HackMyIP
2026-05-08 SecurityWeek

PCPJack Worm Cleans TeamPCP, Steals AWS Cloud Credentials

Tags: Malware, Cloud Security, Authentication

Security researchers have identified a new self‑propagating threat, named PCPJack, that behaves like a worm while simultaneously purging systems infected by the earlier TeamPCP malware. Once aboard a host, PCPJack terminates TeamPCP processes, removes associated persistence mechanisms, and then pivots to a credential‑harvesting routine that targets both user accounts and machine identities.

The worm targets misconfigured web services and cloud interfaces, scanning for Docker APIs exposed without authentication, unprotected Kubernetes etcd endpoints, and AWS IAM role credentials. With stolen SSH keys and API tokens it spreads laterally across container clusters and virtual machines, and it exfiltrates harvested secrets over a lightweight command-and-control (C2) channel. PCPJack also injects a hooking module into authentication pipelines to capture plaintext passwords and multi-factor authentication tokens before they are validated.

A successful PCPJack infection has severe consequences: attackers gain unrestricted access to cloud workloads, can pivot to internal services, and may exfiltrate sensitive data held in S3 buckets, container registries, and internal databases. Reported indicators of compromise include unusual outbound traffic to ports 4444 and 8080 (port 8080 also carries a great deal of legitimate traffic, so hits there should be corroborated against the owning process and destination), unexpected changes to Docker socket permissions, and a binary named pcpjack.dll in system directories. Because the worm replaces the original TeamPCP binaries, it also erases forensic evidence of the prior infection.
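The indicators above translate directly into a host triage check. The script below is an added example written for this page, not tooling from SecurityWeek or from any vendor: it parses `ss -tnp`-style output for established connections to the reported C2 ports and for a Docker API listening on a wildcard address, checks whether the Docker socket mode is world-writable, and matches file paths against the reported filename. The `ss` sample, the socket modes and the file list are constructed inline so the block runs offline; the Docker API ports 2375/2376 are an assumption based on the daemon's conventional TCP ports, not something the article states.

```python
"""Host triage against the PCPJack indicators reported in the article.

Added example (not from SecurityWeek or any vendor). On a real host feed it
the output of `ss -tnp`, os.stat("/var/run/docker.sock").st_mode, and a
file listing; here everything is constructed so the script runs offline.
"""
import os
import stat

# Indicators taken from the article text. Port 8080 is also heavily used by
# legitimate services, so it is rated lower and should be corroborated.
C2_PORTS = {4444: "high", 8080: "medium"}
IOC_FILENAMES = {"pcpjack.dll"}

# Assumption (not in the article): the Docker daemon's conventional TCP API
# ports; a LISTEN on these bound to a wildcard address is the "open Docker
# API" the worm scans for.
DOCKER_API_PORTS = {2375, 2376}
WILDCARD_BINDS = {"0.0.0.0", "*", "::", "[::]"}

# Constructed `ss -tnp`-style sample; addresses are documentation ranges.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
ESTAB  0      0      10.0.0.5:51234      203.0.113.9:4444  users:(("pcpjack",pid=4242,fd=3))
ESTAB  0      0      10.0.0.5:51240      198.51.100.20:443 users:(("curl",pid=900,fd=5))
ESTAB  0      0      10.0.0.5:51250      192.0.2.77:8080   users:(("node",pid=1200,fd=9))
LISTEN 0      128    0.0.0.0:2375        0.0.0.0:*         users:(("dockerd",pid=700,fd=4))
"""


def _split_addr(addr):
    """Split 'host:port' (IPv6 '[::]:port' included); port is None for '*'."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_ss(ss_text):
    """Yield (state, local_host, local_port, peer_host, peer_port, process)
    tuples from `ss -tnp` output, skipping the header line."""
    rows = []
    for line in ss_text.splitlines()[1:]:
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        proc = parts[5] if len(parts) > 5 else ""
        lh, lp = _split_addr(local)
        ph, pp = _split_addr(peer)
        rows.append((state, lh, lp, ph, pp, proc))
    return rows


def suspicious_connections(ss_text):
    """Established connections whose peer port is a reported C2 port,
    as (severity, 'peer:port', process) tuples."""
    return [(C2_PORTS[pp], f"{ph}:{pp}", proc)
            for state, _, _, ph, pp, proc in parse_ss(ss_text)
            if state == "ESTAB" and pp in C2_PORTS]


def exposed_docker_api(ss_text):
    """Docker API listeners bound to every interface, as 'host:port'."""
    return [f"{lh}:{lp}" for state, lh, lp, _, _, _ in parse_ss(ss_text)
            if state == "LISTEN" and lp in DOCKER_API_PORTS and lh in WILDCARD_BINDS]


def docker_socket_world_writable(mode):
    """True when st_mode describes a socket that any local user can write to,
    i.e. any process on the host can drive the Docker daemon."""
    return stat.S_ISSOCK(mode) and bool(mode & stat.S_IWOTH)


def ioc_files(paths):
    """Paths whose basename matches a reported filename (case-insensitive)."""
    return [p for p in paths if os.path.basename(p).lower() in IOC_FILENAMES]


def triage(ss_text, socket_mode, paths):
    """Run every check and return the findings keyed by indicator."""
    return {
        "c2_connections": suspicious_connections(ss_text),
        "exposed_docker_api": exposed_docker_api(ss_text),
        "docker_socket_world_writable": docker_socket_world_writable(socket_mode),
        "ioc_files": ioc_files(paths),
    }


if __name__ == "__main__":
    # Constructed inputs: a world-writable socket and one matching file.
    report = triage(SAMPLE_SS, 0o140666, ["/usr/lib/pcpjack.dll", "/bin/ls"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a live host, replace the constructed inputs with `subprocess.run(["ss", "-tnp"], capture_output=True, text=True).stdout`, `os.stat("/var/run/docker.sock").st_mode`, and an `os.walk` over the directories you care about; treat a "high" connection or a world-writable socket as grounds to isolate the host and start credential rotation, and treat a "medium" 8080 hit as a lead to confirm, not a verdict.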

Organisations are advised to enforce least-privilege access, rotate all credentials and API keys immediately, and enable multi-factor authentication for all user and service accounts. Continuous monitoring for anomalous API calls, unexpected container spawns, and irregular C2 traffic will aid early detection. Fixing misconfigurations in Docker, Kubernetes, and cloud IAM, together with deploying runtime security tooling, cuts off the worm's propagation vector and limits the blast radius of future credential theft campaigns.

Source: SecurityWeek →
