Cybersecurity researchers have disclosed details of a sophisticated new credential theft framework, dubbed PCPJack, that targets exposed cloud infrastructure and aggressively evicts competing malicious artifacts, particularly those linked to the prominent TeamPCP threat group, from the environments it compromises. The findings, published on May 7, 2026, by SentinelOne security researcher Alex Delamotte, point to an alarming evolution in cloud-native cyber warfare: threat actors are not only exploiting vulnerabilities but also competing directly for control over compromised resources.
The Emergence of PCPJack: A New Contender in Cloud Exploitation
The discovery of PCPJack marks a significant moment in the ongoing battle for cloud security. Described as a comprehensive toolset, PCPJack is engineered to meticulously harvest credentials across a broad spectrum of services, including cloud platforms, containerization technologies, developer tools, productivity suites, and financial services. Once acquired, this sensitive data is systematically exfiltrated to attacker-controlled infrastructure. A distinguishing feature of PCPJack is its inherent capability for self-propagation, designed to spread rapidly in a worm-like fashion and facilitate lateral movement within compromised networks, amplifying its reach and potential for damage.
SentinelOne’s detailed report highlights the framework’s specific targeting of critical cloud services such as Docker, Kubernetes, Redis, MongoDB, and RayML, alongside vulnerable web applications. These services are often cornerstones of modern enterprise infrastructure, making them high-value targets for threat actors seeking extensive access and control. The ultimate objective behind this expansive cloud attack campaign is believed to be the generation of illicit revenue for the operators. This monetization strategy can manifest in various forms, including direct credential theft leading to account takeovers, financial fraud, the deployment of spam operations, extortion, or the lucrative resale of stolen access credentials on dark web marketplaces. The modular and multi-faceted nature of PCPJack suggests a well-resourced and strategic threat actor behind its deployment.
Echoes of a Predecessor: PCPJack’s Overlap with TeamPCP
What makes PCPJack particularly intriguing to cybersecurity experts is its substantial overlap in targeting and methodology with TeamPCP, a notorious threat actor that gained significant attention in late 2025. TeamPCP became infamous for its aggressive exploitation of known security vulnerabilities and misconfigurations in cloud services. Their tactics included leveraging flaws like "React2Shell" and other weaknesses to enlist compromised endpoints into an ever-expanding botnet, primarily for data theft and a variety of post-exploitation activities, notably cryptocurrency mining. The similarities between PCPJack and TeamPCP have led researchers to speculate on a possible connection, with some suggesting that PCPJack could be the work of a former member of TeamPCP or a splinter group intimately familiar with the original group’s tradecraft and operational procedures.

Despite the striking similarities, a key divergence between the two frameworks lies in their monetization strategies. Unlike TeamPCP, which heavily relied on integrating cryptocurrency mining components into its operations, PCPJack notably lacks this feature. While the precise reasons for this omission remain unclear, especially given the proven profitability of cryptojacking, its absence underscores a deliberate shift in focus towards credential theft and data exfiltration as primary revenue streams. This strategic choice, coupled with PCPJack’s explicit function to terminate and remove TeamPCP artifacts, strongly implies a direct competitive dynamic or even a hostile takeover attempt within the underground cybercrime ecosystem, rather than mere opportunistic exploitation. As Delamotte notes, the collection of "PCP replaced" success metrics by the PCPJack operators, sent back to their command-and-control (C2) servers, underscores a focused intent on displacing the rival group.
The Anatomy of an Attack: From Bootstrap to Exfiltration
The attack chain initiated by PCPJack is meticulously designed and highly automated, beginning with a bootstrap shell script. This script serves as the initial foothold, responsible for preparing the compromised environment for subsequent stages of the attack. Its functions include configuring the payload host, downloading next-stage tooling, and crucially, taking immediate steps to infect its own infrastructure. A critical component of this initial phase is the aggressive termination and removal of any processes or artifacts identified as belonging to TeamPCP, effectively clearing the field for PCPJack’s operations.
Following this environmental preparation and rival eviction, the bootstrap script proceeds to install Python, a prerequisite for the framework’s numerous Python-based payloads. Persistence mechanisms are then established to ensure that PCPJack maintains its presence on the compromised system even after reboots or system resets. The script then downloads a set of six distinct Python scripts, which collectively form the core operational components of the framework. Once these scripts are in place, an orchestration script is launched to coordinate their activities, and the bootstrap script diligently removes itself, leaving minimal traces of the initial intrusion.
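The bootstrap sequence described above lends itself to behavioural detection: no single step is suspicious on its own, but one short-lived shell script whose children kill other processes, install Python, write persistence, launch freshly downloaded .py files and then delete the script itself is. The Python below is an added example, not SentinelOne's tooling or anything recovered from PCPJack; the process records are constructed, and the field names (pid, ppid, exe, argv) are an assumed simplification of EDR or auditd telemetry.

```python
# Added example: flag a shell script whose direct children cover several of the
# bootstrap stages the report describes. Event records below are CONSTRUCTED.
SHELLS = {"sh", "bash", "dash", "ash"}
PKG_MANAGERS = {"apt-get", "apt", "yum", "dnf", "apk", "microdnf"}
KILLERS = {"pkill", "kill", "killall"}
PERSIST_PATHS = ("/etc/cron", "/var/spool/cron", "/etc/systemd", "/etc/rc.local", "/etc/init.d")

def stage_of(ev, script_path):
    """Map one child process to the bootstrap stage it resembles, or None."""
    exe, args = ev["exe"], ev["argv"][1:]
    if exe in KILLERS:
        return "kills_rival_processes"
    if exe in PKG_MANAGERS and "python" in " ".join(args):
        return "installs_python"
    if exe == "crontab" or any(a.startswith(PERSIST_PATHS) for a in args):
        return "sets_persistence"
    if exe.startswith("python") and any(a.endswith(".py") for a in args):
        return "runs_python_payload"
    if exe == "rm" and script_path in args:
        return "deletes_own_script"
    return None

def find_bootstrap_chains(events, min_stages=3):
    """Return {shell_pid: sorted stage names} for every shell script whose
    direct children cover at least min_stages distinct stages."""
    # Shell interpreters launched with a script path as their first argument.
    scripts = {e["pid"]: e["argv"][1] for e in events
               if e["exe"] in SHELLS and len(e["argv"]) > 1}
    hits = {}
    for e in events:
        script = scripts.get(e["ppid"])
        if script is None:
            continue
        stage = stage_of(e, script)
        if stage:
            hits.setdefault(e["ppid"], set()).add(stage)
    return {pid: sorted(s) for pid, s in hits.items() if len(s) >= min_stages}

# Constructed telemetry: a full bootstrap chain (pid 100) next to a benign
# deployment script (pid 200) that only installs Python and must not alert.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "exe": "sh",      "argv": ["sh", "/tmp/bootstrap.sh"]},
    {"pid": 101, "ppid": 100, "exe": "pkill",   "argv": ["pkill", "-9", "-f", "rival_agent"]},
    {"pid": 102, "ppid": 100, "exe": "apt-get", "argv": ["apt-get", "install", "-y", "python3"]},
    {"pid": 103, "ppid": 100, "exe": "crontab", "argv": ["crontab", "-"]},
    {"pid": 104, "ppid": 100, "exe": "python3", "argv": ["python3", "/tmp/orchestrator.py"]},
    {"pid": 105, "ppid": 100, "exe": "rm",      "argv": ["rm", "-f", "/tmp/bootstrap.sh"]},
    {"pid": 200, "ppid": 1,   "exe": "bash",    "argv": ["bash", "/opt/deploy.sh"]},
    {"pid": 201, "ppid": 200, "exe": "apt-get", "argv": ["apt-get", "install", "-y", "python3"]},
]
```

Tune `min_stages` to your environment: three of five catches partial chains (for instance a host where Python was already present) while still ignoring a lone package install.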
While the specific functions of all six Python payloads were not fully detailed in the public disclosure, their modular design suggests a comprehensive suite of capabilities vital for a multi-stage attack:
- Reconnaissance and Scanning Script: Likely responsible for identifying vulnerable services, misconfigurations, and potential lateral movement paths within the compromised network. This could involve scanning for open ports, identifying cloud service metadata, and enumerating user accounts.
- Credential Harvester Script: Dedicated to extracting sensitive credentials from various sources. This would include accessing configuration files, environment variables, browser data, and developer tools where credentials might be stored.
- Data Exfiltration Script: Manages the secure and covert transfer of stolen data from the compromised host to the attacker’s command-and-control infrastructure. This often involves encrypted channels and obfuscation techniques to avoid detection.
- Lateral Movement Script: Utilizes harvested credentials and identified vulnerabilities to spread PCPJack to additional hosts within the network, expanding the scope of the compromise.
- Persistence Script: Reinforces the initial persistence mechanisms or establishes new ones, ensuring long-term access for the threat actors. This could involve modifying system startup scripts, creating scheduled tasks, or leveraging legitimate software features.
- Cleanup/Anti-Forensics Script: Designed to remove traces of PCPJack’s presence, delete logs, and generally obscure the attacker’s activities to hinder incident response and forensic analysis. This script might also be responsible for the explicit removal of TeamPCP artifacts.
Propagation and Advanced Reconnaissance
A particularly innovative aspect of PCPJack’s propagation strategy involves leveraging publicly available datasets for target identification. The orchestrator script pulls propagation targets directly from parquet files provided by Common Crawl. Common Crawl is a non-profit organization that regularly crawls the web and offers its vast archives and datasets to the public free of charge. By utilizing this resource, PCPJack operators can efficiently identify a wide array of potential targets, including exposed services and misconfigured cloud assets, on a massive scale, significantly enhancing its worm-like spread capabilities. This method allows the threat actors to identify new targets without expending resources on active scanning, making their operations more efficient and stealthy.

Further analysis of the threat actor’s infrastructure revealed an additional shell script, "check.sh," which performs sophisticated reconnaissance. This script first detects the CPU architecture of the compromised system to fetch the appropriate binary for Sliver, an open-source command-and-control (C2) framework increasingly favored by threat actors as an alternative to commercial tools like Cobalt Strike. Sliver provides extensive post-exploitation capabilities, including remote code execution, keylogging, and further data exfiltration, making it a powerful asset for persistent access.
Beyond fetching Sliver, "check.sh" also actively scans critical cloud service endpoints for credentials. Its targets include Instance Metadata Service (IMDS) endpoints, Kubernetes service accounts, and Docker instances, all of which commonly hold credentials for a multitude of cloud-based services and applications. The script specifically looks for credentials related to high-value platforms such as Anthropic, DigitalOcean, Discord, Google API, Grafana Cloud, HashiCorp Vault, 1Password, and OpenAI. The harvested credentials are then transmitted to an external server controlled by the threat actors, completing the data theft cycle.
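From the defender's side, the three credential sources check.sh harvests map onto pod-level settings that can be audited before a workload is deployed. The Python below is an added example, not SentinelOne's or any project's code: it walks a Kubernetes Pod manifest (constructed here, in the dict form of its JSON) and reports the conditions that expose the service-account token, the Docker daemon socket, or the node's IMDS to whatever runs inside the pod; the pod name and image are made up.

```python
# Added example: audit a Pod manifest for the conditions that hand a process
# inside the pod the credential sources check.sh harvests. Manifests below are
# CONSTRUCTED; names and images are made up.
DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}

def audit_pod(pod):
    """Return a list of findings for one Pod manifest (dict form of the JSON)."""
    spec = pod["spec"]
    findings = []
    # Kubernetes projects a service-account token into every container unless
    # automount is disabled on the pod (or on the ServiceAccount itself).
    if spec.get("automountServiceAccountToken", True):
        findings.append("service-account token automounted")
    # A hostPath mount of the Docker socket gives anything in the pod control
    # of the node's Docker daemon, and with it every container on the node.
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path in DOCKER_SOCKETS:
            findings.append(f"docker socket mounted from host: {path}")
    # hostNetwork puts the pod in the node's network namespace, so an IMDS
    # hop limit of 1 no longer keeps the pod away from the node's metadata.
    if spec.get("hostNetwork"):
        findings.append("hostNetwork enabled: node IMDS reachable as the node")
    for c in spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"container {c['name']} is privileged")
    return findings

# Constructed manifest with the weak settings, and the same pod hardened.
EXPOSED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ci-runner"},
    "spec": {
        "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{"name": "runner", "image": "example/runner:1",
                        "securityContext": {"privileged": True},
                        "volumeMounts": [{"name": "dock", "mountPath": "/var/run/docker.sock"}]}],
    },
}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ci-runner"},
    "spec": {
        "automountServiceAccountToken": False,
        "containers": [{"name": "runner", "image": "example/runner:1",
                        "securityContext": {"privileged": False,
                                            "allowPrivilegeEscalation": False}}],
    },
}
```

Run the check as an admission-time or CI gate over rendered manifests; a pod that genuinely needs the API should get a dedicated ServiceAccount with narrowly scoped RBAC rather than the default token.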
The Broader Cloud Threat Landscape and Implications
The emergence of PCPJack underscores the escalating sophistication and competitive nature of threats targeting cloud infrastructure. Organizations are increasingly migrating their operations to the cloud, leading to a proliferation of cloud-native applications, containers, and microservices. While offering unparalleled flexibility and scalability, this shift also introduces new attack surfaces and complex security challenges. Misconfigurations, unpatched vulnerabilities, and inadequate access controls remain prevalent issues, providing fertile ground for threat actors like those behind PCPJack and TeamPCP.
Credential theft, in particular, poses a profound risk. Stolen credentials can grant attackers deep access to sensitive data, intellectual property, financial systems, and even control over critical infrastructure. The potential implications range from massive data breaches and regulatory fines to operational disruption, reputational damage, and significant financial losses. The illicit revenue generated from such activities fuels a sophisticated cybercrime economy, making these attacks highly attractive to organized groups.
The modular design of PCPJack, which SentinelOne describes as "well developed" and indicative of an owner who "values making code as a modular framework," highlights a growing trend among advanced threat actors. By breaking down complex attack capabilities into interchangeable modules, they can adapt quickly to new defenses, scale their operations, and maintain persistence across diverse environments. This adaptability makes detection and mitigation significantly more challenging for defenders.

Bolstering Cloud Defenses: Strategies for Resilience
In light of threats like PCPJack, organizations must adopt a proactive and multi-layered approach to cloud security. Key strategies include:
- Strong Identity and Access Management (IAM): Implementing robust IAM policies, including multi-factor authentication (MFA) for all cloud services and privileged access, is paramount. Least privilege principles should be strictly enforced, ensuring users and services only have the minimum necessary permissions.
- Continuous Vulnerability Management: Regularly scanning for and patching known vulnerabilities in cloud services, applications, and container images is crucial. This includes third-party components and open-source libraries.
- Configuration Management and Auditing: Automating configuration checks and regularly auditing cloud environments for misconfigurations can prevent many common attack vectors. Tools for Cloud Security Posture Management (CSPM) are essential here.
- Network Segmentation: Implementing strict network segmentation within cloud environments can limit lateral movement in the event of a breach, confining attackers to a smaller portion of the infrastructure.
- Endpoint Detection and Response (EDR) and Cloud Workload Protection Platforms (CWPP): Deploying advanced security solutions that provide visibility into cloud workloads, containers, and serverless functions can help detect and respond to malicious activity in real-time.
- Threat Intelligence Integration: Staying informed about the latest threat intelligence, particularly regarding emerging cloud-native threats like PCPJack and the tactics of groups like TeamPCP, is vital for anticipating and defending against attacks.
- Incident Response Planning: Developing and regularly testing a comprehensive incident response plan specifically tailored for cloud environments ensures a swift and effective reaction to security incidents, minimizing damage and recovery time.
- Security Awareness Training: Educating employees and developers about common phishing tactics, secure coding practices, and the importance of strong security hygiene can significantly reduce the risk of initial compromise.
Cybersecurity experts universally underscore the critical importance of a holistic approach to cloud security. As threat actors continue to innovate and compete for control over digital assets, organizations must remain vigilant, continuously adapting their defenses to counter evolving threats. The saga of PCPJack and its aggressive eviction of TeamPCP serves as a stark reminder that the cloud landscape is a dynamic and increasingly contested battleground, demanding constant attention and investment in robust security measures. The shift from opportunistic exploitation to competitive eradication highlights a new level of sophistication and strategic thinking within the cybercriminal underworld, necessitating an equally sophisticated and strategic response from the defenders.
