
Hacker Group PCPJack Seizes 230 Cloud Servers for SMTP Proxy Network


The bottom line: PCPJack operates an automated network of 230 compromised cloud servers as SMTP proxies with continuous validation and geographic enrichment.

The hacker group PCPJack has compromised 230 virtual servers at Amazon Web Services, Google Cloud, and Microsoft Azure to build a network for SMTP email forwarding. Hunt.io documented the infrastructure by analyzing exposed directories on the command-and-control server.

PCPJack has systematically converted cloud instances in the USA, Europe, and Asia into SMTP proxies. Hunt.io identified the infrastructure after the attackers left two unprotected directories on their C2 server (IP 213.136.80.73). These contained source code, executable binaries, deployment logs, scanner tools, exploit utilities, and a misappropriated instance of the security tool Sliver.

The toolkit completely automates SMTP proxy deployment. Chisel binaries for AMD64, ARM64, and x86 are placed as hidden files under /var/tmp/.xs on victim systems and made persistent. The deployment scripts filter out Linux beacons that have checked in with the C2 within the last ten minutes, and deterministically assign each system a SOCKS5 proxy port between 10000 and 14999—based on an MD5 hash of the unique Sliver ID. A Python script named chisel_verifier.py runs continuously on a 60-second interval, validating tunnel ports via the system command ss, checking SMTP functionality, and removing failed connections from the active pool.
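As an added defender-side example (not part of the article or of Hunt.io's tooling), the script below triages `ss -ltnp` output for listeners that match the indicators just described: a port in the 10000 to 14999 SOCKS5 range, a process named chisel, and an executable running from /var/tmp/.xs. The sample `ss` lines and the PID-to-path map are constructed; on a real host the resolver reads /proc/<pid>/exe.

```python
import os
import re
from dataclasses import dataclass

SUSPECT_PORTS = range(10000, 15000)  # per-beacon SOCKS5 port range from the report
SUSPECT_DIR = "/var/tmp/.xs"         # hidden chisel staging directory from the report
# One `ss -ltnp` listener line: state, queues, local addr:port, peer addr:port, process.
SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+?):(\d+)\s+\S+\s*(.*)$")
PROC_INFO = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')

@dataclass
class Finding:
    port: int
    pid: int
    exe: str
    reasons: list

def proc_exe(pid: int) -> str:
    """Resolve a PID to its executable path via /proc (empty string if unreadable)."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return ""

def triage(ss_output: str, resolve=proc_exe) -> list:
    """Return listeners showing at least two of the three indicators."""
    findings = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue  # header or non-LISTEN line
        port = int(m.group(2))
        p = PROC_INFO.search(m.group(3))
        comm, pid = (p.group(1), int(p.group(2))) if p else ("?", -1)
        exe = (resolve(pid) if pid > 0 else "") or ""
        reasons = []
        if port in SUSPECT_PORTS:
            reasons.append("port in 10000-14999 SOCKS5 range")
        if comm == "chisel":
            reasons.append("process name is chisel")
        if exe.startswith(SUSPECT_DIR + "/"):
            reasons.append(f"executable under {SUSPECT_DIR}")
        if len(reasons) >= 2:  # one indicator alone is too noisy
            findings.append(Finding(port, pid, exe, reasons))
    return findings

# Constructed sample `ss -ltnp` lines and PID-to-path map (not captured from a real host).
SAMPLE_SS = """LISTEN 0 4096 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 127.0.0.1:12345 0.0.0.0:* users:(("chisel",pid=4411,fd=7))
LISTEN 0 128 0.0.0.0:10443 0.0.0.0:* users:(("node",pid=2201,fd=19))"""
SAMPLE_EXE = {812: "/usr/sbin/sshd", 4411: "/var/tmp/.xs/chisel_amd64", 2201: "/usr/bin/node"}
```

On a live host, pass the text output of `ss -ltnp` to `triage()` with the default resolver; `ss -p` only shows process details for other users' sockets when run as root.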

The attackers tested the compromised servers for outbound connectivity to Google Mail servers over port 587—systems lacking this capability were filtered out of the pipeline. Newer versions removed this check. Verified proxies are automatically enriched with location data retrieved from external IP lookup APIs (ipify.org, ip-api.com), capturing the outbound IP address, country of origin, and AS number. These lists are encrypted and transferred every five minutes via Secure Copy Protocol to a follow-up server (IP 38.242.204.245).

PCPJack was first identified in April 2026 by SentinelOne when the group deployed a credential theft framework for cloud services and deliberately terminated processes belonging to rival hacker group TeamPCP. Hunt.io observed the current SMTP proxy infrastructure still operational at the time of its discovery.


Source: www.it-daily.net · Published June 12, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification via Lumi News Pipeline v1.6.5.
