A threat actor is using the PCPJack framework to remove TeamPCP artifacts from infected systems while stealing credentials and deploying its own tooling across cloud and on-premises environments. SentinelOne says the campaign can spread through vulnerable web apps, Kubernetes, Docker, Redis, RayML, MongoDB, and SSH, with ties to TeamPCP and Sliver-based activity. #TeamPCP #PCPJack #Sliver #Nextjs #React2Shell #WPVividBackup #W3TotalCache #CentOSWebPanel
Key points
- PCPJack removes TeamPCP tools and artifacts from infected systems.
- The framework steals credentials, tokens, SSH keys, and wallet data.
- It targets cloud services such as AWS, Kubernetes, Docker, Gmail, GitHub, and Office 365.
- It spreads through vulnerable apps and deployments, including Next.js, WordPress plugins, Redis, and MongoDB.
- SentinelOne also found a related toolset using Sliver implants and broader cloud credential theft.
Read More: https://www.securityweek.com/pcpjack-worm-removes-teampcp-infections-steals-credentials/