EntrarThe post Self-Spreading TCLBANKER Trojan Hijacks WhatsApp to Drain Accounts appeared first on Daily CyberSecurity.
Visualização de leitura
North Korean “Laptop Farms” Infiltrated 70 U.S. Companies
The post North Korean “Laptop Farms” Infiltrated 70 U.S. Companies appeared first on Daily CyberSecurity.
Related posts:
Dirty Frag: A new Linux privilege escalation vulnerability is already in the wild
Dirty Frag: unpatched Linux kernel flaw grants root access on Ubuntu, RHEL and Fedora. A working exploit is already public.
Security researchers have disclosed a new unpatched vulnerability in the Linux kernel, code-named Dirty Frag, that allows an unprivileged local user to gain full root access on most major Linux distributions, including Ubuntu, RHEL, Fedora, AlmaLinux, and CentOS Stream.
Dirty Frag is related to the Dirty Pipe family of vulnerabilities but is independent of the Copy Fail mitigation, meaning systems that already applied the algif_aead blacklist remain fully exposed.
“[the flaw] can obtain root privileges on major Linux distributions by chaining the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability.” reads the advisory. “Dirty Frag is a case that extends the bug class to which Dirty Pipe and Copy Fail belong. Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high.”
The researcher Hyunwoo Kim (@v4bel) first disclosed the vulnerability.
“What both vulnerabilities have in common is that, on a zero-copy send path where splice() plants a reference to a page cache page that the attacker only has read access to into the frag slot of the sender side skb as is, the receiver side kernel code performs in-place crypto on top of that frag.” reads the analysis. “As a result, the page cache of files that an unprivileged user only has read access to (such as /etc/passwd or /usr/bin/su) is modified in RAM, and every subsequent read sees the modified copy.”
What makes Dirty Frag particularly dangerous is its reliability. Unlike many kernel exploits that depend on precise timing windows or race conditions, this is a deterministic logic bug. It doesn’t panic the kernel on failure, and its success rate is described as very high. A working proof-of-concept is already public, reducing exploitation to a single command.
The disclosure itself was complicated: the embargo broke early after a third party published detailed technical information and the exploit code without coordination. No CVE identifier has been assigned yet.
“Chaining the two variants makes the blind spots cover each other. In an environment where user namespace creation is allowed, the ESP exploit runs first. Conversely, on Ubuntu where user namespace creation is blocked but rxrpc.ko is built, the RxRPC exploit works” concludes the report.
Until official patches are available, the recommended workaround is to blocklist the esp4, esp6, and rxrpc kernel modules to prevent them from loading.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Dirty Frag)
Nation-state actors exploit Palo Alto PAN-OS zero-day for weeks
Palo Alto says hackers exploited PAN-OS zero-day CVE-2026-0300 for weeks, gaining root access to exposed firewalls and hiding traces.
Palo Alto Networks warned that suspected state-sponsored hackers have been exploiting the critical PAN-OS zero-day CVE-2026-0300 for nearly a month. After exploiting the flaw, attackers deployed tunneling tools such as EarthWorm and ReverseSocks5, used stolen credentials to probe Active Directory, and deleted logs and other evidence to hide the intrusion.
“We are aware of only limited exploitation of CVE-2026-0300 at this time. Unit 42 is tracking CL-STA-1132, a cluster of likely state-sponsored threat activity exploiting CVE-2026-0300. The attacker behind this activity exploited CVE-2026-0300 to achieve unauthenticated remote code execution (RCE) in PAN-OS software. Upon successful exploitation, the attacker was able to inject shellcode into an nginx worker process.” reads the advisory by the cybersecurity vendor. “Post-exploitation activity includes deployment of publicly available tunneling tools (EarthWorm, ReverseSocks5), Active Directory enumeration using credentials likely obtained from the firewall, and the systematic destruction of logs and other evidence of compromise.”
EarthWorm has been used in past attacks associated with several China-linked threat actors, including , APT41, CL-STA-0046, and Volt Typhoon.
The flaw is a buffer overflow that allows unauthenticated remote code execution, especially when the User-ID portal is exposed to the internet.
“A buffer overflow vulnerability in the User-ID
Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.” reads the advisory published by Palo Alto Networks. “The risk of this issue is greatly reduced if you secure access to the User-ID Authentication Portal per the best practice guidelines by restricting access to only trusted internal IP addresses.”
This week, Palo Alto Networks has warned that the critical PAN-OS vulnerability CVE-2026-0300 is actively exploited in the wild.
Below is the list of impacted products:
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS 12.1 | < 12.1.4-h5 < 12.1.7 | >= 12.1.4-h5 (ETA: 05/13) >= 12.1.7 (ETA: 05/28) |
| PAN-OS 11.2 | < 11.2.4-h17 < 11.2.7-h13 < 11.2.10-h6 < 11.2.12 | >= 11.2.4-h17 (ETA: 05/28) >= 11.2.7-h13 (ETA: 05/13) >= 11.2.10-h6 (ETA: 05/13) >= 11.2.12 (ETA: 05/28) |
| PAN-OS 11.1 | < 11.1.4-h33 < 11.1.6-h32 < 11.1.7-h6 < 11.1.10-h25 < 11.1.13-h5 < 11.1.15 | >= 11.1.4-h33 (ETA: 05/13) >= 11.1.6-h32 (ETA: 05/13) >= 11.1.7-h6 (ETA: 05/28) >= 11.1.10-h25 (ETA: 05/13) >= 11.1.13-h5 (ETA: 05/13) >= 11.1.15 (ETA: 05/28) |
| PAN-OS 10.2 | < 10.2.7-h34 < 10.2.10-h36 < 10.2.13-h21 < 10.2.16-h7 < 10.2.18-h6 | >= 10.2.7-h34 (ETA: 05/28) >= 10.2.10-h36 (ETA: 05/13) >= 10.2.13-h21 (ETA: 05/28) >= 10.2.16-h7 (ETA: 05/28) >= 10.2.18-h6 (ETA: 05/13) |
| Prisma Access | None | All |
The cybersecurity vendor states that the issue doesn’t impact Prisma Access, Cloud NGFW and Panorama appliances.
Palo Alto Networks says the flaw is being exploited in a limited way, mainly against systems where the User-ID Authentication Portal is exposed to the public internet.
The flaw remains unpatched, with fixes expected from May 13, 2026. It affects PA-Series and VM-Series firewalls using the User-ID Authentication Portal. Palo Alto Networks notes risk is much lower for organizations that follow best practices, like limiting access to trusted internal networks only.
“Limited exploitation has been observed targeting Palo Alto Networks User-ID Authentication Portals that are exposed to untrusted IP addresses and/or the public internet.” concludes the advisory. “Customers following standard security best practices, such as restricting sensitive portals to trusted internal networks are at a greatly reduced risk.”
EarthWorm is an open-source tunneling tool written in C that works across Windows, Linux, macOS, and ARM/MIPS platforms. It acts as a SOCKS5 proxy and port-forwarding utility, enabling attackers to create covert communication channels, bypass network restrictions, and move laterally within compromised environments. Its features include forward and reverse SOCKS5 tunnels, port bridging, traffic forwarding, and multi-hop tunneling for protocols such as RDP and SSH. The tool has previously been linked to threat groups including Volt Typhoon and APT41.
ReverseSocks5 is another open-source networking tool designed to bypass firewalls and NAT protections by creating outbound connections from compromised systems to attacker-controlled servers. Once connected, it establishes a SOCKS5 proxy tunnel that allows remote access into the internal network. While commonly used by administrators for legitimate remote management, threat actors also abuse it for stealthy pivoting and post-compromise operations.
“The reliance of the attackers behind CL-STA-1132 on open-source tooling, rather than proprietary malware, minimized signature-based detection and facilitated seamless environment integration. This technical choice, combined with a disciplined operational cadence of intermittent interactive sessions over a multi-week period, intentionally remained below the behavioral thresholds of most automated alerting systems.” concludes Palo Alto Networks. “The lateral movement technique prioritized identity trust abuse over traditional network-layer pivoting, effectively reducing the attacker’s footprint. Consequently, this campaign demonstrates that operational restraint—specifically the use of non-persistent access windows—is a primary factor in maintaining long-term residency on edge infrastructure.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, PAN-OS)
U.S. CISA adds a flaw in Ivanti Endpoint Manager Mobile (EPMM) to its Known Exploited Vulnerabilities catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Ivanti Endpoint Manager Mobile (EPMM) to its Known Exploited Vulnerabilities catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in the Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-6973 (CVSS score of 7.1), to its Known Exploited Vulnerabilities (KEV) catalog.
Ivanti warns customers of a high‑severity zero‑day vulnerability, tracked as CVE‑2026‑6973, in Endpoint Manager Mobile that is already being exploited.
“At the time of disclosure, we are aware of very limited exploitation of CVE-2026-6973, which requires admin authentication for successful exploitation.” reads the advisory. “We are not aware of any customers being exploited by the other vulnerabilities disclosed today.”
The flaw, caused by improper input validation, allows attackers with admin privileges to execute arbitrary code on systems running EPMM 12.8.0.0 and earlier. Customers are urged to patch immediately to prevent compromise.
Ivanti EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1 address the vulnerability. The vulnerability doesn’t affect Ivanti Neurons for MDM, Ivanti’s cloud-based unified endpoint management solution, Ivanti EPM (a similarly named, but different product), Ivanti Sentry, or any other Ivanti products.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerability by May 10, 2026.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)
Cisco patches high-severity flaws enabling SSRF, code execution attacks
Cisco fixed several high‑severity flaws in its enterprise products, including SSRF bugs in Unity Connection that could enable code execution or service disruption.
Cisco released patches for multiple high‑severity vulnerabilities affecting its enterprise products. Successful exploitation could allow code execution, server‑side request forgery (SSRF), or denial‑of‑service attacks. Two notable flaws, CVE‑2026‑20034 and CVE‑2026‑20035, impact Cisco Unity Connection. Attackers can exploit them to trigger SSRF attacks.
“Multiple vulnerabilities in Cisco Unity Connection could allow a remote attacker to execute arbitrary code on or conduct server-side request forgery (SSRF) attacks through an affected device.” reads the advisory published by Cisco.
CVE‑2026‑20034 is a flaw in Cisco Unity Connection that allows an authenticated remote attacker to run arbitrary root‑level code on the device. The issue stems from improper validation of user input, letting an attacker send a crafted API request to fully compromise the system. Cisco has released fixes, and no workarounds exist.
“This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request.” reads the advisory. “A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of a targeted device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device.”
CVE-2026-20035 flaw in Cisco Unity Connection Web Inbox UI allows an unauthenticated remote attacker to perform SSRF attacks. The issue comes from improper validation of certain HTTP requests. By sending a crafted request, an attacker could make the device send arbitrary network traffic on their behalf, potentially accessing internal services.
“A vulnerability in the web UI of Cisco Unity Connection Web Inbox could allow an unauthenticated, remote attacker to conduct SSRF attacks through an affected device.” reads the advisory.
“This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to send arbitrary network requests that are sourced from the affected device.”
Below are the impacted releases:
| Cisco Unity Connection Release | First Fixed Release |
|---|---|
| 12.5 and earlier | Migrate to a fixed release. |
| 14.0 | 14SU5 |
| 15.0 | 15SU4 or apply patch file:1 ciscocm.cuc.V15_CSCwq36774-CSCwq36834_C0277-1.zip |
Cisco PSIRT said it is not aware of any public reports or active malicious exploitation of these vulnerabilities.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Unity Connection)
Hackers Abuse Signed Logitech Installer to Deploy TCLBANKER Banking Trojan
A new banking trojan known as TCLBANKER has been quietly making rounds, and its delivery method is as clever as it is concerning. Attackers are using a trojanized version of a legitimate, digitally signed installer to slip malware onto victims’ machines without raising immediate suspicion.
The campaign, tracked as REF3076, bundles a malicious MSI installer inside a ZIP file and exploits the trust people place in recognizable software names.
The infection begins when a victim runs what appears to be a legitimate Logitech application installer. Inside the package, threat actors have weaponized the Logi AI Prompt Builder, abusing a technique called DLL sideloading to sneak a malicious file into the process. Once the application starts, it automatically loads the harmful DLL without the user ever knowing anything went wrong.
Analysts at Elastic Security Labs identified this new Brazilian banking trojan, assessing it to be a significant evolution of an older malware family known as MAVERICK and SORVEPOTEL. The campaign appears to be in its early stages, with developer artifacts and an incomplete phishing page suggesting the attackers are still actively building out their infrastructure.
.webp)
TCLBANKER primarily targets users in Brazil, specifically those who visit banking, fintech, and cryptocurrency websites. The trojan monitors the victim’s browser in real time, watching for visits to any of 59 targeted financial domains.
Hackers Abuse Signed Logitech Installer
When a match is found, it opens a live connection to the attacker’s command server and puts the operator in full control.
The scope of potential damage goes well beyond simple credential theft. The malware can display fake full-screen overlays that look like real banking interfaces, freeze the apparent desktop to confuse victims, and kill the Task Manager to prevent users from ending the malicious process. It is a coordinated operation designed to make fraud feel seamless from the attacker’s side.
.webp)
The attackers took care to make the infection chain look as normal as possible. The malicious ZIP file contains an MSI installer that mimics the legitimate Logi AI Prompt Builder, a real Flutter-based application.
When installed, the trojanized package drops a fake DLL called screen_retriever_plugin.dll, which masquerades as a genuine Flutter plugin and gets loaded automatically at startup.
The loader inside this DLL is packed with tricks to avoid detection. It checks whether the system is running inside a sandbox or virtual machine, verifies that the user’s default language is Brazilian Portuguese, and even measures timing to catch emulation frameworks that speed up sleep calls.
.webp)
If anything seems off, the malware simply stops running without leaving obvious traces. This environment-gating approach means the payload only decrypts itself on real, qualifying machines.
Self-Spreading Worm Modules Amplify the Threat
What makes TCLBANKER particularly dangerous is not just what it does on a single machine, but how far it can spread from there. The malware comes with two worm modules designed to send itself to the victim’s contacts using channels those contacts already trust.
The first hijacks the victim’s active WhatsApp Web session in the browser, silently messaging Brazilian contacts with a link to download the malware. The second abuses Microsoft Outlook through automation, sending phishing emails directly from the victim’s own email account.
Because these messages come from real, known senders, they are far harder for security filters to catch. The Outlook bot first harvests the victim’s contact list, then sends targeted emails that look completely authentic.
Elastic researchers noted that all command and file-serving infrastructure runs on Cloudflare Workers under a single account, making it easy for operators to rotate infrastructure quickly when needed.
Organizations and individuals can take several steps to reduce exposure. Keeping security software updated ensures the latest detection signatures are in place.
Being cautious about ZIP files or MSI installers received through messaging apps or email, even from known contacts, is critical given this trojan’s self-spreading behavior. Monitoring for unusual scheduled tasks, unexpected DLL loads alongside legitimate software, and suspicious outbound connections can also help flag infections early.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| SHA-256 | 701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626 | TCLBanker loader component (screen_retriever_plugin.dll) |
| SHA-256 | 8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059 | TCLBanker loader component (screen_retriever_plugin.dll) |
| SHA-256 | 668f932433a24bbae89d60b24eee4a24808fc741f62c5a3043bb7c9152342f40 | TCLBanker loader component (screen_retriever_plugin.dll) |
| SHA-256 | 63beb7372098c03baab77e0dfc8e5dca5e0a7420f382708a4df79bed2d900394 | TCLBanker initial ZIP file (XXL_21042026-181516.zip) |
| Domain | campanha1-api.ef971a42[.]workers.dev | TCLBanker C2 |
| Domain | mxtestacionamentos[.]com | TCLBanker C2 |
| Domain | documents.ef971a42.workers[.]dev | TCLBanker file server |
| Domain | arquivos-omie[.]com | TCLBanker phishing page (under development) |
| Domain | documentos-online[.]com | TCLBanker phishing page (under development) |
| Domain | afonsoferragista[.]com | TCLBanker phishing page (under development) |
| Domain | doccompartilhe[.]com | TCLBanker phishing page (under development) |
| Domain | recebamais[.]com | TCLBanker phishing page (under development) |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post Hackers Abuse Signed Logitech Installer to Deploy TCLBANKER Banking Trojan appeared first on Cyber Security News.
DarkMoon AI-Powered Autonomous Penetration Testing Platform With 50+ Tools
A new open-source cybersecurity platform called DarkMoon has emerged as a significant advancement in autonomous penetration testing.
It provides security teams and DevSecOps professionals with a fully AI-powered vulnerability assessment system. DarkMoon integrates over 50 specialized offensive security tools, all managed through a controlled execution interface.
DarkMoon is an automated penetration testing platform that uses artificial intelligence to orchestrate complete security assessments without manual intervention.
Unlike traditional vulnerability scanners, DarkMoon deploys a multi-agent AI architecture where specialized sub-agents reason, plan, and execute real offensive security operations through a controlled Model Context Protocol (MCP) interface, a gatekeeper layer that ensures the AI never directly touches the underlying system.
The platform aligns with recognized security frameworks, including ISO 27001, NIST SP 800-115, and the MITRE ATT&CK methodology, making it a standards-compliant option for organizations seeking repeatable, evidence-based assessments.
DarkMoon AI-Powered Platform
When a target is provided via the command line, DarkMoon automatically progresses through a multi-phase assessment: discovering open ports and services, fingerprinting the technology stack, modeling the attack surface, and then deploying specialized sub-agents based on what it detects.
The platform dynamically triggers agents tailored to discovered technologies:
- CMS Agent — activates for WordPress, Drupal, Joomla, Magento, and Moodle environments
- Stack-Specific Agent — targets PHP, Node.js, Flask, ASP.NET, Spring Boot, and Ruby on Rails
- Active Directory Agent — covers NetExec, BloodHound, and 30+ Impacket scripts
- Kubernetes Agent — uses kubectl, Kubescape, and Kubeletctl
- GraphQL Agent — handles GraphQL-specific attack surfaces
- Headless Browser Agent — deployed when browser rendering is required
Multiple agents can execute in parallel across a hybrid infrastructure, significantly accelerating assessment timelines compared to sequential manual testing.
DarkMoon ships with a purpose-built Docker image housing over 50 compiled security tools organized by category.
Port scanning is handled by Naabu and Masscan; web application testing leverages Nuclei, ffuf, sqlmap, Arjun, and wafw00f; reconnaissance uses Subfinder, Katana, Waybackurls, and httpx; CMS testing relies on WPScan and CMSeeK; and network enumeration employs Hydra, dig, and SNMP tooling.
All tools are accessible inside the Docker toolbox without path configuration — the AI reasons and plans, the MCP controls execution, and the Docker container runs the tools in isolation.
DarkMoon is designed for security teams running continuous automated testing, DevSecOps engineers integrating security into CI/CD pipelines, bug bounty hunters accelerating target analysis, and security researchers exploring adaptive attack surfaces in real time.
The platform supports bug bounty mode natively, with command-line flags such as FOCUS, EXCLUDE, SEVERITY, and FORMAT=h1 interpreted directly by the AI agent.
DarkMoon is available on GitHub at github.com/ASCIT31/Dark-Moon and requires only Docker, Docker Compose, and an LLM API key from providers such as Anthropic, OpenAI, or OpenRouter with local model support via Ollama and llama.cpp also available.
The platform represents a broader industry trend toward autonomous AI-driven penetration testing that scales beyond the limits of human-only security teams.
Cybercriminals now enter through your suppliers instead of your front door – Free Webinar
The post DarkMoon AI-Powered Autonomous Penetration Testing Platform With 50+ Tools appeared first on Cyber Security News.
Trellix Breach – RansomHouse Claims Access to Parts of Source Code
Trellix, the global cybersecurity firm formed from the merger of McAfee Enterprise and FireEye, has confirmed unauthorized access to a portion of its source code repository, with the RansomHouse ransomware group formally claiming responsibility for the attack.
Trellix reported a data breach involving unauthorized access to a portion of its source code repository, which was disclosed publicly around May 2, 2026.
Upon discovering the intrusion, Trellix immediately engaged leading forensic experts to investigate and has notified law enforcement authorities.
In an official statement published on its website, the company said: “Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited”.
The RansomHouse ransomware group formally named Trellix on its dark web leak site, claiming the compromise occurred on April 17, 2026.
The group published multiple screenshots reportedly demonstrating access to Trellix’s internal services and management dashboards, though they have not specified the volume of data exfiltrated or its nature.
Notably, RansomHouse listed the breach status as “Evidence Depends on You,” a hallmark tactic used to pressure victims into negotiations before releasing stolen data publicly.
RansomHouse is a sophisticated ransomware-as-a-service (RaaS) group known for deploying a unique ransomware variant called Mario ESXi, whose code shares lineage with the leaked Babuk ransomware source code, alongside a tool called MrAgent to target both Windows and Linux-based virtualized environments.
The group typically targets VMware ESXi infrastructure and exploits weak domain credentials and monitoring systems to gain privileged access.
RansomHouse distinguishes itself by positioning itself as a “professional mediator community,” often seeking payment for data deletion rather than decryption.
The full extent of the data exposure remains unspecified, and Trellix has not confirmed whether corporate or customer data beyond source code was accessed.
Preliminary investigations indicate no evidence that the software distribution pipeline or customer-facing products were tampered with.
The incident highlights the growing trend of ransomware groups targeting cybersecurity vendors themselves, organizations whose proprietary source code, if weaponized, could have far-reaching consequences for enterprise defenses globally.
Cybercriminals now enter through your suppliers instead of your front door – Free Webinar
The post Trellix Breach – RansomHouse Claims Access to Parts of Source Code appeared first on Cyber Security News.
New PCPJack Worm Targets Docker, Kubernetes, Redis, and MongoDB for Credential Theft
A sophisticated new malware framework called PCPJack has been found actively targeting cloud environments across the internet, hunting for exposed services and stripping away credentials at scale.
The worm zeroes in on Docker, Kubernetes, Redis, and MongoDB deployments, turning misconfigured or vulnerable systems into footholds for credential theft and financial fraud. What sets it apart from most cloud-targeting malware is its unusual decision to skip cryptocurrency mining entirely, suggesting the operators are focused on a different kind of profit.
PCPJack starts its infection chain with a shell script called bootstrap.sh, which runs quietly on Linux-based cloud systems. That script prepares the environment, installs Python, downloads six specialized modules, sets up persistence, and launches the main orchestrator.
One of its first actions is to scan for and actively remove all traces of a rival threat group called TeamPCP, essentially taking over compromised machines that someone else had already infected, making it unusually competitive among cloud threat actors.
Researchers at SentinelOne identified PCPJack as a credential theft framework with worm-like spreading capabilities. According to SentinelOne security researcher Alex Delamotte, the toolset “harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting to spread to additional hosts.”
The research team believes the actor behind PCPJack may be a former TeamPCP member who left the group and started their own separate operation, given the technical overlap found between both campaigns.
The malware collects an unusually wide range of secrets, including SSH keys, Slack tokens, WordPress database credentials, OpenAI and Anthropic API keys, cloud provider tokens, and cryptocurrency wallet files.
.webp)
It then encrypts all stolen data using X25519 ECDH and ChaCha20-Poly1305 before sending it to a Telegram channel, broken into small chunks to comply with message size limits. The attacker even tracks whether their cleanup of TeamPCP infections was successful, signaling deliberate and targeted competitive intent rather than opportunistic attack behavior.
PCPJack’s Worm-Like Propagation and CVE Exploitation
PCPJack spreads by actively scanning external cloud infrastructure for exposed services including Docker, Kubernetes, Redis, MongoDB, and RayML. The worm downloads hostname data from Common Crawl parquet files and uses them as scanning targets, letting it discover new victims without hardcoding any addresses directly into the code.
This design allows the attacker to cover up to 104 million potential entries during each cycle without requiring centralised coordination.
The worm exploits five publicly known vulnerabilities to break into new systems. These include CVE-2025-29927, an authentication bypass in Next.js middleware; CVE-2025-55182, a server-side deserialization flaw in React and Next.js known as “React2Shell”; CVE-2026-1357, an unauthenticated file upload vulnerability in WPVivid Backup; CVE-2025-9501, a PHP injection flaw in W3 Total Cache; and CVE-2025-48703, a shell injection issue in CentOS Web Panel.
Once inside, the worm harvests SSH keys and moves laterally by enumerating Kubernetes clusters and Docker daemons, then replicating itself to every reachable host.
Sliver Backdoor and Enterprise-Wide Credential Targeting
SentinelOne’s analysis also uncovered a Sliver-based backdoor on the attacker’s staging server, compiled in three variants to support x86_64, x86, and ARM system architectures. This backdoor grants the operator persistent remote access even after initial exploitation ends.
The binaries are saved locally as update.bin, update-386.bin, and update-arm.bin, designed to blend in with legitimate system maintenance file names to avoid immediately raising suspicion.
.webp)
Beyond cloud infrastructure, PCPJack also targets messaging platforms, financial services, and enterprise productivity tools. The malware scans for credentials tied to services like Discord, DigitalOcean, Grafana Cloud, Google API, HashiCorp Vault, and 1Password, expanding potential damage far beyond a single environment. This wide reach points toward extortion, spam campaigns, and credential resale as the most likely endgame.
.webp)
To reduce exposure, security teams should enforce multi-factor authentication across all cloud accounts and services. Using IMDSv2 in AWS environments is recommended to prevent metadata theft, and proper authentication must be enforced for Docker and Kubernetes API endpoints.
Organisations should follow least-privilege principles, avoid storing secrets in plaintext, and regularly audit environment variables and configuration files for sensitive data.
Indicators of Compromise (IoCs):-
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post New PCPJack Worm Targets Docker, Kubernetes, Redis, and MongoDB for Credential Theft appeared first on Cyber Security News.
