Executive Summary
In May 2026, a new malware framework named PCPJack was discovered targeting exposed cloud infrastructures, including services like Docker, Kubernetes, Redis, MongoDB, and RayML. The malware infiltrates Linux-based cloud systems via a shell script, establishes persistence, and orchestrates credential theft at scale. Notably, PCPJack actively removes existing infections from the TeamPCP group, a known threat actor responsible for previous high-profile supply-chain breaches. This suggests that PCPJack may have been developed by a former TeamPCP affiliate or member who started their own operation.
The emergence of PCPJack highlights the evolving landscape of cyber threats, where malware not only seeks to exploit systems but also competes with other malicious actors for control. This trend underscores the need for organizations to implement robust security measures, including multi-factor authentication, proper service authentication, and adherence to the principle of least privilege, to protect against such sophisticated attacks.
Why This Matters Now
The emergence of PCPJack underscores the escalating sophistication of cyber threats, where malware not only exploits systems but also competes with other malicious actors for control. This trend highlights the urgent need for organizations to implement robust security measures, including multi-factor authentication, proper service authentication, and adherence to the principle of least privilege, to protect against such advanced attacks.
Attack Path Analysis
The PCPJack worm progressed through the following stages:
- Initial access: exploited vulnerabilities in exposed cloud services.
- Privilege escalation: deployed malicious scripts on the compromised hosts.
- Lateral movement: harvested credentials and propagated across internal networks.
- Command and control: established encrypted channels to attacker infrastructure.
- Exfiltration: sent stolen credentials to external servers.
- Impact: removed competing malware and maintained persistence.
Kill Chain Progression
Initial Compromise
Description
The PCPJack worm exploited vulnerabilities in exposed cloud services such as Docker, Kubernetes, Redis, MongoDB, and RayML to gain unauthorized access.
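The exposure the brief describes is a service such as Docker, Redis or MongoDB listening beyond loopback with no authentication. The following offline configuration audit is an added example, not code from the brief or from Aviatrix; it parses constructed sample configs for the three services and flags that pattern, with a weak and a corrected config for each.

```python
# Added example (not from the brief): offline audit of the service configs it names.
import json
import re

LOOPBACK = {"127.0.0.1", "::1", "-::1", "localhost"}

def audit_docker_daemon(daemon_json: str) -> list[str]:
    # A Docker API on a TCP socket is unauthenticated unless tlsverify is on.
    cfg = json.loads(daemon_json)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        return [f"docker: TCP API {tcp_hosts} without tlsverify"]
    return []

def audit_redis_conf(conf: str) -> list[str]:
    # Redis only refuses remote clients when protected-mode is on AND no bind
    # directive is set; an explicit non-loopback bind disables that guard.
    settings = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip()
    bind = settings.get("bind", "")
    loopback_only = bool(bind) and set(bind.split()) <= LOOPBACK
    guarded = not bind and settings.get("protected-mode", "yes") == "yes"
    if not loopback_only and not guarded and not settings.get("requirepass"):
        return ["redis: reachable beyond loopback with no requirepass"]
    return []

def audit_mongod_conf(conf: str) -> list[str]:
    # Minimal YAML scan (no PyYAML dependency): bindIp/bindIpAll vs authorization.
    bind = re.search(r"^\s*bindIp:\s*(\S+)", conf, re.M)
    bind_all = re.search(r"^\s*bindIpAll:\s*true", conf, re.M)
    auth_on = re.search(r"^\s*authorization:\s*enabled", conf, re.M)
    addrs = bind.group(1).split(",") if bind else ["127.0.0.1"]
    public = bool(bind_all) or any(a.strip() not in LOOPBACK for a in addrs)
    if public and not auth_on:
        return ["mongodb: non-loopback bindIp without security.authorization enabled"]
    return []

# Constructed samples: one weak and one corrected config per service.
WEAK_DOCKER = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAFE_DOCKER = '{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true, "tlscacert": "/etc/docker/ca.pem"}'
WEAK_REDIS = "bind 0.0.0.0\nprotected-mode yes\nport 6379\n"
SAFE_REDIS = "bind 127.0.0.1 -::1\nprotected-mode yes\nrequirepass CHANGE-ME\n"
WEAK_MONGO = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
SAFE_MONGO = "net:\n  bindIp: 0.0.0.0\nsecurity:\n  authorization: enabled\n"
def audit_all(docker: str, redis: str, mongo: str) -> list[str]:
    return audit_docker_daemon(docker) + audit_redis_conf(redis) + audit_mongod_conf(mongo)
```

Run `audit_all` over the real files (`/etc/docker/daemon.json`, `redis.conf`, `mongod.conf`) to get one finding per service that matches the exposed-and-unauthenticated pattern.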
Related CVEs
CVE-2025-29927
CVSS 9.1
An authorization bypass vulnerability in Next.js middleware allows remote attackers to access restricted resources without proper authentication.
Affected Products:
Vercel Next.js – < 12.3.5, < 13.5.9, < 14.2.25, < 15.2.3
Exploit Status:
exploited in the wild
CVE-2025-55182
CVSS 10
A pre-authentication remote code execution vulnerability in React Server Components allows unauthenticated attackers to execute arbitrary code via crafted HTTP requests.
Affected Products:
Meta React Server Components – 19.0.0, 19.1.0, 19.1.1, 19.2.0
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Valid Accounts
Exploitation of Remote Services
Application Layer Protocol: Web Protocols
Unsecured Credentials: Credentials in Files
Remote Services: SSH
Scheduled Task/Job: Cron
Impair Defenses: Disable or Modify Tools
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that all system components are protected from known vulnerabilities
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
High risk from PCPJack credential theft targeting Docker, Kubernetes, and cloud infrastructure. React2Shell and Next.js vulnerabilities expose development environments to automated exploitation.
Information Technology/IT
Critical exposure through compromised cloud services, SSH keys, and infrastructure management tools. Lateral movement capabilities threaten multi-cloud environments and system administration credentials.
Financial Services
Significant risk from stolen financial service credentials and API keys. PCPJack's monetization through financial fraud directly targets banking and payment processing systems.
Computer/Network Security
Paradoxical vulnerability where security tools become targets. Worm actively removes TeamPCP infections while establishing new persistence mechanisms, complicating incident response efforts.
Sources
- New PCPJack worm steals credentials, cleans TeamPCP infections: https://www.bleepingcomputer.com/news/security/new-pcpjack-worm-steals-credentials-cleans-teampcp-infections/
- Hackers hack victims hacked by other hackers: https://techcrunch.com/2026/05/07/hackers-hack-victims-hacked-by-other-hackers/
- CVE-2025-55182 Detail: https://nvd.nist.gov/vuln/detail/CVE-2025-55182
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to the PCPJack worm incident as it would likely constrain the worm's ability to exploit vulnerabilities, escalate privileges, move laterally, establish command and control, exfiltrate data, and maintain persistence within cloud environments.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Implementing Aviatrix CNSF would likely limit the worm's ability to exploit vulnerabilities in exposed cloud services by enforcing strict access controls and reducing the attack surface.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation would likely constrain the worm's ability to escalate privileges by enforcing least-privilege access and segmenting workloads to limit unauthorized interactions.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security would likely limit the worm's ability to move laterally by monitoring and controlling internal traffic flows, thereby reducing unauthorized propagation.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control would likely constrain the worm's command and control capabilities by providing real-time monitoring and control over encrypted outbound communications.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement would likely limit the worm's ability to exfiltrate data by enforcing strict egress policies and monitoring outbound traffic.
Aviatrix Zero Trust CNSF would likely reduce the worm's ability to maintain persistence and remove competing malware by enforcing strict access controls and continuous monitoring.
Impact at a Glance
Affected Business Functions
- Cloud Infrastructure Management
- Data Storage and Management
- Application Deployment
- Network Security
Estimated downtime: 7 days
Estimated loss: $500,000
Compromised credentials for cloud services, databases, and internal applications, potentially leading to unauthorized access and data breaches.
Recommended Actions
Key Takeaways & Next Steps
- Implement East-West Traffic Security to monitor and control lateral movement within the network.
- Enforce Zero Trust Segmentation to limit access and reduce the attack surface.
- Utilize Multicloud Visibility & Control to detect and respond to anomalous activities across cloud environments.
- Apply Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- Deploy Threat Detection & Anomaly Response systems to identify and mitigate malicious activities promptly.