Cloud Servers Hijacked for Covert Email Relay Network
The threat actor tracked as PCPJack has commandeered 230 cloud servers hosted on major platforms, including Amazon Web Services (AWS), Google Cloud, and Microsoft Azure, and turned them into a covert SMTP email relay network. The finding shows how compromised cloud hosts can be repurposed at scale into abuse infrastructure, and it has drawn close attention from the security community.
Details of the SMTP Relay Setup
According to Hunt.io, the compromised servers, spread across the U.S., Europe, and Asia, were quietly turned into SMTP proxies. Each proxy was then checked for its ability to relay email, and the list of working proxies was synchronized to a downstream consumer every five minutes. The infrastructure was still live at the time of discovery.
Investigators also found source code, compiled binaries, and other artifacts left exposed on a command-and-control (C2) server that required no authentication at all, giving direct insight into the tooling and methods PCPJack employs.
PCPJack’s Methodology and Tools
PCPJack first came to light in April 2026, when SentinelOne identified it as a credential-theft framework targeting cloud services. Its tooling also terminates, and removes traces of, processes linked to TeamPCP, a separate hacking group involved in software supply chain attacks.
Among the discoveries were Sliver-integrated SMTP proxy deployment toolkits and Chisel tunneling binaries built for several Linux CPU architectures (both are open-source tools: Sliver is a command-and-control framework, Chisel a TCP tunnel carried over HTTP). The binaries were hidden and made persistent on compromised systems, while deployer scripts handled configuration of the Sliver C2 client.
Operational Tactics and Implications
The deployer scripts initially tested whether a host could actually carry SMTP traffic, and hosts that failed the check were discarded. Later iterations of the scripts dropped that check altogether, underlining that what mattered to the operators was the end result: working email relays.
On the C2 server, a Python script named "chisel_verifier.py" monitored the active Chisel tunnel ports and tested each one for SMTP functionality. Tunnels that failed the test or went inactive were pruned, keeping the proxy pool clean. Verified proxies were recorded together with enriched IP data and synced at regular intervals to a separate server.
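To make the verification step concrete, the following is an added illustration of the kind of check described above: a probe that connects to each tunnel port, expects a 220 greeting, sends EHLO, and keeps only endpoints that answer 250, pruning the rest. It is example code written for this page, not the chisel_verifier.py recovered by Hunt.io, and all names (smtp_probe, verify_tunnels, the tunnel labels), the three-second timeout, and the loopback fixtures are assumptions; the real script's IP enrichment and downstream sync are omitted. Seen from the defender's side, this is also what the verifier's traffic looks like on the wire every five minutes: a banner read, one EHLO, one QUIT.

```python
import socket
import threading
from typing import Dict, Tuple

# Assumed probe timeout; an SMTP server normally sends its 220 banner at once.
SMTP_TIMEOUT = 3.0


def _read_reply(sock: socket.socket) -> str:
    """Read one SMTP reply and return its final line. Multi-line replies
    (EHLO capability lists) use '250-' continuations and end with '250 ',
    so read until the last complete line has no hyphen after the code."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:  # peer closed before a full reply arrived
            return data.decode("ascii", "replace")
        data += chunk
        complete = data.split(b"\r\n")[:-1]  # drop trailing b"" or partial line
        if complete and complete[-1][3:4] != b"-":
            return complete[-1].decode("ascii", "replace")


def smtp_probe(host: str, port: int, timeout: float = SMTP_TIMEOUT,
               helo_name: str = "probe.invalid") -> Tuple[bool, str]:
    """Return (is_smtp, detail). Success = 220 greeting plus 250 reply to EHLO;
    any other banner, a rejected EHLO, a refused connection or a timeout fails."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            banner = _read_reply(sock)
            if not banner.startswith("220"):
                return False, f"non-SMTP banner: {banner!r}"
            sock.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
            ehlo = _read_reply(sock)
            sock.sendall(b"QUIT\r\n")
            if not ehlo.startswith("250"):
                return False, f"EHLO rejected: {ehlo!r}"
            return True, banner
    except OSError as exc:  # covers socket.timeout and ConnectionRefusedError
        return False, f"connect failed: {exc}"


def verify_tunnels(tunnels: Dict[str, Tuple[str, int]]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Probe every tunnel endpoint; return (verified, pruned) keyed by tunnel name."""
    verified: Dict[str, str] = {}
    pruned: Dict[str, str] = {}
    for name, (host, port) in tunnels.items():
        ok, detail = smtp_probe(host, port)
        (verified if ok else pruned)[name] = detail
    return verified, pruned


def _serve_one(conn: socket.socket, greeting: bytes, ehlo_reply: bytes) -> None:
    """Answer one client with canned replies (test fixture only)."""
    conn.settimeout(SMTP_TIMEOUT)
    conn.sendall(greeting)
    buf = b""
    while True:
        chunk = conn.recv(1024)
        if not chunk:
            return
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            cmd = line.split()[0].upper() if line.split() else b""
            if cmd in (b"EHLO", b"HELO"):
                conn.sendall(ehlo_reply)
            elif cmd == b"QUIT":
                conn.sendall(b"221 bye\r\n")
                return
            else:
                conn.sendall(b"500 unknown command\r\n")


def start_fake_server(greeting: bytes, ehlo_reply: bytes) -> int:
    """Constructed fixture standing in for a tunnel endpoint: a loopback
    listener that sends `greeting` on connect and `ehlo_reply` to EHLO. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    _serve_one(conn, greeting, ehlo_reply)
                except OSError:
                    pass  # client went away mid-session

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed stand-ins: a working relay, a port that really speaks SSH, a dead tunnel.
    relay = start_fake_server(b"220 mx.example.test ESMTP\r\n",
                              b"250-mx.example.test\r\n250-SIZE 10240000\r\n250 OK\r\n")
    wrong = start_fake_server(b"SSH-2.0-OpenSSH_9.6\r\n", b"")
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    dead = spare.getsockname()[1]
    spare.close()  # nothing listens on this port any more
    verified, pruned = verify_tunnels({"tunnel-8001": ("127.0.0.1", relay),
                                       "tunnel-8002": ("127.0.0.1", wrong),
                                       "tunnel-8003": ("127.0.0.1", dead)})
    for name, detail in verified.items():
        print(f"KEEP  {name}: {detail}")
    for name, detail in pruned.items():
        print(f"PRUNE {name}: {detail}")
```

Running the script exercises all three outcomes locally. For detection purposes, the useful observation is that a relay-verification pass is a short, regular burst of 220/EHLO/QUIT exchanges from the C2 toward tunnel ports, while the compromised host itself shows a Chisel process holding the tunnel and periodic outbound port 25 traffic it has no business originating.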
Hunt.io describes the campaign as opportunistic, with the 230 compromised nodes being the observable outcome rather than a fixed target. Whether the network is meant for spam, phishing, or other abuse remains undetermined, but its scale points to significant intent and capability.
The cybersecurity community continues to monitor the situation closely, aiming to mitigate any further threats posed by this sophisticated operation.
