An unknown hacking group is breaking into computer systems already compromised by the cybercrime group TeamPCP — then evicting TeamPCP and removing its tools before conducting their own attacks. Cybersecurity firm SentinelOne published a report on the campaign in May 2026, dubbing it “PCPJack.”
Once inside a victim’s system, the PCPJack hackers deploy self-spreading code designed to replicate across cloud infrastructure, steal credentials, and send the stolen data back to their own servers. Their tools even keep a running tally of systems where they successfully removed TeamPCP. The hackers’ goals appear to be financial: they monetize stolen credentials by reselling them, selling system access as initial access brokers, or extorting victims directly. They do not appear to install crypto-mining software, likely because that approach takes longer to generate returns.
TeamPCP is a prolific cybercriminal group linked to several high-profile breaches in recent weeks, including an intrusion into the European Commission’s cloud infrastructure and a broad cyberattack against the vulnerability scanner Trivy that affected companies including LiteLLM and the AI recruiting startup Mercor.
Alex Delamotte, the SentinelOne senior researcher who identified PCPJack, told TechCrunch that the group’s identity remains unclear. She outlined three possibilities: the hackers could be disgruntled former TeamPCP members, a rival group, or a third party that modeled their tools on TeamPCP’s earlier campaigns. “The services targeted by PCPJack strongly resemble the December-January TeamPCP campaigns, before the alleged change in group membership that happened in February-March,” Delamotte said.
While PCPJack is primarily focused on TeamPCP-compromised systems, the group also scans the internet for independently exposed services, including Docker and MongoDB. Some attacks involve domains apparently designed to phish for password manager credentials, as well as fake help desk websites.
Source: TechCrunch