PCPJack Hijacks 230 AWS, Google Cloud, and Azure Servers for Covert SMTP Relay Network
A sophisticated threat actor known as PCPJack has established a large-scale covert email relay network by hijacking over 230 cloud servers across Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. The operation was exposed in 2026 after the group inadvertently left critical infrastructure directories unprotected, allowing researchers to fully reconstruct their toolkit and methodology.
The Discovery: An Operational Windfall
Hunt.io researchers discovered the network after PCPJack failed to secure authentication on a command-and-control (C2) server. This misconfiguration exposed a complete 12-file toolkit, including source code, compiled binaries, deployment logs, internet scanners, and a live Sliver configuration. This level of exposure is rare, providing defenders with a complete blueprint of the adversary's infrastructure.
Infrastructure and Modus Operandi
The compromised servers, located across the U.S., Europe, and Asia, were converted into SMTP proxies. The operation was highly automated:
- Verification Daemon: A custom daemon tested each SMTP tunnel every 60 seconds against smtp.gmail.com:587 to ensure only active, functional proxies remained in the pool
- Synchronization: Proxy lists were synchronized with a downstream consumer every five minutes, enabling rapid deployment of anonymous email campaigns
- Tunneling Tools: The group utilized Sliver implants for persistent access and Chisel SOCKS5 tunnels to route traffic securely through compromised hosts
PCPJack: From Credential Theft to Worm-Like Propagation
First identified by SentinelOne in April 2026, PCPJack initially gained notoriety as a credential theft framework targeting cloud services. However, their capabilities have evolved. The group now employs a worm-like propagation mechanism that exploits multiple known vulnerabilities to spread autonomously across cloud environments.
Notably, PCPJack's framework includes logic to terminate and remove processes associated with TeamPCP, a rival hacking group. This "turf war" behavior indicates a high level of sophistication and a desire for exclusive control over compromised resources.
Strategic Implications for Cloud Security
This incident underscores three critical challenges in modern cloud defense:
1. The Danger of Misconfiguration: A single unauthenticated directory on a C2 server led to the total exposure of a 230-node botnet. Conversely, a single misconfigured cloud server can provide attackers with a trusted IP address capable of bypassing many reputation-based filters.
2. Trusted Infrastructure Abuse: By hijacking servers from major providers like AWS and Azure, attackers inherit the trust reputation of those IPs. This makes detecting malicious traffic significantly harder, as emails originating from these IPs are less likely to be flagged as spam.
Defensive Recommendations
Cloud administrators should prioritize these actions:
- Audit Outbound SMTP: Monitor for unusual SMTP traffic (port 587/465) originating from cloud instances that do not require email functionality
- Restrict Security Groups: Ensure cloud firewalls do not allow unrestricted outbound access to SMTP ports unless explicitly required
- Scan for Implants: Use EDR solutions capable of detecting Sliver implants and Chisel tunneling activity, which often masquerade as legitimate system processes
- Patch Management: Given PCPJack's worm-like exploitation of known CVEs, rapid patching of cloud-facing vulnerabilities is essential to prevent initial compromise
The Bottom Line
The takedown of PCPJack's SMTP network is a victory for threat intelligence, but it also serves as a warning. As cloud providers become the backbone of global communication, their infrastructure will remain a prime target for hijacking. For defenders, the lesson is clear: visibility into outbound traffic and strict configuration management are no longer optional—they are the primary defenses against becoming an unwitting participant in a global relay network.