploys Sliver backdoor variants (update.bin, update-386.bin, update-arm.bin) disguised as system update files.

Target Scope

  • Cloud Services: AWS, GCP, Azure, Cloudflare, Cloudfront, Fastly.
  • Enterprise Tools: Discord, DigitalOcean, Grafana Cloud, Google API, HashiCorp Vault, 1Password.
  • Endgame: Likely extortion, spam campaigns, and credential resale.

Defensive Guidance

  • Authentication Hardening: Enforce MFA across all cloud accounts.
  • AWS Security: Use IMDSv2 to prevent metadata theft.
  • Container Security: Require authentication for Docker/Kubernetes APIs.
  • Least Privilege: Avoid plaintext secrets; audit environment variables regularly.
  • Network Controls: Block IoCs (payload URLs, Telegram exfil endpoints, malicious domains).

Final Thought

PCPJack represents the next generation of cloud worms, prioritizing credential theft over mining and spreading through both misconfigurations and CVE exploitation. Its ability to hijack cloud, container, and enterprise credentials makes it a multi‑vector threat with implications far beyond infrastructure compromise. For defenders, the lesson is clear: credential hygiene and strict API security are now frontline defenses against cloud‑native malware.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.