Hackers Target Hackers: The Rise of the ‘PCPJack’ Campaign – Ankor Tech

In an unusual turn for the cybersecurity landscape, a mysterious group of hackers is systematically targeting systems already compromised by the prolific cybercrime collective known as TeamPCP. According to a new report from SentinelOne, these attackers are actively evicting TeamPCP members from hijacked infrastructure and purging their malicious tools to claim the systems for themselves.

The ‘PCPJack’ Operation: A Digital Hostile Takeover

Dubbed “PCPJack” by SentinelOne senior researcher Alex Delamotte, this campaign functions as a self-spreading worm within cloud environments. Once the attackers breach a system, they remove existing TeamPCP malware, deploy their own replication code, and begin exfiltrating sensitive credentials back to their own private infrastructure.

TeamPCP has recently dominated security headlines due to high-profile breaches, including the compromise of European Commission cloud infrastructure and the widely used Trivy vulnerability scanner. The latter attack impacted numerous entities, including the AI recruiting startup Mercor and LiteLLM.

Who is Behind the PCPJack Attacks?

The identity of the group behind PCPJack remains unconfirmed. Delamotte outlines three primary theories regarding the perpetrators:

  • Disgruntled former members of TeamPCP seeking retribution or control.
  • A rival cybercrime organization looking to seize established victim networks.
  • A third party that has meticulously modeled its attack architecture after TeamPCP’s previous campaigns.

SentinelOne notes that the targets of PCPJack closely mirror those hit by TeamPCP during the December-January period, prior to internal group shifts observed between February and March.

Operational Tactics and Financial Motivations

While the primary focus is the eviction of TeamPCP, the attackers are also scanning the broader internet for exposed services, including MongoDB databases and Docker virtual machine platforms. The operation is clearly profit-driven, with the hackers utilizing the stolen data in several ways:

  • Initial Access Brokering: Reselling access to compromised machines to other cybercriminals.
  • Credential Theft: Directly monetizing stolen login data.
  • Extortion: Pressuring victims for direct payouts.
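The report says the attackers scan the internet for exposed MongoDB and Docker services, so the practical defender's question is whether any of your own hosts expose those ports beyond loopback. The following audit script is an added example and is not code from the SentinelOne report or from Ankor Tech; the port list, the sample `ss -H -ltn` output and the function names are constructed assumptions for illustration.

```python
import ipaddress
import subprocess

# Ports for the service types the report names as scan targets (assumed
# list, not taken from SentinelOne): MongoDB and the Docker Engine API
# when it is bound to a TCP socket instead of the default Unix socket.
WATCHED_PORTS = {
    27017: "MongoDB",
    2375: "Docker Engine API (unencrypted TCP)",
    2376: "Docker Engine API (TLS TCP)",
}

# Constructed sample of `ss -H -ltn` output (listening TCP sockets, header
# suppressed). Only the first and fourth fields matter to the parser.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:27017 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 *:27017 *:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Yield (host, port) for every LISTEN line in `ss -ltn` style output.

    Handles the IPv4 (0.0.0.0:2375), bracketed IPv6 ([::]:22) and
    wildcard (*:27017) forms that ss prints in the Local Address column.
    """
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if host and port.isdigit():
            yield host, int(port)


def is_non_loopback_bind(host):
    """True when a bind address is reachable from off-host (or cannot be parsed)."""
    bare = host.strip("[]")
    if bare == "*":
        return True
    try:
        # 0.0.0.0 and :: are "unspecified", not loopback, so they count as exposed.
        return not ipaddress.ip_address(bare).is_loopback
    except ValueError:
        # Unknown address form: flag it so a human reviews it rather than silently passing.
        return True


def find_exposed(ss_output, watched=WATCHED_PORTS):
    """Return [(service, host, port)] for watched ports bound beyond loopback."""
    exposed = []
    for host, port in parse_listeners(ss_output):
        if port in watched and is_non_loopback_bind(host):
            exposed.append((watched[port], host, port))
    return exposed


if __name__ == "__main__":
    # When run directly on a Linux host, audit the live socket table.
    try:
        live = subprocess.run(
            ["ss", "-H", "-ltn"], capture_output=True, text=True, check=True
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("ss not available; auditing the constructed sample instead")
        live = SAMPLE_SS_OUTPUT
    for service, host, port in find_exposed(live):
        print(f"EXPOSED: {service} listening on {host}:{port}")
```

On the constructed sample the script flags the Docker API on 0.0.0.0:2375 and MongoDB on *:27017, while the loopback-only MongoDB instance on 127.0.0.1 passes. A hit on port 2375 deserves immediate attention, since the unencrypted Docker API has no authentication of its own; the usual fixes are binding the daemon back to its Unix socket, or fronting it with TLS client certificates and a firewall rule, and requiring authentication on MongoDB.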

Interestingly, the group has avoided cryptocurrency mining, a tactic often used by other hackers, likely due to the time-intensive nature of that revenue stream. Instead, they are utilizing phishing tactics, including fake help desk websites and domains designed to harvest credentials from popular password managers.

The attackers even maintain a digital tally of their successful “evictions,” sending real-time statistics back to their command-and-control infrastructure to track the scale of their takeover campaign.