The Cloud's New Predator: Why PCPJack's 'Cleaning' Strategy Changes Everything
You'd think a new PCPJack worm targeting cloud infrastructure would be just another day in the office. But PCPJack isn't just another credential stealer; it's actively removing other malware, specifically TeamPCP. That's not just a technical detail; it's a strategic move that tells us something important about the evolving cloud threat landscape.
On platforms like Reddit, especially r/SecOpsDaily, I've seen a lot of discussion about this. People are rightly concerned about a new cloud worm, but the 'turf war' aspect is what really grabs attention. It's unusual, and it makes you wonder about the motivations behind it.
The Incident: The PCPJack Worm's Cloud Turf War
Today, May 7, 2026, we're looking at the PCPJack worm, a new credential theft framework that's spreading like a worm across exposed cloud systems. Its main goal is to steal credentials for illicit revenue – think fraud, spam, extortion, or just selling access. What makes the PCPJack worm stand out, though, is its aggressive behavior towards other malware. It actively seeks out and removes TeamPCP infections, even reporting "PCP replaced" metrics back to its command-and-control (C2) server.
The mainstream narrative, backed by research from sources like Vertex AI Search, points to the PCPJack worm targeting Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications. It's going after cloud services like AWS, Google Cloud, and Azure, and it's specifically harvesting credentials from services like Anthropic, Digital Ocean, Discord, Google API, Grafana Cloud, HashiCorp Vault, OnePassword, and OpenAI. The hypothesis floating around, and one I lean towards, is that the PCPJack worm might be the work of a former TeamPCP member or affiliate. The overlap in targets and the intimate knowledge of TeamPCP's operational methods are too significant to ignore.
How the PCPJack Worm Takes Over Your Cloud
The attack chain for the PCPJack worm is methodical. It starts with initial access via a bootstrap shell script. This script is the workhorse, setting up the environment for the main payload.
Here's how it goes down:
- Initial Foothold: The `bootstrap.sh` script gets executed. This script is designed to prepare the compromised host.
- Environment Setup: It configures the payload host, downloads the next-stage tooling, and even infects its own infrastructure to ensure resilience.
- The 'Cleaning' Operation: This is where the turf war gets real. The script actively terminates and removes any processes or artifacts associated with TeamPCP infections. It's not just avoiding conflict; it's asserting dominance.
- Persistence and Tooling: It installs Python, establishes persistence on the system, and then downloads six Python scripts that form the core of PCPJack's capabilities. After all that, the bootstrap script removes itself to cover its tracks.
Those six Python scripts are where the real damage happens:
- `worm.py` (often disguised as `monitor.py`): This is the main orchestrator. It handles local credential theft and, more critically, propagates the entire toolset to other hosts. It does this by exploiting known vulnerabilities, including CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703. Its C2 communication happens over Telegram.
- `parser.py` (seen as `utils.py`): This script is all about credential extraction, sorting stolen keys and secrets into categories.
- `lateral.py` (named `_lat.py`): This one handles reconnaissance, harvests more secrets, and enables lateral movement across SSH, Kubernetes, Docker, Redis, RayML, and MongoDB services.
- `crypto_util.py` (or `_cu.py`): Before exfiltration, this script encrypts all the stolen credentials using X25519 ECDH and ChaCha20-Poly1305. The encrypted data then goes to the attacker's Telegram channel.
- `cloud_ranges.py` (as `_cr.py`): This script collects IP address ranges for major cloud providers like AWS, Google Cloud, Microsoft Azure, and CDNs like Cloudflare, Cloudfront, and Fastly. It refreshes this data every 24 hours, keeping its target list current.
- `cloud_scan.py` (often `_csc.py`): This script uses the collected IP ranges to run cloud port scans, looking for external propagation opportunities via Docker, Kubernetes, MongoDB, RayML, or Redis services.
The PCPJack worm doesn't just scan random IPs; it pulls propagation targets directly from Parquet files found in Common Crawl data. This shows a level of sophistication in target selection. On top of the Python scripts, an additional shell script, check.sh, detects CPU architecture to fetch the appropriate Sliver binary. It then scans Instance Metadata Service (IMDS) endpoints, Kubernetes service accounts, and Docker instances for credentials, transmitting them to an external server.
Beyond the Headlines: What the PCPJack Worm's 'Turf War' Really Means
The 'turf war' between the PCPJack worm and TeamPCP is more than just two malware families fighting for resources. It's a signal. TeamPCP gained prominence late last year by exploiting vulnerabilities like React2Shell and various misconfigurations, often including a cryptocurrency mining component. The PCPJack worm, while sharing significant target overlaps, explicitly removes these mining functions and focuses solely on credential theft.
As a successor, the PCPJack worm represents a strategic evolution rather than a copy. TeamPCP often weaponized security tools like Trivy, Checkmarx KICS, and LiteLLM for its supply chain attacks. The PCPJack worm, on the other hand, relies on direct exploitation of known CVEs and a more targeted approach using Common Crawl data for propagation. Its use of strong encryption (X25519 ECDH and ChaCha20-Poly1305) for exfiltration to Telegram also points to a more professional, security-conscious operation.
The practical impact for us defenders is clear: this competition means threat actors are vying for control over compromised cloud resources. The PCPJack worm's 'cleaning' behavior suggests a desire for exclusive access, which could mean more focused, persistent, and potentially more damaging attacks from a single actor. It's about maximizing illicit revenue from stolen credentials, not just opportunistic crypto mining. This shift makes detection and response more complex, as you're not just dealing with an infection, but an active struggle for control on your systems.
Defending Against the PCPJack Worm: The New Cloud Reality
Given the PCPJack worm's capabilities, our defense strategies need to adapt. Effective defense isn't just about patching; it's about understanding the motivations behind this new breed of cloud malware.
- Patch and Update: This is non-negotiable. Prioritize patching the vulnerabilities PCPJack exploits: CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703. Keep all your cloud infrastructure components, web applications, and container orchestration systems updated.
- Secure Exposed Infrastructure: Harden your Docker, Kubernetes, Redis, MongoDB, and RayML deployments. This means proper access controls, network segmentation, and minimizing public exposure.
- Monitor for Persistence: Keep an eye out for the persistence mechanisms PCPJack uses, like cron jobs or systemd services. Behavioral monitoring can help catch these.
- Credential Management: Implement strong credential management practices. This includes multi-factor authentication (MFA) for all cloud services and developer tools, regular rotation of API keys, and least privilege access.
- Network Segmentation: Segment your cloud networks to limit lateral movement. If one service gets compromised, it shouldn't give an attacker free rein across your entire environment.
- C2 Detection: Monitor network traffic for suspicious C2 activity, especially connections to Telegram. Look for unusual outbound connections from your cloud instances.
- Tooling Detection: Implement detection rules for the `check.sh` script and the presence or execution of Sliver binaries. These are clear indicators of compromise.
- Cloud-Native Security: Use cloud-native security tools to continuously scan for misconfigurations, exposed services, and suspicious activity within your cloud environments.
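The "Monitor for Persistence", "C2 Detection" and "Tooling Detection" items above, together with the script inventory in the attack-chain section, can be turned into a small host-side indicator check. The following is an added example written for this article, not code from the original post or from any vendor tooling. It uses only the file names the post lists; the split between "distinctive" and "generic" names, the staging-directory heuristic, the log line formats, the `api.telegram.org` host (the public Telegram Bot API endpoint; the post only says "Telegram") and all sample telemetry are this example's own assumptions and constructed data.

```python
"""Added example: flag PCPJack-style persistence entries, Telegram C2
connections and Sliver process names in constructed sample telemetry."""
import re
from dataclasses import dataclass

# Script names the post attributes to PCPJack. Distinctive names are flagged on
# sight; generic ones (monitor.py, utils.py, parser.py, check.sh, bootstrap.sh)
# collide with legitimate files, so they are only flagged when they run from a
# staging directory. That split is this example's heuristic, not the post's.
DISTINCTIVE = {"worm.py", "lateral.py", "_lat.py", "crypto_util.py", "_cu.py",
               "cloud_ranges.py", "_cr.py", "cloud_scan.py", "_csc.py"}
GENERIC = {"bootstrap.sh", "check.sh", "monitor.py", "utils.py", "parser.py"}
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumed common drop locations

# The post says C2 and exfiltration go over Telegram; the Bot API host is a
# known public endpoint and serves as the network indicator here.
TELEGRAM_HOST = "api.telegram.org"


@dataclass(frozen=True)
class Finding:
    kind: str        # "persistence", "c2" or "tooling"
    confidence: str  # "high" or "low"
    evidence: str


PATH_RE = re.compile(r"(/[\w./-]+)")


def check_persistence_entry(entry):
    """Inspect one crontab line or systemd ExecStart= value for a listed script."""
    for path in PATH_RE.findall(entry):
        name = path.rsplit("/", 1)[-1]
        if name in DISTINCTIVE:
            return Finding("persistence", "high", path)
        if name in GENERIC and path.startswith(STAGING_DIRS):
            return Finding("persistence", "low", path)
    return None


def check_connection(record):
    """Inspect one outbound-connection record containing 'dst=<host>:<port>'."""
    m = re.search(r"dst=([\w.-]+):(\d+)", record)
    if m and m.group(1) == TELEGRAM_HOST:
        return Finding("c2", "high", m.group(0))
    return None


def check_process(cmdline):
    """Flag a process whose executable name mentions Sliver. Implants are
    usually renamed, so this is a low-confidence hint to pair with behavior."""
    parts = cmdline.split()
    exe = parts[0].rsplit("/", 1)[-1] if parts else ""
    if "sliver" in exe.lower():
        return Finding("tooling", "low", exe)
    return None


def scan(persistence, connections, processes):
    """Run every check over its input lines and collect the findings."""
    checks = ((persistence, check_persistence_entry),
              (connections, check_connection),
              (processes, check_process))
    findings = []
    for items, fn in checks:
        for item in items:
            f = fn(item)
            if f:
                findings.append(f)
    return findings


# Constructed sample telemetry (not captured from a real host).
SAMPLE_PERSISTENCE = [
    "*/5 * * * * root /usr/bin/python3 /tmp/.cache/monitor.py",
    "ExecStart=/usr/bin/python3 /dev/shm/_lat.py",
    "0 3 * * * root /usr/local/bin/backup.sh",
    "ExecStart=/usr/bin/python3 /opt/app/utils.py",  # generic name, normal dir
]
SAMPLE_CONNECTIONS = [
    "2026-05-07T10:00:00Z src=10.0.1.5 dst=api.telegram.org:443 proto=tcp",
    "2026-05-07T10:00:01Z src=10.0.1.5 dst=10.0.2.20:5432 proto=tcp",
]
SAMPLE_PROCESSES = ["/tmp/sliver-linux", "/usr/sbin/sshd -D"]

if __name__ == "__main__":
    for f in scan(SAMPLE_PERSISTENCE, SAMPLE_CONNECTIONS, SAMPLE_PROCESSES):
        print(f"[{f.confidence}] {f.kind}: {f.evidence}")
```

On the sample data the scan reports the `/tmp/.cache/monitor.py` cron job (low confidence, generic name in a staging directory), the `/dev/shm/_lat.py` unit (high), the Telegram connection (high) and the `sliver-linux` process (low); the `/opt/app/utils.py` unit is not flagged. In practice you would feed it real crontab and unit files, flow logs and process listings, and treat the low-confidence hits as triage leads rather than alerts.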
The Bottom Line on the PCPJack Worm
The PCPJack worm isn't just another threat; it signals a shift in cloud cybercrime. This isn't about simple resource competition; it's about control and a more sophisticated approach to cloud exploitation. The fact that the PCPJack worm actively removes other malware tells us that these actors are serious about owning compromised systems and maximizing their illicit gains. We need to move beyond just reacting to new threats and start anticipating the strategic shifts in how cloud resources are targeted and exploited.