In a rare twist on the typical cybersecurity narrative, malicious actors are turning their weapons against each other. A new report from cybersecurity firm SentinelOne reveals an unusual campaign dubbed “PCPJack,” where an unknown group of hackers is systematically targeting systems already compromised by TeamPCP, a prolific cybercrime syndicate.
Rather than attacking innocent corporations or individuals, these intruders are breaking into environments TeamPCP has already infected, forcibly ejecting the original attackers, removing their tools, and seizing control for themselves. This phenomenon highlights a growing trend in the cyber underworld: competition for compromised infrastructure is becoming as fierce as competition for victims.
The Mechanics of “PCPJack”
The PCPJack operation functions like a digital eviction notice. Once the hackers gain entry to a system under TeamPCP’s control, they immediately deploy code designed to:
- Displace the incumbent: Remove TeamPCP’s malicious tools and kick out their access.
- Spread laterally: Replicate across cloud infrastructure using worm-like techniques.
- Harvest credentials: Steal login data and other sensitive information.
- Exfiltrate data: Send the stolen assets back to the PCPJack operators’ own servers.
SentinelOne researchers noted that the attackers’ tools even keep a running tally of successful evictions, sending this metric back to their command-and-control infrastructure. This suggests a highly organized operation focused on efficiency and scale.
Who Is Behind the Attack?
The identity of the PCPJack group remains unknown, but SentinelOne senior researcher Alex Delamotte has proposed three likely scenarios:
- Disgruntled Insiders: Former members of TeamPCP seeking revenge or cutting off their former employers.
- Rival Criminal Groups: Competing syndicates looking to steal high-value targets from TeamPCP.
- Mimicry Attackers: A third party that studied TeamPCP’s methods and built tools specifically designed to counter or copy them.
“The services targeted by PCPJack strongly resemble the December-January TeamPCP campaigns,” Delamotte explained, noting that the timing suggests a direct response to TeamPCP’s peak activity before alleged internal changes in the group.
Why Target Hackers?
The motivation behind PCPJack appears to be purely financial. By stealing credentials from systems already breached by TeamPCP, the hackers are not trying to create new entry points but rather to monetize existing ones. Their methods include:
- Reselling Credentials: Selling stolen login details on dark web markets.
- Initial Access Brokering: Selling access to compromised systems to other criminals who want to launch ransomware or data theft campaigns.
- Direct Extortion: Blackmailing the original victims (the corporations) for ransom.
Notably, the hackers avoid cryptocurrency mining. According to Delamotte, mining requires significant time and resources to yield returns, whereas credential theft and access brokering offer faster, higher-margin profits.
The Broader Context: TeamPCP’s Rise
To understand the significance of PCPJack, it is necessary to look at TeamPCP, the group being targeted. In recent weeks, TeamPCP has gained notoriety for high-profile breaches, including:
- A compromise of the European Commission’s cloud infrastructure.
- A widespread attack on Trivy, a popular vulnerability scanner. This attack cascaded to affect companies relying on Trivy, such as LiteLLM and AI recruiting startup Mercor.
Because TeamPCP has been aggressively targeting cloud infrastructure, their compromised systems represent a “low-hanging fruit” for other criminals. PCPJack is essentially harvesting the ripe fruit planted by TeamPCP.
Beyond TeamPCP: Scanning the Wider Internet
While PCPJack focuses heavily on displacing TeamPCP, the group is not limited to this niche. They also actively scan the internet for exposed services, including:
- Docker virtual machine platforms
- MongoDB databases
- Other unprotected cloud services
This dual approach allows them to maintain a steady stream of new targets while simultaneously engaging in turf wars with rival criminal groups.
The Phishing Component
In addition to direct hacking, PCPJack employs social engineering tactics. Researchers identified the use of domains designed to mimic password managers and fake help desk websites. These phishing attempts aim to trick users into voluntarily surrendering their credentials, which are then used to access or further compromise systems.
Conclusion
The emergence of PCPJack underscores a critical reality: cybersecurity is not just about defending against external threats, but also about the chaotic ecosystem of criminal competition. When hackers attack other hackers, the end result for the original victim corporation is often the same—data theft, financial loss, and reputational damage. For businesses, this means that even if a breach is initially caused by one group, the system may be passed through multiple hands, complicating incident response and recovery efforts.
