
After Replacing TeamPCP Malware, 'PCPJack' Steals Cloud Secrets

Dark Reading, archived May 09, 2026

PCPJack makes innovative use of parquet files for stealthy, pre-validated target discovery as it canvasses multiple cloud environments.



Nate Nelson, Contributing Writer
May 7, 2026
5 Min Read

Researchers have spotted a modular cloud worm that will clear you of any infections by the dangerous supply chain attacker "TeamPCP," free of charge. The catch: It wants your secrets.

SentinelLabs named the program "PCPJack" in a new blog post, and described it as "well developed" — effective, with a few inexplicable but superficial oddities. Affected organizations stand to lose secrets associated with their cloud, container, developer, productivity, and financial services, unless they implement cloud security best practices, concealing passwords and keys behind vaults and multifactor checks.

What to Know About PCPJack

In many ways, PCPJack reflects the malware it's built to root out: It scans for open and exploitable cloud services, performs broad sweeps for valuable credentials, then rinses and repeats.

Initial entry is managed by a module called "bootstrap." Besides establishing persistence and downloading the malware's other Python modules, it wastes no time in searching for and killing any processes belonging to TeamPCP.

The main orchestrator script, "monitor," runs next and begins collecting system metrics, much like a benign system monitoring utility. Though this data is of use to the attacker, researchers believe the primary purpose of this scan is to disguise the malware from onlookers. The module then starts stealing local configuration and environment files, along with a variety of cloud, container, and cryptocurrency wallets, tokens, and keys.

The mass of secrets stolen by monitor.py then passes to a module called "utils," which sorts through and categorizes it. Besides those cloud services already named, PCPJack targets email services — Gmail, Microsoft Outlook, Mailchimp — and other popular, miscellaneous cloud applications — AWS, GitHub, Slack, WordPress — as well as the most widely known names in crypto: currencies like Bitcoin and Ethereum, exchanges like Coinbase and Binance, fintech services like Stripe.

As SentinelLabs notes, organizations that conceal their secrets in vaults, require multifactor authentication (MFA) for service accounts, and generally implement good cloud security hygiene can save themselves from the worst of what PCPJack and TeamPCP can do.

PCPJack's Best, and Missing, Features

PCPJack moves laterally both inside a network and to other targets. It hacks into exposed cloud services to steal secrets, and steals secrets to hack into more cloud services. The script that handles lateral movement inside a network, "lat," uses newly stolen secrets to gain access to Kubernetes environments, Docker containers, Redis, remote machines via SSH, and more.

The external propagation logic is more novel. The malware's orchestrator module downloads parquet files from Common Crawl, a nonprofit service popular in data analytics and artificial intelligence (AI) development, which crawls and collects data from the open Web. The malware then scans through this open source (OSS) data for potential targets, and a module called "csc" does the grunt work of exploiting known vulnerabilities to get in. PCPJack also keeps track of which hosts it has already scanned, and prevents multiple instances of itself from scanning the same hosts.

"PCPJack's most novel feature is the use of parquet files for finding new targets," says Alex Delamotte, senior threat researcher at SentinelLabs. "The toolset uses Common Crawl's parquet files for less noisy, pre-validated target discovery. Unlike aimless scanning, it filters for hosts with valid HTTP responses and allows operators to customize targeting by overriding the parquet index for targeted attacks. To my knowledge, no other tools have used parquet files like this."

Hackers vs. Hackers

Threat actors have long built mechanisms into their malware designed to delete other malware infections on targeted systems, or at least "close the door behind them" once their malware is inside. Some kinds of malware — like botnets and cryptominers — demand significant computing resources, which competing programs can eat away at. Cybercriminals might also not want to share in their good fortune, or raise the risk of attention from security teams if another program on the same system is being too loud.

PCPJack is different: It doesn't target other malware broadly; it targets TeamPCP's tooling specifically. TeamPCP is a high-profile, fast-growing threat group, but it's hardly the Morris worm — even a tool like PCPJack that targets similar services is unlikely to run into it in the wild very often. This initially led SentinelLabs researchers to wonder whether PCPJack was actually deployed by a researcher trying to fight TeamPCP infections. The malware's other payloads quickly disabused them of that notion.

SentinelLabs now speculates that PCPJack might have been created by somebody formerly involved with TeamPCP, who's intimately familiar with its tactics, techniques, and procedures (TTPs). Rivalries aren't rare among cybercriminals, and this theory does square with notable yet inconclusive details of both groups' timelines.

On April 19, just before its X account got suspended, TeamPCP made a post that alluded to threat actor "identity theft":

[Image: the TeamPCP post. Source: SentinelLabs]

According to Delamotte, evidence from the attacker's infrastructure suggests that the PCPJack campaign began the week of April 20.

Unexpectedly, PCPJack contains no cryptomining functionality. In the niche of cloud cybercrime, SentinelLabs wrote, nearly everyone deploys XMRig, or something equivalent, to drain targets of their lucrative computing power. For Delamotte, "The absence of cryptomining suggests the actor prioritizes quick payoffs through stealing credentials and wallets over long-term resource exploitation. While credential and wallet theft require development upfront to automate validation, they provide faster returns than mining, which carries higher detection and eviction risks."

About the Author

Nate Nelson, Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.