Hackers hack victims hacked by other hackers

A previously unknown hacking group, dubbed PCPJack, targeted systems already compromised by the cybercrime syndicate TeamPCP, evicting TeamPCP and deploying a self-spreading worm to steal credentials. The attackers appear financially motivated, reselling stolen credentials and offering access to hacked systems as a service, while their tactics closely mirror TeamPCP’s earlier cloud-focused campaigns.
An unidentified hacking group, labeled PCPJack by cybersecurity firm SentinelOne, has launched a campaign targeting systems already compromised by the cybercrime group TeamPCP. Once inside, the attackers forcibly removed TeamPCP’s tools and infrastructure and deployed their own code, which is designed to spread across cloud environments like a self-replicating worm. Their primary objective is credential theft, which they monetize by reselling the credentials or offering access to compromised systems as a service.
TeamPCP has previously gained attention for high-profile breaches, including a 2026 attack on the European Commission’s cloud infrastructure and a supply-chain compromise of the widely used vulnerability scanner Trivy. The fallout from the Trivy breach affected companies like AI recruiting startup Mercor and open-source project LiteLLM.
SentinelOne researcher Alex Delamotte noted that PCPJack’s targets align with TeamPCP’s earlier cloud-focused campaigns, suggesting a deliberate replication of tactics. Delamotte proposed three theories about PCPJack’s origins: disgruntled former TeamPCP members, a rival hacking group, or a third party emulating TeamPCP’s methods.
The attackers also scan for exposed services like Docker and MongoDB databases, though their focus remains primarily on evicting TeamPCP. Their tools track successful evictions, sending data back to the attackers’ infrastructure to document compromised targets.
The financial motive is clear: PCPJack steals credentials to resell or to broker initial access to hacked systems. Unlike TeamPCP’s broader attacks, PCPJack appears narrowly focused on undermining its predecessor while capitalizing on the stolen data. The campaign underscores the competitive and opportunistic nature of cybercrime, where even hackers become targets in an ongoing battle for control of compromised infrastructure.
This content was automatically generated and/or translated by AI. It may contain inaccuracies. Please refer to the original sources for verification.