A new worm known as PCPJack is spreading across cloud environments to steal credentials and remove traces of a rival malware called TeamPCP [1].
This shift represents a tactical evolution in cloud-based attacks, as the new malware specifically targets the artifacts of its predecessor to dominate infected systems. By eliminating competing threats, PCPJack ensures it has exclusive access to harvested secrets and reduces the noise that might alert security teams.
The malware targets a wide array of cloud platforms and services globally, including Docker, Kubernetes, Redis, MongoDB, and RayML [4, 5]. To identify high-value targets, the worm utilizes parquet files for discovery, a method that allows it to efficiently scan for sensitive data within cloud storage.
Security researchers said that PCPJack exploits five different common vulnerabilities and exposures (CVEs) to gain entry and propagate [5]. Once inside a system, the worm employs six specific Python modules to facilitate the theft of cloud credentials and secrets [5].
Beyond its primary goal of data theft, the malware actively cleans the environment of TeamPCP infections [3]. This aggressive replacement strategy suggests a high level of coordination among the attackers, who are prioritizing the removal of rival tools to maintain a persistent foothold in the victim's infrastructure.
Analysts said the primary motivation behind the campaign is to harvest cloud credentials to fuel fraud-driven attacks [1, 5]. The breadth of the attack surface—spanning six distinct cloud services [4]—highlights the vulnerability of interconnected cloud ecosystems to worm-like propagation.
The transition from TeamPCP to PCPJack indicates a maturing threat landscape where malware strains compete for the same digital real estate. By integrating multi-CVE exploitation and specific Python-based theft modules, the attackers are moving away from simple credential harvesting toward a more sophisticated, automated lifecycle that includes environmental cleanup to avoid detection.