Cybersecurity researchers have uncovered a large-scale cloud-based operation linked to a threat actor known as PCPJack. According to new findings, the group compromised 230 cloud servers hosted on Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. The attackers quietly converted these servers into a hidden SMTP relay network that could be used to send large volumes of email traffic without drawing attention.

The investigation began after researchers discovered two exposed directories on a command-and-control server associated with PCPJack. These directories were left open without authentication and contained source code, deployment tools, compiled binaries, configuration files, and operational logs. The exposed infrastructure provided researchers with a rare opportunity to examine how the operation worked behind the scenes and how it expanded across cloud environments.
Researchers found that compromised servers located across North America, Europe, Asia, and other regions were being transformed into SMTP proxies. Before adding a server to the network, the attackers verified whether it could successfully relay email traffic. Once approved, the server became part of a larger proxy pool that was continuously updated and maintained by the attackers.
The operation relied heavily on open-source tools such as Chisel and Sliver. Chisel was used to create network tunnels, while Sliver acted as a command-and-control framework. The attackers deployed these tools across different Linux-based cloud systems, allowing them to manage compromised servers remotely and maintain access for long periods without attracting significant attention.
One of the most interesting findings was the presence of an automated verification system. A Python-based process continuously monitored active tunnels, tested their ability to handle SMTP traffic, and removed servers that stopped working. This allowed the attackers to maintain a reliable network of functioning email relays while minimizing disruptions to their operation.
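The check the attackers automated is the same one a cloud operator should run against their own hosts: does the server accept mail from an outside sender to an outside recipient without authentication? The following is an added example, not code recovered from the PCPJack tooling or from any vendor. It uses Python's standard `smtplib`, stops at `RCPT TO` so no message is ever queued, and takes an injectable `smtp_factory` so the logic can be exercised offline; `make_fake_smtp`, the probe addresses, and the `RelayAudit` class are all constructed for this example.

```python
import smtplib
from dataclasses import dataclass


@dataclass
class RelayAudit:
    """Result of one unauthenticated relay probe against a host (constructed type)."""
    host: str
    mail_from_code: int
    rcpt_to_code: int

    @property
    def is_open_relay(self) -> bool:
        # RFC 5321: 250 on MAIL FROM and on RCPT TO for a foreign domain means the
        # server has agreed to relay on behalf of an unauthenticated client.
        return self.mail_from_code == 250 and self.rcpt_to_code == 250


def audit_relay(host, port=25,
                probe_from="probe@external-sender.example",   # assumed probe address
                probe_to="probe@external-recipient.example",  # assumed probe address
                smtp_factory=smtplib.SMTP):
    """Open an SMTP session and attempt an unauthenticated relay; never send DATA."""
    with smtp_factory(host, port, timeout=10) as smtp:
        smtp.ehlo_or_helo_if_needed()
        from_code, _ = smtp.mail(probe_from)
        rcpt_code, _ = smtp.rcpt(probe_to)
        smtp.rset()  # abandon the transaction so nothing is delivered
    return RelayAudit(host, from_code, rcpt_code)


def make_fake_smtp(rcpt_code):
    """Constructed stand-in for smtplib.SMTP so the audit can run without a network."""

    class FakeSMTP:
        def __init__(self, host, port=25, timeout=None):
            self.host = host

        def __enter__(self):
            return self

        def __exit__(self, *exc):
            return False

        def ehlo_or_helo_if_needed(self):
            pass

        def mail(self, sender, options=()):
            return 250, b"2.1.0 Ok"

        def rcpt(self, recipient, options=()):
            if rcpt_code == 250:
                return 250, b"2.1.5 Ok"
            return rcpt_code, b"5.7.1 Relay access denied"

        def rset(self):
            return 250, b"2.0.0 Ok"

    return FakeSMTP


if __name__ == "__main__":
    # Offline demonstration with the constructed fake; against a real host you
    # would pass only host/port and keep the default smtplib.SMTP factory.
    for code in (250, 554):
        verdict = audit_relay("mail.internal.example", smtp_factory=make_fake_smtp(code))
        print(f"RCPT TO -> {code}: open relay = {verdict.is_open_relay}")
```

Treat a `250` at `RCPT TO` as the relay signal, but note the caveat: some MTAs accept the recipient and only reject at `DATA`, so a host this probe reports as relaying should be confirmed by reviewing its MTA configuration (e.g. `mynetworks` or `relay_domains` style settings) rather than by sending a full message.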
Researchers also discovered that verified proxy lists were synchronized every five minutes to another server believed to be consuming the relay network. The exact purpose of this infrastructure remains unclear, but experts believe it could support spam campaigns, phishing operations, or other large-scale email-based activities. The downstream server was inaccessible during the investigation, limiting visibility into the final stage of the operation.
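Two behaviours described in this article are visible in cloud flow logs without any knowledge of the attacker's binaries: an instance that is not a mail gateway suddenly speaking SMTP to many destinations, and a connection that recurs on a fixed interval (the article's five-minute sync is one instance of this; the code below flags any tight period). The detector below is an added example written for this article, not tooling from the researchers or any cloud vendor. The flow records are constructed and simplified to `timestamp instance dst_ip dst_port`; real VPC flow logs carry more fields, and `MAIL_ALLOWLIST` is an assumed list of instances permitted to send mail.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SMTP_PORTS = {25, 465, 587}
MAIL_ALLOWLIST = {"i-mailgw01"}  # assumed: the only instance expected to speak SMTP outbound

# Constructed sample records: "<ISO timestamp> <instance> <dst_ip> <dst_port>".
# i-web01 fans out to several SMTP hosts; i-mailgw01 does the same but is allowed;
# i-api02 contacts one host every ~300 s; i-web01 also has an irregular HTTPS client.
SAMPLE_FLOWS = """
2026-03-01T10:00:00 i-web01 192.0.2.10 25
2026-03-01T10:00:03 i-web01 192.0.2.11 25
2026-03-01T10:00:07 i-web01 192.0.2.12 587
2026-03-01T10:00:12 i-web01 192.0.2.13 25
2026-03-01T10:00:20 i-web01 192.0.2.14 25
2026-03-01T10:01:00 i-mailgw01 192.0.2.20 25
2026-03-01T10:01:05 i-mailgw01 192.0.2.21 25
2026-03-01T10:01:09 i-mailgw01 192.0.2.22 25
2026-03-01T10:00:00 i-api02 203.0.113.7 8443
2026-03-01T10:05:01 i-api02 203.0.113.7 8443
2026-03-01T10:09:59 i-api02 203.0.113.7 8443
2026-03-01T10:15:02 i-api02 203.0.113.7 8443
2026-03-01T10:20:00 i-api02 203.0.113.7 8443
2026-03-01T10:24:58 i-api02 203.0.113.7 8443
2026-03-01T10:00:00 i-web01 198.51.100.5 443
2026-03-01T10:02:30 i-web01 198.51.100.5 443
2026-03-01T10:10:00 i-web01 198.51.100.5 443
2026-03-01T10:11:00 i-web01 198.51.100.5 443
2026-03-01T10:30:00 i-web01 198.51.100.5 443
"""


def parse_flows(text):
    """Turn the simplified text records into (datetime, instance, dst_ip, dst_port)."""
    flows = []
    for line in text.strip().splitlines():
        ts, inst, dst_ip, dst_port = line.split()
        flows.append((datetime.fromisoformat(ts), inst, dst_ip, int(dst_port)))
    return flows


def find_unexpected_smtp(flows, allowlist=MAIL_ALLOWLIST, min_destinations=3):
    """Instances outside the allowlist that reach >= min_destinations distinct SMTP hosts."""
    dests = defaultdict(set)
    for _, inst, dst_ip, dst_port in flows:
        if dst_port in SMTP_PORTS and inst not in allowlist:
            dests[inst].add(dst_ip)
    return {inst: len(ips) for inst, ips in dests.items() if len(ips) >= min_destinations}


def find_periodic_connections(flows, min_events=4, max_jitter=0.1):
    """(instance, dst_ip, dst_port) tuples whose inter-arrival gaps are nearly constant.

    max_jitter is the allowed ratio of gap standard deviation to mean gap; a scheduled
    sync or beacon sits well under 0.1, human- or load-driven traffic well above it.
    Returns the estimated period in whole seconds for each periodic pair.
    """
    by_pair = defaultdict(list)
    for ts, inst, dst_ip, dst_port in flows:
        by_pair[(inst, dst_ip, dst_port)].append(ts)
    findings = {}
    for key, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings[key] = round(avg)
    return findings


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("unexpected SMTP senders:", find_unexpected_smtp(flows))
    print("periodic connections:", find_periodic_connections(flows))
```

On the constructed data this reports `i-web01` as an unexpected SMTP sender (five distinct mail destinations) and `i-api02 -> 203.0.113.7:8443` as a ~300 s periodic connection, while ignoring the permitted gateway and the irregular HTTPS traffic. In a real environment the SMTP rule should be paired with an egress policy that blocks TCP/25 from everything except the mail gateway, since that both prevents the relay abuse and makes any attempt show up as a denied flow.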
PCPJack first gained attention earlier in 2026 after security researchers linked it to a credential-theft framework targeting cloud infrastructure. The malware was designed to harvest credentials from cloud services, containers, developer platforms, financial services, and enterprise environments. Unlike many cloud-focused attacks, PCPJack does not focus on cryptocurrency mining and instead appears to prioritize credential theft and infrastructure abuse.
Researchers describe the SMTP relay network as an opportunistic campaign that evolved over time. Evidence recovered from deployment logs showed that the attackers gradually scaled their operation before eventually reaching 230 compromised cloud servers. While it is still unclear who is ultimately using the relay infrastructure, investigators confirmed that the network was active and operational when it was discovered, highlighting the ongoing risks facing organizations that operate cloud-based services.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news