PROBABLYPWNED
Malware | May 10, 2026 | 3 min read

PCPJack Worm Kicks Out Rivals, Steals Cloud Credentials at Scale

SentinelLABS uncovers PCPJack, a credential-stealing worm that removes TeamPCP infections before harvesting API keys from Docker, Kubernetes, and cloud services. Five CVEs enable worm-like spread.

James Rivera

A new credential-stealing worm called PCPJack is spreading across cloud infrastructure with an unusual twist: it systematically removes infections from the competing TeamPCP group before taking over compromised systems. SentinelLABS researchers discovered the framework in late April while hunting for Kubernetes-focused threats on VirusTotal.

Unlike the cryptomining-focused TeamPCP worm that compromised 60,000+ servers earlier this year, PCPJack skips mining entirely. The operators appear focused on harvesting credentials from cloud providers, financial services, and messaging platforms—suggesting monetization through fraud, spam campaigns, or resale of stolen access.

How PCPJack Spreads

The worm exploits five vulnerabilities to propagate across exposed cloud services:

  1. CVE-2025-29927 (CVSS 8.8) - Next.js middleware authentication bypass
  2. CVE-2025-55182 (CVSS 9.0) - Server Actions deserialization flaw in React/Next.js
  3. CVE-2026-1357 (CVSS 9.8) - WPVivid Backup unauthenticated file upload
  4. CVE-2025-9501 (CVSS 9.0) - W3 Total Cache PHP injection
  5. CVE-2025-48703 (CVSS 9.x) - CentOS Web Panel shell injection

The spreading module specifically targets exposed Docker APIs (ports 2375/2376), Kubernetes clusters, Redis instances, MongoDB databases, and RayML machine learning infrastructure. SentinelLABS noted that PCPJack parses Common Crawl parquet files to discover targets—a distributed approach that eliminates the need for central coordination.

Credential Harvesting at Industrial Scale

Once PCPJack establishes a foothold, it sweeps the system for credentials across multiple categories:

  • Cloud services: AWS credentials from IMDS, Kubernetes service accounts, Docker secrets
  • Financial platforms: Binance, Coinbase, Stripe, Kraken API keys
  • Messaging services: Twilio, Mailgun, SendGrid tokens
  • Enterprise tools: Slack, Office 365 credentials
  • Developer infrastructure: GitHub tokens, SSH keys, Git repository access

Researchers found references to "FTX" in the credential parsing code—likely adapted from legacy tooling written before the exchange collapsed. The collected credentials are encrypted with an X25519 public key and exfiltrated to attacker infrastructure.

Telegram-Based Command and Control

PCPJack uses Telegram for C2 communications. Commands arrive via pinned messages in attacker-controlled channels:

  • RUN - Execute specific modules
  • PARQUET - Override target IP ranges
  • STOP - Halt operations

Data exfiltration also flows through Telegram, making traffic harder to distinguish from legitimate messaging. The infrastructure includes 11 VPS servers geolocated to Germany across multiple IP ranges.

Connection to TeamPCP

The similarities between PCPJack and early TeamPCP campaigns are striking. Both target the same services, use comparable spreading techniques, and emerged from the same threat ecosystem. SentinelLABS assesses that PCPJack may represent a former TeamPCP operator who split from the group after high-profile coverage brought law enforcement attention in early 2026.

The decision to remove TeamPCP artifacts suggests either competitive displacement or an attempt to avoid association with the more visible campaign. Either way, the result is the same: compromised servers now serve PCPJack instead.

Why This Matters

Cloud infrastructure attacks have shifted from opportunistic cryptomining to targeted credential theft. The credentials PCPJack harvests—cloud provider keys, payment processor tokens, enterprise SSO access—enable far more damaging downstream attacks than CPU cycles ever could.

Organizations running exposed Docker, Kubernetes, or Redis instances should audit access controls immediately. The vulnerabilities PCPJack exploits have patches available, but the worm's continued spread indicates many systems remain unpatched. For teams dealing with cloud security incidents, our malware defense guide covers detection fundamentals.
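The audit that paragraph asks for can be started from configuration alone. The Python below is an added example written for this article (not SentinelLABS tooling, not Docker or Redis project code); it checks the two exposure patterns named earlier, a Docker Engine API listening on tcp 2375/2376 without TLS client verification and a Redis instance bound to every interface with no password or ACL user. The sample configurations are constructed and the Redis password is a placeholder; in use, pass it the real contents of /etc/docker/daemon.json, the dockerd ExecStart line from systemd, and redis.conf.

```python
"""Configuration audit for the exposure the article warns about: a Docker
Engine API on tcp 2375/2376 without TLS client verification, and a Redis
instance bound to every interface with no authentication.

Added example written for this article; it is not SentinelLABS tooling or
Docker/Redis project code. The sample configurations are constructed and the
Redis password is a placeholder. Feed it the real /etc/docker/daemon.json,
the dockerd ExecStart line from systemd, and redis.conf.
"""
import json
import re
from dataclasses import dataclass

# Addresses that make a listener reachable from every network interface.
WILDCARD_ADDRS = {"", "0.0.0.0", "::", "*"}


@dataclass(frozen=True)
class Finding:
    component: str
    severity: str  # "critical", "warning", "info" or "error"
    detail: str


def audit_docker_daemon(daemon_json: str, exec_start: str = "") -> list:
    """Flag tcp:// Engine API listeners that lack TLS client verification.

    Listeners come from daemon.json "hosts" and from -H/--host on the dockerd
    command line; unix:// and fd:// sockets are local-only and skipped.
    """
    try:
        cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    except json.JSONDecodeError as exc:
        return [Finding("docker", "error", f"daemon.json is not valid JSON: {exc}")]
    hosts = list(cfg.get("hosts", [])) + re.findall(r"(?:-H|--host)[ =](\S+)", exec_start)
    tls_verify = bool(cfg.get("tlsverify")) or "--tlsverify" in exec_start
    findings = []
    for host in hosts:
        m = re.match(r"tcp://(\[[^\]]*\]|[^:]*)(?::(\d+))?$", host)
        if not m:
            continue
        addr, port = m.group(1).strip("[]"), int(m.group(2) or 2375)
        if addr in WILDCARD_ADDRS and not tls_verify:
            findings.append(Finding("docker", "critical",
                f"Engine API on {host} (port {port}) accepts connections from any "
                "interface without TLS client verification; a caller controls the host"))
    return findings


def audit_redis_conf(redis_conf: str) -> list:
    """Flag a Redis reachable from the network with no password or ACL user."""
    bind_addrs, protected_mode, has_auth = None, "yes", False
    for raw in redis_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip().strip('"')
        if key == "bind":
            bind_addrs = [a.lstrip("-") for a in value.split()]  # "-::1" = optional
        elif key == "protected-mode":
            protected_mode = value.lower()
        elif key == "requirepass" and value:
            has_auth = True
        elif key == "user" and "nopass" not in value.split():
            has_auth = True
    exposed = bind_addrs is None or any(a in WILDCARD_ADDRS for a in bind_addrs)
    if exposed and protected_mode != "yes" and not has_auth:
        return [Finding("redis", "critical",
                        "bound to all interfaces, protected-mode off, no authentication")]
    if exposed and not has_auth:
        return [Finding("redis", "warning",
                        "bound to all interfaces with no password; only protected-mode limits access")]
    if not has_auth:
        return [Finding("redis", "info", "no password; acceptable only on a loopback-only bind")]
    return []


# Constructed sample configurations.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], '
    '"tlsverify": true, "tlscacert": "/etc/docker/ca.pem", '
    '"tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)
WEAK_REDIS_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_REDIS_CONF = (
    "bind 127.0.0.1 -::1\nprotected-mode yes\n"
    "requirepass REPLACE_WITH_A_STRONG_SECRET\n"  # placeholder, not a real secret
)

if __name__ == "__main__":
    checks = [("weak docker", audit_docker_daemon(WEAK_DAEMON_JSON)),
              ("hardened docker", audit_docker_daemon(HARDENED_DAEMON_JSON)),
              ("weak redis", audit_redis_conf(WEAK_REDIS_CONF)),
              ("hardened redis", audit_redis_conf(HARDENED_REDIS_CONF))]
    for label, findings in checks:
        print(label, [f"{f.severity}: {f.detail}" for f in findings] or "no findings")
```

The Docker rules rest on the documented daemon.json keys (`hosts`, `tlsverify`) and the `-H`/`--tlsverify` dockerd flags; the Redis rules on the `bind`, `protected-mode`, `requirepass` and `user` directives. A Redis with no `bind` line is treated as exposed because Redis listens on all interfaces by default and only `protected-mode` holds it back. Kubernetes is left out deliberately: its exposure depends on API server authentication and RBAC rather than on one file, so it needs a different check.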

Indicators of Compromise

Working directory: /var/lib/.spm/

C2 domains:

  • cdn.cloudfront-js.com
  • spm-cdn-assets-dist-2026.s3.us-east-2.amazonaws.com

Attacker public key: 6d4imqQ/s/GfQCVcybdcjfTe/PMYHtZN8ZGHnEXSbRo=

Security teams should hunt for connections to these indicators and audit credential usage from any potentially compromised cloud workloads.
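The hunt that sentence calls for, as an added example (not SentinelLABS code): the Python below matches the indicators listed above against DNS or proxy log lines, a process listing and recovered file contents, then ranks hits by confidence. The log lines, process line and config fragment are constructed; the file name under /var/lib/.spm/ is made up and only the directory comes from the report. One assumption is flagged in the code: the report says command and control and exfiltration run over Telegram but names no host, so api.telegram.org (the Bot API endpoint) is included at medium confidence rather than as a confirmed indicator.

```python
"""Hunt the published PCPJack indicators in DNS/proxy logs, process listings
and file contents.

Added example for this article, not SentinelLABS tooling. The log lines,
process line and config fragment below are constructed; the file name under
/var/lib/.spm/ is made up, only the directory comes from the report. The
Telegram host is an assumption: the report says C2 and exfiltration go over
Telegram but names no host, so api.telegram.org (the Bot API endpoint) is
scored "medium" rather than treated as a confirmed indicator.
"""
from collections import Counter

# indicator -> (kind, confidence)
IOCS = {
    "cdn.cloudfront-js.com": ("c2_domain", "high"),
    "spm-cdn-assets-dist-2026.s3.us-east-2.amazonaws.com": ("c2_domain", "high"),
    "/var/lib/.spm/": ("working_dir", "high"),
    "6d4imqQ/s/GfQCVcybdcjfTe/PMYHtZN8ZGHnEXSbRo=": ("attacker_pubkey", "high"),
    "api.telegram.org": ("telegram_api", "medium"),  # assumption, see docstring
}
# Host names are case-insensitive; the path and the base64 key are matched exactly.
CASE_INSENSITIVE_KINDS = {"c2_domain", "telegram_api"}


def match_line(line: str) -> list:
    """Return (indicator, kind, confidence) for every indicator found in one line."""
    lowered = line.lower()
    hits = []
    for ioc, (kind, confidence) in IOCS.items():
        haystack = lowered if kind in CASE_INSENSITIVE_KINDS else line
        if ioc in haystack:
            hits.append((ioc, kind, confidence))
    return hits


def hunt(lines, source: str) -> list:
    """Scan an iterable of text lines; each hit records where it was seen."""
    results = []
    for number, line in enumerate(lines, 1):
        for ioc, kind, confidence in match_line(line):
            results.append({"source": source, "line": number, "ioc": ioc,
                            "kind": kind, "confidence": confidence})
    return results


def summarize(results) -> Counter:
    """Hit count per indicator kind, so triage starts with the strongest signal."""
    return Counter(r["kind"] for r in results)


# Constructed sample inputs (not real telemetry).
DNS_LOG = [
    "2026-05-10T08:01:12Z 10.0.4.17 query A cdn.cloudfront-js.com",
    "2026-05-10T08:01:13Z 10.0.4.17 query A registry-1.docker.io",
    "2026-05-10T08:02:40Z 10.0.4.17 query A api.telegram.org",
    "2026-05-10T08:03:05Z 10.0.4.22 query A spm-cdn-assets-dist-2026.s3.us-east-2.amazonaws.com",
]
PROCESS_LIST = [
    "root  1832  0.0  0.1 /usr/bin/containerd",
    "root  4410  2.1  0.3 /var/lib/.spm/agent",  # file name made up; directory from the report
]
CONFIG_FRAGMENT = [
    "# constructed fragment of a recovered file",
    'PUBKEY = "6d4imqQ/s/GfQCVcybdcjfTe/PMYHtZN8ZGHnEXSbRo="',
]

if __name__ == "__main__":
    hits = hunt(DNS_LOG, "dns") + hunt(PROCESS_LIST, "ps") + hunt(CONFIG_FRAGMENT, "file")
    for hit in sorted(hits, key=lambda h: h["confidence"] != "high"):
        print(f'{hit["confidence"]:6} {hit["source"]}:{hit["line"]} {hit["kind"]} {hit["ioc"]}')
    print(dict(summarize(hits)))
```

A Telegram hit on its own is weak evidence, since legitimate alerting bots use the same endpoint; it becomes interesting on a workload that has no business messaging, or when it sits next to a high-confidence hit from the same host. The second half of the recommendation, auditing credential usage, is not covered here because it runs against each provider's own access logs rather than host telemetry.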
