PCPJack, the stealthy successor to TeamPCP malware, now targets cloud secrets across AWS, Azure, and Google Cloud by exploiting parquet files for pre-validated reconnaissance. This evolution bypasses traditional detection, scanning environments without triggering endpoint alerts. Security researchers first spotted it replacing older TeamPCP variants, which relied on crude credential dumping. PCPJack’s innovation lies in its use of columnar parquet storage—optimized for big data queries—to embed target lists, enabling attackers to pivot silently between tenants.
Unlike predecessors that scanned indiscriminately, PCPJack arrives pre-loaded with validated assets. It queries cloud metadata services like AWS’s IMDSv2 or Azure’s instance metadata endpoint, cross-referencing against parquet payloads. This “pre-validation” cuts noise, focusing exfiltration on high-value secrets such as IAM keys, service tokens, and database credentials. Network defenders face a new paradigm: malware that doesn’t probe; it knows.
Parquet’s Role in Stealth
Parquet files, a format popularized by Apache for efficient data lakes, store compressed, columnar data with built-in schemas. PCPJack abuses this for target discovery:
- Embeds lists of resource ARNs, bucket names, or subscription IDs in schema metadata.
- Uses Arrow libraries (common in cloud analytics) to parse without custom loaders, blending into legitimate ETL jobs.
- Splits payloads across multiple tiny files (<1MB), evading file scanners tuned for executables.
Because these reads look like the ones legitimate tools such as Athena or Databricks issue against spec-conformant Apache Parquet files, the technique blends in. Attackers likely harvest the embedded target lists from breached data warehouses, turning one victim's data against others. For IT pros: audit Spark jobs and S3 access logs for anomalous Parquet reads.
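A defender-side check for the footer abuse described above, added here as an example (it is not code from the article or from any tool it names): it validates the Parquet file envelope, cuts out the raw footer, and scans it for cloud resource identifiers that have no business in schema metadata. The SUSPICIOUS_PATTERNS names, the sample files and every identifier in them are constructed for the example; only the file layout (PAR1 magic, footer, 4-byte little-endian footer length, trailing magic) follows the Apache Parquet format.

```python
import re
import struct

PARQUET_MAGIC = b"PAR1"

# Identifier patterns a hunter would not expect inside schema key/value metadata.
# Names and patterns are constructed for this example (not from the article).
SUSPICIOUS_PATTERNS = {
    "aws_arn": re.compile(rb"arn:aws[a-z-]*:[a-z0-9-]*:[a-z0-9-]*:\d{0,12}:[^\s\x00\"']+"),
    "s3_bucket": re.compile(rb"s3://[a-z0-9.-]{3,63}"),
    "azure_subscription": re.compile(
        rb"/subscriptions/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"),
    "gcp_service_account": re.compile(rb"[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com"),
}


def extract_footer(data: bytes) -> bytes:
    """Return the raw (Thrift-encoded) footer of a Parquet file.

    Layout per the Apache Parquet format: 'PAR1' ... footer, 4-byte
    little-endian footer length, 'PAR1'. Raises ValueError on a bad envelope.
    """
    if len(data) < 12 or not data.startswith(PARQUET_MAGIC) or not data.endswith(PARQUET_MAGIC):
        raise ValueError("not a Parquet file: missing PAR1 magic")
    footer_len = struct.unpack("<I", data[-8:-4])[0]
    footer_start = len(data) - 8 - footer_len
    if footer_start < len(PARQUET_MAGIC):
        raise ValueError("footer length exceeds file size")
    return data[footer_start:len(data) - 8]


def find_embedded_identifiers(data: bytes) -> dict:
    """Scan footer bytes for cloud identifiers; returns {pattern_name: [matches]}.

    No Thrift decoding: string values sit in the footer as raw UTF-8, so a
    byte-level scan also works on truncated or deliberately malformed footers.
    """
    footer = extract_footer(data)
    hits = {}
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        found = sorted({m.group(0).decode("utf-8", "replace") for m in pattern.finditer(footer)})
        if found:
            hits[name] = found
    return hits


def build_sample_file(metadata_strings) -> bytes:
    """Constructed fixture: valid Parquet envelope around a footer made of
    NUL-separated strings (a real footer is Thrift, but strings appear verbatim)."""
    footer = b"\x00".join(metadata_strings)
    body = b"\x00" * 64  # stands in for row groups
    return PARQUET_MAGIC + body + footer + struct.pack("<I", len(footer)) + PARQUET_MAGIC


# Constructed samples: a benign ETL output and one carrying a target list.
SAMPLE_BENIGN = build_sample_file([b"org.apache.spark.version", b"3.5.0", b"created_by", b"parquet-mr"])
SAMPLE_SUSPICIOUS = build_sample_file([
    b"org.apache.spark.version", b"3.5.0",
    b"arn:aws:iam::123456789012:role/DataLakeReader",
    b"s3://example-corp-backups",
    b"/subscriptions/3f9a3e2c-1b4d-4f5e-9a6b-7c8d9e0f1a2b/resourceGroups/prod",
    b"etl-runner@example-project.iam.gserviceaccount.com",
])


def scan_report(data: bytes) -> str:
    """Human-readable verdict for one file."""
    hits = find_embedded_identifiers(data)
    if not hits:
        return "clean: no cloud identifiers in footer"
    return "suspicious: " + "; ".join(f"{k}={v}" for k, v in hits.items())


if __name__ == "__main__":
    print(scan_report(SAMPLE_BENIGN))
    print(scan_report(SAMPLE_SUSPICIOUS))
```

Run it over the files a Spark or Athena job writes to temp or staging paths; a file whose footer carries ARNs, bucket names or subscription IDs deserves a closer look with a full parser (pyarrow's `pyarrow.parquet.read_metadata(path).metadata` exposes the key/value section) and a check of which job produced it.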
Multi-Cloud Pivoting Tactics
PCPJack canvasses multiple cloud environments via federated auth. It starts in one provider, extracts cross-account roles, then hops:
- Leverages OIDC tokens for seamless Azure-to-AWS jumps.
- Queries GraphQL APIs in SaaS-integrated clouds for tenant graphs.
- Persists via Lambda functions or Azure Functions, scheduled to run post-exfil.
Because persistence lives in cloud functions rather than on hosts, the malware needs no local persistence and survives restarts. NIST zero-trust guidance emphasizes least privilege, but PCPJack exploits misconfigured service principals that violate it. Enterprises with hybrid setups see 2x faster compromise chains, as seen in recent campaigns.
Detection and Mitigation Steps
Spot PCPJack through behavioral anomalies:
- Monitor parquet file creations in temp directories via Sysmon or Falco.
- Set IMDSv2 to required mode so that metadata requests without a session token are rejected.
- Deploy CSPM tools like Prisma Cloud to flag anomalous role assumptions.
Integrate with advanced threat hunting workflows to baseline cloud API calls. Patch Arrow/Parquet parsers in analytics pipelines, and rotate secrets quarterly. For network engineers, segment VPC peering and enforce reconciliation audits matching inventory to access logs.
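Detection logic for the two pivots named in this article, the cross-account role hop and the OIDC-federated jump into AWS, added here as an example (not code from the article or from any product it mentions). It baselines successful AssumeRole caller/role pairs from a trusted window, then flags new cross-account assumptions and AssumeRoleWithWebIdentity calls from issuers outside an allowlist. The event records are constructed: field names follow CloudTrail's JSON schema, but every account ID, role name and issuer is made up.

```python
import json

# Constructed CloudTrail-style records (field names follow CloudTrail's JSON
# schema; every value here is made up for this example).
BASELINE_WINDOW = [
    {"eventID": "base-1", "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/etl-runner/i-0aaa"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/DataLakeReader"}},
]

DETECTION_WINDOW = [
    # Known pipeline hop, seen in the baseline: not flagged.
    {"eventID": "evt-1", "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/etl-runner/i-0aaa"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/DataLakeReader"}},
    # Same principal reaching into a third account it never touched before: flagged.
    {"eventID": "evt-2", "eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/etl-runner/i-0aaa"},
     "requestParameters": {"roleArn": "arn:aws:iam::333333333333:role/OrgAdmin"}},
    # New pair but inside one account: below the cross-account bar, not flagged.
    {"eventID": "evt-3", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/deploy-bot"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/Deployer"}},
    # OIDC federation from an issuer that is not on the trusted list: flagged.
    {"eventID": "evt-4", "eventName": "AssumeRoleWithWebIdentity",
     "userIdentity": {"type": "WebIdentityUser",
                      "identityProvider": "sts.windows.net/tenant-id-placeholder"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/DataLakeReader"}},
]

# Issuers the organization has deliberately federated (constructed allowlist).
TRUSTED_ISSUERS = {"token.actions.githubusercontent.com"}


def account_of(arn: str) -> str:
    """Account ID field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 else ""


def baseline_pairs(events) -> set:
    """(caller ARN, role ARN) pairs observed as successful AssumeRole calls."""
    pairs = set()
    for e in events:
        if e["eventName"] == "AssumeRole" and "errorCode" not in e:
            pairs.add((e["userIdentity"]["arn"], e["requestParameters"]["roleArn"]))
    return pairs


def flag_role_assumptions(events, known_pairs, trusted_issuers) -> list:
    """Return findings for cross-account hops outside the baseline and for
    web-identity federation from issuers outside the allowlist."""
    findings = []
    for e in events:
        role = (e.get("requestParameters") or {}).get("roleArn", "")
        ident = e.get("userIdentity") or {}
        if e["eventName"] == "AssumeRole":
            caller = ident.get("arn", "")
            if account_of(caller) != account_of(role) and (caller, role) not in known_pairs:
                findings.append({"eventID": e["eventID"],
                                 "reason": "new cross-account role assumption",
                                 "caller": caller, "role": role})
        elif e["eventName"] == "AssumeRoleWithWebIdentity":
            issuer = ident.get("identityProvider", "")
            if issuer not in trusted_issuers:
                findings.append({"eventID": e["eventID"],
                                 "reason": "web identity from untrusted issuer",
                                 "issuer": issuer, "role": role})
    return findings


if __name__ == "__main__":
    known = baseline_pairs(BASELINE_WINDOW)
    print(json.dumps(flag_role_assumptions(DETECTION_WINDOW, known, TRUSTED_ISSUERS), indent=2))
```

The baseline should come from a window you have already reviewed, and the cross-account bar is deliberate: same-account role churn is routine noise, whereas a principal reaching into an account it has never touched is the hop this article describes. Feed the same function to Azure sign-in logs or GCP audit logs by mapping their caller and target fields onto the same two-tuple.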
What This Means for You
PCPJack signals a shift: malware now weaponizes data formats against cloud ops. IT teams must treat analytics artifacts as attack vectors, not just storage. Implement runtime scanning for embedded payloads using YARA rules tuned for Parquet headers. Looking ahead, expect variants targeting Iceberg or Delta Lake as data lakes grow.
In 2026 reports, multi-cloud breaches rose notably, underscoring urgency. Prioritize secrets management with HashiCorp Vault or AWS Secrets Manager, enforcing just-in-time access. Network pros: simulate pivots in purple-team exercises to harden perimeters.