PCPJack Campaign Targeting ContainerInfrastructure

PCPJack Campaign Targeting Container
You are here:

EXECUTIVE SUMMARY

A newly identified Linux-based malware framework named PCPJack has been observed targeting exposed cloud infrastructure and containerized environments by exploiting misconfigured or vulnerable services such as Docker, Kubernetes, Redis, MongoDB, RayML, Next.js applications, and vulnerable WordPress plugins. Once deployed, the malware is capable of stealing API keys, SSH secrets, and cloud authentication tokens while enabling persistence, lateral movement, and encrypted data exfiltration through Telegram-based command-and-control (C2) channels. Researchers identified the malware operating at scale against publicly exposed cloud workloads, posing significant risks to organizations relying on cloud-native and con-tainerized environments.

  • Threat Name: PCPJack
  • Threat Type: Linux Malware / Cloud Worm
  • Active Region: Global
  • Affected Sector: Cloud Services, SaaS, IT, DevOps, Hosting Providers
  • Affected Product: Docker, Kubernetes, Redis, MongoDB, RayML, Next.js, WordPress Plugins
  • Severity: High
  • Published Date: May 11, 2026

TECHNICAL DETAILS

PCPJack operates through a modular Python-based framework deployed on compromised Linux systems. The malware targets exposed cloud services, vulnerable web applications, and insecure containerized en-vironments to establish persistence, harvest credentials, perform reconnaissance, and propagate laterally across cloud-native infrastructures.

  • Target: Docker daemons, Kubernetes clusters, Redis servers, MongoDB databases, RayML deployments, Linux cloud workloads, exposed web applications, and cloud-hosted developer environments.
  • Root Cause: Public exposure of cloud services and management interfaces, weak or default credentials, insecure Docker and Kubernetes configurations, improper RBAC permissions, exposed Redis/MongoDB instances, lack of network segmentation, and failure……

Download the Report

Date

Share

Previous Reports