A sophisticated, highly territorial cloud-native threat has emerged, targeting unsecured developer and deployment tools across public cloud environments. Officially cataloged as the Cloud AI Infrastructure Attack Framework (CAI), this new worm utilizes LLM-assisted code generation to dynamically compile payloads and exploit exposed APIs. Once inside, the worm steals cloud provider credentials, deploys cryptocurrency mining software, and actively evicts rival botnets—including the prominent PCPJack and TeamPCP malware—to monopolize server resources.

The Evolution of the Cloud Malware Turf War
Cloud-native resources (specifically exposed developer endpoints, staging clusters, and unpatched dashboard interfaces) have long been prime targets for automated scanners looking to hijack compute capacity. Traditionally, compromise resulted in the deployment of basic Monero miners or static remote access trojans (RATs).
However, as cloud infrastructure expanded to support machine learning frameworks, AI agent sandboxes, and vector databases, malware groups evolved. Hacking collectives began deploying "territorial" malware designed to scan infected systems for competitor files, kill competing processes, and secure the compromised environment for their own use.
The CAI framework represents the latest step in this turf war. Unlike basic script-kiddie tools, CAI is a modular attack suite that dynamically adjusts its payload based on the targeted server's environment. Security analysts tracking the campaign have observed a significant rise in compromised staging instances running Docker daemon sockets, Redis databases, Kubernetes Kubelets, and exposed Ray dashboards.
Anatomy of the CAI Cloud Worm Attack
The CAI worm executes a multi-stage attack lifecycle designed to achieve remote code execution (RCE), harvest credentials, deploy miners, and secure system resources:
1. Target Scanning & RCE Exploitation
The worm continually scans the public internet and local network subnets for exposed management ports:
- Docker API: TCP port 2375 (unauthenticated daemon access).
- Kubernetes Kubelet/etcd: TCP ports 10250 and 2379.
- Redis: TCP port 6379 (exposed without passwords).
- Ray Dashboard: TCP port 8265 (frequently left open on AI training nodes).
Upon discovering an exposed port, CAI sends a targeted exploit payload to achieve initial execution in a high-privilege container.
2. LLM-Assisted Dynamic Payload Compiling
Once initial execution is achieved, CAI runs a localized reconnaissance script. This script gathers details about the host's operating system, kernel version, CPU architecture, and active security agents.
Rather than downloading a static binary from a repository—which would trigger automated signature detection rules—the worm contacts its command-and-control (C2) server. Security researchers have found that the C2 server uses an integrated LLM backend to dynamically write and compile a custom shellcode binary optimized for the target host's specific configuration. This LLM-assisted malware generation allows the worm to evade traditional file-signature-based antivirus scanners.
3. Competitor Eviction (The Turf War)
After establishing persistence, CAI initiates a cleanup routine. The worm scans the host's active process list, network connections, and cron jobs for known competitor signatures, specifically targeting files associated with TeamPCP and the PCPJack toolset.
Any rival mining scripts are terminated, their configurations deleted, and the ports they used are bound to local loopback addresses to prevent reinfection.
4. Cryptomining and Credential Harvesting
With the host cleared of rivals, CAI deploys a resource-constrained Monero (XMR) miner. Unlike older malware that immediately consumed 100% of CPU capacity—triggering cloud provider alerts—CAI dynamically limits its CPU utilization (typically to 45–60%), allowing it to run undetected in the background for longer periods.
Simultaneously, the worm harvests credentials from the host, looking for:
- AWS, Azure, and Google Cloud CLI configuration files (
~/.aws/credentials). - Git configuration files and SSH keys.
- Environment variables containing API keys, database passwords, or Web3 wallet private keys.
These credentials are encrypted and exfiltrated to the C2 server, providing the attackers with access to the victim's broader cloud organization.

CAI Worm vs. PCPJack vs. TeamPCP
The turf war highlights the key differences between these competing malware families:
| Capability | TeamPCP | PCPJack | CAI Cloud Worm |
|---|---|---|---|
| Target Vector | Unsecured databases | Exposed Docker APIs | Docker, Kubernetes, Redis, Ray |
| Primary Payload | Monero Cryptominer | Credential harvester | Cryptominer + Credential thief |
| AI Integration | None (Static shell scripts) | None | LLM-assisted shellcode compiler |
| CPU Consumption | 100% (High visibility) | None (Low visibility) | 45-60% (Dynamic throttle) |
| Competitor Eviction | Minimal | Evicts TeamPCP | Purges both PCPJack and TeamPCP |
While the original PCPJack campaign focused entirely on credential harvesting without deploying cryptominers, the CAI worm combines both tactics. It uses automated competitor eviction to secure the host's CPU cycles for mining, while exfiltrating credentials to fund future infrastructure attacks.

Mitigation Guidelines for Platform Engineering Teams
To protect cloud infrastructure from the CAI worm and related botnets, engineering teams should implement the following security measures:
Disable Public Ports: Ensure that Docker APIs (2375), Redis endpoints (6379), Kubernetes etcd (2379), and Ray dashboards (8265) are not exposed to the public internet. Use Virtual Private Clouds (VPCs), security groups, and local firewalls to restrict access to trusted internal IP ranges.
Audit Staging and Sandbox Instances: The rise of autonomous developer environments and sandbox runtimes (such as Windsurf and Devin Desktop platforms) often leads to staging instances being spun up with loose security configurations. Audit these instances regularly to ensure they follow corporate security baselines.
Implement Runtime Threat Detection: Deploy agent-based runtime protection (like Sysdig Falco or AWS GuardDuty) on Kubernetes nodes and container hosts. Look for alerts signaling:
- Unexpected shell executions inside containers.
- Outbound connections to known cryptomining pools.
- Cryptomining signatures (such as Sysdig’s JadePuffer analysis, discussed in the JadePuffer ransomware threat report).
Rotate Cloud Credentials regularly: Use IAM roles, temporary service account tokens, and automated secrets rotation to limit the utility of exfiltrated credentials. If AWS config files are leaked, immediately invalidate the associated access keys.
Sources: The Register Cyber Crime Exclusive · Cybersecurity Threat Reports July 2026