Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Kratos PhaaS Attacks Microsoft 365 Users to Steal Credentials
July 16, 2026
Critical Zoom Windows Flient Flaw Lets Attackers Take Over Accounts via Network
July 16, 2026
TuxBot v3 IoT Botnet Hijacks Devices, Launches DDoS Attacks with LLM Code
July 16, 2026
Home/Threats/PCPJack Worm Targets Docker, Kubernetes, Redis, MongoDB for Credential Theft
Threats

PCPJack Worm Targets Docker, Kubernetes, Redis, MongoDB for Credential Theft

Key Takeaways A novel malware framework, dubbed PCPJack, is actively targeting cloud infrastructure, specifically Docker, Kubernetes, Redis, and MongoDB instances, to steal credentials. PCPJack...

Sarah simpson
Sarah simpson
May 8, 2026 5 Min Read
54 0

Key Takeaways

  • A novel malware framework, dubbed PCPJack, is actively targeting cloud infrastructure, specifically Docker, Kubernetes, Redis, and MongoDB instances, to steal credentials.
  • PCPJack distinguishes itself by focusing solely on credential theft and lateral movement, eschewing cryptocurrency mining, and notably removes rival malware (TeamPCP) from compromised systems.
  • The worm propagates by exploiting five known vulnerabilities and employs a multi-module infection chain, including a persistent Sliver backdoor, to exfiltrate a broad array of sensitive data.
  • Organizations with exposed cloud services are at high risk; immediate patching, robust authentication, and adherence to least-privilege principles are critical for defense.

A sophisticated new threat, the PCPJack worm, has emerged, actively compromising cloud environments to harvest sensitive credentials. This malware framework specifically targets widely used services such as Docker, Kubernetes, Redis, and MongoDB, leveraging misconfigurations and known vulnerabilities to establish a foothold and steal data at scale. Unlike many cloud-focused threats, PCPJack notably bypasses cryptocurrency mining, suggesting a strategic focus on credential acquisition for other illicit gains, such as financial fraud or further network exploitation.

Table Of Content

  • Key Takeaways
  • PCPJack’s Worm-Like Propagation and CVE Exploitation
  • Sliver Backdoor and Enterprise-Wide Credential Targeting
  • What You Should Do

The infection begins with a shell script named bootstrap.sh, which silently executes on Linux-based cloud systems. This script prepares the environment, installs Python, downloads and deploys six specialized modules, establishes persistence mechanisms, and then launches the main orchestrator component. A distinctive characteristic of PCPJack is its proactive identification and removal of artifacts associated with a competing threat group, TeamPCP, effectively taking over systems already compromised by others. This aggressive behavior highlights a competitive edge rarely observed among cloud-targeting malware operators.

Researchers at SentinelOne were instrumental in identifying and analyzing PCPJack. According to SentinelOne security researcher Alex Delamotte, the malware’s toolkit is designed to “harvest credentials from cloud, container, developer, productivity, and financial services, then exfiltrate the data through attacker-controlled infrastructure while attempting to spread to additional hosts.” The research team posits that the individual or group behind PCPJack might be a former member of TeamPCP, who subsequently launched their own operation, given the technical similarities observed between the two campaigns.

PCPJack is engineered to collect an extensive range of sensitive information, including SSH keys, Slack tokens, WordPress database credentials, API keys for OpenAI and Anthropic, cloud provider access tokens, and cryptocurrency wallet files. This harvested data is then encrypted using X25519 ECDH and ChaCha20-Poly1305 before being exfiltrated to an attacker-controlled Telegram channel. The exfiltration process segments the stolen data into smaller chunks to adhere to Telegram’s message size limits. The attackers even monitor the success of their TeamPCP cleanup operations, underscoring a deliberate, targeted, and competitive approach rather than a purely opportunistic one.

PCPJack’s Worm-Like Propagation and CVE Exploitation

The propagation mechanism of PCPJack is highly automated and worm-like. It actively scans external cloud infrastructure for vulnerable or exposed services, specifically targeting Docker, Kubernetes, Redis, MongoDB, and RayML deployments. To identify potential victims efficiently, the worm downloads hostname data from Common Crawl parquet files, eliminating the need to hardcode target addresses. This method allows the attackers to scan up to 104 million potential entries per cycle without requiring centralized command and control coordination.

PCPJack exploits five previously disclosed vulnerabilities to gain initial access to new systems. These include:

  • CVE-2025-29927: An authentication bypass flaw in Next.js middleware.
  • CVE-2025-55182: A server-side deserialization vulnerability in React and Next.js, publicly known as “React2Shell.”
  • CVE-2026-1357: An unauthenticated file upload vulnerability affecting the WPVivid Backup plugin.
  • CVE-2025-9501: A PHP injection vulnerability found in the W3 Total Cache plugin.
  • CVE-2025-48703: A shell injection issue within the CentOS Web Panel’s Filemanager changePerm functionality.

Once a system is compromised, the worm proceeds to harvest SSH keys and moves laterally within the network. It enumerates Kubernetes clusters and Docker daemons, then replicates itself to every accessible host, further expanding its reach across the environment.

Sliver Backdoor and Enterprise-Wide Credential Targeting

SentinelOne’s investigation also revealed the presence of a Sliver-based backdoor on the attacker’s staging server. This backdoor is compiled in three variants—for x86_64, x86, and ARM architectures—to ensure broad compatibility. The Sliver backdoor provides the attackers with persistent remote access to compromised systems, even after the initial exploitation vectors may have been mitigated.

To maintain stealth, these backdoor binaries are saved locally with names such as update.bin, update-386.bin, and update-arm.bin. These names are chosen to mimic legitimate system maintenance files, thereby reducing the likelihood of immediate detection.

Beyond core cloud infrastructure, PCPJack extends its targeting to a wide array of messaging platforms, financial services, and enterprise productivity tools. The malware actively scans for credentials related to services including Discord, DigitalOcean, Grafana Cloud, Google API, HashiCorp Vault, and 1Password. This broad scope of credential targeting indicates that the ultimate goals of the attackers likely involve extortion, large-scale spam campaigns, or the lucrative resale of stolen credentials on underground markets.

What You Should Do

  • Patch Immediately: Ensure all systems and applications, especially those exposed to the internet like Docker, Kubernetes, Redis, MongoDB, Next.js, React, WPVivid Backup, W3 Total Cache, and CentOS Web Panel, are updated with the latest security patches to address known vulnerabilities, including CVE-2025-29927, CVE-2025-55182, CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703.
  • Enforce Multi-Factor Authentication (MFA): Implement MFA across all cloud accounts, services, and critical applications to add an essential layer of security, making credential theft significantly harder to exploit.
  • Secure Cloud Metadata Services: For AWS environments, configure and enforce the use of Instance Metadata Service Version 2 (IMDSv2) to prevent unauthorized access to instance metadata, which can contain sensitive credentials.
  • Strengthen API Security: Ensure proper authentication and authorization mechanisms are strictly enforced for all Docker and Kubernetes API endpoints, preventing unauthorized access and control.
  • Implement Least Privilege: Adhere to the principle of least privilege for all users, services, and applications. Grant only the minimum necessary permissions required for operations to limit potential damage from a compromise.
  • Avoid Plaintext Secrets: Never store sensitive credentials, API keys, or tokens in plaintext within code, configuration files, or environment variables. Utilize secure secret management solutions (e.g., HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) for storing and accessing sensitive data.
  • Regularly Audit Configurations: Conduct frequent security audits of environment variables, configuration files, and cloud service settings to identify and rectify any exposed sensitive data or misconfigurations.
  • Monitor for IoCs: Implement continuous monitoring for the Indicators of Compromise (IoCs) provided by SentinelOne and other threat intelligence sources, including the specified URLs, file names, and directories, to detect and respond to potential PCPJack infections.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitMalwareSecurityThreatVulnerability

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

NWHStealer malware uses Bun Loader, anti-VM checks, encrypted C2

Next Post

RansomHouse Claims Trellix Source Code Access After Breach

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Multiple Critical Splunk Enterprise Vulnerabilities Allow Path Traversal, Info Disclosure
July 16, 2026
F5 Patches Critical NGINX Vulnerabilities, Preventing Code Execution
July 16, 2026
Critical MacSync Stealer Delivered via Google Ads and Claude AI Chats
July 15, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us