PCPJack Malware Removes TeamPCP Threats, Steals Login Credentials
Cybersecurity Firm Discovers Framework Used to Remove TeamPCP Malware, Steal Credentials
A threat actor has been observed deploying a malicious framework, dubbed PCPJack, to remove malware associated with the notorious TeamPCP hacking group and steal sensitive credentials.
PCPJack can steal environment variables, SSH keys, cryptocurrency wallets, credentials, and tokens for various web apps and cloud services, such as AWS, Kubernetes, Docker, and GitHub.
Suggested Motivation and Methodology
SentinelOne suggests that the types of credentials collected by PCPJack indicate the threat actor's primary motivation is to conduct spam campaigns and financial fraud, or to sell the stolen credentials to actors with those focuses.
The framework also attempts to use the extracted credentials to propagate across Kubernetes, Docker, Redis, RayML, and MongoDB deployments, and leverages SSH keys to execute the initial script on remote machines.
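The two paragraphs above describe the kinds of secrets PCPJack harvests (environment variables, SSH keys, cloud and container credentials) and how stolen keys are reused to reach other hosts. The following audit script is an added defensive example, not code from the article or from SentinelOne's report: it checks a home directory for the commonly targeted credential files and flags any that are readable by group or world, and it lists environment variables whose names suggest they hold secrets. The list of file paths and the name markers are assumptions chosen for illustration, not an inventory taken from the PCPJack samples.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumed list of credential locations that stealers typically collect.
# These paths are an illustration, not taken from the PCPJack report.
CREDENTIAL_PATHS = [
    ".ssh/id_rsa", ".ssh/id_ed25519", ".ssh/id_ecdsa",
    ".aws/credentials", ".kube/config", ".docker/config.json",
    ".git-credentials", ".config/gh/hosts.yml", ".env",
]

# Permission bits that should never be set on a file holding a secret.
GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def audit_credential_files(home):
    """Return one finding per credential file present under `home`.

    Each finding records the path, its octal mode, and whether the mode
    grants group or world access ("exposed").
    """
    home = Path(home)
    findings = []
    for rel in CREDENTIAL_PATHS:
        path = home / rel
        if not path.is_file():
            continue
        mode = path.stat().st_mode
        findings.append({
            "path": str(path),
            "mode": oct(stat.S_IMODE(mode)),
            "exposed": bool(mode & GROUP_OR_OTHER),
        })
    return findings


def env_secret_names(environ=None):
    """Return environment variable names that look like they carry secrets.

    The markers are a heuristic assumption; tune them for your estate.
    """
    environ = os.environ if environ is None else environ
    markers = ("TOKEN", "SECRET", "PASSWORD", "CREDENTIAL", "_KEY")
    return sorted(k for k in environ if any(m in k.upper() for m in markers))


def demo():
    """Build a constructed home directory and audit it.

    One file is deliberately left group/world readable so the audit has
    something to flag; the SSH key is stored with a tight mode.
    """
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / ".aws").mkdir()
        cred = home / ".aws" / "credentials"
        cred.write_text("[default]\naws_access_key_id = CONSTRUCTED\n")
        cred.chmod(0o644)  # too loose: group and world can read it
        (home / ".ssh").mkdir()
        key = home / ".ssh" / "id_ed25519"
        key.write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n")
        key.chmod(0o600)  # owner only
        return audit_credential_files(home)


if __name__ == "__main__":
    for finding in demo():
        flag = "EXPOSED" if finding["exposed"] else "ok"
        print(f"{flag:8} {finding['mode']} {finding['path']}")
    print("secret-like env vars:", env_secret_names())
```

Run it against a real account with `audit_credential_files(Path.home())`; any finding marked exposed is a file that a malware process running as another local user could read without needing the victim's privileges, and is the first thing to tighten.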
Framework Details
The PCPJack framework targets known vulnerabilities in web applications, including CVE-2025-29927 (Next.js), CVE-2025-55182 (React2Shell), CVE-2026-1357 (WPVivid Backup plugin for WordPress), CVE-2025-9501 (W3 Total Cache plugin for WordPress), and CVE-2025-48703 (CentOS Web Panel).
Operational Security Lapses
SentinelOne notes that the two toolsets are well developed and indicate that their author values building code as a modular framework, despite some redundancies in behavior. The occasional operational security lapses were interesting, particularly the choice to encrypt everything except the Telegram credentials and the actor's own alleged infrastructure.
This development highlights the ongoing cat-and-mouse game between threat actors and cybersecurity firms, as well as the importance of staying vigilant in protecting against emerging threats.