PCPJack Cloud Worm: Credential Theft Threat to SAMA Banks

A newly reported credential-stealing worm called PCPJack is propagating across exposed cloud infrastructure by exploiting five known CVEs. Saudi banks running Docker, Kubernetes, Redis, and MongoDB face elevated exposure under the SAMA Cyber Security Framework.

FyntraLink Team

SentinelLabs and BleepingComputer reported this week a new self-propagating credential stealer named PCPJack that hunts exposed cloud workloads, exfiltrates secrets through Telegram, and evicts rival cryptojacking malware so that it has the host to itself. For Saudi financial institutions accelerating cloud-first strategies under SAMA's Open Banking Framework, the campaign is a sharp reminder that misconfigured cloud services are now first-class banking attack surfaces.

Inside the PCPJack Cloud Worm Campaign

Researchers describe PCPJack as a credential theft framework rather than a single binary. Once it lands on an exposed host it scrapes credentials from cloud SDKs, container registries, developer pipelines and productivity tools, and, most concerning for the financial sector, embedded financial-service tokens. The toolkit then uses those stolen tokens to move laterally to additional hosts, so it spreads like a worm without any user interaction. Researchers have linked its tradecraft to a former member of the TeamPCP cluster, which suggests an operator with mature offensive cloud experience.
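A host-side inventory of exactly those credential stores is the first thing an incident responder wants, because it bounds what has to be rotated. The script below is an added example, not code from the article, SentinelLabs or FyntraLink: it lists the well-known cloud-SDK, registry, orchestrator and pipeline credential files under each home directory with their last-modified time and permission bits. The path list is an assumption drawn from the SDKs' documented default locations, and the `demo()` function builds a throwaway home with placeholder files so the script runs offline.

```python
"""Inventory the on-host credential stores a tool like PCPJack scrapes.

Added example, not code from the article or from SentinelLabs. The path
list is an assumption (documented SDK defaults); extend it for your own
tooling. demo() builds a constructed home directory for illustration.
"""
import os
import tempfile
import time
from pathlib import Path

# Keyed by the categories the article names.
CREDENTIAL_PATHS = {
    "cloud-sdk": [
        ".aws/credentials", ".aws/config",
        ".config/gcloud/application_default_credentials.json",
        ".config/gcloud/credentials.db",
        ".azure/msal_token_cache.json",
    ],
    "container-registry": [".docker/config.json"],
    "orchestrator": [".kube/config"],
    "pipeline-and-scm": [".npmrc", ".pypirc", ".git-credentials", ".netrc"],
    "ssh": [".ssh/id_rsa", ".ssh/id_ecdsa", ".ssh/id_ed25519"],
}


def inventory(home_dirs, since_days=30, now=None):
    """Describe every known credential file under the given homes.

    `recent` marks files modified within `since_days` (the 30-day rotation
    window the recommendations use); `loose_perms` marks group- or
    other-readable files, which are a finding in their own right."""
    now = time.time() if now is None else now
    cutoff = now - since_days * 86400
    found = []
    for home in home_dirs:
        for category, rel_paths in CREDENTIAL_PATHS.items():
            for rel in rel_paths:
                path = os.path.join(str(home), rel)
                if not os.path.isfile(path):  # False on ENOENT and EACCES alike
                    continue
                try:
                    st = os.stat(path)
                except OSError:
                    continue
                found.append({
                    "path": path,
                    "category": category,
                    "bytes": st.st_size,
                    "mtime": st.st_mtime,
                    "recent": st.st_mtime >= cutoff,
                    "loose_perms": bool(st.st_mode & 0o077),
                })
    return found


def default_home_dirs():
    """/root plus every directory in /home (Linux layout assumed)."""
    homes = ["/root"]
    try:
        homes += [e.path for e in os.scandir("/home") if e.is_dir()]
    except OSError:
        pass
    return homes


def demo():
    """Constructed demonstration: a throwaway home holding a placeholder
    AWS credentials file touched now and a kubeconfig back-dated 60 days."""
    home = Path(tempfile.mkdtemp(prefix="cred-inventory-demo-"))
    (home / ".aws").mkdir()
    (home / ".aws" / "credentials").write_text("[default]\naws_access_key_id = PLACEHOLDER\n")
    (home / ".kube").mkdir()
    (home / ".kube" / "config").write_text("apiVersion: v1\nkind: Config\n")
    old = time.time() - 60 * 86400
    os.utime(home / ".kube" / "config", (old, old))
    return inventory([home])


if __name__ == "__main__":
    for f in inventory(default_home_dirs()):
        flag = "ROTATE" if f["recent"] else "review"
        extra = "  loose-perms" if f["loose_perms"] else ""
        print(f"{flag:6} {f['category']:18} {f['path']}{extra}")
```

Run it as root on a suspect host and hand the `ROTATE` rows to the teams that own each credential; the file list only tells you what a scraper could have read, so treat every `recent` entry as compromised rather than trying to prove exfiltration from the file system alone.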

What makes PCPJack particularly aggressive is its propagation set: it weaponizes five publicly disclosed flaws, CVE-2025-55182, CVE-2025-29927 (Next.js middleware bypass), CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703, to chain into adjacent systems. Telegram serves as the command-and-control and exfiltration channel, which lets the operator hide that traffic inside TLS to a well-known messaging service that many cloud egress policies still allow.

Why Cloud-Native Services Are the New Soft Target

The campaign explicitly targets Docker, Kubernetes, Redis, MongoDB, and RayML, exactly the stack Saudi banks increasingly run for fraud analytics, mobile banking microservices, and AI-driven KYC. A single exposed Kubernetes API server or unauthenticated Redis cache can leak service-account tokens that grant access to far more sensitive systems than the workload itself. Because the toolkit spreads on its own, a single foothold can cascade across an entire cloud estate without further operator action.
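The two exposures that paragraph describes are cheap to check from the outside, and the check is what the audit step in the recommendations below amounts to. The probe below is an added example, not code from the article or from SentinelLabs: it sends an unauthenticated `GET /api` to a Kubernetes API server and a RESP `PING` to Redis and classifies the replies using only the standard library. Target hosts and ports are assumptions; run it only against assets you are authorised to test. MongoDB is left out because its handshake needs the wire protocol; use `mongosh` or nmap's `mongodb-*` NSE scripts for that one.

```python
"""Probe for anonymous Kubernetes API access and unauthenticated Redis.

Added example, not code from the article or from SentinelLabs. Host and
port values are assumptions; run only against assets you own.
"""
import socket
import ssl
import urllib.error
import urllib.request


def classify_k8s_status(status: int) -> str:
    """Interpret the HTTP status of an unauthenticated GET /api.

    401 -> --anonymous-auth=false, the hardened state
    403 -> anonymous requests are accepted as system:anonymous and only
           RBAC stood in the way: review what system:anonymous can reach
    200 -> any client on the network can enumerate the API
    """
    return {
        401: "ok-anonymous-disabled",
        403: "warn-anonymous-enabled-rbac-limited",
        200: "critical-anonymous-readable",
    }.get(status, f"unexpected-{status}")


def probe_k8s(host: str, port: int = 6443, timeout: float = 3.0) -> str:
    """GET /api with no credentials. Certificate checks are disabled on
    purpose: an exposed cluster usually presents a self-signed CA."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(f"https://{host}:{port}/api",
                                    timeout=timeout, context=ctx) as resp:
            return classify_k8s_status(resp.status)
    except urllib.error.HTTPError as e:
        return classify_k8s_status(e.code)
    except OSError as e:  # refused, timed out, TLS failure (URLError is an OSError)
        return f"unreachable-{type(e).__name__}"


def classify_redis_reply(reply: bytes) -> str:
    """Interpret the RESP reply to an unauthenticated PING."""
    if reply.startswith(b"+PONG"):
        return "critical-unauthenticated"  # free CONFIG SET / SLAVEOF / MODULE LOAD
    if reply.startswith(b"-NOAUTH"):
        return "ok-auth-required"          # requirepass or ACL enforced
    if reply.startswith(b"-DENIED"):
        return "ok-protected-mode"         # no password, but non-loopback clients refused
    if reply.startswith(b"-"):
        return "error-" + reply[1:].split(b"\r\n", 1)[0].decode(errors="replace")
    return "unexpected"


def probe_redis(host: str, port: int = 6379, timeout: float = 3.0) -> str:
    """Send RESP 'PING' (array of one bulk string) and classify the answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"*1\r\n$4\r\nPING\r\n")
            return classify_redis_reply(s.recv(512))
    except OSError as e:
        return f"unreachable-{type(e).__name__}"


if __name__ == "__main__":
    import sys
    # usage: python probe.py k8s:10.0.1.5:6443 redis:10.0.2.9:6379   (assumed targets)
    for spec in sys.argv[1:]:
        kind, host, port = spec.split(":")
        probe = probe_k8s if kind == "k8s" else probe_redis
        print(f"{spec}: {probe(host, int(port))}")
```

A `403` from the API server is not a pass: it means anonymous authentication is on, and anything bound to `system:anonymous` or `system:unauthenticated` is readable without a token. Run the probe from outside the VPC as well as inside it, since the worm's lateral hops start from a host that is already on the internal network.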

The eviction of rival miners (TeamPCP artifacts) is also significant. Defenders who assumed a low-impact cryptominer was their worst case may in fact be facing a credential exfiltration operation hiding under the same alert noise: a classic abuse of alert fatigue that slips past severity-based triage.

Impact on Saudi Financial Institutions Under SAMA and NCA

For SAMA-regulated banks, PCPJack maps directly to several control domains of the SAMA Cyber Security Framework: 3.3.5 (Identity and Access Management), 3.3.9 (Cryptography), 3.3.14 (Cyber Security Event Management) and, given that entry relies on unpatched CVEs, 3.3.17 (Vulnerability Management). Stolen cloud credentials enable exactly the unauthorized data movement that PDPL Article 12 and the SAMA Open Banking risk requirements prohibit. Under NCA ECC-2:2024 control 2-3-3, banks are also expected to detect anomalous lateral movement in cloud environments and the outbound command-and-control that accompanies it; routing that traffic through Telegram is an attempt to make it look like ordinary TLS to a legitimate service.

Banks operating in hybrid Aramco/STC datacenters or in the AWS Middle East (Bahrain) region should treat this campaign as in scope today, not as a future risk. Outbound Telegram traffic from production VPCs, where no workload has a legitimate reason to use it, should be treated as a high-confidence indicator of compromise.

Recommendations and Practical Steps

  1. Patch the five CVEs immediately on all internet-facing workloads, with particular focus on Next.js (CVE-2025-29927) middleware deployments used in customer-facing portals.
  2. Audit Kubernetes API servers, Redis, and MongoDB instances for anonymous or unauthenticated access: kube-bench for API-server and kubelet settings, Trivy for image and infrastructure-as-code misconfigurations, and a network probe or cloud posture management tool for anything reachable from outside the VPC.
  3. Rotate all cloud service-account credentials, container registry tokens, and CI/CD secrets that may have been cached on Linux hosts in the past 30 days.
  4. Block outbound Telegram (api.telegram.org together with the rest of the telegram.org and t.me domain set) at DNS and at the egress proxy for all production VPCs, and review historical DNS and flow logs for earlier egress.
  5. Deploy runtime cloud workload protection (Falco, SentinelOne CWPP, or equivalent) with rules for in-memory credential scraping and for unexpected child processes spawned by a container's entrypoint.
  6. Map detection coverage to SAMA Cyber Security Framework 3.3.14 and add PCPJack as an active threat scenario to the CISO-level cyber risk register.
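Step 4 is the one with immediate forensic value: the first Telegram lookup from a production host dates the compromise and scopes the rotation in step 3. The script below is an added example, not code from the article or from SentinelLabs. It hunts resolver logs for Telegram lookups from production address space and reports first-seen, last-seen and query counts per source host. The record layout (`<utc-timestamp> <client-ip> <qname> <qtype>`), the sample records and the production CIDRs are constructed assumptions; point `parse_line()` at your own export (Route 53 Resolver query logs, BIND querylog, CoreDNS log plugin).

```python
"""Hunt for Telegram egress in DNS resolver logs.

Added example, not code from the article or from SentinelLabs. Log
layout, sample records and production subnets are constructed
assumptions; adapt parse_line() and PROD_SUBNETS to your environment.
"""
import ipaddress

# Telegram-owned domains. api.telegram.org is the Bot API endpoint the
# article names; the suffix match also catches the web client and the
# t.me redirector. Assumption: no production workload resolves these.
TELEGRAM_SUFFIXES = ("telegram.org", "telegram.me", "t.me")

# Assumed production address space; replace with your VPC/VNet CIDRs.
PROD_SUBNETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "10.30.0.0/16")]


def is_telegram_domain(qname: str) -> bool:
    q = qname.rstrip(".").lower()
    return any(q == s or q.endswith("." + s) for s in TELEGRAM_SUFFIXES)


def in_prod(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in PROD_SUBNETS)


def parse_line(line: str):
    """Constructed layout: '<utc-ts> <client-ip> <qname> <qtype>'."""
    parts = line.split()
    if len(parts) != 4:
        return None  # blank, comment or truncated record: skip, do not crash
    ts, src, qname, qtype = parts
    return {"ts": ts, "src": src, "qname": qname, "qtype": qtype}


def hunt(lines):
    """Group Telegram lookups by production source host.

    Returns {src_ip: {"first": ts, "last": ts, "count": n, "names": [...]}}.
    'first' is what you hand to forensics: it bounds when the host was
    compromised and therefore which cached credentials must be rotated."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not in_prod(rec["src"]) or not is_telegram_domain(rec["qname"]):
            continue
        h = hits.setdefault(rec["src"], {"first": rec["ts"], "last": rec["ts"],
                                         "count": 0, "names": set()})
        h["first"] = min(h["first"], rec["ts"])  # ISO-8601 UTC sorts lexically
        h["last"] = max(h["last"], rec["ts"])
        h["count"] += 1
        h["names"].add(rec["qname"].rstrip(".").lower())
    for h in hits.values():
        h["names"] = sorted(h["names"])
    return hits


# Constructed sample: one production host beaconing to the Bot API, one
# production host hitting the t.me redirector, one non-production client.
SAMPLE_LOG = """\
2025-06-02T09:12:01Z 10.20.4.17 api.telegram.org. A
2025-06-02T09:12:01Z 10.20.4.17 api.telegram.org. AAAA
2025-06-02T09:12:40Z 10.20.4.17 s3.me-south-1.amazonaws.com. A
2025-06-02T09:13:05Z 192.168.50.3 web.telegram.org. A
2025-06-02T09:14:22Z 10.30.8.201 t.me. A
2025-06-02T09:15:00Z 10.20.4.17 api.telegram.org. A
"""

if __name__ == "__main__":
    for src, h in hunt(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {h['count']} lookups of {h['names']} "
              f"between {h['first']} and {h['last']}")
```

DNS is the cheapest place to look but not the only one: a host can bypass the resolver by using DNS-over-HTTPS or a hard-coded IP, so pair this with flow-log or proxy-log review for the same time window, and treat the earliest hit as the lower bound of the compromise, not the exact moment of entry.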

Conclusion

PCPJack is a clear signal that worm-like cloud credential theft is no longer theoretical — it is operational and indiscriminate. Saudi banks moving regulated workloads to cloud must treat container and orchestration layers with the same scrutiny historically reserved for SWIFT terminals.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment focused on your cloud-native attack surface.