Answer Brief
Security researchers have identified a new cloud-native malware framework, PCPJack, which specializes in credential theft across Docker, Kubernetes, and Redis environments. Uniquely, the framework actively removes tools associated with the TeamPCP (PCPcat) threat group, suggesting a possible internal rift or turf war over compromised cloud assets.
Why It Matters
The emergence of PCPJack represents a sophisticated shift in cloud-native threats: adversaries are no longer fighting only defenders, but each other. By specifically targeting and 'cleaning' the infrastructure of the TeamPCP (PCPcat) group, the operators of PCPJack, suspected by SentinelOne to be former members of TeamPCP, are effectively hijacking existing compromise vectors for their own use. This 'inter-threat' conflict highlights the value of compromised cloud access. Unlike typical cloud malware that prioritizes cryptojacking, PCPJack focuses exclusively on high-value credential harvesting from Docker, Kubernetes, Redis, and MongoDB. Its wormable nature allows it to spread laterally through DevOps and production environments, posing a significant risk to identity security and data integrity. For global security teams, this signal from East Asia indicates that cloud infrastructure remains a primary battlefield for credential-based attacks, and the removal of one threat actor's tools may simply signal the arrival of a more aggressive competitor rather than a successful remediation.
Event Type: security
Importance: high
Affected Companies
- Aqua Security
- Docker
- Kubernetes
- MongoDB
- Redis
- SentinelOne
Affected Sectors
- Cloud Computing
- Critical Infrastructure
- Cybersecurity
- Financial Services
Key Numbers
- Observed Vulnerable Services: 5+
- Discovery Date: 2026-04-28
Timeline
- TeamPCP conducts 'Operation PCPcat' targeting cloud environments.
- TeamPCP infiltrates Aqua Security's Trivy vulnerability scanner in a supply chain attack.
- SentinelOne identifies a script belonging to the PCPJack malware framework.
- Detailed analysis published regarding PCPJack's eviction of TeamPCP tools.