PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems

Cybersecurity researchers at SentinelOne have identified PCPJack, a sophisticated credential-theft framework that targets cloud infrastructure. The framework also actively removes competing malware artifacts associated with the threat actor TeamPCP.

Key Points

  • PCPJack targets cloud services including Docker, Kubernetes, Redis, MongoDB, and RayML to harvest credentials and exfiltrate data.
  • The malware uses a modular Python-based framework to conduct lateral movement, reconnaissance, and automated port scanning.
  • Attackers use Telegram for command-and-control communications and pull target IP ranges from public Common Crawl datasets.
  • The framework specifically identifies and deletes TeamPCP-related processes, suggesting a potential conflict or transition between threat actors.
  • Exploited vulnerabilities include CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703.
  • Stolen data includes API keys and secrets for major platforms like OpenAI, Google, Anthropic, and HashiCorp Vault.

Why it Matters

This campaign highlights an evolving threat landscape where attackers prioritize the systematic displacement of rival malware to secure exclusive access to compromised cloud environments. By targeting high-value developer and financial service credentials, PCPJack poses a significant risk to organizations relying on cloud-native infrastructure and automated service integrations.
Published by info@thehackernews.com (The Hacker News)