THREAT OPS › Threat News › PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale
PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale
<h2>Executive Summary</h2> <ul> <li>SentinelLABS has identified PCPJack, a credential theft framework that worms across exposed cloud infrastructure and removes artifacts associated with TeamPCP, a threat actor persona who claimed several high-profile supply chain intrusions throughout early 2026.</li> <li>The toolset harvests credentials from cloud, container, developer, productivity, and financ
Attributed threat actors
- TeamTNTG0139
MITRE ATT&CK techniques
Indicators of compromise
- e41c635e4c3514e266d143d544ad1abde5db3dcfe6cccdf9bb7a218003f8ab6asha256
- 005587975a483876c1fa26b64b418931019be38fsha1
- 01cebc48016395e284ac76afc1816f143ee3e7b6sha1
- 0b86434ca5145636d745222f7e49c903ce6ef538sha1
- 2cd2c5268e41cdece1b0506bcda3b9eba2998119sha1
- 2fab324eb0d927846c8744dc0e217beea65138e0sha1
- 339cbf61c80f757085c5afb7304d69f323bdf87asha1
- 6060da100b5cd587131a1c11a20d6e0108604744sha1
- 848ef1f638807826586802428a7ebafdc710915csha1
- 9c7ab48c9fdbbeecdad8433529bdab38584f0e25sha1
- a20a9924d92c2b06d82b79c0fe87451c650cabecsha1
- c2dd8051d89c4efa71bd67d2df7d9b4bc3e67810sha1
- fed52a4bbac7b5b6ae4f76cab3eadd67e79227e3sha1
- CVE-2025-55182cve
- CVE-2025-29927cve
- CVE-2026-1357cve
- CVE-2025-9501cve
- CVE-2025-48703cve
- https://www.virustotal.com/gui/file/e41c635e4c3514e266d143d544ad1abde5db3dcfe6cccdf9bb7a218003f8ab6a/relationsurl
- https://www.aquasec.com/blog/trivy-supply-chain-attack-what-you-need-to-know/url
- https://www.reversinglabs.com/blog/teampcp-supply-chain-attack-spreadsurl
- https://zerolabs.rubrik.com/blog/pcpcat-campaign-large-scale-exploitation-react2shell-cve-and-cloud-infrastructureurl
- https://flare.io/learn/resources/blog/teampcp-cloud-native-ransomwareurl
- https://parquet.apache.org/docs/url
- https://commoncrawl.org/url
- https://www.theblock.co/post/186132/ftx-collapse-timeline-six-days-that-rocked-the-crypto-industryurl
- https://securitylabs.datadoghq.com/articles/redisraider-weaponizing-misconfigured-redis/url
- https://cdn.cloudfront-js.com:8443/uurl
- 38.242.204.245ipv4
- 38.242.237.196ipv4
- 38.242.245.147ipv4
- 83.171.249.231ipv4
- 161.97.129.25ipv4
- 161.97.135.154ipv4
- 161.97.163.87ipv4
- 161.97.186.175ipv4
- 161.97.187.42ipv4
- 193.187.129.143ipv4
- 213.136.80.73ipv4
- labs.cloudsecurityalliance.orgdomain