PCPJack
PCPJack is a Linux-focused credential-theft malware framework and worm targeting exposed cloud and container infrastructure. SentinelOne/SentinelLABS reported it in April-May 2026 as a modular toolset that propagates across internet-exposed environments, removes TeamPCP/PCPCat artifacts from compromised systems, and then harvests credentials and secrets at scale. Researchers assessed that PCPJack overlaps heavily with TeamPCP targeting and tradecraft and may be operated by a former TeamPCP affiliate or someone highly familiar with that ecosystem, but there is no conclusive evidence that TeamPCP itself operates PCPJack.
The infection chain begins with a bootstrap shell script that creates a hidden working directory, installs Python 3.6+ and dependencies, downloads additional modules from spm-cdn-assets-dist-2026[.]s3[.]us-east-2[.]amazonaws[.]com, establishes persistence via systemd when run as root or cron when unprivileged, launches the main orchestrator, and self-deletes. PCPJack explicitly searches for and kills TeamPCP processes and removes TeamPCP-related files, containers, services, and persistence artifacts. The framework stores some strings as hex-encoded blobs decrypted with an XOR routine keyed from the MD5 hash of the string urllib3.poolmanager; SentinelLABS also noted operational security mistakes including an exposed Telegram bot token and a hardcoded credential-encryption key.
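The string-obfuscation scheme described above (hex blob, XOR keyed from the MD5 of "urllib3.poolmanager") is simple enough to reverse for triage. The decoder below is an added example written for this page, not code from the PCPJack samples or from SentinelLABS. It assumes the key is the raw 16-byte MD5 digest cycled over the blob; whether the malware uses the raw digest or its hex form is not stated here, so treat that as an assumption to confirm against a real sample. The blob it decodes is constructed inline with the same routine so the example runs offline.

```python
import hashlib

# Key seed named in the reporting: the literal string "urllib3.poolmanager".
KEY_SEED = b"urllib3.poolmanager"
# Assumption: the raw 16-byte digest is the XOR key, repeated over the data.
KEY = hashlib.md5(KEY_SEED).digest()


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """XOR every byte of data against the key, repeating the key as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_blob(hex_blob: str) -> str:
    """Turn a hex-encoded, XOR-obfuscated blob back into its clear-text string."""
    raw = bytes.fromhex(hex_blob.strip())
    return xor_with_key(raw).decode("utf-8", errors="replace")


def encode_string(text: str) -> str:
    """Inverse of decode_blob; used here only to build the constructed sample."""
    return xor_with_key(text.encode("utf-8")).hex()


def decode_all(blobs):
    """Decode a list of candidate blobs; entries that are not valid hex become None."""
    out = []
    for blob in blobs:
        try:
            out.append(decode_blob(blob))
        except ValueError:
            out.append(None)
    return out


# Constructed sample blob, NOT lifted from a PCPJack sample: built with the
# same routine so the decoder can be exercised without any malware on hand.
SAMPLE_BLOB = encode_string("https://example.invalid/run_script.py")

if __name__ == "__main__":
    print(decode_blob(SAMPLE_BLOB))
```

In practice you would pull every long hex literal out of the recovered Python modules (a regex for `[0-9a-f]{32,}` is enough) and feed them to decode_all; strings that decode to readable URLs, paths or process names confirm the key, while garbage output means the key derivation differs from the assumption above.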
PCPJack’s modules support credential harvesting, lateral movement, encrypted exfiltration, and external scanning. It steals .env files, configuration files, environment variables containing secrets, SSH keys, AWS IMDS credentials, Kubernetes service account tokens, Docker secrets, cryptocurrency wallets, and secrets found in git history. Reported targeted services include AWS, GitHub, Slack, WordPress, Stripe, Twilio, SendGrid, Mailgun, Office 365, Binance, Coinbase, Kraken, Solana, Discord, DigitalOcean, Grafana Cloud, Google API, HashiCorp Vault, 1Password, OpenAI, and Anthropic. Exfiltration is performed via Telegram, with stolen data chunked to fit message limits; one reported encryption routine used X25519 ECDH and ChaCha20-Poly1305 with attacker public key 6d4imqQ/s/GfQCVcybdcjfTe/PMYHtZN8ZGHnEXSbRo=, but could fall back to plaintext if the cryptography library was unavailable.
For propagation, PCPJack scans for exposed Docker, Kubernetes, Redis, MongoDB, and RayML services and also targets vulnerable web applications. Reported exploited vulnerabilities include CVE-2025-29927 (Next.js), CVE-2025-55182 (React/Next.js), CVE-2026-1357 (WPVivid Backup), CVE-2025-9501 (W3 Total Cache), and CVE-2025-48703 (CentOS Web Panel). It also uses Kubernetes tokens to enumerate namespaces, pods, Secrets, and ConfigMaps and attempt host escape; abuses Docker APIs to enumerate containers, harvest credentials, and mount host filesystems; abuses Redis for secret collection and persistence; and targets SSH, MongoDB, and RayML for further spread. Researchers reported that PCPJack downloads Common Crawl parquet files and iterates hostname data to generate large-scale propagation targets.
SentinelLABS also identified related tooling on infrastructure tied to PCPJack. A second toolset included check.sh, which harvested credentials, deployed Sliver beacons named update.bin, update-386.bin, and update-arm.bin, and exfiltrated data to cdn[.]cloudfront-js[.]com:8443/u. Separate exposed directories on 213.136.80[.]73, an IP previously linked by SentinelOne to PCPJack C2, revealed a Sliver- and Chisel-based Linux post-compromise pipeline. Recovered artifacts showed stock Chisel binaries for amd64, arm64, and 386 dropped to /var/tmp/.xs, persistence as an xsync systemd service or cron watchdog, reverse SOCKS5 tunnels to 213.136.80[.]73:9000, and continuous verification of which compromised hosts could relay SMTP traffic to smtp.gmail.com:587. State files indicated at least one deployment wave affecting 230 Linux beacons in March 2026. Additional related infrastructure included 45.225.135[.]54, 95.216.111[.]46, 38.242.204[.]245, and 38.242.245[.]147, though researchers noted the strongest linkage rests on shared infrastructure rather than definitive common-operator proof.
PCPJack appears financially motivated and notably does not deploy cryptominers. Reported likely monetization paths include credential theft, fraud, spam enablement, extortion, and resale of stolen access.
Vulnerabilities exploited
5 CVEs Mallory has correlated with this family across public research and vendor advisories.
CVE | Product | Affected versions | Vulnerability class | CVSS
CVE-2025-55182 | React / Next.js | React < 19.0.1; Next.js, multiple release lines | Server Actions deserialization | 9
CVE-2026-1357 | WPVivid Backup (WordPress) | <= 0.9.123 | Unauthenticated null-key file upload | 9.8
CVE-2025-48703 | CentOS Web Panel (CWP) | < 0.9.8.1205 | Filemanager changePerm shell injection | 9.x
CVE-2025-29927 | Next.js | < 12.3.5, 13.5.9, 14.2.25, 15.2.3 | Middleware auth bypass via header | 8.8
CVE-2025-9501 | W3 Total Cache (WordPress) | < 2.8.13 | PHP injection via cached mfunc comment | 9
Evidence cited for all five rows (SentinelLABS): "This module spreads the toolset to targets by exploiting several vulnerabilities in web technologies, including the ubiquitous React2Shell flaw..." and "SentinelLABS has identified PCPJack, a credential theft framework that worms across exposed cloud infrastructure and removes artifacts associated with TeamPCP... Many of the services targeted by the PCPJack framework are similar to the early TeamPCP/PCPCat campaigns from December 2025."
Groups observed using it
1 distinct threat actor attributed by public researchers.
SentinelOne documented PCPJack in April 2026, covering how the campaign gains initial access and harvests credentials from compromised Linux servers.
Techniques & procedures
33 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
This module spreads the toolset to targets by exploiting several vulnerabilities in web technologies, including the ubiquitous React2Shell flaw: CVE-2025-29927 Next.js ... CVE-2025-55182 React / Next.js ... CVE-2026-1357 WPVivid Backup ... CVE-2025-9501 W3 Total Cache ... CVE-2025-48703 CentOS Web Panel.
Execution
3 techniques
If not root, create two crontabs ... For persistence, _rwc performs a Redis cron rewrite, resulting in a cron job that fires bootstrap.sh every 5 minutes as root.
The infection begins with bootstrap.sh, a shell script designed for Linux systems. This script serves only to set up the environment and download additional payloads.
Download six Python modules from the attacker’s S3 URL in the following order: worm.py, parser.py, lateral.py, crypto_util.py, cloud_ranges.py, cloud_scan.py.
Persistence
4 techniques
If not root, create two crontabs ... For persistence, _rwc performs a Redis cron rewrite, resulting in a cron job that fires bootstrap.sh every 5 minutes as root.
The malware collects an unusually wide range of secrets, including SSH keys... Once inside, the worm harvests SSH keys and moves laterally...
A sophisticated new malware framework called PCPJack has been found actively targeting cloud environments across the internet... The worm zeroes in on Docker, Kubernetes, Redis, and MongoDB deployments, turning misconfigured or vulnerable systems into footholds...
Privilege Escalation
5 techniques
If not root, create two crontabs ... For persistence, _rwc performs a Redis cron rewrite, resulting in a cron job that fires bootstrap.sh every 5 minutes as root.
Docker is targeted through a privileged container with host escape, Redis through cron injection, and RayML through a weaponized job submission.
The malware collects an unusually wide range of secrets, including SSH keys... Once inside, the worm harvests SSH keys and moves laterally...
Establish persistence: If run as root: create sys-monitor.service, which runs monitor.py, aka worm.py, an orchestrator script.
Lastly, it attempts a container escape by mounting the host filesystem to a new container ... If connected to a remote host, the spreader will bind-mount the root filesystem of the machine running the Docker management service to the remote instance’s /host path, which creates a container escape.
Stealth
3 techniques
Sensitive strings are stored in the source code as a hex-encoded blob instead of clear text ... decrypts it by XORing each byte against the MD5 hash of the string urllib3.poolmanager ... The update binaries are Sliver C2 beacons compiled with the garble obfuscation tool.
The monitor.py script ... starts with logic designed to make the script appear like a benign system monitoring utility ... The binary is saved locally as /var/tmp/apt-daily-upgrade to blend in with system processes.
Find and remove processes or artifacts that match naming conventions referencing TeamPCP or PCPcat process list, services, paths, or containers ... the PCPJack operator even collects success metrics on whether TeamPCP has been evicted from targeted environments in a “PCP replaced” field sent to the C2.
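The persistence and stealth artifacts quoted in the Execution, Persistence, Privilege Escalation and Stealth sections (sys-monitor.service running monitor.py, a cron job firing bootstrap.sh every five minutes, the /var/tmp/apt-daily-upgrade lure binary, the xsync service and /var/tmp/.xs drop directory) are concrete enough to check for on a host. The scanner below is an added example written for this page, not tooling from SentinelLABS or Mallory. It works over a host inventory dict (unit names, cron lines, file paths) that you would collect with systemctl list-unit-files, the files under /etc/cron.d and crontab -l, and a file listing; the inventory used here is constructed, and the artifact names are the ones on this page only, so a real deployment would extend them as new reporting lands.

```python
import re
from dataclasses import dataclass

# Host artifacts named in the reporting summarized on this page.
SUSPICIOUS_UNITS = {"sys-monitor.service", "xsync.service"}
SUSPICIOUS_PATHS = {"/var/tmp/apt-daily-upgrade", "/var/tmp/.xs"}
# Scripts the page names as being launched from cron or systemd persistence.
CRON_SCRIPT_NAMES = ("bootstrap.sh", "monitor.py", "worm.py", "run_script.py")
# Five-minute cadence the page reports for the Redis cron rewrite (*/5 * * * *).
CRON_EVERY_5 = re.compile(r"^\*/5(\s+\*){4}\s")


@dataclass
class Finding:
    source: str   # "systemd", "cron" or "path"
    value: str    # the offending unit name, cron line or path
    reason: str


def check_units(unit_names):
    """Flag systemd unit names that match the reported persistence units."""
    return [Finding("systemd", u, "unit name matches reported persistence artifact")
            for u in unit_names if u in SUSPICIOUS_UNITS]


def check_cron(cron_lines):
    """Flag cron entries that launch a reported script; note the */5 cadence."""
    findings = []
    for line in cron_lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # comments and blank lines cannot fire anything
        names = [n for n in CRON_SCRIPT_NAMES if n in stripped]
        if not names:
            continue
        reason = "cron entry references " + ", ".join(names)
        if CRON_EVERY_5.match(stripped):
            reason += " on a */5 cadence"
        findings.append(Finding("cron", stripped, reason))
    return findings


def check_paths(paths):
    """Flag the exact artifact paths and anything dropped under /var/tmp/.xs."""
    return [Finding("path", p, "path matches reported drop location")
            for p in paths if p in SUSPICIOUS_PATHS or p.startswith("/var/tmp/.xs/")]


def scan_host(inventory):
    """Run every check over one host's inventory and return the combined findings."""
    return (check_units(inventory.get("systemd_units", []))
            + check_cron(inventory.get("cron_lines", []))
            + check_paths(inventory.get("paths", [])))


# Constructed inventory for a single host; NOT collected from a real system.
SAMPLE_INVENTORY = {
    "systemd_units": ["ssh.service", "cron.service", "sys-monitor.service", "xsync.service"],
    "cron_lines": [
        "0 3 * * * root /usr/bin/apt-get update",
        "*/5 * * * * root /bin/sh /var/tmp/.cache-x/bootstrap.sh >/dev/null 2>&1",
        "# */5 * * * * root /bin/sh /tmp/old/bootstrap.sh   (commented out)",
    ],
    "paths": ["/usr/lib/apt/apt.systemd.daily", "/var/tmp/apt-daily-upgrade", "/var/tmp/.xs/chisel"],
}

if __name__ == "__main__":
    for f in scan_host(SAMPLE_INVENTORY):
        print(f"[{f.source}] {f.value}: {f.reason}")
```

Unit-name matching is deliberately exact rather than fuzzy: the page names the units, and a loose pattern such as "monitor" would page on legitimate monitoring agents. The cron check is looser on purpose, because the hidden working directory that holds bootstrap.sh is not named in the reporting, so only the script name and cadence are stable.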
Credential Access
5 techniques
Local Credential Theft: On each compromised host, monitor.py executes a shell pipeline that steals: .env files and config files; Environment variables filtered for secrets, API keys, DB & SMTP creds; SSH private keys and targets from known_hosts, ~/.ssh/config, and bash history; AWS IMDS credentials; Kubernetes service account tokens; Docker secrets (/run/secrets/); Cryptocurrency wallets.
The Kubernetes spreading logic _lk checks for a Kubernetes service account token, which is present inside pods mounted in a cluster, then uses the service account to authenticate with the Kubernetes management API to enumerate namespaces and pods in the cluster.
Analyzing this script led us to discover a full framework dedicated to cloud credential harvesting and propagating onto other systems... This portion of the infection targets environment variables, config files, SSH keys, Docker secrets, Kubernetes tokens...
The script runs commands against each container to: Extract credentials from a list of file names and paths associated with secret stores; Harvest SSH private keys; Query the AWS Instance Metadata Service (IMDS); this works only in environments where IMDSv2 is not strictly enforced.
then kills TeamPCP processes and removes TeamPCP artifacts before harvesting npm, GitHub, and cloud credentials.
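The IMDS credential theft quoted above works only where IMDSv2 is not strictly enforced, which makes the instance metadata options the control to audit. The function below is an added example for this page, not vendor code; it takes the response shape of boto3's ec2.describe_instances() (Reservations, Instances, MetadataOptions, HttpTokens, HttpEndpoint and HttpPutResponseHopLimit are real fields of that API) and reports instances that still answer IMDSv1 requests. The input used here is constructed rather than fetched, and the container_hosts parameter and the hop-limit rule applied to it are this example's own design choice: on an instance that runs containers, a PUT-response hop limit above 1 lets a process inside a container network namespace obtain a token, which is exactly the setting a worm spreading through Docker would benefit from.

```python
# Audit EC2 metadata options for settings that let a local process read role
# credentials from IMDS without an IMDSv2 session token.

def imds_findings(describe_instances_response, container_hosts=frozenset()):
    """Return [(instance_id, [reasons])] for instances with weak IMDS settings.

    describe_instances_response follows boto3's ec2.describe_instances() shape.
    container_hosts (assumption: supplied by the caller) lists instance IDs that
    run containers; on those a hop limit above 1 is flagged as well.
    """
    flagged = []
    for reservation in describe_instances_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # no metadata endpoint to abuse on this instance
            reasons = []
            if opts.get("HttpTokens") != "required":
                reasons.append("HttpTokens is not 'required' (IMDSv1 GET requests are answered)")
            hop = opts.get("HttpPutResponseHopLimit", 1)
            if inst["InstanceId"] in container_hosts and hop > 1:
                reasons.append(f"HttpPutResponseHopLimit={hop} on a container host")
            if reasons:
                flagged.append((inst["InstanceId"], reasons))
    return flagged


def remediation_commands(flagged):
    """Build the AWS CLI calls that enforce IMDSv2 on each flagged instance."""
    return [
        f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
        "--http-tokens required --http-endpoint enabled"
        for instance_id, _reasons in flagged
    ]


# Constructed describe_instances() output; the instance IDs are placeholders.
SAMPLE_RESPONSE = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaaaaaaaaaaaaaaa",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0bbbbbbbbbbbbbbbb",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0cccccccccccccccc",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0dddddddddddddddd",
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    ]}]
}

if __name__ == "__main__":
    for instance_id, reasons in imds_findings(SAMPLE_RESPONSE, {"i-0cccccccccccccccc"}):
        print(instance_id, "->", "; ".join(reasons))
    for cmd in remediation_commands(imds_findings(SAMPLE_RESPONSE)):
        print(cmd)
```

Enforcing HttpTokens=required closes the IMDSv1 path; the hop-limit reason is informational and only matters where workloads in their own network namespaces should not be able to assume the instance role at all.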
Discovery
4 techniques
cloud_scan.py ... scans external cloud services and attempts to propagate by looking for ports indicating exposed Docker, Kubernetes, MongoDB, RayML, or Redis services. When a target responds on a matching port, cloud_scan.py scans the entire /24 subnet for the responding IP.
PCPJack... then kills TeamPCP processes and removes TeamPCP artifacts before harvesting npm, GitHub, and cloud credentials.
PCPJack, a cloud worm that scans for exposed Docker, Kubernetes, Redis, MongoDB, and RayML services...
The Kubernetes spreading logic _lk ... uses the service account to authenticate with the Kubernetes management API to enumerate namespaces and pods in the cluster. The Docker propagation function _ld ... lists all running containers.
Lateral Movement
5 techniques
Once inside, the worm harvests SSH keys and moves laterally by enumerating Kubernetes clusters and Docker daemons, then replicating itself to every reachable host.
The SSH propagation module _ls searches SSH key store locations ... parses ~/.ssh/known_hosts, ~/.ssh/config, and .bash_history for username and host combinations ... These combinations are tried against any hosts running SSH. On access, it runs bootstrap.sh on the remote machine to propagate the worm.
The cloud_ranges.py module ... collects a list of IP addresses assigned to AWS, Azure, Cloudflare, Cloudfront, Fastly, and Google Cloud Platform (GCP) ... cloud_scan.py scans external cloud services and attempts to propagate.
Infections start when already-infected systems look for exposed services, including Docker, Kubernetes, Redis, MongoDB, and RayML, as well as exposed web applications. Once it finds a vulnerable environment, it runs a shell script on the target system...
On access, it runs bootstrap.sh on the remote machine to propagate the worm.
Collection
1 technique
Researchers also noted that the malware exfiltrates data to Telegram after encrypting it and splitting it into small chunks to fit message limits.
Command and Control
2 techniques
bootstrap.sh sets several key variables, including PAYLOAD_HOST ... The main functionality of bootstrap.sh is ... Download six Python modules from the attacker’s S3 URL ... RUN downloads a module from the attacker’s payload storage, saves it as run_script.py, and executes the script.
SentinelOne’s analysis also uncovered a Sliver-based backdoor on the attacker’s staging server, compiled in three variants to support x86_64, x86, and ARM system architectures. This backdoor grants the operator persistent remote access even after initial exploitation ends.
Exfiltration
3 techniques
It is called by monitor.py to exfiltrate the encrypted data before it is sent to the attacker’s Telegram channel ... The script then exfiltrates stolen data to hxxps://cdn[.]cloudfront-js[.]com:8443/u.
Researchers also noted that the malware exfiltrates data to Telegram after encrypting it and splitting it into small chunks to fit message limits.
It then encrypts all stolen data using X25519 ECDH and ChaCha20-Poly1305 before sending it to a Telegram channel, broken into small chunks to comply with message size limits.
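The network side of this family is where most of the usable indicators sit: the S3 module-staging host and the cdn.cloudfront-js.com exfiltration endpoint from the Command and Control and Exfiltration sections, the related-infrastructure IPs (including the 213.136.80.73:9000 Chisel reverse-SOCKS endpoint and the smtp.gmail.com:587 relay checks) from the infrastructure paragraph, and Telegram as the exfiltration channel. The detector below is an added example for this page, not tooling from SentinelLABS or Mallory. It runs over constructed outbound-flow records in a made-up whitespace format (timestamp, source host, destination IP, destination port, destination hostname or "-"); the indicator values are the ones on this page with defanging removed, and api.telegram.org is an assumption, being the public Telegram Bot API hostname rather than a value the page states.

```python
# Outbound-flow triage against the network indicators reported for PCPJack.

# Hostnames reported on this page (written defanged there).
IOC_HOSTS = {
    "spm-cdn-assets-dist-2026.s3.us-east-2.amazonaws.com": "PCPJack module staging host",
    "cdn.cloudfront-js.com": "check.sh exfiltration endpoint",
}
# IPs the page links to PCPJack C2 or related infrastructure.
IOC_IPS = {"213.136.80.73", "45.225.135.54", "95.216.111.46", "38.242.204.245", "38.242.245.147"}
CHISEL_ENDPOINT = ("213.136.80.73", 9000)  # reverse SOCKS5 tunnel target from the page
# Behavioural indicators: assumption that Telegram exfil uses the public Bot API host.
TELEGRAM_API_HOST = "api.telegram.org"
SMTP_RELAY_CHECK = ("smtp.gmail.com", 587)


def parse_line(line):
    """Parse one constructed record: ts src dst_ip dst_port dst_host."""
    ts, src, dst_ip, dst_port, dst_host = line.split()
    return {"ts": ts, "src": src, "dst_ip": dst_ip, "dst_port": int(dst_port), "dst_host": dst_host}


def classify(rec, mail_allowlist=frozenset()):
    """Return the reasons a single flow record is suspicious (empty if none).

    mail_allowlist holds source hosts that are legitimately allowed to submit
    mail; servers outside it contacting smtp.gmail.com:587 get flagged.
    """
    reasons = []
    if rec["dst_host"] in IOC_HOSTS:
        reasons.append("destination host is a reported indicator: " + IOC_HOSTS[rec["dst_host"]])
    if rec["dst_ip"] in IOC_IPS:
        reasons.append("destination IP is reported PCPJack-related infrastructure")
        if (rec["dst_ip"], rec["dst_port"]) == CHISEL_ENDPOINT:
            reasons.append("port matches the reported Chisel reverse SOCKS endpoint")
    if rec["dst_host"] == TELEGRAM_API_HOST:
        reasons.append("Telegram Bot API contacted from a server")
    if (rec["dst_host"], rec["dst_port"]) == SMTP_RELAY_CHECK and rec["src"] not in mail_allowlist:
        reasons.append("outbound SMTP submission to smtp.gmail.com from a non-mail host")
    return reasons


def scan_flows(text, mail_allowlist=frozenset()):
    """Return (src, destination, reasons) for every suspicious record in text."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = classify(rec, mail_allowlist)
        if reasons:
            dest = rec["dst_host"] if rec["dst_host"] != "-" else rec["dst_ip"]
            hits.append((rec["src"], dest, reasons))
    return hits


# Constructed flow records; non-indicator destinations use documentation ranges.
CONSTRUCTED_FLOWS = """\
2026-05-02T10:00:01Z app-01 203.0.113.10 443 www.example.com
2026-05-02T10:00:07Z app-01 203.0.113.20 443 api.telegram.org
2026-05-02T10:00:09Z app-02 213.136.80.73 9000 -
2026-05-02T10:00:12Z app-03 203.0.113.30 443 spm-cdn-assets-dist-2026.s3.us-east-2.amazonaws.com
2026-05-02T10:00:15Z app-02 203.0.113.40 587 smtp.gmail.com
2026-05-02T10:00:20Z app-01 203.0.113.50 443 pypi.org
"""

if __name__ == "__main__":
    for src, dest, reasons in scan_flows(CONSTRUCTED_FLOWS):
        print(f"{src} -> {dest}: {'; '.join(reasons)}")
```

The exact-match indicator checks age quickly, which is why the two behavioural rules are kept separate: application servers have no business talking to the Telegram Bot API or submitting mail to Gmail, and those signals survive the attacker rotating a bucket or an IP.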
Impact
1 technique
That part of the infection downloads the worm itself, along with modules to enable lateral movement, parse credentials and encrypt them for exfiltration...
IOCs tracked for this family
37 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
A Linux-focused malware/toolset used to gain initial access and harvest credentials from compromised servers; the recovered infrastructure suggests it feeds a Sliver beacon pool used for follow-on proxy deployment.
Credential-stealing malware framework targeting exposed cloud environments. It uses a Linux shell script to create a hidden workspace, install Python dependencies, download modules, establish persistence, launch an orchestrator, remove TeamPCP artifacts, exfiltrate encrypted data to Telegram, and spread laterally by targeting exposed services and vulnerable web applications.
A cloud worm that scans for exposed services, exploits multiple vulnerabilities for initial access, removes competing TeamPCP artifacts, and harvests npm, GitHub, and cloud credentials.
PCPJack is a cloud-focused malware framework with worm-like propagation that steals credentials and secrets from cloud, container, developer, productivity, financial, and messaging services. It spreads by scanning for exposed services such as Docker, Kubernetes, Redis, MongoDB, and RayML, exploits multiple public vulnerabilities, harvests credentials, moves laterally via SSH/Kubernetes/Docker, encrypts stolen data, and exfiltrates it through attacker-controlled infrastructure and Telegram.