Full Report
The threat actor known as PCPJack has hijacked cloud servers associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure to create a covert SMTP email relay network. "Compromised business servers across the U.S., Europe, and Asia were quietly converted into SMTP proxies, verified for mail relay capability, and synced to a downstream consumer every five minutes," Hunt.io said in
Analysis Summary
# Incident Report: PCPJack Hijacked Cloud Infrastructure for SMTP Relay
## Executive Summary
The threat actor known as PCPJack compromised approximately 230 cloud servers across AWS, Google Cloud, and Microsoft Azure to build a global SMTP email relay network. The attacker utilized the Sliver C2 framework and Chisel tunneling to convert business servers into hidden proxies. This infrastructure was used to verify mail relay capabilities and sync active proxies to a downstream consumer for potential large-scale phishing or spam operations.
## Incident Details
- **Discovery Date:** June 2026 (publicly reported)
- **Incident Date:** Persistent through April–June 2026
- **Affected Organization:** Multiple (estimated 230 servers)
- **Sector:** Cross-industry (affected business servers)
- **Geography:** U.S., Europe, and Asia
## Timeline of Events
### Initial Access
- **Date/Time:** April 2026 (earliest identified activity)
- **Vector:** Credential theft framework targeting cloud services.
- **Details:** The attacker utilized a specific framework designed to steal cloud credentials and move laterally into virtual machine instances.
### Lateral Movement
- **Techniques:** Deployment of Sliver C2 beacons and automated scripts to propagate across Linux-based cloud instances in AWS, GCP, and Azure.
### Data Exfiltration/Impact
- **Impact:** 230 servers converted into SMTP proxies and SOCKS5 tunnels. Verified proxy lists were synced via SCP every five minutes to a downstream consumer at `38.242.204[.]245`.
### Detection & Response
- **Discovery:** Hunt.io discovered the operation after the actor left two open directories on a C2 server (`213.136.80[.]73`) without authentication.
- **Response Actions:** Analysis of C2 source code, binaries, and deployment logs; identification of the downstream data consumer.
## Attack Methodology
- **Initial Access:** Cloud-specific credential theft.
- **Persistence:** Implementation of cron entries and systemd services; use of dot-prefixed hidden files (e.g., `/var/tmp/.xs`).
- **Privilege Escalation:** Not explicitly detailed, but required for systemd/cron persistence.
- **Defense Evasion:** Termination of processes belonging to rival groups (TeamPCP); use of hidden files; automated removal of failed tunnels to keep a "clean" footprint.
- **Credential Access:** The "PCPJack" framework specifically targets cloud-service credentials.
- **Discovery:** Diagnostic scripts checking disk space, process lists, and port reachability (Port 9000).
- **Lateral Movement:** Chisel tunneling and proxying across AMD64, ARM64, and x86 architectures.
- **Collection:** Automated verification of SMTP relay capability using `smtp.gmail[.]com:587`.
- **Exfiltration:** SCP sync of verified proxy lists and metadata (IP, Country, ASN).
- **Impact:** Forced use of legitimate business infrastructure for malicious email distribution.
## Impact Assessment
- **Financial:** Incremental costs from unauthorized cloud resource usage and bandwidth.
- **Data Breach:** Risk of credential leakage from compromised management consoles.
- **Operational:** Diversion of system resources to support the actor’s SMTP proxy network.
- **Reputational:** High risk; organization IPs could be blacklisted globally as sources of spam or phishing.
## Indicators of Compromise
- **Network Indicators:**
  - `213.136.80[.]73` (Primary C2)
  - `38.242.204[.]245` (Downstream Sync Server)
  - Outbound connections to `api.ipify[.]org` and `ip-api[.]com` from servers.
- **File Indicators:**
  - `/var/tmp/.xs` (Hidden binary)
  - Presence of "Chisel" or "Sliver" binaries in unusual paths.
- **Behavioral Indicators:**
  - Unauthorized outbound traffic to `smtp.gmail[.]com` on port 587.
  - SOCKS5 listener ports within the range `10000-14999`.
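A host triage helper for the behavioral and file indicators listed above, written as an added example for this report (not Hunt.io's tooling). It assumes `ss -tnap`-style output and crontab lines; the sample lines, PIDs and the peer address `203.0.113.10` are constructed for illustration.

```python
import re

# Indicator thresholds taken from the report above
SOCKS_PORT_RANGE = range(10000, 15000)      # SOCKS5 listeners on 10000-14999
SMTP_SUBMISSION_PORT = 587                  # unexpected mail submission egress
SUSPECT_PROCESSES = ("chisel", "sliver")    # tunnel / C2 binaries named in the report
HIDDEN_TMP = re.compile(r"/var/tmp/\.[^\s/]+")  # dot-prefixed files such as /var/tmp/.xs

def _port(addr: str) -> int:
    """Extract the port from 'host:port'; -1 for wildcard peers like '0.0.0.0:*'."""
    p = addr.rsplit(":", 1)[-1]
    return int(p) if p.isdigit() else -1

def scan_ss(lines):
    """Flag socket lines matching the report's network indicators.

    Expected columns (ss -tnap): State Recv-Q Send-Q Local Peer Process.
    """
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":   # skip header / short lines
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        m = re.search(r'users:\(\("([^"]+)"', line)
        name = m.group(1) if m else "?"
        if state == "LISTEN" and _port(local) in SOCKS_PORT_RANGE:
            findings.append(("socks5_listener", local, name))
        if state == "ESTAB" and _port(peer) == SMTP_SUBMISSION_PORT:
            findings.append(("smtp_submission_egress", peer, name))
        if name.lower() in SUSPECT_PROCESSES:
            findings.append(("tunnel_process", local, name))
    return findings

def scan_persistence(lines):
    """Return hidden /var/tmp paths launched from cron or unit-file lines."""
    return [m.group(0) for line in lines for m in [HIDDEN_TMP.search(line)] if m]

# Constructed sample input (not real telemetry); 203.0.113.10 is a documentation address
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   0.0.0.0:10042      0.0.0.0:*         users:(("chisel",pid=4410,fd=7))
ESTAB  0      0      10.0.0.5:51234     203.0.113.10:587  users:(("python3",pid=4419,fd=5))
ESTAB  0      0      10.0.0.5:44321     10.0.0.9:5432     users:(("postgres",pid=900,fd=9))
""".splitlines()
SAMPLE_CRON = ["0 * * * * /usr/bin/certbot renew",
               "*/5 * * * * /var/tmp/.xs >/dev/null 2>&1"]

def triage(ss_lines=SAMPLE_SS, cron_lines=SAMPLE_CRON):
    """Combine both scans into one findings dict for a host."""
    return {"network": scan_ss(ss_lines), "persistence": scan_persistence(cron_lines)}

if __name__ == "__main__":
    for kind, hits in triage().items():
        print(kind, hits)
```

On a live host, feed it the real output of `ss -tnap`, `crontab -l` for each user and `grep -h ExecStart /etc/systemd/system/*.service` instead of the samples.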
## Response Actions
- **Containment:** Identify and terminate all Chisel and Sliver processes.
- **Eradication:** Remove malicious cron jobs and systemd services; delete artifacts in `/var/tmp/`.
- **Recovery:** Rotate all cloud provider credentials and API keys immediately.
## Lessons Learned
- **Exposed Infrastructure:** The actor’s operational security failure (open C2 directories) allowed for complete visibility into their pipeline.
- **Resource Monitoring:** Organizations were likely not monitoring for unexpected outbound SMTP traffic or the creation of SOCKS5 tunnels on production servers.
## Recommendations
- **Egress Filtering:** Restrict outbound traffic to only necessary ports/destinations (e.g., block port 587 if the server is not an intentional mail server).
- **Cloud Hardening:** Implement Multi-Factor Authentication (MFA) across all cloud management consoles to prevent credential theft exploitation.
- **File Integrity Monitoring:** Monitor `/var/tmp` and other writable directories for the creation of hidden files and unauthorized services.