PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems
Cybersecurity researchers have disclosed details of a new credential theft framework dubbed PCPJack that targets exposed cloud infrastructure and ousts any artifacts linked to TeamPCP from the environments. "The toolset harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting to spread to additional hosts," SentinelOne security researcher Alex Delamotte said in a report.
The Target: Cloud Infrastructure at Scale
PCPJack is specifically designed to target cloud services like:
- Docker: Container orchestration platforms
- Kubernetes: Cluster management systems
- Redis: In-memory data stores
- MongoDB: NoSQL databases
- RayML: Machine learning frameworks
- Vulnerable web applications: Exposed admin panels and APIs
This targeting allows the operators to spread in a worm-like fashion and move laterally within compromised networks.
The Endgame: Credential Monetization
It's assessed that the end goal of the cloud attack campaign is to generate illicit revenue for the threat actors through:
- Credential theft: Selling access to compromised cloud accounts
- Fraud: Using stolen credentials for financial scams
- Spam: Leveraging compromised infrastructure for mass mailing
- Extortion: Ransoming access or threatening data leaks
- Resale: Selling stolen access on dark web markets
What makes this activity notable is that it lacks a cryptocurrency mining component, unlike TeamPCP. While it's not known why this obvious monetization strategy was not adopted, the similarities between the two clusters indicate that PCPJack could be the work of a former member of TeamPCP who is familiar with the group's tradecraft.
The Attack Chain: Six Python Payloads
The starting point of the attack is a bootstrap shell script that prepares the environment, downloads next-stage tooling, and simultaneously takes steps to infect its own infrastructure, terminate TeamPCP artifacts, install Python, establish persistence, download six Python scripts, launch the orchestration script, and remove itself.
The six Python payloads are:
1. worm.py (monitor.py)
The main orchestrator that:
- Launches purpose-built modules
- Conducts local credential theft
- Propagates the toolset to other hosts by exploiting known flaws (CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703)
- Uses Telegram for command-and-control (C2)
2. parser.py (utils.py)
Handles credential extraction to categorize stolen keys and secrets.
3. lateral.py (_lat.py)
Facilitates reconnaissance, harvests secrets, and enables lateral movement across:
- SSH
- Kubernetes
- Docker
- Redis
- RayML
- MongoDB
4. crypto_util.py (_cu.py)
Encrypts credentials before exfiltration to the attacker's Telegram channel.
5. cloud_ranges.py (_cr.py)
Collects IP address ranges assigned to:
- Amazon Web Services (AWS)
- Google Cloud
- Microsoft Azure
- Cloudflare
- CloudFront
- Fastly
The data is refreshed every 24 hours to maintain an up-to-date target list.
6. cloud_scan.py (_csc.py)
Runs cloud port scanning for external propagation via Docker, Kubernetes, MongoDB, RayML, or Redis services.
The Data Source: Common Crawl
Propagation targets for the orchestrator script come from parquet files that the worm pulls directly from Common Crawl, a non-profit that crawls the web and provides its archives and datasets to the public free of charge.
This is a brilliant (and sinister) innovation: instead of scanning randomly, the worm uses pre-indexed internet-wide scan data to find exposed cloud infrastructure efficiently.
The TeamPCP Connection: A Splinter Group?
What makes PCPJack particularly interesting is its relationship with TeamPCP, a threat actor that rose to prominence late last year by exploiting known security vulnerabilities and misconfigurations in cloud services.
Key observations:
- Significant targeting overlaps: Same cloud services, same vulnerabilities
- Active eviction: PCPJack removes TeamPCP artifacts from compromised environments
- "PCP replaced" metrics: The operator tracks whether TeamPCP has been evicted and reports this to C2
- No cryptocurrency mining: Unlike TeamPCP, PCPJack doesn't deploy miners
- Well-defined crypto credential scopes: Despite no mining, the worm specifically targets cryptocurrency-related credentials
SentinelOne notes: "When exfiltrating system information and credentials, the PCPJack operator even collects success metrics on whether TeamPCP has been evicted from targeted environments in a 'PCP replaced' field sent to the C2. This implies a direct focus on the threat actor's activities rather than pure cloud attack opportunism."
The assessment: PCPJack could be the work of a former member of TeamPCP who is familiar with the group's tradecraft and is now competing directly with their former associates.
Additional Infrastructure: Sliver C2 Framework
Further analysis has uncovered another shell script ("check.sh") that:
- Detects the CPU architecture
- Fetches the appropriate Sliver binary (an open-source C2 framework)
- Scans Instance Metadata Service (IMDS) endpoints
- Scans Kubernetes service accounts
- Scans Docker instances for credentials
Targeted credentials include those associated with:
- Anthropic
- Digital Ocean
- Discord
- Google API
- Grafana Cloud
- HashiCorp Vault
- OnePassword
- OpenAI
These credentials are transmitted to an external server for monetization.
Reflection: The Industrialization of Cloud Crime
1. The Worm-Like Propagation Model
PCPJack represents the evolution of cloud attacks from "manual intrusion" to "automated epidemic." By exploiting known CVEs and using Common Crawl data for target selection, the worm can spread exponentially without human intervention.
This is the cloud equivalent of the Mirai botnet—but instead of IoT cameras, it's infecting cloud infrastructure. The implications are staggering:
- Speed: Thousands of systems can be compromised in hours
- Scale: No manual effort required per victim
- Resilience: Decentralized, worm-like spread makes takedown difficult
2. The Common Crawl Weaponization
Using Common Crawl for target selection is ingenious. Common Crawl provides:
- Comprehensive coverage: Billions of web pages indexed
- Free access: No cost to the attacker
- Regular updates: Fresh data constantly available
- Legitimacy: It's a respected research resource, not a hacker tool
This turns a public good into a weapon. The attackers don't need to scan the internet themselves (which would be slow and noisy). They just download the pre-scanned data and attack the exposed services.
3. The Gang Civil War
The PCPJack vs. TeamPCP dynamic suggests a cybercriminal civil war. A former member (or faction) has split off and is now actively evicting their former associates from compromised infrastructure.
This is unprecedented in cloud crime. We've seen ransomware gangs compete, but not actively evict each other from victims. The "PCP replaced" metric sent to C2 implies:
- Territorial disputes: Cloud infrastructure as "turf"
- Scorekeeping: Tracking eviction success as a metric
- Resource competition: Fighting over the same victim pool
For defenders, this is both good and bad news:
- Good: Attackers are distracted by infighting
- Bad: The competition drives innovation in attack techniques
4. The Telegram C2 Standard
PCPJack uses Telegram for command-and-control, continuing a trend we've seen across multiple campaigns. Telegram offers:
- Legitimate traffic: Telegram API calls blend with normal usage
- Encryption: Built-in TLS makes inspection difficult
- Resilience: Hard to take down (decentralized infrastructure)
- Ease of use: Simple bot API for C2 commands
For security teams, blocking Telegram is not feasible (it's a legitimate communication platform). This means behavioral detection is the only option.
5. The Absence of Mining
PCPJack's lack of cryptocurrency mining is puzzling. Cryptojacking is:
- Easy to deploy: Miners are readily available
- Passive income: Earns money without additional victim interaction
- Low risk: Mining itself isn't illegal (using stolen compute is, but hard to trace)
The fact that PCPJack avoids mining but specifically targets cryptocurrency credentials suggests:
- Higher-value targets: Stealing crypto wallets is more profitable than mining
- Operational security: Mining creates noticeable CPU load, increasing detection risk
- Specialization: The operators focus on credential theft, leaving mining to others
Lessons for Cloud Security Teams
1. Assume Exposure
If your cloud infrastructure is internet-accessible, it's on Common Crawl. If it's on Common Crawl, PCPJack (or something like it) will find it. The question is not if you'll be scanned, but when.
2. Patch the Five CVEs
PCPJack exploits five known vulnerabilities:
- CVE-2025-55182
- CVE-2025-29927
- CVE-2026-1357
- CVE-2025-9501
- CVE-2025-48703
If you haven't patched these, you're low-hanging fruit.
3. Segment and Isolate
Cloud services should never be directly internet-accessible unless absolutely necessary:
- Use VPCs and private subnets
- Implement strict security groups
- Require authentication for all services (even Redis, MongoDB)
- Use bastion hosts for administrative access
4. Monitor for Worm Behavior
Watch for:
- Unexpected outbound connections to Telegram APIs
- Rapid scanning activity from cloud instances
- Python processes spawning in containers
- Unknown scripts in /tmp or /var/tmp
- Credential files being accessed en masse
5. Rotate Cloud Credentials
If you suspect compromise:
- Rotate all API keys and access tokens
- Revoke and reissue service account credentials
- Audit IAM policies for unauthorized changes
- Check for unknown enrolled devices or services
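The indicators listed under "Monitor for Worm Behavior" above, turned into detection logic as an added example (not SentinelOne's tooling or the worm's code). It assumes a hypothetical container sensor that emits one key=value record per event with a timestamp, container name, event type, process name and arguments, destination and TLS SNI; the service ports, thresholds and every sample line are my own constructed assumptions.

```python
"""Flag PCPJack-style worm indicators in constructed container telemetry.
Added example, not SentinelOne's tooling or the worm's code: the key=value
log format and every sample line are constructed (documentation IPs only)."""
from collections import defaultdict
from datetime import datetime

# Propagation services named in the report, on their assumed default ports:
# Docker API, Kubernetes API server, MongoDB, Ray dashboard, Redis.
SERVICE_PORTS = {"2375", "6443", "27017", "8265", "6379"}
SCAN_THRESHOLD, SCAN_WINDOW_S = 8, 60  # distinct hosts per port per window

def parse(line):
    """'<iso-ts> k=v k=v ...' -> dict, with 'ts' parsed to a datetime."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for tok in rest.split():
        k, _, v = tok.partition("=")
        rec[k] = v
    return rec

def detect(lines):
    """Return sorted (rule, container) alerts for the three indicators."""
    alerts, conns = set(), defaultdict(list)  # conns: (ctr, port) -> [(ts, host)]
    for rec in map(parse, lines):
        c = rec.get("container", "?")
        if (rec.get("event") == "exec" and rec.get("comm", "").startswith("python")
                and rec.get("args", "").startswith(("/tmp/", "/var/tmp/"))):
            alerts.add(("python-from-tmp", c))  # interpreter on a dropped script
        if rec.get("event") == "connect":
            if rec.get("sni") == "api.telegram.org":  # Bot API egress = C2 channel
                alerts.add(("telegram-api-egress", c))
            host, _, port = rec.get("dst", "").rpartition(":")
            if port in SERVICE_PORTS:
                conns[(c, port)].append((rec["ts"], host))
    for (c, port), seen in conns.items():  # sweep: many hosts, one port, short window
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            hosts = {h for t, h in seen[i:] if (t - t0).total_seconds() <= SCAN_WINDOW_S}
            if len(hosts) >= SCAN_THRESHOLD:
                alerts.add(("service-port-scan:" + port, c))
                break
    return sorted(alerts)

SAMPLE_LOG = [  # constructed: web-1 shows all three indicators, api-2 is benign
    "2026-03-01T10:00:01Z container=web-1 event=exec comm=python3 args=/tmp/_lat.py",
    "2026-03-01T10:00:02Z container=web-1 event=connect dst=203.0.113.9:443 sni=api.telegram.org",
    "2026-03-01T10:00:05Z container=api-2 event=connect dst=203.0.113.20:443 sni=mirror.example.net",
] + [f"2026-03-01T10:00:{10 + i:02d}Z container=web-1 event=connect dst=198.51.100.{i}:6379"
     for i in range(10)]  # ten Redis hosts probed within ten seconds
```

Running `detect(SAMPLE_LOG)` yields three alerts, all for web-1, and none for api-2; the sweep rule is what separates a worm's outbound probing from a handful of legitimate client connections.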
Conclusion
PCPJack represents the industrialization of cloud credential theft. It's not a targeted intrusion—it's a cloud epidemic, spreading automatically across exposed infrastructure, evicting competitors, and harvesting credentials at scale.
The use of Common Crawl for target selection, Telegram for C2, and a modular Python architecture shows a level of sophistication that belies the "script kiddie" stereotype of cloud attackers. This is professional-grade cybercrime, optimized for scale and efficiency.
For cloud security teams, the lesson is clear: exposure equals infection. The only defense is aggressive patching, network segmentation, credential rotation, and behavioral monitoring. In the age of cloud worms, paranoia is a survival skill.