PCPJack Abuses Cloud Servers to Build Covert SMTP Relay Network
The threat actor PCPJack has compromised over 230 AWS, Google Cloud, and Azure servers to establish a clandestine SMTP relay network for malicious email distribution.

A sophisticated threat actor known as PCPJack has been discovered hijacking cloud infrastructure from major providers including Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. The objective of the operation is to construct a covert network of SMTP proxies that can relay email at scale. Security researchers at Hunt.io found that compromised business servers across the United States, Europe, and Asia were being systematically converted into these SMTP proxies.
The compromised servers were not only repurposed but also actively verified for their mail relay capabilities. This verification process ensured that the proxies could effectively send emails, and the list of active proxies was synchronized to a downstream consumer every five minutes. The infrastructure was found to be fully operational at the time of discovery, indicating a well-established and ongoing campaign.
During their investigation, Hunt.io uncovered a wealth of operational data left exposed on a command-and-control (C2) server. This included source code, compiled binaries, deployment logs, internet scanning tools, exploitation utilities, and a live configuration for Sliver, a popular legitimate open-source remote-access and command-and-control framework that is frequently misused by threat actors. The discovery was possible because the threat actor left two directories on the C2 server, located at "213.136.80[.]73", completely unprotected and accessible.
PCPJack first came to the attention of security researchers in April 2026 when SentinelOne identified a credential theft framework specifically targeting cloud services. This group also demonstrated a connection to TeamPCP, another notable hacking collective known for its involvement in software supply chain attacks. The use of Sliver suggests a sophisticated approach, leveraging existing tools for malicious purposes.
The deployment toolkit found on the C2 server contained Sliver-integrated SMTP proxy binaries, along with Chisel tunneling and proxy utilities compiled for various Linux architectures. On victim machines the malicious binary was disguised as a hidden file, typically named ".xs", and stored in the /var/tmp directory. The toolkit also included deployer scripts designed to load the Sliver C2 client configuration and filter for active beacons, the implants that periodically check in with the C2 server.
A critical component of the operation is an SMTP quality gate, implemented within the deployer scripts. This gate probes for outbound access to smtp.gmail[.]com on port 587. Servers that fail this test are discarded, ensuring that only functional mail relays are added to the network. This meticulous filtering underscores the campaign's specific focus on building a robust email relay infrastructure.
Subsequent analysis revealed that later versions of the deployer scripts had removed the SMTP gate and batching logic, suggesting an evolution in the threat actor's tactics. Diagnostic scripts were also present, designed to check for the presence of Chisel binaries, running Chisel processes, sufficient disk space, network connectivity to the C2 server, and persistence artifacts. A Python script, "chisel_verifier.py", ran as a background daemon on the C2 server, continuously scanning for active Chisel tunnels, testing them for SMTP capability, and maintaining an updated pool of verified proxies.
Verified proxies were enriched with their exit IP address, country, and Autonomous System Number (ASN) using public services. This information was then synchronized every five minutes via SCP to a separate, currently inaccessible, downstream server. While the ultimate goal of this extensive SMTP relay network remains unclear, the infrastructure's scale—comprising at least 230 nodes—points towards large-scale malicious email operations, such as spam, phishing, or other forms of unsolicited communication.