A Cloud Worm Is Hunting Another Cloud Worm. PCPJack Evicts TeamPCP and Steals the Credentials Itself — and the Domain It Exfiltrates To Has Been in Our Index Since April 4.
- Patrick Duggan
The thing that makes this story worth your time is not that another credential-stealing worm is loose in the cloud. It is who the worm is hunting. Security researchers at Hunt.io and SentinelOne have documented a campaign tracked as PCPJack that hijacked roughly two-hundred-thirty servers across Amazon Web Services, Google Cloud, and Microsoft Azure and stitched them into a covert SMTP email-relay network — a distributed machine for sending mail that looks like it comes from legitimate cloud tenants. Hunt.io found it the way these things usually get found: the operator left two directories on an internet-facing command-and-control server open with no password, and inside were the source code, the malware binaries, the deployment logs, the scanning tools, and a live Sliver C2 configuration. The version-3 state file logged two-hundred-thirty successful uploads and executions in a single March deployment run. That is the boring half. Here is the half that matters: before PCPJack steals your credentials, it evicts a rival. It finds TeamPCP's implants on the box, kills the processes, removes the artifacts, and only then takes over. BleepingComputer's headline said it plainly — a new worm that steals credentials and cleans TeamPCP infections. The cloud is now crowded enough that the malware is fighting the malware for the same boxes.
If you have read us this year you know TeamPCP. We have a full indicator set on them going back to March — the cat.py macOS backdoor Sophos recovered, the IP and typosquat domains, the github-ci and actions-bot lookalike domains they use to impersonate CI/CD infrastructure, even the xploitrsturtle2 handle they used to taunt GitHub after a breach. TeamPCP's whole identity is supply-chain credential theft: poison a security scanner or a CI/CD package, harvest the cloud credentials that flow through it, sell or reuse the access. PCPJack targets the same terrain — exposed Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web apps — but with a different monetization at the end of it. It does not just steal; it conscripts the machine into an SMTP relay, syncing its verified proxies every five minutes so the spam-and-phishing pipe stays scalable and hard to blocklist. It persists as a hidden dot-file at /var/tmp/.xs and ships Chisel tunneling and Sliver beacons compiled for AMD64, ARM64, and x86 so it runs on whatever Linux it lands on. SentinelLabs' read is the one that turns this from a curiosity into a pattern: PCPJack was most likely built by a former TeamPCP affiliate or member who spun up their own operation. A defector who knows the tooling, the targets, and the tradecraft — and is now using all three against the crew they left.
Here is our receipt, and we want to be precise about what it is and is not. PCPJack exfiltrates stolen data to a vendor-themed typosquat domain, checkmarx[.]zone — a domain that public reporting ties to TeamPCP's own operations, which is itself a tell about how entangled these two are. That domain has been in our IOC index since April 4, 2026, flagged off the SSL Blacklist feed as malicious command-and-control. The related checkmarx[.]cx audit and telemetry infrastructure landed in our corpus on April 24. We are not claiming we named PCPJack — SentinelOne did that, and Hunt.io did the work of pulling the operation apart from its own exposed server. What we are claiming is narrower and verifiable: the shared infrastructure that connects these two crews was sitting in our feed, tagged as hostile, two months before the worm-versus-worm story broke. A defender consuming our STIX feed in early April would have been blocking the checkmarx[.]zone exfil channel before anyone published the name attached to it. That is the entire point of indexing where the exploits and the infrastructure stage rather than waiting for the vendor write-up — the indicator is useful the day it is malicious, not the day it is famous.
Now the shape, because the shape is the part that predicts the next one. This is the trust lifecycle running its course inside the criminal ecosystem itself, and it is the same arc we have traced through dark markets, exchanges, and ransomware brands: a crew proves a capability, the capability attracts members, a member learns enough to leave, and the defector turns the insider knowledge into a competing operation that cannibalizes the original. PCPJack is not attacking enterprises in a vacuum — it is attacking TeamPCP's installed base, because TeamPCP already did the hard work of compromising those cloud boxes, and re-compromising a box someone else already opened is cheaper than finding a virgin target. Cloud credential theft has matured into a market with enough margin that it now has competitors, turf, and hostile takeovers. The eviction routine is not malice for its own sake; it is a business removing a rival from contested inventory. When that happens in a legal market we call it consolidation. The mechanics are identical.
The defender takeaway is blunt and does not depend on which worm wins. If you run cloud workloads, the exposure that lets either of these crews in is the same exposure: an internet-reachable Docker socket, an unauthenticated Redis or MongoDB, a Kubernetes API with weak RBAC, a RayML dashboard with no auth, a web app with a known unpatched flaw. Hunt that surface tonight. Look for the persistence: a hidden file at /var/tmp/.xs, unexpected Sliver or Chisel processes, outbound SMTP from hosts that have no business sending mail, and proxy traffic syncing on a five-minute cadence. Block the shared infrastructure — checkmarx[.]zone and the checkmarx[.]cx telemetry endpoints are in our free STIX feed already, alongside the TeamPCP indicator set. And rotate any cloud credential that lived on an exposed service, because both crews are credential harvesters first; the SMTP relay and the supply-chain poisoning are just what they do with the keys after they have them.
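A host-and-network triage script for the hunt described in this paragraph, added here as an example; it is not code from the post, from Hunt.io or from SentinelOne. The only page-derived indicators are the /var/tmp/.xs path, the Sliver and Chisel process names, the five-minute sync cadence and the checkmarx[.]zone / checkmarx[.]cx domains (refanged so they match real DNS logs). Every host name, flow, timestamp and log line below is constructed sample input, and the log formats the parsers expect (ps-style process lines, DNS lines with the query name as the last field, ISO-8601 connection timestamps) are assumptions about your telemetry, not formats the post specifies.

```python
"""Triage checks for the PCPJack / TeamPCP exposure: persistence, implant
processes, unexpected outbound SMTP, fixed-cadence beaconing, IOC domains.
Added example; sample data is constructed, log formats are assumptions."""
from collections import defaultdict
from datetime import datetime
import os
import re

# Indicators from the post (domains refanged for matching).
IOC_DOMAINS = {"checkmarx.zone", "checkmarx.cx"}
PERSISTENCE_PATHS = ["/var/tmp/.xs"]
IMPLANT_PATTERN = re.compile(r"\bsliver\b|\bchisel\b|/var/tmp/\.xs", re.IGNORECASE)
SMTP_PORTS = {25, 465, 587}
SYNC_CADENCE_SEC = 300  # "syncing its verified proxies every five minutes"


def check_persistence(paths=PERSISTENCE_PATHS, exists=os.path.exists):
    """Return the persistence paths present on this host. `exists` is
    injectable so the check can run against constructed data."""
    return [p for p in paths if exists(p)]


def suspicious_processes(ps_lines):
    """Flag `ps -eo pid,user,comm,args`-style lines naming Sliver, Chisel
    or the hidden dot-file binary."""
    return [line.strip() for line in ps_lines if IMPLANT_PATTERN.search(line)]


def unexpected_smtp(flows, allowed_mail_hosts):
    """flows: (src_host, dst_ip, dst_port). Return sources talking SMTP that
    are not on the allow-list of hosts with business sending mail."""
    return sorted({src for src, _dst, port in flows
                   if port in SMTP_PORTS and src not in allowed_mail_hosts})


def beaconing_hosts(conn_events, cadence=SYNC_CADENCE_SEC, jitter=20, min_hits=4):
    """conn_events: (src_host, ISO-8601 timestamp). Return hosts whose
    outbound connections recur at a fixed interval within `jitter` seconds
    of `cadence`; fewer than `min_hits` events is not enough to judge."""
    by_host = defaultdict(list)
    for host, ts in conn_events:
        by_host[host].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    flagged = []
    for host, times in by_host.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if all(abs(g - cadence) <= jitter for g in gaps):
            flagged.append(host)
    return sorted(flagged)


def ioc_domain_hits(dns_lines, iocs=IOC_DOMAINS):
    """Match DNS query logs (query name assumed to be the last field) against
    the IOC domains, including their subdomains; the legitimate vendor
    domain checkmarx.com must not match."""
    hits = []
    for line in dns_lines:
        qname = line.split()[-1].rstrip(".").lower()
        if any(qname == d or qname.endswith("." + d) for d in iocs):
            hits.append(qname)
    return hits


# Constructed sample telemetry for a stand-alone run.
SAMPLE_PS = [
    "1234 root sshd /usr/sbin/sshd -D",
    "2345 www-data .xs /var/tmp/.xs",
    "3456 root chisel /usr/local/bin/chisel client 203.0.113.5:8080 socks",
]
SAMPLE_FLOWS = [("web-01", "198.51.100.7", 25), ("mailgw-01", "198.51.100.7", 25),
                ("api-02", "198.51.100.9", 587), ("web-01", "198.51.100.9", 443)]
ALLOWED_MAIL = {"mailgw-01"}
SAMPLE_CONNS = [("web-01", "2026-04-04T10:00:00Z"), ("web-01", "2026-04-04T10:05:02Z"),
                ("web-01", "2026-04-04T10:10:01Z"), ("web-01", "2026-04-04T10:15:03Z"),
                ("web-01", "2026-04-04T10:20:00Z"), ("api-02", "2026-04-04T10:00:00Z"),
                ("api-02", "2026-04-04T10:01:00Z"), ("api-02", "2026-04-04T10:09:00Z"),
                ("api-02", "2026-04-04T10:30:00Z"), ("db-03", "2026-04-04T10:00:00Z"),
                ("db-03", "2026-04-04T10:05:00Z")]
SAMPLE_DNS = ["2026-04-04T10:00:01Z web-01 query A checkmarx.zone",
              "2026-04-04T10:00:05Z web-01 query A sub.checkmarx.cx",
              "2026-04-04T10:00:09Z api-02 query A checkmarx.com"]


def triage(ps_lines, flows, allowed_mail, conn_events, dns_lines, exists=os.path.exists):
    """Run every check and return the findings as one dict."""
    return {"persistence": check_persistence(exists=exists),
            "implant_processes": suspicious_processes(ps_lines),
            "unexpected_smtp": unexpected_smtp(flows, allowed_mail),
            "beaconing": beaconing_hosts(conn_events),
            "ioc_dns": ioc_domain_hits(dns_lines)}


if __name__ == "__main__":
    for check, findings in triage(SAMPLE_PS, SAMPLE_FLOWS, ALLOWED_MAIL,
                                  SAMPLE_CONNS, SAMPLE_DNS).items():
        print(f"{check}: {findings or 'nothing found'}")
```

On a real host the persistence check uses the filesystem as-is; the other four take your own process listing, flow records, connection timestamps and DNS logs. The beaconing check deliberately refuses to judge a host on fewer than four connections, and the jitter window absorbs the few seconds of drift a five-minute timer picks up, so a host that syncs at 300, 302, 299 seconds is still flagged while ordinary irregular traffic is not.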
The honest 95%: we cannot independently confirm SentinelLabs' assessment that PCPJack is a TeamPCP defector rather than an unrelated crew that simply learned to evict a competitor — that attribution is theirs, it is reasoned, and we are repeating it as the most credible read, not as our own finding. We cannot tell you the node count is final; an operation discovered through its own open directory is an operation still in motion, and two-hundred-thirty is the number from one March state file, not a census. And we cannot promise this is the last defector worm, because the conditions that produced it — a mature criminal market with portable tooling and contested cloud inventory — are not going away. What we can tell you is that the domain the new worm trusts with its stolen data was in our index, tagged hostile, on April 4. The worms change names and turn on each other. The infrastructure leaves a trail, and we were already standing on it.