A new malware framework called PCPJack is stealing credentials from exposed cloud infrastructure while actively removing TeamPCP’s access to the systems.

Among the targeted services are Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications. In many cases, the threat actor moves laterally on the network.

SentinelLabs researchers say that PCPJack appears designed for large-scale credential theft, and likely monetizes its activity via financial fraud, spam operations, credential resale, or extortion.