
Hacker PCPJack Seizes 230 Cloud Servers for SMTP Relay Network


In Brief: PCPJack operates an automated infrastructure to abuse compromised cloud servers as SMTP proxies for disguising spam and phishing emails.

Attacker PCPJack has compromised 230 virtual servers at AWS, Google Cloud, and Azure and converted them into a covert SMTP relay network. The security firm Hunt.io discovered the operation through open directories on the attacker’s command and control server.

Hunt.io documented a large-scale compromise of cloud infrastructure by PCPJack. The attacker has taken over a total of 230 instances at Amazon Web Services, Google Cloud, and Microsoft Azure. The goal is to establish a network for email forwarding via SMTP. The security researchers discovered the operation through two unprotected directories on the control server with the IP address 213.136.80.73. These contained source code, executable binaries, deployment logs, internet scanners, exploit tools, and a repurposed configuration of Sliver, a legitimate penetration testing framework.

PCPJack was first identified in April 2026 by SentinelOne, at the time for a framework used to steal cloud credentials. Hunt.io observed that the hijacked servers across the United States, Europe, and Asia were silently turned into SMTP proxies. Each infected system carries a hidden file at the path /var/tmp/.xs containing a Chisel tunnel binary, with builds provided for Linux architectures such as AMD64, ARM64, and x86. SOCKS5 proxy ports are assigned deterministically in the range 10,000–14,999 based on an MD5 hash of the Sliver identification number, which eliminates the need for centralized port management.

To validate the infrastructure, a Python script named chisel_verifier.py enumerates the active tunnel ports every 60 seconds using the ss system utility. Each newly discovered port is tested for its ability to reach Google's mail server on port 587. Systems that fail this test are removed from the pool. Hunt.io notes: “Hosts that cannot relay emails have no value for this pipeline.” In older versions of the deployment script this check was still active; in newer versions it has been removed. Verified proxies are enriched with location data obtained by querying api.ipify.org and ip-api.com (IP address, country of origin, autonomous system number).
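The two observable traits described above, a listener in the deterministic 10,000–14,999 port range and a binary living at /var/tmp/.xs, can be turned into a simple host triage check. The following is an added example written for this article and is not Hunt.io's code; it assumes the standard `ss -tlnp` output format and a caller-supplied map from PID to executable path (for instance resolved from /proc/<pid>/exe), and the sample lines are constructed.

```python
import re
from typing import Dict, Iterable, List, Optional

# Indicators reported for the PCPJack relay network.
PORT_LOW, PORT_HIGH = 10_000, 14_999
HIDDEN_PATH = "/var/tmp/.xs"

# One line of `ss -tlnp`: state, queues, local addr:port, peer, optional process info.
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)[^)]*\)\))?'
)

# Constructed sample output; the "xs" listener is the suspicious one.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*   users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:12837     0.0.0.0:*   users:(("xs",pid=4417,fd=7))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*   users:(("nginx",pid=1203,fd=6))
LISTEN 0      128    [::]:10452          [::]:*      users:(("node",pid=2290,fd=19))
"""

def suspicious_listeners(ss_lines: Iterable[str],
                         exe_paths: Optional[Dict[int, str]] = None) -> List[dict]:
    """Return listeners in the 10000-14999 range. A listener whose process
    runs from /var/tmp/.xs is rated 'high'; any other in-range port is only
    flagged for 'review', since legitimate services use that range too."""
    exe_paths = exe_paths or {}
    hits = []
    for line in ss_lines:
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue  # header or non-listening line
        port = int(m.group("port"))
        if not PORT_LOW <= port <= PORT_HIGH:
            continue
        pid = int(m.group("pid")) if m.group("pid") else None
        exe = exe_paths.get(pid, "")
        hits.append({
            "port": port, "addr": m.group("addr"),
            "process": m.group("proc") or "", "pid": pid, "exe": exe,
            "severity": "high" if exe.startswith(HIDDEN_PATH) else "review",
        })
    return hits

if __name__ == "__main__":
    exe_map = {4417: "/var/tmp/.xs", 2290: "/usr/bin/node"}  # constructed
    for hit in suspicious_listeners(SS_SAMPLE.splitlines(), exe_map):
        print(hit)
```

Process names and PIDs only appear in `ss -tlnp` output when run with sufficient privileges, so the check should be scheduled as root or via the host's EDR agent.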

The cleaned proxy lists are transmitted every five minutes via the encrypted Secure Copy Protocol to a separate downstream server with the IP address 38.242.204.245. This points to a division of labor between infrastructure setup and usage, with the proxies being handed to downstream services. For CISOs, this poses a significant risk: compromised cloud accounts are not only abused for storage or computing power, but can be silently converted into global SMTP relays that are difficult to detect because the cloud operators have no direct access to the email contents.


Source: www.it-daily.net · Published June 12, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.6.5.
