Hackers hack victims hacked by other hackers
Source: TechCrunch
Regular internet users and corporations are not the only victims of malicious hackers. Sometimes, the hackers themselves get hacked.
The PCPJack Campaign
An unknown group of hackers targeted systems already compromised by the prolific cybercrime group TeamPCP. After breaking into those systems, they immediately evicted the TeamPCP actors and removed their tools, according to a new report by cybersecurity firm SentinelOne.
From there, the attackers used their access to deploy code designed to replicate across different cloud infrastructures like a self‑spreading worm, steal various types of credentials, and send the stolen data back to their own infrastructure.
According to the report, the hackers’ tools keep a tally of the number of compromised targets where they successfully evicted TeamPCP, sending this information back to their own servers.
Background on TeamPCP
TeamPCP is a cyber‑criminal group that has gathered headlines in recent weeks thanks to a series of high‑profile hacks attributed to the group, including:
- A breach of the European Commission’s cloud infrastructure – TechCrunch
- A broad‑scale cyberattack against the widely used vulnerability‑scanner tool Trivy, which affected any company that relied on it, including LiteLLM and AI recruiting startup Mercor – Ars Technica, TechCrunch
Who Is Behind PCPJack?
Alex Delamotte, a senior researcher at SentinelOne who discovered the campaign and dubbed it “PCPJack,” told TechCrunch that the perpetrators are unknown. She outlined three possible motivations:
- Disgruntled ex‑TeamPCP members
- A rival hacking group
- A third party that deliberately modeled its tools on TeamPCP’s earlier cloud‑infrastructure campaigns
“The services targeted by PCPJack strongly resemble the December‑January TeamPCP campaigns, before the alleged change in group membership that happened in February‑March,” Delamotte said.
The group also scans the internet for exposed services such as Docker virtual‑machine platforms, MongoDB databases, and others, though SentinelOne notes that the primary focus remains on systems previously compromised by TeamPCP.
Motivations and Tactics
- Financial gain: The attackers steal credentials to monetize them—either by reselling the data, selling access to the compromised systems as “initial access brokers,” or by extorting victims directly.
- No crypto mining: The group does not install cryptocurrency‑mining software, likely because that strategy requires more time to generate rewards.
- Phishing for password managers: Some attacks involve domains that appear to be phishing for password‑manager credentials and fake help‑desk websites.
These tactics suggest a purely profit‑driven operation that leverages the chaos created by the original TeamPCP intrusion.