PCPJack Worm Targets Docker, Kubernetes, Redis, MongoDB for Credential Theft
Key Takeaways A novel malware framework, dubbed PCPJack, is actively targeting cloud infrastructure, specifically Docker, Kubernetes, Redis, and MongoDB instances, to steal credentials. PCPJack...
Key Takeaways
- A novel malware framework, dubbed PCPJack, is actively targeting cloud infrastructure, specifically Docker, Kubernetes, Redis, and MongoDB instances, to steal credentials.
- PCPJack distinguishes itself by focusing solely on credential theft and lateral movement, eschewing cryptocurrency mining, and notably removes rival malware (TeamPCP) from compromised systems.
- The worm propagates by exploiting five known vulnerabilities and employs a multi-module infection chain, including a persistent Sliver backdoor, to exfiltrate a broad array of sensitive data.
- Organizations with exposed cloud services are at high risk; immediate patching, robust authentication, and adherence to least-privilege principles are critical for defense.
A sophisticated new threat, the PCPJack worm, has emerged, actively compromising cloud environments to harvest sensitive credentials. This malware framework specifically targets widely used services such as Docker, Kubernetes, Redis, and MongoDB, leveraging misconfigurations and known vulnerabilities to establish a foothold and steal data at scale. Unlike many cloud-focused threats, PCPJack notably bypasses cryptocurrency mining, suggesting a strategic focus on credential acquisition for other illicit gains, such as financial fraud or further network exploitation.
Table Of Content
The infection begins with a shell script named bootstrap.sh, which silently executes on Linux-based cloud systems. This script prepares the environment, installs Python, downloads and deploys six specialized modules, establishes persistence mechanisms, and then launches the main orchestrator component. A distinctive characteristic of PCPJack is its proactive identification and removal of artifacts associated with a competing threat group, TeamPCP, effectively taking over systems already compromised by others. This aggressive behavior highlights a competitive edge rarely observed among cloud-targeting malware operators.
Researchers at SentinelOne were instrumental in identifying and analyzing PCPJack. According to SentinelOne security researcher Alex Delamotte, the malware’s toolkit is designed to “harvest credentials from cloud, container, developer, productivity, and financial services, then exfiltrate the data through attacker-controlled infrastructure while attempting to spread to additional hosts.” The research team posits that the individual or group behind PCPJack might be a former member of TeamPCP, who subsequently launched their own operation, given the technical similarities observed between the two campaigns.
PCPJack is engineered to collect an extensive range of sensitive information, including SSH keys, Slack tokens, WordPress database credentials, API keys for OpenAI and Anthropic, cloud provider access tokens, and cryptocurrency wallet files. This harvested data is then encrypted using X25519 ECDH and ChaCha20-Poly1305 before being exfiltrated to an attacker-controlled Telegram channel. The exfiltration process segments the stolen data into smaller chunks to adhere to Telegram’s message size limits. The attackers even monitor the success of their TeamPCP cleanup operations, underscoring a deliberate, targeted, and competitive approach rather than a purely opportunistic one.
PCPJack’s Worm-Like Propagation and CVE Exploitation
The propagation mechanism of PCPJack is highly automated and worm-like. It actively scans external cloud infrastructure for vulnerable or exposed services, specifically targeting Docker, Kubernetes, Redis, MongoDB, and RayML deployments. To identify potential victims efficiently, the worm downloads hostname data from Common Crawl parquet files, eliminating the need to hardcode target addresses. This method allows the attackers to scan up to 104 million potential entries per cycle without requiring centralized command and control coordination.
PCPJack exploits five previously disclosed vulnerabilities to gain initial access to new systems. These include:
- CVE-2025-29927: An authentication bypass flaw in Next.js middleware.
- CVE-2025-55182: A server-side deserialization vulnerability in React and Next.js, publicly known as “React2Shell.”
- CVE-2026-1357: An unauthenticated file upload vulnerability affecting the WPVivid Backup plugin.
- CVE-2025-9501: A PHP injection vulnerability found in the W3 Total Cache plugin.
- CVE-2025-48703: A shell injection issue within the CentOS Web Panel’s Filemanager changePerm functionality.
Once a system is compromised, the worm proceeds to harvest SSH keys and moves laterally within the network. It enumerates Kubernetes clusters and Docker daemons, then replicates itself to every accessible host, further expanding its reach across the environment.
Sliver Backdoor and Enterprise-Wide Credential Targeting
SentinelOne’s investigation also revealed the presence of a Sliver-based backdoor on the attacker’s staging server. This backdoor is compiled in three variants—for x86_64, x86, and ARM architectures—to ensure broad compatibility. The Sliver backdoor provides the attackers with persistent remote access to compromised systems, even after the initial exploitation vectors may have been mitigated.
To maintain stealth, these backdoor binaries are saved locally with names such as update.bin, update-386.bin, and update-arm.bin. These names are chosen to mimic legitimate system maintenance files, thereby reducing the likelihood of immediate detection.
Beyond core cloud infrastructure, PCPJack extends its targeting to a wide array of messaging platforms, financial services, and enterprise productivity tools. The malware actively scans for credentials related to services including Discord, DigitalOcean, Grafana Cloud, Google API, HashiCorp Vault, and 1Password. This broad scope of credential targeting indicates that the ultimate goals of the attackers likely involve extortion, large-scale spam campaigns, or the lucrative resale of stolen credentials on underground markets.
What You Should Do
- Patch Immediately: Ensure all systems and applications, especially those exposed to the internet like Docker, Kubernetes, Redis, MongoDB, Next.js, React, WPVivid Backup, W3 Total Cache, and CentOS Web Panel, are updated with the latest security patches to address known vulnerabilities, including CVE-2025-29927, CVE-2025-55182, CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703.
- Enforce Multi-Factor Authentication (MFA): Implement MFA across all cloud accounts, services, and critical applications to add an essential layer of security, making credential theft significantly harder to exploit.
- Secure Cloud Metadata Services: For AWS environments, configure and enforce the use of Instance Metadata Service Version 2 (IMDSv2) to prevent unauthorized access to instance metadata, which can contain sensitive credentials.
- Strengthen API Security: Ensure proper authentication and authorization mechanisms are strictly enforced for all Docker and Kubernetes API endpoints, preventing unauthorized access and control.
- Implement Least Privilege: Adhere to the principle of least privilege for all users, services, and applications. Grant only the minimum necessary permissions required for operations to limit potential damage from a compromise.
- Avoid Plaintext Secrets: Never store sensitive credentials, API keys, or tokens in plaintext within code, configuration files, or environment variables. Utilize secure secret management solutions (e.g., HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) for storing and accessing sensitive data.
- Regularly Audit Configurations: Conduct frequent security audits of environment variables, configuration files, and cloud service settings to identify and rectify any exposed sensitive data or misconfigurations.
- Monitor for IoCs: Implement continuous monitoring for the Indicators of Compromise (IoCs) provided by SentinelOne and other threat intelligence sources, including the specified URLs, file names, and directories, to detect and respond to potential PCPJack infections.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.