PROBABLYPWNED
Threat Intelligence | June 5, 2026 | 4 min read

PCPJack Hijacks 230 Cloud Servers for Covert SMTP Relay Network

Threat actor PCPJack compromised 230 AWS, Azure, and Google Cloud servers to build a hidden email relay network. Hunt.io and SentinelOne researchers expose the operation.

Alex Kowalski

A threat actor has quietly converted 230 business servers across AWS, Google Cloud, and Microsoft Azure into an underground email relay network. The operation, attributed to a group tracked as PCPJack, represents a shift from credential theft toward infrastructure-as-a-service for spam and phishing campaigns.

Hunt.io researchers discovered the operation after locating an unprotected command-and-control directory on a known PCPJack server. Twelve files sat exposed on port 8444 with no authentication required—including source code, compiled binaries, and deployment state logs that revealed the full scope of the operation.

From Credential Theft to Email Infrastructure

PCPJack first appeared on security researchers' radar in April 2026 when SentinelOne documented its credential theft framework targeting cloud services. What stood out was the malware's first action: evicting and deleting tools associated with TeamPCP, a competing threat actor that had compromised 60,000+ cloud servers since late 2025.

The SMTP relay operation discovered by Hunt.io shows PCPJack has expanded beyond simple credential harvesting. Compromised business servers across the U.S., Europe, and Asia were converted into email proxies, verified for mail relay capability, and synced to a downstream consumer every five minutes.

According to Hunt.io's analysis: "Whether for spam, phishing, or something else, the infrastructure to deliver at scale was clearly running."

How the Attack Chain Works

PCPJack's toolset combines several open-source offensive security tools into a cohesive deployment pipeline:

  1. Initial access - Targeting misconfigured cloud services, exposed Docker APIs, and vulnerable Redis instances
  2. Deployment - Sliver C2 client with integrated SMTP proxy deployment drops binaries as hidden files at /var/tmp/.xs
  3. Tunneling - Chisel proxies for AMD64, ARM64, and x86 Linux architectures establish covert channels
  4. Persistence - Cron entries or systemd services maintain access across reboots
  5. Quality control - Diagnostic scripts verify SMTP gateway access by probing smtp.gmail.com:587

Hosts failing the SMTP relay check were marked as having "no value to the operation"—a brutally efficient triage system that prioritizes mail-capable infrastructure.

Technical Indicators

The deployment state file recovered by researchers confirms 230 successful installations in a single March 2026 deployment run. Each compromised host received:

  • SOCKS5 proxy ports derived from MD5 hashes of Sliver UUIDs (range: 10000-14999)
  • Exit IP enrichment via api.ipify.org and ip-api.com for geographic targeting
  • Batch processing of 50 beacons at 25-minute intervals post-upload

Verified proxies sync every five minutes via SCP to a downstream server at 38.242.204.245, which was inaccessible when researchers attempted to investigate further.

Known infrastructure:

  • C2 Server: 213.136.80.73
  • Drop Path: /var/tmp/.xs
  • Downstream: 38.242.204.245 (currently offline)

Why Attackers Want Your Cloud Servers

Clean IP addresses are valuable commodities in the criminal ecosystem. Email providers maintain reputation scores for sending IPs, and addresses belonging to legitimate businesses carry inherent trust that purpose-built spam servers lack.

A compromised corporate mail relay can bypass spam filters that would block known-bad infrastructure. The same principle applies to phishing campaigns—emails originating from a Fortune 500 company's cloud infrastructure reach inboxes that reject messages from bulletproof hosting.

This mirrors tactics we've seen in other recent malware campaigns targeting cloud infrastructure, where attackers prioritize long-term access over immediate monetization.

Detection and Response

Organizations running cloud workloads should audit for:

  • Unexpected cron entries or systemd services with generic names
  • Hidden files in /var/tmp/ or other world-writable directories
  • Outbound SMTP traffic from servers not designated as mail relays
  • Sliver or Chisel binaries on Linux hosts—neither belongs on production systems
  • Connections to the IOC addresses listed above
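As an added illustration (not code from Hunt.io, SentinelOne or this article), the following Python triage helper applies the audit points above to host data: it walks `ss -ntp`-style socket lines, a file listing, and `crontab -l` output, all constructed here as samples, and flags the indicators named in this report (the two IOC addresses, the `/var/tmp/.xs` drop path, hidden files in world-writable directories, outbound SMTP from a host that is not a designated relay, and cron jobs that execute from those locations). Port and path heuristics are assumptions for illustration, not part of the published indicators.

```python
import re
# Indicators quoted in the article above; everything else here is a constructed sample.
IOC_ADDRS = {"213.136.80.73", "38.242.204.245"}
DROP_PATH = "/var/tmp/.xs"
SMTP_PORTS = {"25", "465", "587"}
WORLD_WRITABLE = ("/var/tmp/", "/tmp/", "/dev/shm/")

def audit_connections(ss_lines, mail_relay=False):
    """Flag sockets to IOC addresses and outbound SMTP from a non-relay host (ss -ntp layout)."""
    findings = []
    for line in ss_lines:
        f = line.split()  # State Recv-Q Send-Q Local:Port Peer:Port [Process]
        if len(f) < 5 or f[0] != "ESTAB":
            continue
        peer_ip, _, peer_port = f[4].rpartition(":")
        if peer_ip in IOC_ADDRS:
            findings.append(f"IOC connection to {f[4]}")
        elif peer_port in SMTP_PORTS and not mail_relay:
            findings.append(f"Unexpected outbound SMTP to {f[4]}")
    return findings

def audit_files(paths):
    """Flag the reported drop path, then any hidden file in a world-writable directory."""
    findings = []
    for p in paths:
        if p == DROP_PATH or p.startswith(DROP_PATH + "/"):
            findings.append(f"PCPJack drop path present: {p}")
        elif p.startswith(WORLD_WRITABLE) and p.rsplit("/", 1)[-1].startswith("."):
            findings.append(f"Hidden file in world-writable dir: {p}")
    return findings

def audit_cron(cron_lines):
    """Flag `crontab -l` entries whose command runs from a world-writable or hidden path."""
    findings = []
    for line in cron_lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        cmd = line.split(None, 5)[-1]  # five schedule fields, then the command
        if cmd.startswith(WORLD_WRITABLE) or re.search(r"/\.[^/\s]+", cmd):
            findings.append(f"Cron job runs from suspicious path: {cmd}")
    return findings

# Constructed sample host data (not real output); the non-IOC peer is an RFC 5737 address.
SS_SAMPLE = [
    'ESTAB 0 0 10.0.0.5:51234 213.136.80.73:8444 users:(("xs",pid=1234,fd=3))',
    'ESTAB 0 0 10.0.0.5:41002 198.51.100.7:587 users:(("xs",pid=1234,fd=5))',
]
FILES_SAMPLE = ["/var/tmp/.xs/chisel_amd64", "/var/tmp/systemd-private-x", "/tmp/.cache"]
CRON_SAMPLE = ["# m h dom mon dow command", "0 3 * * * /usr/bin/certbot renew",
               "*/5 * * * * /var/tmp/.xs/sync.sh >/dev/null 2>&1"]
```

Run the three functions over real `ss -ntp`, `find /var/tmp /tmp /dev/shm -type f` and `crontab -l` output per host; a hit on the IOC or drop-path checks warrants isolation, while the hidden-file and SMTP checks need review against what the host is supposed to do.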

Cloud security teams should also verify that Docker APIs, Kubernetes clusters, and Redis instances aren't exposed to the internet without authentication. PCPJack's reconnaissance targets the same low-hanging fruit that cryptocurrency-focused threat actors and cryptojacking campaigns have exploited for years.

The Bigger Picture

PCPJack's evolution from credential stealer to infrastructure provider suggests a maturing threat actor exploring multiple revenue streams. The decision to evict TeamPCP from compromised hosts—rather than coexist—indicates territorial behavior more common among established criminal groups than opportunistic script kiddies.

The exposed C2 directory was either careless opsec or deliberate misdirection. Either way, it gave researchers a rare window into the operational side of a cloud-focused threat campaign. Security teams should assume similar operations exist on infrastructure they haven't discovered yet.

Hunt.io notes the ultimate purpose of the SMTP network remains unclear. Spam, phishing, and business email compromise are the obvious candidates, but the infrastructure could support any email-dependent fraud operation at scale.
