Hackers Hack Hackers: The PCPJack Campaign Kicks TeamPCP Out of Breached Systems

Cybercriminals usually target companies and individuals. But sometimes, they target each other. A new campaign, dubbed "PCPJack" by SentinelOne, does exactly that: an unknown group breaks into systems already compromised by the prolific TeamPCP group, kicks them out, and steals credentials for profit.

What Is PCPJack?

SentinelOne senior researcher Alex Delamotte discovered the campaign. The attackers scan the internet for systems previously breached by TeamPCP, then gain access using stolen credentials or exploits. Once inside, they immediately evict TeamPCP's tools and establish their own persistence. They deploy a self-spreading worm that propagates across cloud infrastructure—Docker, MongoDB, and other exposed services. The worm steals credentials and sends them back to the attackers' infrastructure.

Who Is TeamPCP?

TeamPCP is a cybercrime group that made headlines recently for high-profile breaches, including the European Commission's cloud infrastructure and a broad attack on the vulnerability scanner Trivy. That attack affected companies like LiteLLM and AI recruiting startup Mercor. TeamPCP's tools and tactics are well-known, which makes them a prime target for rival hackers.

Theories Behind PCPJack

Delamotte has three theories about who is behind PCPJack:

  1. Disgruntled ex-TeamPCP members – Someone who left the group and wants to undermine them.
  2. A rival cybercrime group – Competing for the same hacked systems and access.
  3. A third party mimicking TeamPCP – Someone who modeled their attack tools on TeamPCP's earlier campaigns from December-January, before an alleged change in group membership around February-March.

What Are the Attackers After?

Money. Pure and simple. The stolen credentials are monetized through:

  • Reselling them on dark web markets.
  • Selling access to the compromised systems as an initial access broker.
  • Extorting victims directly.

Notably, they avoid crypto mining—it takes too long to pay off. Instead, they focus on quick financial gain.

Technical Details

The attackers use domains that mimic password manager login pages and fake help desk websites to phish for credentials. Their tools include a tally counter that reports back how many systems they've successfully evicted TeamPCP from—a bizarre metric of success.

What This Means for Developers

If you or your organization were hit by TeamPCP, you might have a second intruder. The PCPJack campaign doesn't just target TeamPCP's victims; it scans for exposed services broadly. But its primary focus is on systems where TeamPCP already gained a foothold.

Next Steps

  • Patch and rotate credentials immediately if you suspect any TeamPCP-related breach.
  • Monitor for unusual Docker or MongoDB access from unknown IPs.
  • Check for phishing domains mimicking your password manager or help desk.
  • Assume breach if you were affected by the Trivy attack or European Commission breach.
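One way to act on the "monitor for unusual MongoDB access" step, as an added example that is not part of SentinelOne's report or this article: scan MongoDB's structured (JSON) log for accepted connections from addresses outside an allowlist of expected networks. The log lines and the 10.0.0.0/8 allowlist below are constructed for illustration; replace them with your own log path and networks.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample lines in MongoDB's structured (JSON) log format
# (4.4 and later); they are not taken from any real incident.
SAMPLE_LOG = """
{"t":{"$date":"2024-05-01T10:00:01.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.0.5:51234","connectionId":1,"connectionCount":1}}
{"t":{"$date":"2024-05-01T10:00:02.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"198.51.100.23:40012","connectionId":2,"connectionCount":2}}
{"t":{"$date":"2024-05-01T10:00:03.000+00:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn2","msg":"Connection ended","attr":{"remote":"198.51.100.23:40012","connectionId":2,"connectionCount":1}}
{"t":{"$date":"2024-05-01T10:00:04.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"198.51.100.23:40013","connectionId":3,"connectionCount":2}}
{"t":{"$date":"2024-05-01T10:00:05.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"[2001:db8::9]:55000","connectionId":4,"connectionCount":3}}
"""

# Hypothetical allowlist: the networks that should legitimately reach the database.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def unknown_connections(log_text, allowed=ALLOWED_NETWORKS):
    """Return {source_ip: count} of accepted connections whose source
    address lies outside the allowlist. Only 'Connection accepted'
    NETWORK events count; 'Connection ended' and non-JSON lines are skipped."""
    hits = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # older plain-text log format or truncated line
        if event.get("c") != "NETWORK" or event.get("msg") != "Connection accepted":
            continue
        remote = event.get("attr", {}).get("remote", "")
        # "host:port"; IPv6 hosts are bracketed, e.g. "[2001:db8::9]:55000"
        host, _, _ = remote.rpartition(":")
        host = host.strip("[]")
        if not host:
            continue
        addr = ipaddress.ip_address(host)
        if not any(addr in net for net in allowed):
            hits[host] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, n in unknown_connections(SAMPLE_LOG).items():
        print(f"{ip}: {n} accepted connection(s) from outside the allowlist")
```

Run it against the real log (`mongod.log`) and feed the output into whatever alerting you already have; repeated accepted connections from an address you do not recognize are worth a credential rotation check.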

PCPJack proves that even hackers get hacked. And when they do, the fallout can hit you twice.