iT4iNT SERVER Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer http://dlvr.it/TSmFlC VDS VPS Cloud
PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems
Cybersecurity researchers have disclosed details of a new credential theft framework dubbed PCPJack that targets exposed cloud infrastructure and ousts any artifacts linked to TeamPCP from the environments. "The toolset harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting to spread to additional hosts," SentinelOne security researcher Alex Delamotte said in a report.
The Target: Cloud Infrastructure at Scale
PCPJack is specifically designed to target cloud services like:
- Docker: Container orchestration platforms
- Kubernetes: Cluster management systems
- Redis: In-memory data stores
- MongoDB: NoSQL databases
- RayML: Machine learning frameworks
- Vulnerable web applications: Exposed admin panels and APIs
This targeting allows the operators to spread in a worm-like fashion and move laterally within compromised networks.
The Endgame: Credential Monetization
It's assessed that the end goal of the cloud attack campaign is to generate illicit revenue for the threat actors through:
- Credential theft: Selling access to compromised cloud accounts
- Fraud: Using stolen credentials for financial scams
- Spam: Leveraging compromised infrastructure for mass mailing
- Extortion: Ransoming access or threatening data leaks
- Resale: Selling stolen access on dark web markets
What makes this activity notable is that it lacks a cryptocurrency mining component, unlike TeamPCP. While it's not known why this obvious monetization strategy was not adopted, the similarities between the two clusters indicate that PCPJack could be the work of a former member of TeamPCP who is familiar with the group's tradecraft.
The Attack Chain: Six Python Payloads
The starting point of the attack is a bootstrap shell script that prepares the environment, downloads next-stage tooling, and simultaneously takes steps to infect its own infrastructure, terminate TeamPCP artifacts, install Python, establish persistence, download six Python scripts, launch the orchestration script, and remove itself.
The six Python payloads are:
1. worm.py (monitor.py)
The main orchestrator that:
- Launches purpose-built modules
- Conducts local credential theft
- Propagates the toolset to other hosts by exploiting known flaws (CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703)
- Uses Telegram for command-and-control (C2)
2. parser.py (utils.py)
Handles credential extraction to categorize stolen keys and secrets.
3. lateral.py (_lat.py)
Facilitates reconnaissance, harvests secrets, and enables lateral movement across:
- SSH
- Kubernetes
- Docker
- Redis
- RayML
- MongoDB
4. crypto_util.py (_cu.py)
Encrypts credentials before exfiltration to the attacker's Telegram channel.
5. cloud_ranges.py (_cr.py)
Collects IP address ranges assigned to:
- Amazon Web Services (AWS)
- Google Cloud
- Microsoft Azure
- Cloudflare
- Cloudfront
- Fastly
The data is refreshed every 24 hours to maintain an up-to-date target list.
6. cloud_scan.py (_csc.py)
Runs cloud port scanning for external propagation via Docker, Kubernetes, MongoDB, RayML, or Redis services.
The Data Source: Common Crawl
Propagation targets for the orchestrator script come from parquet files that the worm pulls directly from Common Crawl, a non-profit that crawls the web and provides its archives and datasets to the public at no cost.
This is a brilliant (and sinister) innovation: instead of scanning randomly, the worm uses pre-indexed internet-wide scan data to find exposed cloud infrastructure efficiently.
The TeamPCP Connection: A Splinter Group?
What makes PCPJack particularly interesting is its relationship with TeamPCP, a threat actor that rose to prominence late last year by exploiting known security vulnerabilities and misconfigurations in cloud services.
Key observations:
- Significant targeting overlaps: Same cloud services, same vulnerabilities
- Active eviction: PCPJack removes TeamPCP artifacts from compromised environments
- "PCP replaced" metrics: The operator tracks whether TeamPCP has been evicted and reports this to C2
- No cryptocurrency mining: Unlike TeamPCP, PCPJack doesn't deploy miners
- Well-defined crypto credential scopes: Despite no mining, the worm specifically targets cryptocurrency-related credentials
SentinelOne notes: "When exfiltrating system information and credentials, the PCPJack operator even collects success metrics on whether TeamPCP has been evicted from targeted environments in a 'PCP replaced' field sent to the C2. This implies a direct focus on the threat actor's activities rather than pure cloud attack opportunism."
The assessment: PCPJack could be the work of a former member of TeamPCP who is familiar with the group's tradecraft and is now competing directly with their former associates.
Additional Infrastructure: Sliver C2 Framework
Further analysis has uncovered another shell script ("check.sh") that:
- Detects the CPU architecture
- Fetches the appropriate Sliver binary (an open-source C2 framework)
- Scans Instance Metadata Service (IMDS) endpoints
- Scans Kubernetes service accounts
- Scans Docker instances for credentials
Targeted credentials include those associated with:
- Anthropic
- Digital Ocean
- Discord
- Google API
- Grafana Cloud
- HashiCorp Vault
- OnePassword
- OpenAI
These credentials are transmitted to an external server for monetization.
Reflection: The Industrialization of Cloud Crime
1. The Worm-Like Propagation Model
PCPJack represents the evolution of cloud attacks from "manual intrusion" to "automated epidemic." By exploiting known CVEs and using Common Crawl data for target selection, the worm can spread exponentially without human intervention.
This is the cloud equivalent of the Mirai botnet—but instead of IoT cameras, it's infecting cloud infrastructure. The implications are staggering:
- Speed: Thousands of systems can be compromised in hours
- Scale: No manual effort required per victim
- Resilience: Decentralized, worm-like spread makes takedown difficult
2. The Common Crawl Weaponization
Using Common Crawl for target selection is ingenious. Common Crawl provides:
- Comprehensive coverage: Billions of web pages indexed
- Free access: No cost to the attacker
- Regular updates: Fresh data constantly available
- Legitimacy: It's a respected research resource, not a hacker tool
This turns a public good into a weapon. The attackers don't need to scan the internet themselves (which would be slow and noisy). They just download the pre-scanned data and attack the exposed services.
3. The Gang Civil War
The PCPJack vs. TeamPCP dynamic suggests a cybercriminal civil war. A former member (or faction) has split off and is now actively evicting their former associates from compromised infrastructure.
This is unprecedented in cloud crime. We've seen ransomware gangs compete, but not actively evict each other from victims. The "PCP replaced" metric sent to C2 implies:
- Territorial disputes: Cloud infrastructure as "turf"
- Scorekeeping: Tracking eviction success as a metric
- Resource competition: Fighting over the same victim pool
For defenders, this is both good and bad news:
- Good: Attackers are distracted by infighting
- Bad: The competition drives innovation in attack techniques
4. The Telegram C2 Standard
PCPJack uses Telegram for command-and-control, continuing a trend we've seen across multiple campaigns. Telegram offers:
- Legitimate traffic: Telegram API calls blend with normal usage
- Encryption: Built-in TLS makes inspection difficult
- Resilience: Hard to take down (decentralized infrastructure)
- Ease of use: Simple bot API for C2 commands
For security teams, blocking Telegram is not feasible (it's a legitimate communication platform). This means behavioral detection is the only option.
5. The Absence of Mining
PCPJack's lack of cryptocurrency mining is puzzling. Cryptojacking is:
- Easy to deploy: Miners are readily available
- Passive income: Earns money without additional victim interaction
- Low risk: Mining itself isn't illegal (using stolen compute is, but hard to trace)
The fact that PCPJack avoids mining but specifically targets cryptocurrency credentials suggests:
- Higher-value targets: Stealing crypto wallets is more profitable than mining
- Operational security: Mining creates noticeable CPU load, increasing detection risk
- Specialization: The operators focus on credential theft, leaving mining to others
Lessons for Cloud Security Teams
1. Assume Exposure
If your cloud infrastructure is internet-accessible, it's on Common Crawl. If it's on Common Crawl, PCPJack (or something like it) will find it. The question is not if you'll be scanned, but when.
2. Patch the Five CVEs
PCPJack exploits five known vulnerabilities:
- CVE-2025-55182
- CVE-2025-29927
- CVE-2026-1357
- CVE-2025-9501
- CVE-2025-48703
If you haven't patched these, you're low-hanging fruit.
3. Segment and Isolate
Cloud services should never be directly internet-accessible unless absolutely necessary:
- Use VPCs and private subnets
- Implement strict security groups
- Require authentication for all services (even Redis, MongoDB)
- Use bastion hosts for administrative access
4. Monitor for Worm Behavior
Watch for:
- Unexpected outbound connections to Telegram APIs
- Rapid scanning activity from cloud instances
- Python processes spawning in containers
- Unknown scripts in /tmp or /var/tmp
- Credential files being accessed en masse
5. Rotate Cloud Credentials
If you suspect compromise:
- Rotate all API keys and access tokens
- Revoke and reissue service account credentials
- Audit IAM policies for unauthorized changes
- Check for unknown enrolled devices or services
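The indicators listed under "Monitor for Worm Behavior" can be turned into simple correlation rules over host telemetry. The following is an added example written for this article, not code from the SentinelOne report or from any detection product: the event format, the service port list, the credential file names and the thresholds are all assumptions, and the telemetry is constructed inline.

```python
"""Detect PCPJack-style worm indicators in constructed host telemetry.
Added example, not code from the report or from SentinelOne; the event
format, ports and thresholds are assumptions. Each event is a dict with
'ts' (epoch seconds), 'host', 'type' and type-specific fields.
"""
import os
from collections import defaultdict

# Ports of services the worm probes (Redis, MongoDB, Docker API, Kubernetes
# API/kubelet, Ray dashboard); the list is an assumption for this example.
SERVICE_PORTS = {6379, 27017, 2375, 2376, 6443, 10250, 8265}
CREDENTIAL_PATHS = (".aws/credentials", ".kube/config", ".docker/config.json",
                    ".git-credentials", ".npmrc", ".env")
SCAN_THRESHOLD, SCAN_WINDOW = 20, 60   # distinct service targets per window (s)
CRED_THRESHOLD, CRED_WINDOW = 4, 30    # distinct credential files per window (s)


def _in_temp(path):
    return path.startswith(("/tmp/", "/var/tmp/"))


def detect(events):
    """Return (rule, host, detail) findings for a chronological event list."""
    findings, fired = [], set()
    scans = defaultdict(list)   # host -> [(ts, dst)] on service ports
    creds = defaultdict(list)   # host -> [(ts, path)] of credential files
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "exec":
            script = next((a for a in ev["argv"] if _in_temp(a)), None)
            if script:   # unknown script launched from /tmp or /var/tmp
                findings.append(("script_in_tmp", host, script))
            if ev.get("container") and os.path.basename(ev["exe"]).startswith("python"):
                findings.append(("python_in_container", host, ev["container"]))
        elif kind == "connect":
            dst, port = ev["dst"], ev["port"]
            if dst == "api.telegram.org" or dst.endswith(".telegram.org"):
                findings.append(("telegram_c2", host, f"{dst}:{port}"))
            if port in SERVICE_PORTS:
                scans[host].append((ev["ts"], dst))
                recent = {d for t, d in scans[host] if ev["ts"] - t <= SCAN_WINDOW}
                if len(recent) >= SCAN_THRESHOLD and ("rapid_scan", host) not in fired:
                    fired.add(("rapid_scan", host))   # report each host once
                    findings.append(("rapid_scan", host, f"{len(recent)} targets in {SCAN_WINDOW}s"))
        elif kind == "open" and ev["path"].endswith(CREDENTIAL_PATHS):
            creds[host].append((ev["ts"], ev["path"]))
            recent = {p for t, p in creds[host] if ev["ts"] - t <= CRED_WINDOW}
            if len(recent) >= CRED_THRESHOLD and ("mass_credential_access", host) not in fired:
                fired.add(("mass_credential_access", host))
                findings.append(("mass_credential_access", host, sorted(recent)))
    return findings


def sample_events():
    """Constructed telemetry: a benign host (web-2) and an infected one (web-1)."""
    ev = [{"ts": 0, "host": "web-2", "type": "exec", "exe": "/usr/bin/node",
           "argv": ["node", "/srv/app/server.js"], "container": "api"},
          {"ts": 1, "host": "web-2", "type": "connect", "dst": "10.0.1.5", "port": 5432},
          {"ts": 10, "host": "web-1", "type": "exec", "exe": "/usr/bin/python3",
           "argv": ["python3", "/tmp/.x/monitor.py"], "container": "redis"},
          {"ts": 11, "host": "web-1", "type": "connect", "dst": "api.telegram.org", "port": 443}]
    for i in range(25):   # Redis port sweep across a /24 inside one minute
        ev.append({"ts": 12 + i, "host": "web-1", "type": "connect", "dst": f"10.0.3.{i + 1}", "port": 6379})
    for p in ("/root/.aws/credentials", "/root/.kube/config", "/root/.docker/config.json", "/root/.git-credentials"):
        ev.append({"ts": 40, "host": "web-1", "type": "open", "path": p})
    return ev
```

A finding on any one rule is only a lead; the combination of a script in /tmp, a Telegram connection and a service-port sweep from the same host is what justifies starting the credential rotation steps above.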
Conclusion
PCPJack represents the industrialization of cloud credential theft. It's not a targeted intrusion—it's a cloud epidemic, spreading automatically across exposed infrastructure, evicting competitors, and harvesting credentials at scale.
The use of Common Crawl for target selection, Telegram for C2, and a modular Python architecture shows a level of sophistication that belies the "script kiddie" stereotype of cloud attackers. This is professional-grade cybercrime, optimized for scale and efficiency.
For cloud security teams, the lesson is clear: exposure equals infection. The only defense is aggressive patching, network segmentation, credential rotation, and behavioral monitoring. In the age of cloud worms, paranoia is a survival skill.
MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack
The Iranian state-sponsored hacking group known as MuddyWater (also referred to as Mango Sandstorm, Seedworm, and Static Kitten) has been linked to a sophisticated ransomware attack that was designed as a "false flag" operation. In a stunning display of social engineering, the group leveraged Microsoft Teams to infiltrate targets and steal credentials, all while masquerading as a financially motivated cybercriminal group.
The Anatomy of a False Flag
The attack, observed by Rapid7 in early 2026, initially appeared to be the work of a Ransomware-as-a-Service (RaaS) group operating under the brand Chaos. Chaos is known for a "quadruple extortion" model: encrypting files, stealing data, threatening DDoS attacks, and contacting the victim's customers or competitors.
However, the reality was far more strategic. Evidence points to a state-backed operation that used the Chaos brand as a layer of cover. This "false flag" approach serves two primary purposes:
- Obfuscation: By using the tools and personas of cybercriminals, MuddyWater muddies the attribution process, making it harder for defenders to realize they are facing a nation-state adversary.
- Diversion: The threat of ransomware focuses the victim's attention on immediate financial impact and data recovery, potentially delaying the discovery of deep-seated persistence mechanisms.
The Attack Chain: Social Engineering via Microsoft Teams
Unlike traditional ransomware that might start with a phishing email, this campaign utilized a "high-touch" social engineering phase conducted entirely through Microsoft Teams.
Phase 1: The Infiltration
Attackers initiated external chat requests via Teams to engage employees. They used interactive screen-sharing sessions to build trust and manipulate users into:
- Harvesting credentials in real-time
- Manipulating multi-factor authentication (MFA) prompts to gain unauthorized access
- Tricking users into installing remote management tools like AnyDesk and Microsoft Quick Assist
Phase 2: Persistence and Reconnaissance
Once inside, the group bypassed traditional ransomware workflows. Instead of immediately encrypting files, they focused on:
- Data Exfiltration: Stealing sensitive information before any alert was triggered
- Deep Persistence: Deploying remote management tools like DWAgent to maintain access regardless of password changes
- Internal Recon: Executing discovery commands and accessing VPN configuration files to map the internal network
Phase 3: The Payload
The group deployed a multi-stage infection chain. A binary called ms_upd.exe (aka Stagecomp) collected system info and dropped further payloads, including game.exe (aka Darkcomp)—a bespoke RAT that masquerades as a legitimate Microsoft WebView2 application.
The MuddyWater Signature
The link to MuddyWater was cemented through the use of a specific code-signing certificate attributed to "Donald Gay." This certificate has been a hallmark of the group, used previously to sign malware like the CastleLoader downloader.
This campaign is part of a broader trend where MuddyWater is increasingly relying on "off-the-shelf" cybercrime tools (like CastleRAT and Tsundere) to further blur the lines between state espionage and criminal activity.
Why This Matters: The Convergence of State and Crime
This operation highlights a dangerous shift in the threat landscape: the convergence of state-sponsored intrusion and cybercriminal tradecraft.
1. Plausible Deniability
By participating in RaaS affiliate programs (like Qilin or Chaos), state actors gain a layer of plausible deniability. If an attack is discovered, the "criminal" brand takes the blame, while the state actor achieves its strategic intelligence objectives.
2. Operational Flexibility
Using criminal toolkits allows state actors to avoid the "signature" of their own custom malware, which is often tracked by top-tier security firms. It gives them a library of diverse, effective tools without the need for internal development investment.
3. The Psychological Game
Ransomware creates a sense of urgency and panic. By mimicking a ransomware attack, MuddyWater can force a victim to make quick, potentially flawed decisions, which the attackers then exploit to deepen their access.
Reflection: The Erosion of Trust in Collaboration Tools
The use of Microsoft Teams as the primary entry point is a wake-up call for the modern enterprise.
1. The "Trusted Channel" Fallacy
We have moved from distrusting emails to trusting "collaboration platforms." Many employees assume that if someone can message them on Teams or Slack, they are already "inside" the organization or are a verified partner. Attackers are exploiting this implicit trust.
2. Screen-Sharing as a Weapon
Interactive screen-sharing is an incredibly powerful tool for social engineering. It allows the attacker to guide the victim step-by-step, effectively "holding their hand" through the process of compromising their own system. It bypasses technical controls by manipulating the human operator.
3. MFA is Not a Silver Bullet
The fact that MuddyWater successfully manipulated MFA prompts via Teams shows that MFA is a hurdle, not a wall. Session hijacking and MFA fatigue/manipulation are now standard parts of the state-sponsored playbook.
Lessons for Security Teams
1. Harden Collaboration Platforms
Collaboration tools are no longer just for chatting; they are attack vectors. Organizations should:
- Restrict external chat requests to trusted domains only
- Disable or strictly monitor the use of remote assistance tools (Quick Assist, AnyDesk) within the corporate environment
- Train users to be skeptical of "IT Support" requests that originate from external chat channels
2. Focus on Behavioral Detection
Since attackers are using legitimate tools (DWAgent, AnyDesk, WebView2), signature-based detection will fail. Teams must shift to behavioral monitoring:
- Alert on unusual remote management tool installations
- Monitor for unexpected data exfiltration to unknown cloud endpoints
- Detect "impossible travel" or anomalous login patterns that suggest compromised accounts
3. Assume the "False Flag"
When a ransomware event occurs, do not assume it is purely financial. Investigate whether the "ransomware" is a cover for something deeper. Look for evidence of long-term persistence (RATs, backdoors) that precedes the ransomware deployment.
Conclusion
MuddyWater's use of the Chaos brand is a masterclass in tactical deception. By blending into the noise of the cybercrime underground, they've turned a loud, disruptive attack (ransomware) into a quiet, effective tool for state espionage.
In the modern era of "Cyber-Hybrid Warfare," the line between a criminal and a spy is intentionally blurred. The only way to defend against this is to stop trusting the "brand" of the attack and start analyzing the underlying behavior of the adversary.
iT4iNT SERVER MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack http://dlvr.it/TSPfxb VDS VPS Cloud
iT4iNT SERVER Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft http://dlvr.it/TSK60T VDS VPS Cloud
North Korea Deploys ClickFix Malware to Harvest macOS Credentials
**When a “Critical” Zoom Patch Becomes a Credential Harvester**

A newly identified macOS malware family dubbed **ClickFix** has been linked to a North Korean state‑sponsored hacking unit. The campaign blends fabricated high‑salary job postings with counterfeit Zoom security‑update alerts to trick users into executing a malicious installer. Once installed, the payload silently harvests macOS credentials and relays them to command‑and‑control infrastructure operated from the Korean peninsula.

---

### Key Takeaways

- **Attribution** – Security researchers have traced ClickFix to a known North Korean cyber‑espionage group, expanding the nation’s malware portfolio to target Apple’s desktop ecosystem.
- **Attack vector** – Victims receive polished phishing emails promising lucrative employment or urging immediate installation of a “critical” Zoom security patch; the attached DMG contains the malicious payload.
- **Payload behavior** – After execution, ClickFix logs keystrokes, captures saved passwords, and exfiltrates authentication tokens, enabling prolonged access to corporate networks.
- **Target selection** – The campaign focuses on macOS workstations, a relatively under‑defended segment, especially in organizations that rely heavily on remote‑work tools like Zoom.
- **Defensive gaps** – Many endpoint protection solutions still prioritize Windows binaries, leaving macOS devices vulnerable to novel, cross‑platform malware.
- **Mitigation steps** – Verify software updates through official channels, scrutinize unsolicited job offers, and employ multi‑factor authentication to limit the impact of credential theft.
- **Broader implications** – The operation underscores North Korea’s evolving strategy to diversify attack surfaces, leveraging social engineering to bypass technical safeguards.

---

Stay vigilant against unsolicited software prompts and maintain rigorous verification processes for any employment‑related communications.
#ClickFix #macOSMalware #NorthKorea #CredentialTheft #ZoomPhish #APT #CyberEspionage #MacSecurity #InfoSec #newsababil360 [Read Full Article](https://news.ababil360.com/north-korea-deploys-clickfix-malware-to-harvest-macos-credentials/)
iT4iNT SERVER Microsoft Warns Misconfigured Email Routing Can Enable Internal Domain Phishing http://dlvr.it/TQCD8m VDS VPS Cloud
iT4iNT SERVER 27 Malicious npm Packages Used as Phishing Infrastructure to Steal Login Credentials http://dlvr.it/TQ3PPM VDS VPS Cloud