‘PCPJack’ Worm Removes TeamPCP Infections, Steals Credentials
The PCPJack malware framework targets web applications and cloud environments, including AWS, Docker, and Kubernetes. It removes infections related to the TeamPCP hacking group and steals credentials such as environment variables, SSH keys, cryptocurrency wallets, and tokens for various cloud and web services. PCPJack propagates by exploiting known vulnerabilities in popular web applications and uses stolen credentials to move laterally across cloud and container environments. It communicates via encrypted messages over Telegram channels. The malware's primary motivations appear to be credential theft for spam campaigns, financial fraud, and extortion. SentinelOne attributes the framework to a threat actor familiar with TeamPCP tooling, possibly a former operator. No official patch or vendor advisory is provided for PCPJack itself, as it is malware rather than a software vulnerability.
AI Analysis
Technical Summary
PCPJack is a modular malware framework observed since late April 2026 that targets Linux systems running web applications and cloud infrastructure components such as AWS, Docker, and Kubernetes. On a newly compromised host it first removes artifacts left by the TeamPCP hacking group, then establishes persistence and downloads additional modules from an AWS S3 bucket. These modules handle credential harvesting, lateral movement, command-and-control over encrypted Telegram messaging, cloud scanning, and exploitation of known vulnerabilities in Next.js, React (the flaw dubbed React2Shell), the WPVivid Backup and W3 Total Cache WordPress plugins, and CentOS Web Panel. PCPJack steals a wide range of credentials and tokens from the local system and from cloud services, then uses those credentials, together with the web-application exploits, to spread across cloud and container environments. The stolen material feeds spam, financial fraud, and extortion campaigns. SentinelOne's analysis suggests the operator knows TeamPCP's tools and tactics well, possibly as a former operator.
Potential Impact
PCPJack compromises infected systems by removing competing malware (TeamPCP), stealing sensitive credentials and tokens for cloud services and web applications, and enabling lateral movement within cloud and container environments. The stolen credentials can be used for spam campaigns, financial fraud, and extortion attacks. Because PCPJack exploits several known vulnerabilities in widely deployed web applications, any unpatched instance is a candidate for infection and for onward spread. The use of Telegram for command-and-control complicates detection: the traffic is TLS to a widely used public service, so content inspection yields nothing, and only the destination (visible in DNS queries and TLS SNI) distinguishes it from benign API use. There is no indication of direct data destruction or ransomware deployment, but the theft and misuse of credentials pose significant operational and financial risks.
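The point about Telegram-based command-and-control can be turned into a fleet-level check. The following is an added example, not code from SentinelOne or the article: it assumes the operator's C2 goes through Telegram's Bot API host (api.telegram.org), the usual choice for malware that uses Telegram, and the host inventory, log format and DNS log lines are constructed. A production server resolving Telegram domains is anomalous on its own, whatever the encrypted payload contains.

```python
"""Flag server-class hosts that resolve Telegram domains.

Added example (not SentinelOne's or the article's code). Assumption: the
C2 channel uses Telegram's Bot API (api.telegram.org). The host inventory,
the log format and the log lines below are constructed.
"""
import re
from collections import defaultdict

# Telegram's documented Bot API host plus the Telegram web/link domains.
TELEGRAM_DOMAINS = ("api.telegram.org", "telegram.org", "t.me", "telegram.me")

# Constructed inventory: hostname -> role. Hosts with the "server" role
# (web nodes, Kubernetes nodes, CI runners) have no business talking to
# Telegram, so any hit is worth an alert; workstations are ignored.
HOST_ROLES = {
    "web-01": "server",
    "k8s-node-03": "server",
    "ci-runner-2": "server",
    "laptop-alice": "workstation",
}

# Constructed DNS query log, one query per line:
#   <timestamp> <client_ip> <client_hostname> <qname> <qtype>
SAMPLE_DNS_LOG = """\
2026-05-08T09:14:02Z 10.0.1.21 web-01 api.telegram.org A
2026-05-08T09:14:02Z 10.0.1.21 web-01 s3.amazonaws.com A
2026-05-08T09:15:40Z 10.0.2.7 laptop-alice t.me A
2026-05-08T09:16:11Z 10.0.3.15 k8s-node-03 registry-1.docker.io A
2026-05-08T09:17:05Z 10.0.3.15 k8s-node-03 api.telegram.org. AAAA
2026-05-08T09:18:22Z 10.0.4.9 ci-runner-2 github.com A
2026-05-08T09:19:00Z 10.0.4.9 ci-runner-2 nottelegram.org A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)\s+"
    r"(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)$"
)


def is_telegram_domain(qname: str) -> bool:
    """Exact or subdomain match; a trailing dot (FQDN form) is tolerated.
    'nottelegram.org' must not match, hence the '.' + domain suffix test."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in TELEGRAM_DOMAINS)


def find_telegram_c2_candidates(log_text: str, host_roles: dict) -> dict:
    """Return {hostname: [(timestamp, qname), ...]} for server-role hosts
    that resolved a Telegram domain. Lines that do not parse are skipped."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or host_roles.get(m["host"]) != "server":
            continue
        if is_telegram_domain(m["qname"]):
            hits[m["host"]].append((m["ts"], m["qname"].rstrip(".").lower()))
    return dict(hits)


if __name__ == "__main__":
    for host, lookups in find_telegram_c2_candidates(SAMPLE_DNS_LOG, HOST_ROLES).items():
        print(f"[ALERT] {host}: {len(lookups)} Telegram lookup(s), first at {lookups[0][0]}")
```

The same logic applies to TLS SNI or proxy logs; only the parser changes. If you have no per-host role inventory, start with the subnet that holds your web and Kubernetes nodes.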
Mitigation Recommendations
No patch or vendor advisory exists for PCPJack itself, since it is a threat actor's tool rather than a software vulnerability. Mitigation should focus on the known vulnerabilities PCPJack exploits for initial access and spread, in Next.js, React (React2Shell), the WPVivid Backup and W3 Total Cache plugins, and CentOS Web Panel (CVE-2025-29927, CVE-2025-55182, CVE-2026-1357, CVE-2025-9501, CVE-2025-48703); check each vendor's advisory for the fixed versions. Treat any host where either PCPJack or TeamPCP artifacts are found as fully compromised: because PCPJack removes TeamPCP infections, evidence of one implies the other may be or have been present, and the host was exploitable by both. Audit and rotate every credential reachable from such a host, including environment variables, SSH keys, cloud access keys and tokens, and container registry and Kubernetes credentials, and revoke active sessions and tokens rather than only changing passwords. Monitor for use of those credentials from unexpected sources and for unusual lateral movement within cloud and container environments, and check hosts for unauthorized persistence. Incident response should include credential revocation and forensic analysis. SentinelOne, which published the analysis, provides detection coverage and threat intelligence for PCPJack.
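The "audit and rotate" step is only tractable if you know, per host, every piece of credential material of the kinds the article says PCPJack harvests. Below is an added example (not SentinelOne's or the article's code) that builds that rotation worklist. It looks in the default locations of the AWS CLI, OpenSSH, Docker, kubectl, bitcoind and geth, plus dotenv-style .env files; it reports identifiers rather than secret values, and it includes a constructed sample home directory so it runs offline. On a real host, run it as the user whose home you are checking.

```python
"""Build the credential-rotation worklist for a Linux host.

Added example, not code from SentinelOne or the article. The paths are the
default locations of the AWS CLI, OpenSSH, Docker, kubectl, bitcoind, geth
and dotenv-style app config. Only identifiers are reported, never secret
values. The home directory built by build_sample_home() is constructed.
"""
import configparser
import json
import re
import tempfile
from collections import Counter
from pathlib import Path

# KEY=value lines whose key looks like a secret and whose value is non-empty.
SECRET_ENV_RE = re.compile(
    r"^(?P<key>[A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD|PASSWD)[A-Z0-9_]*)\s*=\s*\S", re.I)
# Default wallet locations for bitcoind and geth, relative to $HOME.
WALLET_PATHS = (".bitcoin/wallet.dat", ".ethereum/keystore")


def _read(path: Path) -> str:
    try:
        return path.read_text(errors="ignore")
    except OSError:  # missing file, directory, or unreadable
        return ""


def aws_profiles(home: Path) -> list:
    p = home / ".aws" / "credentials"
    cp = configparser.ConfigParser()
    cp.read(p)  # yields no sections if the file is absent
    return [("aws_access_key", str(p), cp[s].get("aws_access_key_id", "?")) for s in cp.sections()]


def ssh_private_keys(home: Path) -> list:
    d = home / ".ssh"
    found = []
    for f in sorted(d.iterdir()) if d.is_dir() else []:
        head = _read(f).split("\n", 1)[0] if f.is_file() else ""
        if "PRIVATE KEY" in head:  # PEM/OpenSSH header line, e.g. id_ed25519
            found.append(("ssh_private_key", str(f), head.strip("- ")))
    return found


def docker_registry_auths(home: Path) -> list:
    p = home / ".docker" / "config.json"
    try:
        auths = json.loads(_read(p) or "{}").get("auths", {})
    except ValueError:
        auths = {}
    return [("docker_registry_auth", str(p), reg) for reg in auths]


def kubeconfig_users(home: Path) -> list:
    p = home / ".kube" / "config"
    # Each "users:" entry carries a token or client cert; match only the
    # "- name:" items that are directly followed by a "user:" mapping.
    users = re.findall(r"^\s*- name:\s*(\S+)\s*\n\s+user:", _read(p), re.M)
    return [("kubeconfig_user", str(p), u) for u in users]


def dotenv_secrets(root: Path) -> list:
    found = []
    for f in sorted(root.rglob(".env*")):
        if f.is_file():
            for line in _read(f).splitlines():
                m = SECRET_ENV_RE.match(line.strip())
                if m:
                    found.append(("dotenv_secret", str(f), m["key"]))
    return found


def wallet_files(home: Path) -> list:
    return [("crypto_wallet", str(home / rel), rel) for rel in WALLET_PATHS if (home / rel).exists()]


def inventory(home) -> list:
    """Return (kind, location, identifier) triples: the rotation worklist."""
    home = Path(home)
    items = []
    for fn in (aws_profiles, ssh_private_keys, docker_registry_auths,
               kubeconfig_users, dotenv_secrets, wallet_files):
        items += fn(home)
    return items


def build_sample_home(base) -> Path:
    """Constructed fixture resembling a deploy user's home; every value is fake."""
    home = Path(base) / "home" / "deploy"
    files = {
        ".aws/credentials": "[default]\naws_access_key_id = AKIAEXAMPLE00000001\naws_secret_access_key = fake\n"
                            "[prod]\naws_access_key_id = AKIAEXAMPLE00000002\naws_secret_access_key = fake\n",
        ".ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nfake\n-----END OPENSSH PRIVATE KEY-----\n",
        ".ssh/id_ed25519.pub": "ssh-ed25519 AAAAfake deploy@web-01\n",
        ".docker/config.json": json.dumps({"auths": {"ghcr.io": {"auth": "ZmFrZQ=="}}}),
        ".kube/config": "apiVersion: v1\ncontexts:\n- name: prod\n  context:\n    cluster: prod\n    user: deployer\n"
                        "users:\n- name: deployer\n  user:\n    token: fake\n",
        "app/.env": "DB_PASSWORD=fake\nSTRIPE_SECRET_KEY=sk_test_fake\nAPP_NAME=demo\n",
        ".ethereum/keystore/UTC--2026-05-08T09-00-00.000000000Z--fake": "{}",
    }
    for rel, content in files.items():
        (home / rel).parent.mkdir(parents=True, exist_ok=True)
        (home / rel).write_text(content)
    return home


def demo_counts() -> dict:
    """Run the inventory against the constructed fixture; returns kind -> count."""
    with tempfile.TemporaryDirectory() as tmp:
        items = inventory(build_sample_home(tmp))
    return dict(Counter(kind for kind, _, _ in items))


if __name__ == "__main__":
    for kind, where, ident in inventory(Path.home()):
        print(f"ROTATE  {kind:22s} {ident:40s} {where}")
```

Each (kind, location, identifier) row is one rotation item; the AWS access key IDs, registry hostnames and kubeconfig user names are exactly what you need to revoke on the provider side, and the dotenv keys tell you which application secrets to reissue.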
Technical Details
- Article source: https://www.securityweek.com/pcpjack-worm-removes-teampcp-infections-steals-credentials/ (fetched 2026-05-08T08:36:23Z, 1,213 words)
Threat ID: 69fda087cbff5d8610aee6b8
Added to database: 5/8/2026, 8:36:23 AM
Last enriched: 5/8/2026, 8:36:36 AM
Last updated: 5/8/2026, 4:22:40 PM