PCPJack Hijacks 230 AWS, Google Cloud, and Azure Servers for Covert SMTP Relay Network

The threat actor known as PCPJack hijacked cloud servers hosted on Amazon Web Services (AWS), Google Cloud, and Microsoft Azure to build a private SMTP email relay network.
“Vulnerable corporate servers across the US, Europe, and Asia are silently turned into SMTP proxies, authenticated for email forwarding capabilities, and synced to a consumer that drops every five minutes,” Hunt.io said in a statement. “The infrastructure was still in progress when we found it.”
The threat intelligence firm said it found source code, compiled binaries, deployment state logs, Internet scanners, an exploit tool, and a live Sliver configuration after the threat actor left two open directories exposed on the command-and-control (C2) server (213.136.80[.]73).
PCPJack was first documented by SentinelOne in April 2026 after it identified a theft framework that authenticates directly to cloud services while taking steps to kill and remove processes or artifacts belonging to TeamPCP, another notorious hacking group that has attracted attention in recent months for its software attacks.
One of the open directories hosts an SMTP proxy deployment toolkit bundled with Sliver, along with Chisel binaries for tunneling and proxying built for several Linux CPU architectures, including AMD64, ARM64, and x86. On the victim side, both are downloaded to a hidden, dot-prefixed location under "/var/tmp/.xs".
Also present in the directory are deployer scripts that load the Sliver C2 client configuration and filter for Linux beacons that have checked in within the last ten minutes. The implants' beacons periodically call home to the C2 server to retrieve commands and return results.

“Each beacon receives a SOCKS5 proxy port determined by an MD5 hash of its Sliver UUID, mapped to the range 10000-14999,” notes Hunt.io. “The same beacon always points to the same port in every run, eliminating the need for shared port registration.”
The script also applies an SMTP quality gate that tests outbound connectivity to smtp.gmail[.]com:587. Hosts that fail this test are skipped with an exit code of zero.
“This gateway defines a functional goal: hosts that cannot send email have no value on this route,” the cybersecurity company added. “Beacons are processed in batches of 50, with a wait of 25 minutes after loading and 15 minutes after release instructions, to accommodate temporary beacon testing.”

Later iterations of the deployment scripts were found to have removed the SMTP gate and integration logic. There is also a diagnostic script that selects five active beacons and runs on each a shell command that checks the following:
- The presence of Chisel binaries in known drop locations
- Whether the Chisel process is running
- Available disk space
- Reachability of port 9000 on the C2 server
- The presence of persistence artifacts, such as a cron entry or systemd service
In addition, the C2 server runs a Python script called "chisel_verifier.py" as a persistent background daemon. It enumerates active Chisel tunnel ports with "ss -tlnp" every 60 seconds, checks each newly seen port for SMTP capability, and removes failed or dead tunnels from the active pool.
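The diagnostic checklist and the ss-based port enumeration described above translate directly into a host triage routine for defenders. The following is an added example written for this article, not Hunt.io's chisel_verifier.py or any of the actor's tooling. It takes the text of "ss -tlnp", a crontab, systemd unit bodies, and a file listing as inputs (so it can run offline against the constructed samples embedded below) and flags the indicators the article names: listeners bound by a chisel process, listeners in the 10000-14999 SOCKS5 range, persistence entries that reference the drop path or Chisel, and files under /var/tmp/.xs. The sample process names, PIDs, and file names are assumptions made up for the demonstration.

```python
"""Host triage for the PCPJack indicators named in the article.

Added example, not part of the original article or the actor's tooling.
All inputs are plain text so the checks run offline; on a live host you
would feed them the output of `ss -tlnp`, `crontab -l`, the contents of
/etc/systemd/system/*.service, and a listing of /var/tmp.
"""
import re
from dataclasses import dataclass

# Indicators from the article.
DROP_PATH = "/var/tmp/.xs"            # hidden dot-prefixed drop location
SOCKS_PORT_RANGE = range(10000, 15000)  # per-beacon SOCKS5 ports 10000-14999
C2_PORT = 9000                        # control port checked on the C2 server

# Matches one `ss -tlnp` row: State Recv-Q Send-Q Local:Port Peer:Port users:(("proc",pid=N,...))
SS_LINE = re.compile(
    r'^(?P<state>\S+)\s+\S+\s+\S+\s+(?P<local>\S+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


@dataclass
class Finding:
    kind: str    # short category used for counting/alerting
    detail: str  # human-readable evidence


def parse_listeners(ss_output):
    """Return (port, process, pid) for each LISTEN row of `ss -tlnp` text."""
    listeners = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m or m.group("state") != "LISTEN":
            continue  # header row or non-listening socket
        # Local address may be 0.0.0.0:22, [::]:22 or *:22; the port is after the last colon.
        port = int(m.group("local").rsplit(":", 1)[1])
        listeners.append((port, m.group("proc"), int(m.group("pid"))))
    return listeners


def check_listeners(listeners):
    """Flag chisel-owned listeners and anything in the per-beacon SOCKS5 range."""
    findings = []
    for port, proc, pid in listeners:
        if proc == "chisel":
            findings.append(Finding("chisel_listener", f"chisel pid={pid} listening on {port}"))
        if port in SOCKS_PORT_RANGE:
            findings.append(Finding("socks_range_listener", f"{proc} pid={pid} listening on {port}"))
    return findings


def check_persistence(crontab_text, systemd_units):
    """Flag cron lines and systemd units that reference the drop path or Chisel."""
    findings = []
    for line in crontab_text.splitlines():
        if DROP_PATH in line or "chisel" in line.lower():
            findings.append(Finding("cron_persistence", line.strip()))
    for name, body in systemd_units.items():
        if DROP_PATH in body or "chisel" in body.lower():
            findings.append(Finding("systemd_persistence", name))
    return findings


def check_drop_path(existing_paths):
    """Flag any file that lives under the hidden drop directory."""
    return [Finding("hidden_drop_path", p) for p in existing_paths if p.startswith(DROP_PATH + "/")]


def triage(ss_output, crontab_text, systemd_units, existing_paths):
    """Run every check and return the combined list of findings (empty means clean)."""
    return (check_listeners(parse_listeners(ss_output))
            + check_persistence(crontab_text, systemd_units)
            + check_drop_path(existing_paths))


# Constructed sample inputs (not real captures) for an infected and a clean host.
SAMPLE_SS_INFECTED = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:12377     0.0.0.0:*         users:(("chisel",pid=4120,fd=7))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""
SAMPLE_SS_CLEAN = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
"""
SAMPLE_CRON_INFECTED = "*/5 * * * * /var/tmp/.xs/chisel >/dev/null 2>&1\n0 3 * * * /usr/bin/certbot renew\n"
SAMPLE_CRON_CLEAN = "0 3 * * * /usr/bin/certbot renew\n"
SAMPLE_UNITS_INFECTED = {"xs-agent.service": "[Service]\nExecStart=/var/tmp/.xs/chisel\n",
                         "cron.service": "[Service]\nExecStart=/usr/sbin/cron -f\n"}
SAMPLE_UNITS_CLEAN = {"cron.service": "[Service]\nExecStart=/usr/sbin/cron -f\n"}
SAMPLE_PATHS_INFECTED = ["/var/tmp/.xs/chisel", "/var/tmp/.xs/agent", "/var/tmp/systemd-private-1a2b"]

if __name__ == "__main__":
    for f in triage(SAMPLE_SS_INFECTED, SAMPLE_CRON_INFECTED, SAMPLE_UNITS_INFECTED, SAMPLE_PATHS_INFECTED):
        print(f"[{f.kind}] {f.detail}")
```

Each check is deliberately narrow and evidence-based: a listener in the 10000-14999 range alone is a weak signal (plenty of legitimate services live there), so the output lists the category with the owning process and PID rather than a verdict, and an analyst correlates it with the drop path and persistence findings before escalating.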
Verified proxies are enriched with their egress IP address, country, and ASN using services such as api.ipify[.]org and ip-api[.]com. The proxy list is then synchronized every five minutes over Secure Copy Protocol (SCP) to a separate consumer server at 38.242.204[.]245, which is currently offline. The end goal of the operation is not yet clear.
“The result of 230 nodes is a visible result. Whether this progression reflects the repetition of a single user or multiple players sharing the same infrastructure cannot be determined from the files found,” said Hunt.io, describing it as an opportunistic campaign.
“The verified proxy list is synced every five minutes to that server, and someone is using it. Whether it’s spam, phishing, or something else, the delivery infrastructure was clearly working.”