SentinelOne and Hunt.io have detailed PCPJack, a credential-theft framework that hijacks cloud servers across AWS, Google Cloud, and Azure to build a covert SMTP relay network, while also terminating artifacts of the rival TeamPCP group. Built around a Sliver-integrated SMTP proxy toolkit with Chisel tunneling for multiple Linux architectures, it drops a hidden binary at /var/tmp/.xs and assigns each Sliver beacon a SOCKS5 port derived from an MD5 of its UUID. A deployer script runs an SMTP 'quality gate' that probes outbound connectivity to smtp.gmail.com:587; hosts that cannot relay email are discarded. A C2-side Python daemon continuously re-tests the Chisel tunnels for SMTP capability and prunes those that fail. Around 230 servers were compromised.
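As an added defensive illustration (not code from SentinelOne, Hunt.io, or the reports they published), the following Python flags hosts showing the two host-level indicators named above: execution of the hidden /var/tmp/.xs binary, and outbound SMTP submission to smtp.gmail.com:587 from a server that has no mail-sending role. The telemetry format, field names, and host names are constructed for this example.

```python
# Constructed sample telemetry (not from the original reports): one event per line,
# "host=<name> type=<exec|conn> ...". The key=value format is an assumption.
SAMPLE_EVENTS = """\
host=web-01 type=exec path=/usr/sbin/nginx
host=web-01 type=exec path=/var/tmp/.xs
host=web-01 type=conn dst=smtp.gmail.com dport=587
host=db-02 type=conn dst=10.0.0.5 dport=5432
host=mail-01 type=conn dst=smtp.gmail.com dport=587
host=api-03 type=exec path=/var/tmp/.xs
"""

# Hosts whose role legitimately includes outbound mail submission (assumed inventory).
MAIL_ROLE_HOSTS = {"mail-01"}

HIDDEN_BINARY = "/var/tmp/.xs"   # drop path named in the reports
SMTP_SUBMISSION_PORT = "587"     # port probed by the reported 'quality gate'
SMTP_PROBE_HOST = "smtp.gmail.com"


def parse_event(line):
    """Split 'k=v k=v ...' into a dict; values may contain '=' after the first."""
    return dict(kv.split("=", 1) for kv in line.split())


def score_events(text, mail_hosts=MAIL_ROLE_HOSTS):
    """Return {host: [reasons]} for hosts that match at least one indicator."""
    findings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        host = ev["host"]
        reasons = findings.setdefault(host, [])
        if ev["type"] == "exec" and ev.get("path") == HIDDEN_BINARY:
            reasons.append("hidden binary executed: " + HIDDEN_BINARY)
        elif (ev["type"] == "conn" and ev.get("dport") == SMTP_SUBMISSION_PORT
              and ev.get("dst", "") == SMTP_PROBE_HOST and host not in mail_hosts):
            # Outbound mail submission from a non-mail host is the relay 'quality gate'.
            reasons.append("unexpected outbound SMTP submission to " + ev["dst"])
    return {h: r for h, r in findings.items() if r}


def triage(findings):
    """Both indicators on one host -> high; a single indicator -> medium."""
    return {h: ("high" if len(r) >= 2 else "medium") for h, r in findings.items()}


if __name__ == "__main__":
    for host, sev in triage(score_events(SAMPLE_EVENTS)).items():
        print(host, sev)
```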
BleepingComputer and The Hacker News disclosed a new credential-stealing worm called PCPJack that hunts and removes the well-established TeamPCP malware family before installing itself - the first observed case of one cybercrime operation systematically displacing another at scale. PCPJack exploits five separate vulnerabilities to spread worm-like across cloud and Linux environments, then steals SSH keys, AWS credentials, GitHub tokens, and other secrets. Operators replace TeamPCP files in place rather than just disabling them, suggesting an attempt to inherit TeamPCP's existing victim base. The pattern signals a maturing cybercrime market.