PCPJack hijacks 230 cloud servers for covert SMTP relay network

The threat actor known as PCPJack hijacked 230 cloud servers tied to AWS, Google Cloud and Microsoft Azure to build a covert SMTP email relay network, according to a technical analysis from Hunt.io. The campaign used compromised business systems across the U.S., Europe and Asia, and the infrastructure was still active when researchers found it.

KEY FACTS

  • Scope: 230 cloud servers were converted into SMTP proxies.
  • Infrastructure: The operation used Sliver, Chisel and Linux proxy binaries.
  • Persistence: One dropped binary was stored as /var/tmp/.xs.
  • Control: Open directories on a C2 server exposed source code, logs and tooling.

The report said the exposed material included compiled binaries, deployment state logs, internet scanners, exploitation tools and a live Sliver configuration. The C2 server, identified as 213.136.80.73, had two open directories with no authentication.

PCPJack was first identified in April 2026 by SentinelOne, which linked it to credential theft activity focused on cloud services. The group also appeared to take steps to terminate or remove processes and artifacts tied to TeamPCP, another hacking group associated with software supply chain attacks.

Research files showed an SMTP proxy deployment toolkit that used Chisel tunneling and proxy binaries for AMD64, ARM64 and x86 Linux systems. The scripts also checked whether hosts could reach smtp.gmail.com on port 587 before adding them to the relay pool.

Later versions removed the SMTP gate and batching logic, while a diagnostic script tested for Chisel binaries, running processes, disk space, port 9000 access on the C2 server and common persistence artifacts. The C2 also ran a background script that verified active tunnels, removed failed ones, enriched proxy records with IP, country and ASN data, and synced the resulting list to a downstream server every five minutes.
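The indicators the report names (the C2 address and its port 9000, the /var/tmp/.xs drop path, Chisel binaries and outbound connections to port 587 from hosts that have no business submitting mail) are enough for a first-pass host triage. The script below is an added example, not code from Hunt.io's report or the actor's toolkit: it parses constructed `ss -tnp` output and a constructed file list, both embedded inline, and flags each indicator. The process names, file paths and the `host_sends_mail` switch are assumptions for illustration; on a real host you would feed it the output of `ss -tnp` and a `find` over /var/tmp, /tmp and the usual binary directories.

```python
"""Host triage for the relay-network indicators named in the report (added example)."""
import os
import re
from dataclasses import dataclass

# Indicators taken from the report text.
C2_IP = "213.136.80.73"
C2_PORT = 9000
DROPPED_PATH = "/var/tmp/.xs"
SMTP_SUBMISSION_PORT = 587

# Matches one data line of `ss -tnp` output; the Process column is optional.
SS_LINE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)


@dataclass(frozen=True)
class Conn:
    state: str
    raddr: str
    rport: int
    proc: str
    pid: int


def parse_ss(text: str) -> list[Conn]:
    """Parse `ss -tnp` output; the header and any unparsable line are skipped."""
    conns = []
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            conns.append(Conn(m["state"], m["raddr"], int(m["rport"]),
                              m["proc"] or "", int(m["pid"] or 0)))
    return conns


def triage(conns, paths, host_sends_mail=False):
    """Return (kind, detail) findings.

    host_sends_mail=True suppresses the port-587 check for hosts that
    legitimately submit mail (assumption: most cloud servers do not).
    """
    findings = []
    for c in conns:
        if c.raddr == C2_IP and c.rport == C2_PORT:
            findings.append(("c2_tunnel",
                             f"pid={c.pid} proc={c.proc} -> {c.raddr}:{c.rport}"))
        elif c.rport == SMTP_SUBMISSION_PORT and not host_sends_mail:
            findings.append(("smtp_egress",
                             f"pid={c.pid} proc={c.proc} -> {c.raddr}:{c.rport}"))
    for p in paths:
        if p == DROPPED_PATH:
            findings.append(("dropped_binary", p))
        elif os.path.basename(p) == "chisel":
            findings.append(("chisel_binary", p))
    return findings


# Constructed sample telemetry, not real captures. 192.0.2.0/24 and
# 203.0.113.0/24 are documentation ranges; the C2 address is from the report.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:44122 213.136.80.73:9000 users:(("chisel",pid=2211,fd=7))
ESTAB 0 0 10.0.0.5:51200 192.0.2.25:587 users:(("proxy",pid=2290,fd=4))
ESTAB 0 0 10.0.0.5:22 203.0.113.9:50112 users:(("sshd",pid=811,fd=3))
"""
SAMPLE_PATHS = ["/var/tmp/.xs", "/usr/local/bin/chisel", "/usr/bin/python3"]

if __name__ == "__main__":
    for kind, detail in triage(parse_ss(SAMPLE_SS), SAMPLE_PATHS):
        print(f"{kind:15} {detail}")
```

The port-587 check is deliberately coarse: the toolkit gated hosts on reaching smtp.gmail.com:587, so any outbound submission-port connection from a server with no mail role is worth a look, and the peer address alone will not tell you whether it is a relay. Treat a hit on the C2 address or the drop path as a stronger signal than the SMTP egress on its own.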

WHY IT MATTERS

The case shows how compromised cloud servers can be turned into a managed relay network that may support spam, phishing or other mass-email abuse. The exact end use remains unclear, but the scale and automation suggest an operation built to move email traffic at volume.