HackMyIP
2026-05-07 BleepingComputer

PCPJack Worm Targets Cloud Infrastructure, Removes TeamPCP Infections

Tags: Malware, Cloud Security

Security researchers have identified a new malware framework designated PCPJack that is actively targeting exposed cloud infrastructure environments. The threat operates as a credential-harvesting worm capable of spreading across cloud workloads while simultaneously removing competing malware infections. According to findings published by BleepingComputer, PCPJack demonstrates sophisticated techniques for persistence in cloud environments, including scheduled tasks and registry modifications that allow it to maintain access even after system reboots.

The malware's primary functionality centers on credential exfiltration from cloud service APIs, container orchestration platforms, and SSH key storage locations. PCPJack specifically targets configuration files for major cloud providers including AWS, Azure, and Google Cloud Platform, harvesting access keys and authentication tokens. The threat leverages stolen credentials to propagate laterally through cloud infrastructure, establishing command-and-control communications through encrypted channels to exfiltrate sensitive data.

Notably, PCPJack includes a striking feature that actively disinfects systems infected by TeamPCP, another credential-stealing malware family. The worm searches for TeamPCP file artifacts, terminates related processes, and removes persistence mechanisms established by the rival malware. This suggests the threat actors behind PCPJack may be consolidating control over compromised cloud environments by eliminating competition, or potentially harvesting TeamPCP's previously stolen credentials for their own operations.

Organizations with exposed cloud infrastructure are advised to audit access credentials, enforce multi-factor authentication, and review API permissions immediately. Security teams should hunt for indicators of compromise such as unusual scheduled tasks and unexpected outbound connections from cloud workloads, and should also look for traces of TeamPCP artifacts that PCPJack may have recently removed, since their absence can mask an earlier compromise. The emergence of this malware highlights the growing sophistication of threats targeting cloud environments and the importance of continuous credential rotation and monitoring.
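The credential audit recommended above, as an added example that is not from the article or from HackMyIP: it checks the default CLI locations of the credential types the worm is reported to harvest (AWS, Azure and GCP config files, SSH keys, kubeconfig) for over-permissive modes and overdue rotation. The file list, the 90-day rotation window and the sample home directory it builds are assumptions for illustration.

```python
import os
import stat
import tempfile
import time
from pathlib import Path

# Default CLI credential locations of the kind the article says PCPJack harvests
# (AWS/GCP/Azure config files, SSH keys); the list is an assumption, extend it.
CREDENTIAL_FILES = [".aws/credentials", ".azure/accessTokens.json",
                    ".config/gcloud/application_default_credentials.json",
                    ".ssh/id_rsa", ".ssh/id_ed25519", ".kube/config"]

def audit_credential_files(home, max_age_days=90, now=None):
    """Return (relative path, finding) pairs for credential files under `home`
    that are readable by group/others or older than the rotation window."""
    now = time.time() if now is None else now
    findings = []
    for rel in CREDENTIAL_FILES:
        path = Path(home) / rel
        if not path.is_file():
            continue
        mode = path.stat().st_mode
        if mode & (stat.S_IRWXG | stat.S_IRWXO):        # anything beyond owner-only
            findings.append((rel, "mode %o allows group/other access" % (mode & 0o777)))
        age_days = int((now - path.stat().st_mtime) // 86400)
        if age_days > max_age_days:
            findings.append((rel, "not rotated for %d days" % age_days))
    return findings

def build_sample_home():
    """Construct a throwaway home dir: one stale, group-readable AWS credentials
    file and one fresh, owner-only SSH key (constructed sample data)."""
    home = Path(tempfile.mkdtemp())
    aws = home / ".aws" / "credentials"
    aws.parent.mkdir()
    aws.write_text("[default]\naws_access_key_id = SAMPLEKEY\n"
                   "aws_secret_access_key = SAMPLESECRET\n")
    aws.chmod(0o644)
    stale = time.time() - 120 * 86400
    os.utime(aws, (stale, stale))                        # pretend it is 120 days old
    key = home / ".ssh" / "id_ed25519"
    key.parent.mkdir()
    key.write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nSAMPLE\n-----END OPENSSH PRIVATE KEY-----\n")
    key.chmod(0o600)
    return home

if __name__ == "__main__":
    for rel, finding in audit_credential_files(build_sample_home()):
        print(f"{rel}: {finding}")
```

Run it against a real workload by passing the user's home directory (or each home under /home) to `audit_credential_files` instead of the constructed sample.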

Source: BleepingComputer
