PCPJack Credential Stealer Uses 5 CVEs to Spread Worm-Like in Cloud
Cybersecurity researchers have uncovered a new credential-stealing framework called PCPJack that aggressively targets exposed cloud infrastructure and propagates in a worm-like fashion. The tool exploits a set of five known vulnerabilities, including CVE-2022-22965 (Spring4Shell), CVE-2023-22515 (Atlassian Crowd), CVE-2023-42847 (Kubernetes API server), CVE-2023-38035 (QEMU), and CVE-2024-21762 (FortiGate), to gain an initial foothold on public-facing workloads. Once inside, it installs a lightweight implant that harvests IAM tokens, SSH keys, container registry credentials, and metadata service tokens, then actively removes any artifacts linked to the previous TeamPCP campaign to avoid attribution and detection.
The infection chain follows a classic worm pattern: after compromising a single instance, PCPJack scans the surrounding network for additional vulnerable hosts using the same CVEs, automatically deploying the exploit payloads via scheduled tasks and remote API calls. It also manipulates cloud provider metadata services to obtain short-lived credentials, enabling lateral movement across multiple accounts and regions without triggering rate-limit alerts. By clearing logs and deleting TeamPCP-related files, the malware erases forensic evidence, making incident reconstruction challenging for security teams.
Organizations running workloads in the cloud are urged to prioritize patching the five CVEs, enforce multi-factor authentication on all privileged accounts, and limit exposure of management interfaces to the internet. Continuous monitoring for anomalous API activity, unexpected container image pulls, or unauthorized SSH key creation can help detect PCPJack's propagation early. Additionally, employing least-privilege IAM policies, network segmentation, and runtime protection solutions will reduce the blast radius of future credential-stealing worms.
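As an added illustration of the monitoring advice above (this is example code written for this page, not code from the researchers' report or any vendor tool), the following Python script runs three simple detections over constructed CloudTrail-style events: SSH key or access key creation by a principal outside an allowlist, instance-role credentials (the kind obtained from the metadata service) being used from outside the trusted network range, and a single principal touching many regions within a short window, which matches the cross-region lateral movement described above. Field names follow CloudTrail's JSON layout; the allowlist, CIDR range, thresholds, and sample events are assumptions.

```python
"""Toy detector for three PCPJack-style indicators over CloudTrail-like events.

Assumptions (not from the report): CloudTrail JSON field names, the allowlist of
key administrators, the trusted VPC range, the fan-out threshold and window, and
every sample event below, which is constructed for this example.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# --- Policy knobs: assumptions for this example, tune per environment ---
CREDENTIAL_WRITE_EVENTS = {"ImportKeyPair", "CreateKeyPair",
                           "CreateAccessKey", "CreateLoginProfile"}
ALLOWED_KEY_ADMINS = {"arn:aws:iam::111122223333:user/alice"}  # constructed
TRUSTED_CIDRS = [ipaddress.ip_network("10.0.0.0/8")]           # constructed VPC range
REGION_FANOUT_THRESHOLD = 3                  # distinct regions per principal ...
REGION_FANOUT_WINDOW = timedelta(minutes=10)  # ... within this window

WEB_ROLE = "arn:aws:sts::111122223333:assumed-role/web-role/i-0abc123"  # constructed
ALICE = "arn:aws:iam::111122223333:user/alice"                          # constructed

# Constructed sample events (not real telemetry). Times are UTC.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.5", "userIdentity": {"arn": WEB_ROLE}},
    {"eventTime": "2024-05-01T10:00:30Z", "eventName": "ImportKeyPair",
     "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.5", "userIdentity": {"arn": WEB_ROLE}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventName": "AssumeRole",
     "awsRegion": "eu-west-1", "sourceIPAddress": "10.0.1.5", "userIdentity": {"arn": WEB_ROLE}},
    {"eventTime": "2024-05-01T10:01:20Z", "eventName": "DescribeRepositories",
     "awsRegion": "ap-southeast-1", "sourceIPAddress": "10.0.1.5", "userIdentity": {"arn": WEB_ROLE}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventName": "GetCallerIdentity",
     "awsRegion": "us-west-2", "sourceIPAddress": "203.0.113.9", "userIdentity": {"arn": WEB_ROLE}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "CreateAccessKey",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.4", "userIdentity": {"arn": ALICE}},
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _principal(event):
    return event["userIdentity"]["arn"]


def is_instance_role_session(arn):
    """Role sessions minted through the instance metadata service carry the
    instance id as the session name, so they should only be used from the VPC."""
    return ":assumed-role/" in arn and arn.rsplit("/", 1)[-1].startswith("i-")


def detect(events):
    """Return (rule, principal, detail) tuples for every indicator that fires."""
    findings = []

    # Rule 1: SSH key / access key creation by anyone not on the admin allowlist.
    for e in events:
        if e["eventName"] in CREDENTIAL_WRITE_EVENTS and _principal(e) not in ALLOWED_KEY_ADMINS:
            findings.append(("credential-write", _principal(e), e["eventName"]))

    # Rule 2: instance-role credentials used from outside the trusted ranges,
    # i.e. a metadata-service token that has left the instance.
    for e in events:
        arn, ip = _principal(e), ipaddress.ip_address(e["sourceIPAddress"])
        if is_instance_role_session(arn) and not any(ip in net for net in TRUSTED_CIDRS):
            findings.append(("role-creds-offnet", arn, str(ip)))

    # Rule 3: one principal fanning out across many regions in a short window.
    by_principal = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_principal[_principal(e)].append(e)
    for arn, evs in by_principal.items():
        for i, start in enumerate(evs):
            window = [x for x in evs[i:] if _ts(x) - _ts(start) <= REGION_FANOUT_WINDOW]
            regions = {x["awsRegion"] for x in window}
            if len(regions) >= REGION_FANOUT_THRESHOLD:
                findings.append(("region-fanout", arn, ",".join(sorted(regions))))
                break  # one finding per principal is enough
    return findings


if __name__ == "__main__":
    for rule, who, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {who}: {detail}")
```

Run against the constructed events, the instance role trips all three rules (it imports an SSH key pair, its credentials later appear from a non-VPC address, and it spans four regions inside ten minutes), while the allowlisted user's access key creation produces nothing. In production the same rules would be fed from CloudTrail or an equivalent audit stream, and the thresholds and trusted ranges would come from the environment's own baseline rather than the constants here.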