
PCPJack Cloud Worm: Credential Theft Threat to SAMA Banks

SentinelLabs has uncovered PCPJack, a self-propagating cloud worm that hijacks TeamPCP infrastructure and steals credentials at scale. Saudi financial institutions running cloud workloads face urgent exposure under SAMA CSCC controls.

FyntraLink Team

SentinelLabs disclosed this week a new self-propagating malware framework named PCPJack that worms across exposed cloud infrastructure, evicts the older TeamPCP threat actor, and exfiltrates credentials at scale. For SAMA-regulated banks running hybrid or public cloud workloads, the campaign represents a direct violation vector against multiple SAMA CSCC and NCA ECC control families.

What PCPJack Does Differently

PCPJack is not a simple cryptominer or commodity stealer. The framework actively scans the open internet for misconfigured Docker daemons, unauthenticated Kubernetes API endpoints, exposed Redis and MongoDB instances, and vulnerable RayML clusters. Once it lands on a host, it harvests SSH keys, AWS metadata service tokens, GitHub personal access tokens, Slack webhooks, Stripe API keys, and Gmail/Outlook session artifacts, then uses them to laterally move into peer cloud accounts.

The campaign began the week of April 20, 2026, and according to SentinelLabs telemetry, PCPJack chains five known vulnerabilities for initial access: CVE-2025-29927 (Next.js middleware bypass), CVE-2025-55182 (React2Shell), CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703. A particularly innovative tactic is its use of Common Crawl parquet files for low-noise target discovery, bypassing traditional internet-scan detection signatures.

Persistence Tradecraft on Linux Cloud Hosts

On compromised Docker hosts, PCPJack deploys a privileged container that escapes onto the underlying node and writes a bootstrap.sh persistence script. On Redis, it abuses the well-known CONFIG SET technique to write cron entries. On RayML, it submits a weaponized job that runs with the cluster service account. For Kubernetes and MongoDB, the operator opts for credential harvesting only — a quieter pattern that keeps the dwell time longer and makes detection through behavioral baselines harder.

The framework also explicitly removes TeamPCP artifacts before installing its own. This eviction behavior reduces noise and gives defenders a false sense of remediation when their existing TeamPCP indicators stop firing.
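As an added, defender-side illustration (not code from the SentinelLabs report or from this post), the Python below parses Redis `MONITOR` output and flags the sequence the CONFIG SET technique needs on a Redis host: one client redirecting the persistence directory to a cron path and then forcing a save. The MONITOR lines are constructed, and the client addresses and file names are placeholders; a benign administrative `CONFIG SET dir` to the normal data directory is included to show it does not trigger.

```python
"""Flag the Redis CONFIG SET persistence pattern in MONITOR output.

Added defensive example; not code from the SentinelLabs report or this post.
The MONITOR lines, client addresses and file names below are constructed.
"""
import re
from collections import defaultdict

# One MONITOR line looks like:  <unix_ts> [<db> <client_ip:port>] "CMD" "arg1" "arg2" ...
MONITOR_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$'
)
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Paths where an RDB dump written by Redis would be picked up by cron.
CRON_PATHS = (
    "/var/spool/cron",
    "/etc/cron.d",
    "/etc/cron.hourly",
    "/etc/cron.daily",
    "/etc/crontab",
)

# Constructed sample: one normal app client, one suspicious client, one admin client.
SAMPLE_MONITOR = """\
1777100000.100000 [0 10.20.30.40:51000] "PING"
1777100001.200000 [0 10.20.30.40:51000] "SET" "session:ab12" "constructed-value"
1777100010.000000 [0 203.0.113.77:40212] "CONFIG" "SET" "dir" "/etc/cron.d"
1777100010.500000 [0 203.0.113.77:40212] "CONFIG" "SET" "dbfilename" "sync"
1777100011.000000 [0 203.0.113.77:40212] "SET" "x" "<constructed placeholder>"
1777100011.200000 [0 203.0.113.77:40212] "SAVE"
1777100020.000000 [0 10.20.30.41:51020] "CONFIG" "SET" "dir" "/var/lib/redis"
1777100021.000000 [0 10.20.30.41:51020] "BGSAVE"
"""

def parse_monitor_line(line):
    """Return {ts, client, args} for one MONITOR line, or None if it does not parse."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": float(m.group("ts")),
        "client": m.group("client"),
        "args": ARG_RE.findall(m.group("args")),
    }

def classify(args):
    """Tag the command as one step of the write-to-cron sequence, or None."""
    if len(args) >= 4 and args[0].upper() == "CONFIG" and args[1].upper() == "SET":
        key = args[2].lower()
        if key == "dir" and args[3].rstrip("/").startswith(CRON_PATHS):
            return "set_dir_cron"
        if key == "dbfilename":
            return "set_dbfilename"
    if args and args[0].upper() in ("SAVE", "BGSAVE"):
        return "save"
    return None

def detect_cron_persistence(lines):
    """Track per-client state; alert when a client points dir at cron and then saves.

    A CONFIG SET dir to a non-cron path followed by a save (normal administration)
    produces no alert, so the admin client in the sample stays quiet.
    """
    state = defaultdict(dict)
    alerts = []
    for line in lines:
        ev = parse_monitor_line(line)
        if ev is None:
            continue
        step = classify(ev["args"])
        if step == "set_dir_cron":
            state[ev["client"]]["dir"] = ev["args"][3]
        elif step == "set_dbfilename":
            state[ev["client"]]["dbfilename"] = ev["args"][3]
        elif step == "save" and "dir" in state[ev["client"]]:
            s = state.pop(ev["client"])
            alerts.append({
                "ts": ev["ts"],
                "client": ev["client"],
                "dir": s["dir"],
                "dbfilename": s.get("dbfilename", "<unchanged>"),
            })
    return alerts

if __name__ == "__main__":
    for a in detect_cron_persistence(SAMPLE_MONITOR.splitlines()):
        print(f"ALERT {a['client']} wrote an RDB dump to {a['dir']}/{a['dbfilename']} at {a['ts']:.0f}")
```

In production the same logic would read from a log shipper rather than a string, and the alert would carry the client address forward to the egress and IAM logs so the follow-on lateral movement the post describes can be correlated; the point of keying on the `dir` change plus a save, rather than on `CONFIG SET` alone, is to keep routine configuration changes out of the alert stream.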

Why This Matters to Saudi Financial Institutions

Saudi banks and fintechs have aggressively migrated digital banking, KYC pipelines, and open-banking APIs to AWS Bahrain, Azure UAE North, and Google Cloud Dammam regions. Many of these workloads run Kubernetes clusters with secrets stored in etcd, Redis caches sitting behind permissive security groups, and CI/CD runners with broad cloud IAM roles — exactly the attack surface PCPJack was built to harvest. A successful credential theft on a CI/CD runner can hand an attacker the keys to production payment processing systems.

From a regulatory standpoint, SAMA CSCC control 3.3.14 (Cloud Computing) and NCA ECC subdomain 4-2 (Cybersecurity Resilience Aspects of Cloud Computing) explicitly require continuous monitoring of cloud workload configurations and credential lifecycle controls. PDPL Article 19 imposes breach notification obligations within 72 hours when personal data is exposed — and stolen API keys leading to customer record exfiltration absolutely qualify. Boards should also note that the Stripe and Mailchimp targeting in PCPJack overlaps with PCI-DSS Requirement 8 scope for any payment-flow integrations.

Defensive Actions for the Next 30 Days

  1. Audit all internet-exposed Docker, Redis, MongoDB, and Kubernetes API endpoints; require mTLS or private-link connectivity and remove public access by default.
  2. Patch Next.js workloads to a version above the CVE-2025-29927 fix line, and inventory React-based admin panels for exposure to the React2Shell vulnerability.
  3. Rotate all long-lived AWS access keys, GitHub tokens, Slack webhooks, and Stripe restricted keys; migrate to short-lived OIDC-issued credentials wherever your CI/CD platform supports it.
  4. Deploy runtime agents — Falco, Sysdig Secure, or AWS GuardDuty Runtime Monitoring — that detect privileged container escapes and unusual cron writes on Redis hosts.
  5. Block egress from production cloud subnets to Common Crawl S3 buckets and known PCPJack C2 ASNs published in the SentinelLabs IOC list.
  6. Run a tabletop exercise simulating PCPJack-style credential theft and validate your SAMA CSCC incident notification timelines end-to-end.
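To make step 1 concrete, here is an added example (not Fyntralink's or SentinelLabs' code) that audits a `redis.conf` and a Docker `daemon.json` for the exposure the worm scans for, showing a weak configuration next to its hardened counterpart. The configurations, addresses, certificate paths and password placeholder are constructed for illustration; the directive and key names (`bind`, `protected-mode`, `requirepass`, `rename-command`, `hosts`, `tlsverify`) are the real ones.

```python
"""Audit redis.conf and Docker daemon.json for the exposure PCPJack scans for.

Added example; not code from the SentinelLabs report or this post. The weak and
hardened configurations are constructed, and the addresses, paths and password
placeholder are made up for illustration.
"""
import json

# Constructed: reachable on every interface, no authentication, CONFIG exposed.
WEAK_REDIS_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed: loopback plus one private interface, auth required, CONFIG disabled.
HARDENED_REDIS_CONF = """\
bind 127.0.0.1 10.0.8.12
protected-mode yes
port 6379
requirepass REPLACE-WITH-SECRET-FROM-VAULT
rename-command CONFIG ""
"""

# Constructed daemon.json contents, parsed as they would be from disk.
WEAK_DOCKER_DAEMON = json.loads(
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
)
HARDENED_DOCKER_DAEMON = json.loads("""
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.8.12:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
""")

WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*", ""}

def parse_redis_conf(text):
    """Map each directive to the list of values seen; later lines override earlier ones."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        directives.setdefault(key.lower(), []).append(value.strip())
    return directives

def audit_redis_conf(text):
    d = parse_redis_conf(text)
    findings = []
    binds = " ".join(d.get("bind", [])).split()
    # Redis 7 writes optional binds as "-::*"; strip the dash before comparing.
    if not binds or any(b.lstrip("-") in WILDCARD_BINDS for b in binds):
        findings.append("redis: bind is absent or wildcard; listen on loopback/private addresses only")
    if d.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("redis: protected-mode is off; re-enable it")
    if not any(k in d for k in ("requirepass", "aclfile", "user")):
        findings.append("redis: no requirepass or ACL users; unauthenticated clients can run any command")
    config_renamed = any(
        v.split()[0].upper() == "CONFIG" for v in d.get("rename-command", []) if v.split()
    )
    if not config_renamed:
        findings.append('redis: CONFIG still reachable; rename-command CONFIG "" or deny it via ACL '
                        "so clients cannot change dir/dbfilename")
    return findings

def audit_docker_daemon(cfg):
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify"):
        findings.append(f"docker: API on {', '.join(tcp_hosts)} without tlsverify; "
                        "anyone who reaches the port controls the daemon")
    for h in tcp_hosts:
        address = h[len("tcp://"):].rsplit(":", 1)[0]
        if address.strip("[]") in WILDCARD_BINDS:
            findings.append(f"docker: {h} listens on every interface; "
                            "bind to a private address or use private-link")
    return findings

def audit_all(redis_conf, docker_daemon):
    return audit_redis_conf(redis_conf) + audit_docker_daemon(docker_daemon)

if __name__ == "__main__":
    for label, rc, dc in (("weak", WEAK_REDIS_CONF, WEAK_DOCKER_DAEMON),
                          ("hardened", HARDENED_REDIS_CONF, HARDENED_DOCKER_DAEMON)):
        print(f"== {label} ==")
        for f in audit_all(rc, dc) or ["no findings"]:
            print(" -", f)
```

Running this against a fleet's configuration management exports gives a first-pass inventory for the exposure audit in step 1; the TLS and bind checks are the minimum, and a cluster that also requires mTLS or private-link as the post recommends would show the Docker API absent from any public `tcp://` host entirely.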

The Bottom Line

PCPJack signals a maturing trend: opportunistic cloud worms that no longer just mine cryptocurrency but go directly after the credentials that unlock customer data, payment rails, and source code. For Saudi banks, the controls already exist on paper inside SAMA CSCC and NCA ECC — the question is whether the monitoring, key rotation, and exposure management practices are operationally tight enough to detect a worm that was specifically engineered to look like background internet noise.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment focused on cloud workload exposure, secret management, and CI/CD pipeline hardening.