PCPJack Worm Erases TeamPCP Malware, Hijacks Cloud Instances for Credential Harvesting
A newly discovered worm is actively hunting exposed cloud instances, wiping out traces of a competing malware strain only to seize control for itself. Security researchers at SentinelOne's SentinelLabs have dubbed the malicious framework "PCPJack" for its predatory habit of stealing previously compromised systems from TeamPCP operators. The worm first surfaced in late April, turning up in the results of a Kubernetes-focused VirusTotal hunting rule, and immediately stood out for its unusual opening move: systematically eliminating all tools associated with TeamPCP attacks before establishing its own foothold.
The behavior initially suggested a possible white-hat cleanup operation. SentinelLabs researchers noted they "initially considered that this toolset could be a researcher removing TeamPCP's infections." That theory collapsed under closer examination of the later-stage payloads, which revealed a comprehensive framework built specifically for cloud credential harvesting. PCPJack isn't sanitizing compromised systems—it's poaching them. The worm represents a calculated effort to displace one threat actor and replace it with another, turning already-vulnerable cloud infrastructure into a fresh attack surface.
The discovery signals an evolution in cloud-targeted malware: threat actors are now competing directly for control of compromised assets rather than simply exploiting them independently. Organizations running exposed cloud instances face compounded risk, as systems already weakened by TeamPCP infections may now be silently transitioned to a more sophisticated credential-harvesting operation. SentinelLabs' findings underscore the danger of assuming any malware removal is benevolent—PCPJack's cleanup routine is purely a hostile takeover, not a rescue.