• Home
  • About
  • Locations
logologologologo
  • Plan
    • vCISO
    • Policies & Procedures
    • Strategy & Security Program Creation
    • Risk Management
  • Attack
    • Penetration Testing
    • PTaaS
    • Red Teaming
    • Web Application Penetration Testing
    • Mobile Application Penetration Testing
    • IOT Penetration Testing
  • Defend
    • Office 365 Security
    • HIPAA Compliance
    • PCI Compliance
    • Code Reviews
    • Blockchain Security Analysis
    • Vulnerability Assessments
  • Recover
    • Ransomware Recovery
    • Expert Witness
    • Forensics
  • Learn
    • Resources
    • Penetration Testing Training
    • Blog
  • Contact Us
  • Instant Quote
✕

PCPJack Malware Targets Cloud Credentials

May 8, 2026

Meta Description

PCPJack malware exploits five CVEs to steal cloud, container, developer, and financial credentials from exposed infrastructure.

Introduction

Cloud infrastructure has become one of the most valuable targets in cybersecurity.

It holds application secrets, deployment tokens, container credentials, Kubernetes service accounts, cloud keys, database passwords, API tokens, developer secrets, and access paths into production environments.

That is why the newly reported PCPJack credential stealer is so concerning.

PCPJack is a credential theft framework designed to compromise exposed cloud infrastructure, steal secrets, and spread in a worm-like manner across vulnerable systems.

Unlike basic infostealers that focus on browser passwords or desktop files, PCPJack is built for cloud environments. It targets services such as Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications.

The campaign also exploits five CVEs:

  • CVE-2025-55182
  • CVE-2025-29927
  • CVE-2026-1357
  • CVE-2025-9501
  • CVE-2025-48703

The objective appears to be financial.

Stolen credentials can be used for fraud, spam, extortion, resale of access, cryptocurrency theft, cloud abuse, and further compromise.

This is not just a malware story.

It is a cloud security warning.

If an organization exposes cloud services, container platforms, databases, or developer systems without proper patching, segmentation, and monitoring, a single vulnerable host can become the starting point for credential theft and lateral movement.

For companies, the message is clear:

Cloud credentials are now primary targets, and exposed infrastructure gives attackers the runway they need.

What Happened

Security researchers disclosed details of PCPJack, a credential theft framework targeting exposed cloud infrastructure.

The malware is designed to harvest credentials from cloud, container, developer, productivity, and financial services. It then exfiltrates stolen data through attacker-controlled infrastructure and attempts to spread to additional hosts.

PCPJack specifically targets environments involving:

  • Docker
  • Kubernetes
  • Redis
  • MongoDB
  • RayML
  • Vulnerable web applications
  • Cloud metadata services
  • Developer systems
  • Containerized workloads
  • Exposed cloud services

The campaign uses a bootstrap shell script to prepare the infected environment.

That script configures the payload host, downloads additional tooling, installs Python where needed, establishes persistence, launches the malware framework, and removes itself after execution.

The toolset includes six Python payload modules. Each module supports part of the operation, including orchestration, credential parsing, lateral movement, encryption, cloud IP range collection, and cloud port scanning.

The malware also pulls propagation targets from public internet-scale datasets. This suggests attackers are using large public data sources to identify possible exposed infrastructure.

PCPJack also appears to remove competing malware artifacts linked to TeamPCP. This suggests competition, overlap, or direct familiarity with previous cloud-focused malware activity.

Why This Issue Is Critical

PCPJack is critical because it targets the systems that hold the keys to modern businesses.

Cloud credentials are often more valuable than a single compromised server.

A stolen AWS key, Kubernetes token, Docker credential, GitHub token, database password, or cloud API key can give attackers access to sensitive systems far beyond the original host.

Once attackers steal cloud credentials, they may be able to:

  • Access production workloads
  • Pull container images
  • Modify Kubernetes deployments
  • Create new cloud resources
  • Exfiltrate databases
  • Abuse compute for spam or fraud
  • Access object storage
  • Retrieve secrets from vaults
  • Move laterally across cloud accounts
  • Disable logging
  • Create persistence
  • Sell access to other criminals
  • Prepare extortion campaigns

The worm-like behavior makes the threat even more serious.

If PCPJack compromises one exposed cloud service, it may scan for additional services, move laterally, and attempt to infect more hosts.

This turns a single misconfigured or unpatched system into a potential cloud-wide incident.

The campaign also matters because it exploits known vulnerabilities.

This is not an unknown zero-day campaign based on the reporting.

The attacker is using known CVEs and cloud misconfigurations to compromise systems that should already have been patched or hardened.

That means the core issue is not only malware.

It is exposure management.

What Caused the Issue

The PCPJack campaign is enabled by a combination of vulnerable cloud services, exposed infrastructure, weak credential hygiene, insufficient segmentation, and poor monitoring.

Several root causes stand out.

Unpatched Vulnerabilities

PCPJack exploits five reported CVEs:

  • CVE-2025-55182
  • CVE-2025-29927
  • CVE-2026-1357
  • CVE-2025-9501
  • CVE-2025-48703

Organizations that have not patched affected systems may be vulnerable to automated exploitation.

Exposed Cloud Services

Publicly reachable Docker, Kubernetes, Redis, MongoDB, RayML, and web application services create an attractive attack surface.

If these services are exposed without strong authentication and network restrictions, attackers can exploit them at scale.

Cloud Metadata Exposure

The malware checks Instance Metadata Service endpoints.

If metadata services are reachable from compromised workloads, attackers may retrieve cloud credentials or instance role tokens.

Credential Sprawl

Cloud environments often contain credentials in environment variables, configuration files, service account tokens, environment files, Docker configs, Kubernetes secrets, and application settings.

PCPJack is designed to find and steal these secrets.

Weak Segmentation

If compromised workloads can reach internal cloud services, databases, container APIs, or metadata endpoints, lateral movement becomes easier.

Insufficient Egress Controls

Malware often succeeds because outbound traffic is allowed freely.

PCPJack uses attacker-controlled infrastructure and Telegram for command-and-control and exfiltration, making outbound monitoring essential.

Poor Asset Visibility

Organizations may not know every exposed service they operate.

Shadow cloud assets, forgotten test environments, and unmanaged developer systems are common attack paths.

How the Attack Chain Works

PCPJack follows a cloud-focused credential theft and propagation chain.

Initial Exposure

The attacker identifies exposed cloud infrastructure.

Targets may include Docker, Kubernetes, Redis, MongoDB, RayML, or vulnerable web applications.

Public internet-scale datasets may help identify exposed services and candidate targets.

Vulnerability Exploitation

The malware exploits known vulnerabilities, including:

  • CVE-2025-55182
  • CVE-2025-29927
  • CVE-2026-1357
  • CVE-2025-9501
  • CVE-2025-48703

The goal is to gain code execution, access, or control over a vulnerable host or service.

Bootstrap Script Execution

A shell script prepares the environment.

It configures payload hosting, downloads next-stage tooling, installs dependencies such as Python where required, removes competing malware artifacts, establishes persistence, and launches the framework.

Python Module Deployment

The framework downloads multiple Python payload modules.

These modules divide the operation into orchestration, credential parsing, lateral movement, encryption, cloud IP range collection, and cloud scanning.

Credential Discovery

PCPJack searches for credentials across cloud, container, developer, productivity, and financial services.

It may target:

  • Cloud API keys
  • Docker credentials
  • Kubernetes service account tokens
  • Redis credentials
  • MongoDB credentials
  • RayML credentials
  • SSH keys
  • Developer secrets
  • API tokens
  • Vault credentials
  • Productivity service credentials
  • Financial service credentials
  • Cryptocurrency-related credentials

Credential Encryption

The malware uses an encryption utility to protect stolen credentials before exfiltration.

This helps prevent interception and makes analysis harder.

Command and Control

PCPJack uses Telegram for command and control.

This allows the operator to receive stolen data, issue commands, and monitor infection status through a widely used communication platform.

Cloud Range Collection

The malware collects IP ranges for major providers and platforms, including AWS, Google Cloud, Microsoft Azure, Cloudflare, CloudFront, and Fastly.

It refreshes this data periodically to support ongoing scanning and propagation.

Lateral Movement

The lateral movement component supports reconnaissance and movement across SSH, Kubernetes, Docker, Redis, MongoDB, and RayML services.

This allows the malware to spread beyond the first compromised host.

External Propagation

The cloud scanning component scans for exposed services and vulnerable systems.

If additional targets are found, the malware attempts to propagate further.

Revenue Generation

Stolen credentials may be monetized through fraud, spam, extortion, resale, cloud abuse, or access brokering.

Why This Incident Matters for Cybersecurity

PCPJack matters because it shows how cloud compromise has become automated, modular, and financially motivated.

Attackers are not manually breaking into one server at a time.

They are building frameworks that can scan, exploit, steal, encrypt, exfiltrate, and spread.

That matters for every organization using cloud infrastructure.

Cloud systems often change quickly. Developers deploy new services. Containers are created and destroyed. Test environments are exposed temporarily. APIs appear before security teams notice. Kubernetes clusters may be misconfigured. Redis and MongoDB may be left reachable. Metadata services may expose credentials.

Attackers thrive in that complexity.

PCPJack is especially dangerous because it focuses on credentials.

A stolen credential can outlive the initial infection.

Even if the malware is removed, exposed keys and tokens may still allow attackers to return.

That is why cloud incidents require more than malware cleanup.

They require credential rotation, access review, log analysis, workload validation, cloud control plane investigation, and long-term monitoring.

This campaign also highlights a major business risk:

Cloud compromises can become expensive quickly.

Attackers may create resources, run spam infrastructure, access sensitive data, steal intellectual property, deploy malware, or move into customer-facing systems.

The damage can be technical, financial, legal, and reputational.

Common Risks Highlighted by the Incident

PCPJack highlights several risks that organizations must address.

Cloud Credential Theft

Cloud keys, API tokens, service account credentials, and container secrets are high-value targets.

If stolen, they can provide access far beyond the compromised host.

Exposed Services

Publicly reachable Docker, Kubernetes, Redis, MongoDB, RayML, and web applications increase attack surface.

Known CVE Exploitation

The campaign uses known vulnerabilities, meaning patch delays directly increase exposure.

Worm-Like Propagation

PCPJack can scan and spread to additional hosts, turning one compromise into many.

Telegram Command and Control

Use of legitimate platforms for command and control can make blocking and detection more difficult.

Cloud Metadata Abuse

Instance metadata services may expose temporary credentials if improperly protected.

Container Escape Pathways

A compromised containerized workload may expose secrets, service tokens, or orchestration access.

Lateral Movement

The malware includes a dedicated component for lateral movement across cloud and container services.

Competing Malware Eviction

PCPJack removes artifacts linked to competing malware activity, showing that compromised cloud environments may host multiple threat actors.

Credential Persistence

Even after malware removal, stolen secrets may remain valid unless rotated.

Potential Impact on Organizations

The impact of PCPJack can be severe.

Organizations may face:

  • Cloud credential theft
  • Kubernetes compromise
  • Docker environment compromise
  • Redis and MongoDB data exposure
  • RayML service abuse
  • SSH credential theft
  • Developer secret exposure
  • Cloud account takeover
  • Unauthorized resource creation
  • Data exfiltration
  • Fraud and spam abuse
  • Cryptocurrency theft
  • Extortion pressure
  • Source code exposure
  • Service disruption
  • Lateral movement across cloud workloads
  • Compliance and regulatory risk
  • Incident response costs
  • Customer trust damage

The impact is especially serious for organizations with cloud-native environments.

A compromised Kubernetes token may allow attackers to inspect workloads, pull secrets, deploy containers, or manipulate services.

A stolen AWS key may allow access to storage, compute, databases, or identity resources.

A stolen Docker credential may expose private container images or deployment pipelines.

A stolen MongoDB credential may expose business data directly.

The original compromised host may be only the beginning.

What Organisations Should Do Now

Organizations should treat PCPJack as a cloud exposure and credential theft threat.

Recommended actions include:

  • Identify exposed Docker, Kubernetes, Redis, MongoDB, RayML, and web application services
  • Patch systems affected by CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703
  • Restrict public access to cloud services that should not be internet-facing
  • Require strong authentication for all cloud and container services
  • Review Kubernetes service account permissions
  • Rotate exposed cloud credentials
  • Rotate Docker registry credentials
  • Rotate Kubernetes tokens and secrets where compromise is suspected
  • Rotate database passwords and API keys
  • Review cloud metadata service access controls
  • Enforce stronger metadata protection where applicable
  • Search for suspicious Python scripts and unusual Python-based execution on servers
  • Hunt for unexpected Telegram traffic from cloud workloads
  • Review outbound traffic from containers and servers
  • Monitor for scanning behavior from internal hosts
  • Review cloud audit logs for unusual API activity
  • Inspect workloads for persistence mechanisms
  • Investigate signs of competing malware artifact removal
  • Run cloud-focused threat hunting across exposed environments

Organizations should also take credential theft seriously even if the malware is removed.

If PCPJack ran on a system, assume secrets may have been stolen.

Rotate first.

Investigate fully.

Then restore trust.

Detection and Monitoring Strategies

Detection should focus on exploitation, credential access, cloud scanning, command-and-control traffic, and lateral movement.

Security teams should monitor for:

  • Execution of suspicious bootstrap shell scripts
  • Unexpected Python installation on servers or containers
  • Suspicious Python scripts created in unusual directories
  • Python processes scanning cloud ports
  • Connections to Telegram APIs from cloud workloads
  • Unusual outbound traffic from containers
  • Scanning activity against Docker, Kubernetes, Redis, MongoDB, or RayML
  • Access attempts to cloud metadata endpoints
  • Access to Kubernetes service account tokens
  • Access to Docker socket or Docker configuration files
  • Access to environment files
  • Access to SSH keys
  • Access to cloud credential files
  • Unexpected Redis or MongoDB enumeration
  • Unusual Kubernetes API calls
  • New or modified persistence artifacts
  • Removal of known competing malware files or processes
  • Cloud API activity from unusual IP addresses
  • New cloud resources created by unknown identities
  • High-volume authentication failures against exposed services

Security teams should correlate logs from:

  • Cloud audit platforms
  • Kubernetes audit logs
  • Docker daemon logs
  • Container runtime telemetry
  • EDR and workload protection tools
  • SIEM platforms
  • Network detection and response tools
  • Firewall logs
  • DNS logs
  • Proxy logs
  • Redis logs
  • MongoDB logs
  • SSH logs
  • CI/CD logs
  • Secrets management platforms

Detection should focus on behavior, not only file names.

Attackers can rename scripts.

But they still need to scan, access credentials, communicate with command-and-control infrastructure, move laterally, and exfiltrate data.

Those behaviors are detectable when cloud telemetry is mature.

The Role of Incident Response Planning

PCPJack reinforces the need for cloud-specific incident response planning.

A normal server cleanup process is not enough.

If cloud credentials were stolen, attackers may retain access even after the original host is rebuilt.

A strong response plan should include:

  • Immediate containment of compromised workloads
  • Isolation of exposed services
  • Preservation of logs and forensic evidence
  • Identification of all secrets accessible from the host
  • Rotation of cloud credentials
  • Rotation of Kubernetes secrets
  • Rotation of Docker registry credentials
  • Rotation of database passwords
  • Review of cloud control plane activity
  • Review of Kubernetes audit activity
  • Review of new or modified resources
  • Review of IAM policy changes
  • Review of service account abuse
  • Hunt for lateral movement
  • Hunt for additional infected hosts
  • Validation that persistence has been removed
  • Communication with legal, compliance, and executive teams if sensitive data was exposed

Incident responders should ask:

  • Which host was compromised?
  • Which vulnerability was exploited?
  • Which credentials were accessible?
  • Was the metadata service reachable?
  • Were Kubernetes tokens present?
  • Was Docker accessible?
  • Were Redis or MongoDB credentials stored locally?
  • Was Telegram command-and-control contacted?
  • Were credentials exfiltrated?
  • Did the malware scan internal or external targets?
  • Did it spread to other hosts?
  • Were cloud resources created or modified?
  • Were secrets used after exfiltration?

The answers determine whether the incident is isolated or cloud-wide.

The Role of Penetration Testing

Penetration testing is essential for understanding whether PCPJack-style attacks could succeed in a real environment.

A basic vulnerability scan is not enough.

Organizations need cloud-focused penetration testing that evaluates exposure, credential access, lateral movement, and control plane impact.

A strong assessment can evaluate:

  • Exposed Docker APIs
  • Exposed Kubernetes APIs
  • Exposed Redis instances
  • Exposed MongoDB instances
  • Exposed RayML services
  • Vulnerable web applications
  • Known CVE exposure
  • Weak cloud metadata protections
  • Kubernetes service account permissions
  • Docker socket exposure
  • Secrets stored in environment variables
  • Credentials stored in configuration files
  • Excessive IAM permissions
  • Weak network segmentation
  • Unrestricted outbound traffic
  • Lack of egress filtering
  • Cloud logging gaps
  • Detection for credential access
  • Detection for internal scanning
  • Incident response readiness

A red team exercise can safely simulate the PCPJack attack path:

  • Identify exposed cloud services
  • Validate whether known CVEs are exploitable
  • Test whether secrets can be accessed from workloads
  • Attempt controlled metadata service access
  • Test Kubernetes token exposure
  • Simulate scanning behavior
  • Simulate safe exfiltration indicators
  • Measure SOC detection and response
  • Validate credential rotation workflows

This helps answer the business-critical question:

If one cloud workload is compromised, how far can the attacker go?

Penetration testing should not stop at the first shell.

It should test the full chain from initial exposure to credential theft, lateral movement, cloud control plane access, and containment.

Protection and Mitigation Measures

Organizations should take a layered approach to reduce PCPJack-style risk.

Patch Known CVEs

Prioritize remediation for CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703 where applicable.

Known exploited vulnerabilities should be treated as urgent.

Reduce Internet Exposure

Docker, Kubernetes, Redis, MongoDB, and RayML should not be publicly exposed unless there is a strict business requirement and strong controls.

Enforce Strong Authentication

All cloud and container services should require strong authentication.

Unauthenticated or weakly authenticated services are high-risk.

Protect Metadata Services

Restrict access to cloud metadata services.

Use stronger metadata protections where applicable and enforce network controls to prevent unnecessary metadata access.

Apply Least Privilege

Cloud IAM roles, Kubernetes service accounts, and database users should have only the permissions required.

Overprivileged credentials increase blast radius.

Rotate Secrets Regularly

Credential rotation reduces the value of stolen secrets.

Rotate immediately after suspected compromise.

Improve Egress Filtering

Restrict outbound traffic from workloads.

Servers and containers should not be able to communicate freely with arbitrary external services.

Monitor Telegram Traffic

Investigate unexpected Telegram API communication from cloud workloads.

Legitimate servers rarely need to communicate with Telegram.

Harden Kubernetes

Limit service account token mounting, enable audit logging, enforce RBAC, restrict privileged pods, and monitor API activity.

Harden Docker

Protect the Docker socket, restrict daemon access, and monitor container creation and image pulls.

Secure Databases

Redis and MongoDB should be private, authenticated, encrypted where appropriate, and monitored for unusual access.

Use Cloud Workload Protection

Deploy runtime security tools that detect suspicious process behavior, credential access, scanning, and unauthorized network connections.

Conduct Regular Cloud Security Testing

Use penetration testing, cloud security testing, vulnerability assessment, and incident response exercises to validate real exposure.

Key Takeaway

PCPJack shows how credential theft has evolved for the cloud era.

By exploiting five CVEs, targeting Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications, and using modular Python payloads to steal secrets and spread across infrastructure, PCPJack turns exposed cloud services into credential harvesting platforms.

This is not only a malware problem.

It is an exposure management problem.

Organizations must patch known vulnerabilities, reduce internet-facing cloud services, harden Kubernetes and Docker, protect metadata endpoints, rotate secrets after suspected compromise, monitor Telegram-based command and control, and test real-world attack paths through penetration testing.

The most important lesson is simple:

Cloud credentials are the prize.

If attackers steal them, the breach may continue long after the original malware is removed.

Contact Us Now to Prepare
for Digital Warfare


      • info@digitalwarfare.com

      • +1 757-900-9968

Share
Copyright © Digital Warfare. All rights reserved.
  • Home
  • About
  • Locations