{ "type": "URL", "indicator": "https://cdn.cloudfront-js.com:8443/u", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://cdn.cloudfront-js.com:8443/u", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4348588344, "indicator": "https://cdn.cloudfront-js.com:8443/u", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69fd0520d3687243cca2f973", "name": "PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale", "description": "PCPJack is a sophisticated credential theft framework that propagates across exposed cloud infrastructure while systematically removing artifacts linked to TeamPCP, a threat actor behind notable 2026 supply chain compromises. The toolset harvests credentials from cloud platforms, containers, developer tools, productivity applications, and financial services, exfiltrating data through attacker-controlled infrastructure. It targets exposed Docker, Kubernetes, Redis, MongoDB, RayML services and vulnerable web applications, enabling external propagation and lateral movement. Unlike typical cloud malware, PCPJack deploys no cryptominers, focusing instead on credential theft for monetization through fraud, spam campaigns, extortion, or access resale. The framework uses modular Python scripts orchestrated by a central component, employs Common Crawl data for target selection, and utilizes Telegram for command and control communications.", "modified": "2026-05-08T09:06:31.769000", "created": "2026-05-07T21:33:20.146000", "tags": [ "kubernetes exploitation", "docker compromise", "pcpjack", "sliver", "teampcp", "container worm" ], "references": [ "https://www.sentinelone.com/labs/cloud-worm-evicts-teampcp-and-steals-credentials-at-scale/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PCPJack", "display_name": "PCPJack", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null } ], "attack_ids": [ { "id": "T1613", "name": "Container and Resource Discovery", "display_name": "T1613 - Container and Resource Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1552.005", "name": "Cloud Instance Metadata API", "display_name": "T1552.005 - Cloud Instance Metadata API" }, { "id": "T1053.003", "name": "Cron", "display_name": "T1053.003 - Cron" }, { "id": "T1021.004", "name": "SSH", "display_name": "T1021.004 - SSH" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1552.007", "name": "Container API", "display_name": "T1552.007 - Container API" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-MD5": 1, "FileHash-SHA1": 12, "FileHash-SHA256": 1, "URL": 1, "domain": 1, "hostname": 1 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 386463, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01c1b69e22786783aec606", "name": "PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale | SentinelOne", "description": "SentinelLABS has identified PCPJack, a toolset dedicated to stealing data from exposed cloud services and propagating the malware on other systems, as part of an ongoing cyber-attack campaign.", "modified": "2026-05-11T11:47:02.550000", "created": "2026-05-11T11:47:02.550000", "tags": [ "teampcp", "pcpjack", "docker", "redis", "mongodb", "kubernetes", "rayml", "telegram", "python", "propagation", "april", "find", "download", "theft", "extractor", "internal", "cloud", "teamtnt", "discord", "xmrig", "vect", "c2", "docker api" ], "references": [ "https://www.sentinelone.com/labs/cloud-worm-evicts-teampcp-and-steals-credentials-at-scale/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VECT", "display_name": "VECT", "target": null }, { "id": "C2", "display_name": "C2", "target": null }, { "id": "Docker API", "display_name": "Docker API", "target": null } ], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" } ], "industries": [ "Technology", "Financial", "Pharmaceuticals", "Telecom" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 11, "CVE": 5, "FileHash-MD5": 12, "FileHash-SHA1": 12, "FileHash-SHA256": 12, "URL": 1, "domain": 1, "hostname": 1 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01602e7960dd5e5c40421e", "name": "PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale", "description": "", "modified": "2026-05-11T04:50:54.890000", "created": "2026-05-11T04:50:54.890000", "tags": [ "kubernetes exploitation", "docker compromise", "pcpjack", "sliver", "teampcp", "container worm" ], "references": [ "https://www.sentinelone.com/labs/cloud-worm-evicts-teampcp-and-steals-credentials-at-scale/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PCPJack", "display_name": "PCPJack", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null } ], "attack_ids": [ { "id": "T1613", "name": "Container and Resource Discovery", "display_name": "T1613 - Container and Resource Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1552.005", "name": "Cloud Instance Metadata API", "display_name": "T1552.005 - Cloud Instance Metadata API" }, { "id": "T1053.003", "name": "Cron", "display_name": "T1053.003 - Cron" }, { "id": "T1021.004", "name": "SSH", "display_name": "T1021.004 - SSH" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1552.007", "name": "Container API", "display_name": "T1552.007 - Container API" } ], "industries": [], "TLP": "white", "cloned_from": "69fd0520d3687243cca2f973", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-MD5": 1, "FileHash-SHA1": 12, "FileHash-SHA256": 1, "URL": 1, "domain": 1, "hostname": 1 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.sentinelone.com/labs/cloud-worm-evicts-teampcp-and-steals-credentials-at-scale/", "IOCs.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Sliver", "Pcpjack" ], "industries": [], "unique_indicators": 22 }, "other": { "adversary": [ "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053" ], "malware_families": [ "Vect", "Pcpjack", "Sliver", "C2", "Docker api" ], "industries": [ "Telecom", "Technology", "Financial", "Pharmaceuticals" ], "unique_indicators": 1068 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/cloudfront-js.com", "whois": "http://whois.domaintools.com/cloudfront-js.com", "domain": "cloudfront-js.com", "hostname": "cdn.cloudfront-js.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69fd0520d3687243cca2f973", "name": "PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale", "description": "PCPJack is a sophisticated credential theft framework that propagates across exposed cloud infrastructure while systematically removing artifacts linked to TeamPCP, a threat actor behind notable 2026 supply chain compromises. The toolset harvests credentials from cloud platforms, containers, developer tools, productivity applications, and financial services, exfiltrating data through attacker-controlled infrastructure. It targets exposed Docker, Kubernetes, Redis, MongoDB, RayML services and vulnerable web applications, enabling external propagation and lateral movement. Unlike typical cloud malware, PCPJack deploys no cryptominers, focusing instead on credential theft for monetization through fraud, spam campaigns, extortion, or access resale. The framework uses modular Python scripts orchestrated by a central component, employs Common Crawl data for target selection, and utilizes Telegram for command and control communications.", "modified": "2026-05-08T09:06:31.769000", "created": "2026-05-07T21:33:20.146000", "tags": [ "kubernetes exploitation", "docker compromise", "pcpjack", "sliver", "teampcp", "container worm" ], "references": [ "https://www.sentinelone.com/labs/cloud-worm-evicts-teampcp-and-steals-credentials-at-scale/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PCPJack", "display_name": "PCPJack", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null } ], "attack_ids": [ { "id": "T1613", "name": "Container and Resource Discovery", "display_name": "T1613 - Container and Resource Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1552.005", "name": "Cloud Instance Metadata API", "display_name": "T1552.005 - Cloud Instance Metadata API" }, { "id": "T1053.003", "name": "Cron", "display_name": "T1053.003 - Cron" }, { "id": "T1021.004", "name": "SSH", "display_name": "T1021.004 - SSH" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1552.007", "name": "Container API", "display_name": "T1552.007 - Container API" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-MD5": 1, "FileHash-SHA1": 12, "FileHash-SHA256": 1, "URL": 1, "domain": 1, "hostname": 1 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 386463, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01c1b69e22786783aec606", "name": "PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale | SentinelOne", "description": "SentinelLABS has identified PCPJack, a toolset dedicated to stealing data from exposed cloud services and propagating the malware on other systems, as part of an ongoing cyber-attack campaign.", "modified": "2026-05-11T11:47:02.550000", "created": "2026-05-11T11:47:02.550000", "tags": [ "teampcp", "pcpjack", "docker", "redis", "mongodb", "kubernetes", "rayml", "telegram", "python", "propagation", "april", "find", "download", "theft", "extractor", "internal", "cloud", "teamtnt", "discord", "xmrig", "vect", "c2", "docker api" ], "references": [ "https://www.sentinelone.com/labs/cloud-worm-evicts-teampcp-and-steals-credentials-at-scale/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "VECT", "display_name": "VECT", "target": null }, { "id": "C2", "display_name": "C2", "target": null }, { "id": "Docker API", "display_name": "Docker API", "target": null } ], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" } ], "industries": [ "Technology", "Financial", "Pharmaceuticals", "Telecom" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 11, "CVE": 5, "FileHash-MD5": 12, "FileHash-SHA1": 12, "FileHash-SHA256": 12, "URL": 1, "domain": 1, "hostname": 1 }, "indicator_count": 55, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a01602e7960dd5e5c40421e", "name": "PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale", "description": "", "modified": "2026-05-11T04:50:54.890000", "created": "2026-05-11T04:50:54.890000", "tags": [ "kubernetes exploitation", "docker compromise", "pcpjack", "sliver", "teampcp", "container worm" ], "references": [ "https://www.sentinelone.com/labs/cloud-worm-evicts-teampcp-and-steals-credentials-at-scale/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PCPJack", "display_name": "PCPJack", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null } ], "attack_ids": [ { "id": "T1613", "name": "Container and Resource Discovery", "display_name": "T1613 - Container and Resource Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1552.005", "name": "Cloud Instance Metadata API", "display_name": "T1552.005 - Cloud Instance Metadata API" }, { "id": "T1053.003", "name": "Cron", "display_name": "T1053.003 - Cron" }, { "id": "T1021.004", "name": "SSH", "display_name": "T1021.004 - SSH" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1525", "name": "Implant Internal Image", "display_name": "T1525 - Implant Internal Image" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1543.002", "name": "Systemd Service", "display_name": "T1543.002 - Systemd Service" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1552.007", "name": "Container API", "display_name": "T1552.007 - Container API" } ], "industries": [], "TLP": "white", "cloned_from": "69fd0520d3687243cca2f973", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-MD5": 1, "FileHash-SHA1": 12, "FileHash-SHA256": 1, "URL": 1, "domain": 1, "hostname": 1 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://cdn.cloudfront-js.com:8443/u", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://cdn.cloudfront-js.com:8443/u", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780190907.6783035 }