PCPJack Malware: Stealing Cloud Secrets via Parquet File Discovery
- [01] Immediate impact: PCPJack targets cloud environments to exfiltrate sensitive credentials and secrets from compromised infrastructure for follow-on exploitation.
- [02] Affected systems: Organizations using AWS, Azure, or Google Cloud Platform with misconfigured credential storage or insufficient file monitoring are at risk.
- [03] Remediation: Implement strict file monitoring for unusual Parquet file activity and enforce credential rotation for all cloud service accounts.
The landscape of cloud-focused threats continues to shift as adversaries refine their TTPs to evade traditional security controls. A successor to the TeamPCP malware, dubbed PCPJack, has surfaced with a specialized focus on harvesting credentials from multi-cloud environments. According to Dark Reading, the malware uses Apache Parquet files during the discovery phase of an attack to stay beneath the threshold of file-based detection.
Evolution of Cloud Credential Theft: From TeamPCP to PCPJack
PCPJack is a significant step beyond its predecessor, TeamPCP. While earlier versions focused on basic information gathering, PCPJack is optimized for the speed and scale of modern cloud infrastructure. The primary objective of the malware is the collection of sensitive secrets, including API keys, tokens, and environment variables that grant access to Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
When a threat actor gains an initial foothold, PCPJack is deployed to scan the filesystem for the configuration files that cloud CLI tools and SDKs leave behind. Loss of these credentials often leads to lateral movement within the cloud control plane, allowing attackers to provision resources, exfiltrate data, or disrupt services. Unlike older malware families that relied on noisy scanning, PCPJack's use of a structured file format lets it blend in with legitimate administrative data processing, which complicates triage for the SOC.
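The defensive counterpart to that filesystem sweep is to inventory the same files before an attacker does. The script below is an added example written for this article, not PCPJack's code and not a reconstruction of its logic: it checks the documented default locations of the AWS shared credentials file and the gcloud application-default credentials, plus an assumed Azure CLI token-cache path and a dotenv file, and reports which entries hold long-lived material (AKIA-prefixed AWS key IDs, GCP service-account keys, refresh tokens) as opposed to temporary STS credentials. The `build_fixture` home directory and the key IDs in it are constructed from AWS's published example values, not real secrets.

```python
"""Inventory static cloud credentials on a host, the same files a
credential harvester would go after. Added example for this article; it
is not PCPJack's code. The AWS and gcloud paths are the tools' documented
defaults; the Azure token-cache path and the dotenv entry are assumptions."""
from __future__ import annotations

import configparser
import json
import re
import tempfile
from pathlib import Path

AKIA_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # long-term AWS access key ID

# Relative to each user's home directory.
CREDENTIAL_FILES = (
    ".aws/credentials",                                      # AWS CLI/SDK shared credentials
    ".config/gcloud/application_default_credentials.json",   # gcloud application default creds
    ".azure/msal_token_cache.json",                          # Azure CLI token cache (assumed path)
    ".env",                                                  # dotenv files often carry raw keys
)


def scan_aws_credentials(path: Path) -> list[dict]:
    """One finding per profile; long_lived is True for AKIA keys, False for
    ASIA (temporary STS) keys that will expire on their own."""
    cp = configparser.ConfigParser()
    cp.read(path)
    return [{"file": str(path), "profile": profile,
             "long_lived": AKIA_RE.fullmatch(cp[profile].get("aws_access_key_id", "")) is not None}
            for profile in cp.sections()]


def scan_gcloud_json(path: Path) -> list[dict]:
    """A service-account key (type service_account + private_key) or a user
    refresh token (type authorized_user) both grant durable access."""
    try:
        doc = json.loads(path.read_text())
    except (ValueError, OSError):
        return []
    if doc.get("type") == "service_account" and "private_key" in doc:
        return [{"file": str(path), "profile": doc.get("client_email", "?"), "long_lived": True}]
    if doc.get("type") == "authorized_user" and "refresh_token" in doc:
        return [{"file": str(path), "profile": doc.get("client_id", "?"), "long_lived": True}]
    return []


def scan_text_for_keys(path: Path) -> list[dict]:
    """Generic sweep for AKIA key IDs embedded in any text file."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    return [{"file": str(path), "profile": key, "long_lived": True} for key in AKIA_RE.findall(text)]


def inventory(home: Path) -> list[dict]:
    """Check the known locations under one home directory and return findings."""
    findings: list[dict] = []
    for rel in CREDENTIAL_FILES:
        p = home / rel
        if not p.is_file():
            continue
        if rel.endswith("credentials"):
            findings += scan_aws_credentials(p)
        elif rel.endswith(".json"):
            findings += scan_gcloud_json(p) or scan_text_for_keys(p)
        else:
            findings += scan_text_for_keys(p)
    return findings


def build_fixture() -> Path:
    """Write a constructed home directory with AWS's documented example key
    IDs (not real secrets) so the inventory can be exercised offline."""
    home = Path(tempfile.mkdtemp(prefix="cred-inventory-"))
    (home / ".aws").mkdir()
    (home / ".aws" / "credentials").write_text(
        "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n\n"
        "[temp-session]\naws_access_key_id = ASIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = x\naws_session_token = y\n")
    (home / ".config" / "gcloud").mkdir(parents=True)
    (home / ".config" / "gcloud" / "application_default_credentials.json").write_text(json.dumps({
        "type": "service_account", "client_email": "svc@example.iam.gserviceaccount.com",
        "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n"}))
    (home / ".env").write_text("DB_HOST=db\nAWS_ACCESS_KEY_ID=AKIAI44QH8DHBEXAMPLE\n")
    return home


if __name__ == "__main__":
    for f in inventory(build_fixture()):
        print("LONG-LIVED" if f["long_lived"] else "temporary ", f["profile"], f["file"])
```

Run it against real home directories from a privileged scheduled job and feed the `long_lived` findings into the credential-rotation backlog; anything it reports is exactly what a harvester on that host would walk away with.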
PCPJack Malware Parquet File Analysis and Stealth
A defining characteristic of this threat is the use of Apache Parquet files for target discovery and pre-validation. Parquet is a compressed, columnar binary format common in big data pipelines, and a Parquet file is recognisable by the four-byte magic "PAR1" at both its start and its end. Content-inspection rules tuned for text-based configuration files (.env, .json, .yaml) do not match strings inside a compressed binary container, so secrets packed into Parquet can slip past simple signature-based detection.
By packaging discovered secrets into these files, the malware can efficiently organize large volumes of stolen data before exfiltration. Security teams analysing PCPJack's Parquet files should look for unusual file creation events involving Parquet content, whether identified by extension or by the magic bytes, in directories that do not typically host big data workloads, such as user home directories or application configuration folders. This technique highlights a growing trend where malware authors leverage legitimate developer tools to mask malicious intent.
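One way to turn that guidance into a file-creation triage rule, as an added example for this article rather than PCPJack's code or any vendor's signature: classify each newly created file by checking both the `.parquet` extension and the `PAR1` magic at both ends of the file, then rank it by where it landed. `EXPECTED_PARQUET_DIRS` and `SENSITIVE_DIRS` are assumptions for illustration and must be tuned to the estate; `build_fixture` writes a constructed sample tree (fake Parquet bytes, not real telemetry) so the logic can be exercised offline.

```python
"""Triage newly created files for Parquet content outside the directories
where Parquet belongs. Added example for this article; it is not PCPJack's
code nor a vendor signature. EXPECTED_PARQUET_DIRS and SENSITIVE_DIRS are
assumptions for illustration and must be tuned to the estate."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

PARQUET_MAGIC = b"PAR1"  # a Parquet file starts and ends with these 4 bytes

# Assumption: where this fleet legitimately writes Parquet output.
EXPECTED_PARQUET_DIRS = ("/data", "/var/lib/spark", "/opt/warehouse")
# Assumption: directories that hold cloud CLI/SDK credentials.
SENSITIVE_DIRS = (".aws", ".azure", ".config/gcloud", ".kube")


def is_parquet(path: str) -> bool:
    """True when the file carries the Parquet magic at both ends, whatever its name."""
    try:
        if os.path.getsize(path) < 2 * len(PARQUET_MAGIC):
            return False
        with open(path, "rb") as fh:
            head = fh.read(len(PARQUET_MAGIC))
            fh.seek(-len(PARQUET_MAGIC), os.SEEK_END)
            tail = fh.read(len(PARQUET_MAGIC))
    except OSError:
        return False
    return head == PARQUET_MAGIC and tail == PARQUET_MAGIC


def _under(path: str, directory: str) -> bool:
    """True when path lies inside directory (prefix check on absolute paths)."""
    p, d = os.path.abspath(path), os.path.abspath(directory)
    return p == d or p.startswith(d.rstrip(os.sep) + os.sep)


def triage_file(path: str, expected_dirs=EXPECTED_PARQUET_DIRS,
                sensitive_dirs=SENSITIVE_DIRS) -> str | None:
    """Classify one file-creation event.

    Returns None for non-Parquet files, otherwise one of
      "expected"             Parquet inside an allow-listed data directory
      "credential-dir"       Parquet sitting next to cloud credentials
      "unexpected-location"  Parquet anywhere else
    The magic check catches Parquet hidden behind another extension; the
    extension check catches empty or truncated files that lack the magic.
    """
    if not (path.lower().endswith(".parquet") or is_parquet(path)):
        return None
    if any(_under(path, d) for d in expected_dirs):
        return "expected"
    normalised = os.path.abspath(path).replace(os.sep, "/")
    if any(f"/{s}/" in normalised for s in sensitive_dirs):
        return "credential-dir"
    return "unexpected-location"


def triage_events(paths, **kwargs) -> dict[str, str]:
    """Run triage over a batch of created-file paths; keep only Parquet hits."""
    hits = {}
    for p in paths:
        verdict = triage_file(p, **kwargs)
        if verdict is not None:
            hits[p] = verdict
    return hits


def build_fixture() -> tuple[str, list[str]]:
    """Create a constructed sample tree (not real telemetry) and return
    (root, created_paths) in creation order for an offline dry run."""
    root = tempfile.mkdtemp(prefix="parquet-triage-")
    fake_parquet = PARQUET_MAGIC + b"\x00" * 64 + PARQUET_MAGIC
    files = {
        "data/events.parquet": fake_parquet,                  # legitimate warehouse output
        "home/dev/.aws/creds.dat": fake_parquet,              # Parquet hiding in a credential dir
        "home/dev/notes.parquet": b"",                        # empty file, telling extension
        "home/dev/config.json": b'{"region": "eu-west-1"}',  # not Parquet at all
    }
    created = []
    for rel, content in files.items():
        full = Path(root, rel)
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_bytes(content)
        created.append(str(full))
    return root, created


if __name__ == "__main__":
    root, paths = build_fixture()
    for path, verdict in triage_events(paths, expected_dirs=(root + "/data",)).items():
        print(f"{verdict:20s} {path}")
```

In production the `paths` input would come from the EDR or auditd file-creation stream rather than a fixture; the point of reading the magic bytes is that an attacker who renames the container to `.dat` or `.log` still trips the rule.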
Detection and Cloud Secret Theft Mitigation
To detect PCPJack-style cloud secret theft, organizations must move beyond static file hashing. Since the malware is designed to harvest credentials that facilitate further access, monitoring the behavior of cloud identities is paramount. Defenders should integrate cloud provider audit logs (AWS CloudTrail, Azure Activity Log, GCP Cloud Audit Logs) into their SIEM to identify anomalous API calls, in particular calls that originate from source addresses where that identity has never been seen, or from outside the networks the organization expects its workloads to use.
Effective cloud secret theft mitigation requires a defense-in-depth approach. First, organizations should transition from static credentials to short-lived, identity-based access tokens (for example IAM roles obtained through STS, or workload identity federation, rather than long-term access keys stored on disk). Second, file integrity monitoring should be configured to alert on the creation or modification of Parquet files in non-standard locations. Finally, the principle of least privilege must be enforced so that even if PCPJack successfully harvests a token, the damage is limited to the scope of that identity. Mapping detections to the relevant MITRE ATT&CK Credential Access techniques, such as Unsecured Credentials: Credentials In Files (T1552.001), helps teams track coverage as this threat evolves.
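The two paragraphs above describe behavioural detection and the preference for short-lived credentials; the following block, an added example for this article and not a vendor rule or PCPJack code, puts both together over a handful of audit records. The records are constructed in CloudTrail's field layout (not real telemetry), `TRUSTED_NETWORKS` is an assumption to be replaced with real egress ranges, and the severity logic relies on the documented AWS convention that access key IDs starting with `AKIA` are long-term IAM user keys while `ASIA` marks temporary STS credentials.

```python
"""Flag cloud API calls that look like use of harvested credentials.
Added example for this article, not a vendor rule or PCPJack code. The
records are constructed in CloudTrail's field layout (not real telemetry)
and TRUSTED_NETWORKS is an assumption to be replaced with real egress ranges."""
from __future__ import annotations

import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: networks from which this account's API calls should originate.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]

_KEY_A = "AKIAIOSFODNN7EXAMPLE"   # long-term IAM user key (AKIA prefix)
_KEY_B = "ASIAIOSFODNN7EXAMPLE"   # temporary STS credentials (ASIA prefix)
_KEY_C = "ASIAI44QH8DHBEXAMPLE"
_USER = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deploy", "accessKeyId": _KEY_A}
_ROLE = {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc", "accessKeyId": _KEY_B}
_ROLE2 = {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0def", "accessKeyId": _KEY_C}


def _ev(t, name, src, ip, ident):
    return json.dumps({"eventTime": t, "eventName": name, "eventSource": src,
                       "sourceIPAddress": ip, "userIdentity": ident})


# Constructed sample records: a CI key used normally, then from an outside
# address (with the classic GetCallerIdentity validation call), a role used
# normally, a role used from outside, and a service-originated call.
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00Z", "ListBuckets", "s3.amazonaws.com", "10.0.4.12", _USER),
    _ev("2024-05-01T10:03:00Z", "GetCallerIdentity", "sts.amazonaws.com", "198.51.100.77", _USER),
    _ev("2024-05-01T10:04:00Z", "ListSecrets", "secretsmanager.amazonaws.com", "198.51.100.77", _USER),
    _ev("2024-05-01T10:05:00Z", "DescribeInstances", "ec2.amazonaws.com", "10.0.9.3", _ROLE),
    _ev("2024-05-01T10:06:00Z", "GetCallerIdentity", "sts.amazonaws.com", "198.51.100.200", _ROLE2),
    _ev("2024-05-01T10:07:00Z", "DescribeStacks", "cloudformation.amazonaws.com",
        "cloudformation.amazonaws.com", {"type": "AWSService"}),
]


def parse_event(line: str) -> dict:
    """Pull the fields the rules need out of one JSON record."""
    rec = json.loads(line)
    ident = rec.get("userIdentity", {})
    return {"time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "name": rec["eventName"], "ip": rec["sourceIPAddress"],
            "key": ident.get("accessKeyId", ""), "arn": ident.get("arn", "")}


def ip_is_trusted(value: str, networks) -> bool | None:
    """True/False for a client IP; None when the field is a service DNS name."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None
    return any(addr in net for net in networks)


def is_long_lived_key(key: str) -> bool:
    """AKIA-prefixed key IDs are long-term IAM user keys; ASIA marks temporary STS credentials."""
    return key.startswith("AKIA")


def analyse(lines, networks=TRUSTED_NETWORKS, window=timedelta(hours=1)) -> list[dict]:
    """Two behavioural rules over a batch of records, returned as alert dicts.

    api_call_from_untrusted_network: client IP outside the allow-list; high
        severity when the key is long-lived, since it will not expire on its own.
    key_used_from_multiple_ips: the same access key active from more than one
        address inside `window`, the usual footprint of a copied credential.
    """
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["time"])
    alerts: list[dict] = []
    last_seen: dict[str, dict[str, datetime]] = defaultdict(dict)  # key -> {ip: time}
    for e in events:
        if ip_is_trusted(e["ip"], networks) is False:
            sev = "high" if is_long_lived_key(e["key"]) else "medium"
            alerts.append({"rule": "api_call_from_untrusted_network", "severity": sev, **e})
        if not e["key"]:
            continue
        recent = {ip: t for ip, t in last_seen[e["key"]].items() if e["time"] - t <= window}
        others = sorted(set(recent) - {e["ip"]})
        if others:
            alerts.append({"rule": "key_used_from_multiple_ips", "severity": "high",
                           "other_ips": others, **e})
        last_seen[e["key"]] = {**recent, e["ip"]: e["time"]}
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["rule"], a["key"], a["ip"], a["name"])
```

The `ci-deploy` key fires both rules because it is long-lived and appears from two addresses within minutes, which is the case that warrants immediate revocation; the `ASIA` role credential seen off-network is lower severity because it expires on its own, and the service-originated call is ignored rather than mis-scored as an untrusted IP.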