\n<\/p>\n
Regular internet users and corporations are not the only victims of malicious hackers. Sometimes, the hackers themselves get hacked.<\/p>\n
That is what happened in an unusual hacking campaign, where an unknown group of hackers targeted systems already compromised by a prolific cybercrime group known as TeamPCP. Once the hackers broke into those systems, they immediately kicked out TeamPCP hackers and removed their tools, according to a new report by cybersecurity firm SentinelOne.\u00a0<\/p>\n
From there, the hackers use their access to deploy code designed to replicate across different cloud infrastructure like a self-spreading worm, steal various types of credentials, and finally send the stolen data back to their infrastructure.<\/p>\n
TeamPCP is a cybercriminal group that has gathered headlines in the last few weeks, thanks to a series of high profile hacks attributed to the group. Those hacks have included a breach of the European Commission\u2019s cloud infrastructure, and a broadscale cyberattack against widely used vulnerability scanner tool Trivvy, which affected any company that relied on it, including LiteLLM and AI recruiting startup Mercor, among others.<\/p>\n
Alex Delamotte, the SentinelOne senior researcher who found the new hacking campaign and dubbed it \u201cPCPJack,\u201d told TechCrunch that it\u2019s not clear who is behind it. At this point, Delamotte said her three theories are that the hackers are either disgruntled ex-TeamPCP members; are part of a rival group; or a third party \u201cwho chose to directly model their attack tools on TeamPCP\u2019s earlier campaigns,\u201d many of which targeted cloud infrastructure.\u00a0<\/p>\n
\u201cThe services targeted by PCPJack strongly resemble the December-January TeamPCP campaigns, before the alleged change in group membership that happened in February-March,\u201d said Delamotte.\u00a0<\/p>\n
Delamotte also noted that the hackers don\u2019t just target systems compromised by TeamPCP, but they also scan the internet for exposed services such as the virtual machine cloud platform Docker, databases running MongoDB, and others. But SentinelOne said the group appeared largely focused on targeting TeamPCP.\u00a0\u00a0<\/p>\n
Techcrunch event<\/p>\n
\n\t\t\t\t\t\t\t\t\tSan Francisco, CA<\/span> According to the report, the hackers\u2019 own tools keep a tally of the number of hacked targets where they successfully evicted TeamPCP by sending this information back to its infrastructure.<\/p>\n The goals of the PCPJack hackers appear to be purely financial, as they steal credentials with a focus on monetizing them. The hackers do this by reselling them, selling access to the hacked systems as so-called initial access brokers \u2014 hackers who break into systems and then let paying customers into the hacked machines, or by extorting the victims directly. <\/p>\n The hackers, however, do not try to install software to mine crypto on the hacked systems, likely because that strategy requires more time to reap rewards, according to Delamotte.<\/p>\n As part of some of their attacks, the hackers are using domains that suggest they are phishing for password manager credentials, and using fake help desk websites, according to Delamotte.<\/p>\n<\/div>\n
\n\t\t\t\t\t\t\t\t\t\t\t\t\t|<\/span>
\n\t\t\t\t\t\t\t\t\t\t\t\t\tOctober 13-15, 2026<\/span>\n\t\t\t\t\t\t\t<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/div>\n