PCPJack Campaign Boots TeamPCP Off Compromised Machines

A new cyber operation called PCPJack has begun removing the TeamPCP malware from infected systems across multiple networks, according to security researchers tracking the activity.

The PCPJack campaign targets machines compromised by TeamPCP, a persistent threat actor known for maintaining long-term access to corporate and individual devices. Reports indicate that PCPJack deploys scripts to detect TeamPCP’s implants, wipe their configurations, and block associated command-and-control servers. This activity surfaced in early May 2026, with initial detections reported on May 5.

Campaign Mechanics

PCPJack operates through automated payloads that scan for TeamPCP signatures, such as specific registry keys and process names on Windows systems. Once an implant is identified, it executes cleanup routines, including deletion of persistence mechanisms and network filtering to prevent reinfection. Researchers note the campaign’s focus on high-profile compromises, including servers in the finance and government sectors.

  • Targets TeamPCP variants active since late 2025.
  • Uses obfuscated PowerShell and batch scripts for execution.
  • Leaves a distinctive marker: a file named “pcpjack.txt” confirming removal.

Unlike typical ransomware or wiper attacks, PCPJack does not encrypt data or demand payment. Its sole purpose appears to be eviction of TeamPCP, raising questions about the operator’s motives.

TeamPCP Background

TeamPCP gained attention in 2025 for deploying modular backdoors that evaded standard antivirus tools. The group compromised thousands of endpoints, often through phishing lures disguised as software updates. Victims reported data exfiltration and lateral movement within networks. Security firms had issued alerts, but eradication proved difficult due to the malware’s rootkit capabilities.

This eviction mirrors past “ransomware vs. ransomware” incidents, where one criminal group targets another’s infrastructure to claim territory. For more on online scam tactics, including those used by threat actors, see related coverage.

Expert Reactions

“PCPJack represents a shift in cybercrime dynamics,” said a spokesperson for a leading threat intelligence firm, who requested anonymity due to ongoing investigations. “By cleaning infected machines, the operators may be positioning themselves for future access or simply disrupting rivals.”

Another analyst observed that cleaned systems show improved stability, with no immediate re-compromise. However, users are advised to run full scans and apply pending patches, as residual threats could linger.

Discussions on digital security forums highlight similar inter-group conflicts in the cyber underground.

Implications and Next Steps

The campaign matters because it disrupts ongoing espionage and theft operations by TeamPCP, potentially protecting unaware victims. Organizations scanning logs for “pcpjack.txt” have confirmed cleanups on over 500 machines as of May 9, 2026.

Security teams recommend monitoring for related indicators of compromise. No attribution to a specific group has been confirmed for PCPJack, though links to Eastern European actors are under review. Further analysis is expected in coming weeks, with vendors planning signature updates.
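The article says organizations confirmed cleanups by scanning for the “pcpjack.txt” marker file. The following is an added example of a simple defender-side hunt for that marker, not code from the article or from any vendor: it walks a directory tree, matches the file name case-insensitively, and records path, size, SHA-256 and modification time for each hit so an analyst can triage which hosts were touched and when. The article does not say where on disk the marker is written, so the example searches the whole tree; the sample tree it builds is constructed for the demonstration, and the file contents are invented.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone

# Marker file name reported in the article; its on-disk location is not documented.
MARKER_NAME = "pcpjack.txt"


@dataclass
class MarkerFinding:
    path: str
    size: int
    sha256: str
    modified_utc: str


def sha256_of_file(path: str) -> str:
    """Hash the file in chunks so large files do not need to be loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_marker(root: str, marker_name: str = MARKER_NAME) -> list:
    """Return one MarkerFinding per file under `root` whose name matches (case-insensitive)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() != marker_name.lower():
                continue
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                # File vanished or is unreadable; skip rather than abort the sweep.
                continue
            findings.append(MarkerFinding(
                path=full,
                size=st.st_size,
                sha256=sha256_of_file(full),
                modified_utc=datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
            ))
    findings.sort(key=lambda f: f.path)
    return findings


def build_sample_tree() -> str:
    """Constructed sample tree: two marker files (one in upper case) plus an unrelated file."""
    root = tempfile.mkdtemp(prefix="pcpjack_demo_")
    os.makedirs(os.path.join(root, "ProgramData", "tmp"))
    os.makedirs(os.path.join(root, "Users", "alice"))
    with open(os.path.join(root, "ProgramData", "tmp", "pcpjack.txt"), "wb") as fh:
        fh.write(b"removed\n")  # invented content
    with open(os.path.join(root, "Users", "alice", "PCPJACK.TXT"), "wb") as fh:
        fh.write(b"removed\n")  # invented content
    with open(os.path.join(root, "Users", "alice", "notes.txt"), "wb") as fh:
        fh.write(b"unrelated\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for finding in hunt_marker(demo_root):
        print(f"{finding.path}\t{finding.size}\t{finding.sha256[:16]}\t{finding.modified_utc}")
```

Run against a real host with `hunt_marker("C:\\")` or a mounted image path; the modification timestamp is the most useful field, since it brackets when the eviction ran and gives a window for correlating EDR and authentication logs around it.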

Incidents like this underscore the fluid nature of cyber threats, where one actor’s loss is another’s gain. Network administrators should prioritize endpoint detection to counter such rapid changes.

Omar Nawaz

NetworkUstad Contributor