Security researchers at SentinelOne have identified a new strain of cloud-native malware that exhibits unprecedented autonomous behavior. Dubbed PCPJack, this worm is designed to target Docker, Kubernetes, and Redis instances. What makes it unique is its "predatory" subroutine: upon infecting a host, it actively scans for and removes rival malware, specifically that of the TeamPCP hacking group, to ensure exclusive access to the system's resources.
Once PCPJack has "cleaned" the target environment, it performs a highly efficient credential harvesting operation. It queries the AWS, Azure, and GCP metadata services to exfiltrate session tokens and API keys. The worm then uses these credentials to self-propagate across the victim's entire cloud organization, effectively turning a single container compromise into a cross-account takeover.
Defenders are urged to implement runtime security policies that alert on unusual exec commands within containers and to monitor for anomalous outbound traffic to known TeamPCP C2 servers. The rise of predatory malware suggests that the "arms race" in cybersecurity has shifted from human versus human to automated agent-versus-agent competition within the cluster.
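The two detections recommended above, alerting on unexpected exec activity in containers and on anomalous outbound connections, can be expressed as simple rules over runtime events; the following is an added example (not SentinelOne's code or any product's rule syntax) that runs over constructed sample events, assumes a hypothetical per-workload baseline of allowed binaries and destinations, and additionally correlates the worm's described sequence of an unexpected exec followed by a metadata-service request. The address 169.254.169.254 is the well-known link-local endpoint of the AWS, Azure and GCP metadata services.

```python
import json

# Constructed sample runtime events (one JSON object per line); not real telemetry.
SAMPLE_EVENTS = """\
{"ts":"2024-05-01T10:00:01Z","type":"exec","container":"web-7f9","proc":"/usr/local/bin/node"}
{"ts":"2024-05-01T10:00:05Z","type":"exec","container":"web-7f9","proc":"/bin/sh"}
{"ts":"2024-05-01T10:00:06Z","type":"connect","container":"web-7f9","dst":"169.254.169.254","dport":80}
{"ts":"2024-05-01T10:00:09Z","type":"connect","container":"web-7f9","dst":"203.0.113.7","dport":443}
{"ts":"2024-05-01T10:00:12Z","type":"connect","container":"web-7f9","dst":"10.0.0.25","dport":5432}
{"ts":"2024-05-01T10:00:20Z","type":"exec","container":"cache-2b1","proc":"/usr/bin/redis-server"}
"""

# Link-local address shared by the AWS, Azure and GCP instance metadata services.
METADATA_ENDPOINT = "169.254.169.254"

# Assumed per-workload baselines (hypothetical): binaries that may be exec'd and
# destinations that are expected egress. Anything else is reported.
EXPECTED_PROCS = {"web": {"/usr/local/bin/node"}, "cache": {"/usr/bin/redis-server"}}
EXPECTED_DESTS = {"web": {("10.0.0.25", 5432)}, "cache": set()}

def workload_of(container: str) -> str:
    """Map a container name like 'web-7f9' to its workload 'web' (assumed naming scheme)."""
    return container.rsplit("-", 1)[0]

def detect(events: str) -> list:
    """Return (rule, container, detail) alerts in event order."""
    alerts = []
    for line in events.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        wl = workload_of(ev["container"])
        if ev["type"] == "exec" and ev["proc"] not in EXPECTED_PROCS.get(wl, set()):
            alerts.append(("unexpected_exec", ev["container"], ev["proc"]))
        elif ev["type"] == "connect":
            if ev["dst"] == METADATA_ENDPOINT:
                alerts.append(("metadata_access", ev["container"], ev["dst"]))
            elif (ev["dst"], ev["dport"]) not in EXPECTED_DESTS.get(wl, set()):
                alerts.append(("unexpected_egress", ev["container"], f"{ev['dst']}:{ev['dport']}"))
    return alerts

def correlate(alerts: list) -> set:
    """Containers showing the worm's sequence: an unexpected exec followed by metadata access."""
    exec_seen, flagged = set(), set()
    for rule, container, _ in alerts:
        if rule == "unexpected_exec":
            exec_seen.add(container)
        elif rule == "metadata_access" and container in exec_seen:
            flagged.add(container)
    return flagged
```

Workloads that legitimately need the metadata service should be handled by a per-workload exception rather than by dropping the rule, so that the exec-then-metadata correlation still fires for containers that never use it.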