DMR News

Hackers Hijack Systems Already Compromised By TeamPCP In New “PCPJack” Campaign

By Jolyen

May 9, 2026

An unidentified group of hackers has been targeting computer systems already compromised by the cybercrime group TeamPCP, removing TeamPCP’s tools and taking over infected infrastructure as part of a new financially motivated hacking campaign uncovered by cybersecurity researchers.

According to a report published by SentinelOne, the newly identified operation has been named “PCPJack.”

Researchers said the attackers first gain access to systems previously breached by TeamPCP, then immediately remove TeamPCP malware and expel the original hackers from the compromised infrastructure.

After taking control of the systems, the attackers deploy self-replicating malicious code capable of spreading across cloud environments, stealing credentials, and transmitting stolen information back to attacker-controlled infrastructure.

Researchers Say Attackers May Have Links To TeamPCP

Alex Delamotte, who identified the campaign, said it remains unclear who is responsible for PCPJack.

Delamotte told TechCrunch that researchers are currently considering several possibilities, including former TeamPCP members, a rival cybercrime group, or another actor copying TeamPCP’s attack methods.

“The services targeted by PCPJack strongly resemble the December-January TeamPCP campaigns, before the alleged change in group membership that happened in February-March,” Delamotte said.

TeamPCP has recently been linked to several major cyberattacks, including breaches involving European Commission cloud systems and attacks connected to the vulnerability scanning platform Trivy.

The Trivy-related incidents reportedly affected organizations including LiteLLM and the AI recruiting startup Mercor.

Cloud Services And Databases Targeted

SentinelOne said PCPJack operators do not exclusively target systems already breached by TeamPCP.

Researchers observed the group actively scanning the internet for exposed cloud infrastructure and online services, including Docker container platforms and MongoDB databases.

Even so, SentinelOne said the attackers appear primarily focused on infrastructure associated with TeamPCP operations.

According to the report, the attackers’ own malware tracks how many compromised systems they successfully remove TeamPCP from and sends that information back to the group’s infrastructure.

Campaign Focused On Credential Theft And Resale

Researchers said the PCPJack operation appears financially motivated.

The attackers steal credentials and monetize them through several methods, including reselling stolen login information, selling access to compromised systems as initial access brokers, or directly extorting victims.

Initial access brokers are cybercriminals who specialize in infiltrating networks and then selling that access to other attackers.

Delamotte said the group does not appear to deploy cryptocurrency mining malware, likely because credential theft and access sales produce faster financial returns.

SentinelOne also observed domains connected to phishing activity during some attacks.

According to Delamotte, the attackers used websites impersonating help desks and services associated with password managers in attempts to steal additional credentials from victims.
