PCPJack Hijacks 230 AWS, Google Cloud, and Azure Servers for SMTP Relay Abuse, Report Says
- Cloud Infrastructure Hijacked: PCPJack reportedly compromised 230 servers across AWS, Google Cloud, and Azure to build a covert SMTP relay network.
- Proxy Sync Interval: The network synced verified proxies every five minutes to enable scalable, persistent email abuse.
- Sliver Integration: The attackers leveraged a complete Sliver-integrated SMTP proxy deployment toolkit.
A threat actor tracked as PCPJack has allegedly hijacked 230 servers hosted across AWS, Google Cloud, and Azure to construct a covert SMTP relay network, according to cybersecurity researchers. The campaign demonstrates a deliberate abuse of trusted cloud infrastructure to route malicious email traffic through legitimate-looking sources.
How PCPJack Built Its SMTP Relay Network
PCPJack's operation hijacked cloud-hosted servers across the major providers (AWS, Google Cloud, and Azure) and assembled a 230-node SMTP relay network capable of sending email at scale while blending in with legitimate cloud traffic.
A key operational feature of the network is its proxy synchronization mechanism, according to Hunt.io. PCPJack synced verified proxies every 5 minutes, keeping the relay pool up to date and ensuring continuous, scalable abuse.
The attackers leveraged a complete Sliver-integrated SMTP proxy deployment toolkit, internet-scale scanners, Spring Boot exploitation tooling, a JVM heap-dump credential parser, an Apache Parquet credential database, and a live Sliver command-and-control (C2) server with its configuration exposed.
The first deployer loads the Sliver C2 client, connects to the local Sliver API, and filters for Linux beacons, with each beacon receiving a SOCKS5 proxy port. “The SMTP test connects through the SOCKS5 proxy to smtp.gmail.com:587, reads the 220 banner, sends an EHLO greeting, and attempts STARTTLS – a full protocol handshake, not just a port check,” the report said.
Why Cloud-Hosted Relays Are a Growing Threat
Abusing cloud infrastructure from providers such as AWS, Google Cloud, and Azure makes threat actors’ campaigns less likely to be flagged by reputation-based blocklists than residential or bulletproof hosting.
By routing SMTP traffic through compromised cloud servers, PCPJack effectively leveraged the reputational standing of these platforms to conduct abuse at scale.
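A relay host like the ones described above shows up in the provider's own network telemetry as a compute instance that suddenly makes outbound connections to mail submission ports. The following is an added detection example (not Hunt.io's or SentinelLABS' tooling) that scans AWS VPC flow log records for unexpected outbound SMTP; the log lines are constructed, and the allowlist of approved mail senders is an assumed value.

```python
# Added example: flag instances making outbound SMTP connections that are
# not approved mail senders. Input is the AWS VPC flow log v2 field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}   # submission/relay ports a hijacked node would use
TCP = "6"

# Assumed: the only instance that is supposed to send mail.
APPROVED_MAIL_SENDERS = {"10.0.1.10"}

# Constructed sample records (not real traffic).
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b 10.0.1.10 198.51.100.20 40112 587 6 12 2400 1700000000 1700000010 ACCEPT OK
2 123456789012 eni-0c2d 10.0.2.45 198.51.100.20 51234 587 6 10 1900 1700000000 1700000011 ACCEPT OK
2 123456789012 eni-0c2d 10.0.2.45 203.0.113.9 51240 465 6 9 1700 1700000030 1700000041 ACCEPT OK
2 123456789012 eni-0c2d 10.0.2.45 203.0.113.77 51250 25 6 8 1500 1700000060 1700000071 ACCEPT OK
2 123456789012 eni-0e3f 10.0.3.7 198.51.100.80 44000 443 6 20 9000 1700000000 1700000012 ACCEPT OK
2 123456789012 eni-0c2d 10.0.2.45 198.51.100.20 51260 587 6 3 300 1700000090 1700000091 REJECT OK
"""

def parse_record(line):
    """Parse one v2 flow log line; return None for malformed or other versions."""
    f = line.split()
    if len(f) < 14 or f[0] != "2":
        return None
    return {"src": f[3], "dst": f[4], "dport": int(f[6]), "proto": f[7], "action": f[12]}

def find_unexpected_smtp_senders(log_text, approved=APPROVED_MAIL_SENDERS, min_destinations=1):
    """Return {src: sorted destinations} for non-approved sources that made
    accepted outbound TCP connections to SMTP ports."""
    dests = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["proto"] != TCP or rec["action"] != "ACCEPT":
            continue  # ignore non-TCP flows and connections the security group blocked
        if rec["dport"] in SMTP_PORTS and rec["src"] not in approved:
            dests[rec["src"]].add(rec["dst"])
    return {src: sorted(d) for src, d in dests.items() if len(d) >= min_destinations}

if __name__ == "__main__":
    for src, targets in find_unexpected_smtp_senders(SAMPLE_FLOW_LOGS).items():
        print(f"{src} -> SMTP to {len(targets)} destination(s): {', '.join(targets)}")
```

Raising `min_destinations` suppresses a host that sends one alert mail to a single provider and keeps the fan-out pattern of a relay node; pair the output with a check on when the instance first appeared as a sender.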
SentinelLABS identified PCPJack in early May as a framework that worms across cloud infrastructure to systematically harvest credentials from cloud, container, developer, productivity, financial, and messaging services. The cloud credential worm was initially programmed to remove TeamPCP artifacts, as it targeted TeamPCP's victims.
Last week, a Microsoft Azure server misconfiguration exposed 300,000 government-issued IDs in a Pay Tel data leak.