Unprecedented Cyber Skirmish: ‘PCPJack’ Wipes Out Rival Hackers from Hacked Networks
A highly unusual cyber campaign has emerged where an unknown group of hackers is actively targeting systems previously compromised by a different, prolific cybercrime organization known as TeamPCP. Dubbed “PCPJack” by cybersecurity researchers, this new threat actor effectively takes over control of already-breached networks, evicting TeamPCP’s presence and deploying its own malicious tools.
According to an updated analysis by cybersecurity firm SentinelOne, once PCPJack gains access, its first action is to remove TeamPCP’s access and eradicate their malware. Following this hostile takeover, PCPJack then deploys sophisticated code designed to replicate across various cloud infrastructures, behaving like a self-spreading worm. The primary objective is to steal a wide array of credentials, which are then exfiltrated back to PCPJack’s command-and-control infrastructure.
TeamPCP has garnered significant attention in recent weeks due to a series of high-profile cyberattacks attributed to the group. These incidents include a breach of the European Commission’s cloud infrastructure and a widespread supply-chain attack against Trivy, a widely used vulnerability scanner. The compromise of Trivy subsequently affected numerous enterprises relying on the tool, such as LiteLLM and AI recruiting startup Mercor, among others.
The identity behind PCPJack remains a mystery, as noted by SentinelOne senior researcher Alex Delamotte. Theories suggest the group could be disgruntled former TeamPCP members, a rival cybercrime syndicate, or an entirely separate entity that has modeled its attack tools and strategies on TeamPCP’s earlier campaigns, particularly those focused on cloud infrastructure. While PCPJack does scan the internet for other exposed services like Docker virtual machine platforms and MongoDB databases, SentinelOne’s findings indicate a predominant focus on systems previously compromised by TeamPCP. The group’s motivations appear to be purely financial, centered on monetizing stolen credentials through resale, offering access to hacked systems as initial access brokers, or directly extorting victims. Notably, PCPJack avoids installing crypto-mining software, likely due to the longer timeframes required to yield significant returns from such activities. Furthermore, their attacks have involved using deceptive domains for phishing password manager credentials and creating fake help desk websites.