Fast Facts
- Threat actor PCPJack hijacked cloud servers across AWS, Google Cloud, and Azure to operate a covert SMTP relay network for potentially large-scale spam, phishing, or malware distribution.
- They deployed Linux-based proxies and implants (Sliver, Chisel) with automated scripts to maintain persistence, filter for SMTP relay functionality, and exfiltrate proxy data, indicating sophisticated, scalable infrastructure.
- The operation’s infrastructure—comprising compromised servers, relay scripts, and persistent C2 mechanisms—suggests an opportunistic campaign capable of enabling extensive malicious activities at scale.
Threat, Attack Techniques, and Targets
The threat actor known as PCPJack hijacked cloud servers on AWS, Google Cloud, and Microsoft Azure and turned them into a covert SMTP relay network. The servers are located in the U.S., Europe, and Asia. The hijacking converted business servers into SMTP proxies capable of relaying email. The attacker stored source code, binaries, logs, exploitation tools, and a live Sliver configuration in open directories on a command-and-control (C2) server that had no authentication or other security measures. The group first appeared in April 2026, targeting cloud services through credential theft, with the aim of controlling the servers and using them to relay email for illegal activities.
PCPJack employed specific attack techniques. Deployment scripts load the Sliver C2 client configuration and start beacons that check in at regular intervals; these beacons are implants that communicate with the C2 server on a fixed schedule. The attack also used staged tunneling and proxy binaries built for several Linux architectures (AMD64, ARM64, and x86). The malware binary is stored hidden in a system folder, making it harder to find. The attacker also used scripts to test SMTP access and filter out hosts that could not relay email, a step that is crucial to the operation.
The targets of this campaign are mainly cloud servers that are still running and capable of relaying emails. The goal appears to be creating a large covert email relay network for malicious use. This could include spam, phishing, or other harmful activities.
Impact, Security Implications, and Remediation Guidance
This campaign creates several security concerns. First, the hijacked servers can send large amounts of spam or phishing emails. They can also be used for other malicious operations that rely on email relays. The infiltration shows that cloud environments can be targeted and turned into tools for cybercrime. If attackers gain control of cloud resources, it can cause serious damage to organizations and their reputation.
The presence of open directories and the lack of authentication on the C2 server make it easier for attackers to control and expand their network. Additional concerns include the potential for data theft and misuse of cloud infrastructure. Because the operation is ongoing, organizations need to take immediate actions to check for signs of compromise.
For remediation, affected parties are advised to seek guidance from their cloud providers or cybersecurity authorities. Cloud services should review server security, close unnecessary open directories, and enhance authentication. Monitoring for unusual activity, especially related to email relays and server configurations, is also critical. Because the report does not provide specific remediation steps, organizations should consult their cloud vendors or cybersecurity professionals for tailored advice.
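One way to monitor for the relay behaviour described above is to correlate SMTP server logs and flag messages that an untrusted client relayed to an external domain. The following is an added example, not code from the report or the threat actor's tooling; it assumes Postfix-style syslog lines, a hypothetical trusted network of 10.0.0.0/8, and a local domain of corp.example, and the log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in Postfix syslog format (not taken from the report).
SAMPLE_LOG = """\
Apr 12 03:14:07 mx1 postfix/smtpd[2211]: 7F3A1: client=unknown[203.0.113.5]
Apr 12 03:14:07 mx1 postfix/qmgr[1100]: 7F3A1: from=<promo@mail.invalid>, size=4211, nrcpt=1 (queue active)
Apr 12 03:14:09 mx1 postfix/smtp[2290]: 7F3A1: to=<bob@example.org>, relay=mx.example.org[192.0.2.9]:25, status=sent (250 ok)
Apr 12 03:15:02 mx1 postfix/smtpd[2212]: 8C0D2: client=app01.corp.example[10.0.5.20]
Apr 12 03:15:02 mx1 postfix/qmgr[1100]: 8C0D2: from=<alerts@corp.example>, size=980, nrcpt=1 (queue active)
Apr 12 03:15:03 mx1 postfix/smtp[2291]: 8C0D2: to=<ops@example.org>, relay=mx.example.org[192.0.2.9]:25, status=sent (250 ok)
"""

# Assumed environment: domains this server is authoritative for, and client
# networks that are allowed to submit mail for outside delivery.
LOCAL_DOMAINS = {"corp.example"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Postfix logs one message under a queue ID across several daemons; join on it.
CLIENT_RE = re.compile(r"smtpd\[\d+\]: (\w+): client=\S*\[([\d.]+)\]")
TO_RE = re.compile(r"smtp\[\d+\]: (\w+): to=<[^@>]*@([^>]+)>,.*status=sent")


def find_open_relay_events(log_text, local_domains=LOCAL_DOMAINS, trusted_nets=TRUSTED_NETS):
    """Return queue IDs where a client outside trusted_nets had mail delivered
    to a domain this server is not responsible for, i.e. open-relay behaviour."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        if m := CLIENT_RE.search(line):
            msgs[m.group(1)]["client"] = ipaddress.ip_address(m.group(2))
        elif m := TO_RE.search(line):
            msgs[m.group(1)].setdefault("to_domains", set()).add(m.group(2).lower())
    flagged = []
    for qid, info in msgs.items():
        client = info.get("client")
        if client is None:  # no smtpd line: locally generated, not relayed in
            continue
        trusted = any(client in net for net in trusted_nets)
        external = {d for d in info.get("to_domains", ()) if d not in local_domains}
        if not trusted and external:
            flagged.append(qid)
    return flagged


if __name__ == "__main__":
    print(find_open_relay_events(SAMPLE_LOG))  # → ['7F3A1']
```

A single hit may be a misconfigured trusted client; a steady stream of hits from many untrusted addresses is the relay pattern this campaign depends on.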