PCPJack

PCPJack is a cloud-focused threat actor/framework documented by SentinelOne/SentinelLABS in 2026. The content describes PCPJack as a cloud worm and credential-theft framework that scans for exposed Docker, Kubernetes, Redis, MongoDB, and RayML services, exploits five vulnerabilities for initial access, and then harvests npm, GitHub, and cloud credentials. SentinelLABS also reported that PCPJack terminates TeamPCP processes and removes TeamPCP artifacts from compromised environments before spreading laterally. SentinelLABS assessed with moderate confidence that PCPJack may be operated by a former TeamPCP affiliate based on overlap with the December 2025 PCPCat phase. Separate reporting attributed to PCPJack an active Linux post-compromise operation that hijacked cloud servers associated with AWS, Google Cloud, and Microsoft Azure and converted compromised business servers in the U.S., Europe, and Asia into a covert SMTP relay network. The recovered toolkit used Sliver implants and Chisel tunneling to deploy SMTP-capable proxies across Linux AMD64, ARM64, and x86 systems. Victim-side binaries were dropped as hidden files and persisted at /var/tmp/.xs, with persistence established either as a systemd service named xsync or via a five-minute cron watchdog. Deployer scripts loaded Sliver client configuration, filtered recently active Linux beacons, assigned deterministic SOCKS5 ports in the 10000-14999 range from beacon UUIDs, and in earlier versions tested outbound access to smtp.gmail.com:587 before deployment. A verifier daemon continuously enumerated active tunnel ports, tested SMTP capability via EHLO and STARTTLS, enriched working proxies with exit IP, country, and ASN data, and synchronized verified proxy lists to downstream infrastructure. State artifacts showed at least one completed deployment wave affecting 230 Linux beacons in March 2026. Known alias in the provided content: pcpjack.