A sophisticated new malware framework called PCPJack has been found actively targeting cloud environments across the internet, hunting for exposed services and stripping away credentials at scale.
The worm zeroes in on Docker, Kubernetes, Redis, and MongoDB deployments, turning misconfigured or vulnerable systems into footholds for credential theft and financial fraud. What sets it apart from most cloud-targeting malware is its unusual decision to skip cryptocurrency mining entirely, suggesting the operators are focused on a different kind of profit.
PCPJack starts its infection chain with a shell script called bootstrap.sh, which runs quietly on Linux-based cloud systems. That script prepares the environment, installs Python, downloads six specialized modules, sets up persistence, and launches the main orchestrator.
One of its first actions is to scan for and actively remove all traces of a rival threat group called TeamPCP, essentially taking over compromised machines that someone else had already infected, making it unusually competitive among cloud threat actors.
Researchers at SentinelOne identified PCPJack as a credential theft framework with worm-like spreading capabilities. According to SentinelOne security researcher Alex Delamotte, the toolset “harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting to spread to additional hosts.”
The research team believes the actor behind PCPJack may be a former TeamPCP member who left the group and started their own separate operation, given the technical overlap found between both campaigns.
The malware collects an unusually wide range of secrets, including SSH keys, Slack tokens, WordPress database credentials, OpenAI and Anthropic API keys, cloud provider tokens, and cryptocurrency wallet files.
It then encrypts all stolen data using X25519 ECDH and ChaCha20-Poly1305 before sending it to a Telegram channel, broken into small chunks to comply with message size limits. The attacker even tracks whether their cleanup of TeamPCP infections was successful, signaling deliberate and targeted competitive intent rather than opportunistic attack behavior.
PCPJack’s Worm-Like Propagation and CVE Exploitation
PCPJack spreads by actively scanning external cloud infrastructure for exposed services including Docker, Kubernetes, Redis, MongoDB, and RayML. The worm downloads hostname data from Common Crawl parquet files and uses them as scanning targets, letting it discover new victims without hardcoding any addresses directly into the code.
This design allows the attacker to cover up to 104 million potential entries during each cycle without requiring centralised coordination.
The worm exploits five publicly known vulnerabilities to break into new systems. These include CVE-2025-29927, an authentication bypass in Next.js middleware; CVE-2025-55182, a server-side deserialization flaw in React and Next.js known as “React2Shell”; CVE-2026-1357, an unauthenticated file upload vulnerability in WPVivid Backup; CVE-2025-9501, a PHP injection flaw in W3 Total Cache; and CVE-2025-48703, a shell injection issue in CentOS Web Panel.
Once inside, the worm harvests SSH keys and moves laterally by enumerating Kubernetes clusters and Docker daemons, then replicating itself to every reachable host.
Sliver Backdoor and Enterprise-Wide Credential Targeting
SentinelOne’s analysis also uncovered a Sliver-based backdoor on the attacker’s staging server, compiled in three variants to support x86_64, x86, and ARM system architectures. This backdoor grants the operator persistent remote access even after initial exploitation ends.
The binaries are saved locally as update.bin, update-386.bin, and update-arm.bin, designed to blend in with legitimate system maintenance file names to avoid immediately raising suspicion.
.webp)
Beyond cloud infrastructure, PCPJack also targets messaging platforms, financial services, and enterprise productivity tools. The malware scans for credentials tied to services like Discord, DigitalOcean, Grafana Cloud, Google API, HashiCorp Vault, and 1Password, expanding potential damage far beyond a single environment. This wide reach points toward extortion, spam campaigns, and credential resale as the most likely endgame.
.webp)
To reduce exposure, security teams should enforce multi-factor authentication across all cloud accounts and services. Using IMDSv2 in AWS environments is recommended to prevent metadata theft, and proper authentication must be enforced for Docker and Kubernetes API endpoints.
Organisations should follow least-privilege principles, avoid storing secrets in plaintext, and regularly audit environment variables and configuration files for sensitive data.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| URL | hxxps://spm-cdn-assets-dist-2026[.]s3[.]us-east-2[.]amazonaws[.]com | Payload host (PAYLOAD_HOST) used by bootstrap.sh to download additional modules |
| URL | hxxps://cdn[.]cloudfront-js[.]com:8443/u | Credential exfiltration endpoint; typosquats CloudFront over ports 8443/7443 |
| File | bootstrap.sh | Initial dropper shell script; sets up working directory, installs Python, downloads payloads |
| File | monitor.py (worm.py) | Main orchestrator script; manages all modules, credential theft, propagation, and C2 via Telegram |
| File | utils.py (parser.py) | Credential extraction and categorisation module |
| File | _lat.py (lateral.py) | Lateral movement module; targets SSH, Kubernetes, Docker, Redis, RayML, and MongoDB |
| File | _cu.py (crypto_util.py) | Credential encryption module; uses X25519 ECDH and ChaCha20-Poly1305 |
| File | _cr.py (cloud_ranges.py) | Collects IP ranges for AWS, GCP, Azure, Cloudflare, Cloudfront, and Fastly; refreshes every 24 hours |
| File | _csc.py (cloud_scan.py) | External cloud port scanner; targets Docker, Kubernetes, MongoDB, RayML, and Redis |
| File | check.sh | Secondary shell script on attacker infrastructure; detects CPU architecture and fetches Sliver binary |
| File | extractor.py | Credential extraction script targeting environment variables from cloud services |
| File | run_script.py | Script downloaded and executed via Telegram RUN command from attacker C2 |
| File | update.bin | Sliver backdoor binary compiled for x86_64 (64-bit) systems |
| File | update-386.bin | Sliver backdoor binary compiled for x86 (32-bit) or 32-bit containers |
| File | update-arm.bin | Sliver backdoor binary compiled for ARM processor architectures |
| Directory | /var/lib/.spm/ | Hidden working directory created by bootstrap.sh on compromised systems |
| File | /var/tmp/apt-daily-upgrade | Local path where Sliver binary (update.bin) is saved to blend with system processes |
| CVE | CVE-2025-29927 | Authentication bypass in Next.js middleware via crafted header |
| CVE | CVE-2025-55182 | Server Actions deserialization flaw in React and Next.js (“React2Shell”) |
| CVE | CVE-2026-1357 | Unauthenticated file upload in WPVivid Backup plugin |
| CVE | CVE-2025-9501 | PHP injection in W3 Total Cache via cached mfunc comment |
| CVE | CVE-2025-48703 | Shell injection in CentOS Web Panel Filemanager changePerm functionality |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
