PCPJack Hijacked 230 Cloud Servers Into a Secret Email Relay Network

A threat actor known as PCPJack quietly converted 230 compromised cloud servers — spanning AWS, Google Cloud, and Microsoft Azure — into a covert SMTP relay network designed to send email at scale while staying hidden in plain sight. The operation was discovered by threat intelligence firm Hunt.io after the attackers left two open directories on their command-and-control server without any authentication.

An Unusually Sloppy Mistake

The open directories, found on a C2 server at 213.136.80[.]73, contained the entire toolkit: source code, compiled binaries, deployment state logs, internet scanners, exploitation tooling, and a live Sliver configuration. It’s the kind of operational security failure that makes you wonder how long this could have gone on otherwise. Sliver is a well-known open-source C2 framework used by both red teams and real-world attackers, and finding an active config in the open is a goldmine for defenders: it shows how the operator’s implants are set up and where they call home, which is exactly what you need to write detections.

Hunt.io’s analysis revealed that compromised business servers across the U.S., Europe, and Asia were converted into SMTP proxies. Each server was verified for mail relay capability, then synced to a downstream consumer every five minutes. The infrastructure was still running when researchers found it.

Who Is PCPJack?

PCPJack first came to attention in April 2026 when SentinelOne identified a credential theft framework specifically targeting cloud services. What stood out was the actor’s habit of terminating and removing processes associated with TeamPCP, another hacking group that’s been active in the cloud exploitation space. Whether this is competitive displacement, infiltration, or something else entirely isn’t clear — but it suggests PCPJack is aware of other threat actors in the same space and actively works to undermine them.

The group’s focus on cloud credential theft as an initial access vector is notable. Rather than leading with application exploits, they go after the keys to the cloud itself: API keys, service account tokens, and management console credentials that give them the same access the legitimate owners have, and whose use looks like ordinary administration to anything that is only watching for exploit traffic.

Why SMTP Relays?

Covert SMTP relay networks are the backbone of large-scale phishing and spam operations. By distributing the sending across hundreds of legitimate business servers, each with its own IP history and sender reputation, attackers keep the volume from any single source low and ride on reputations the victims built over years, which is precisely what reputation-based filtering and IP blocklists are tuned to trust. A message from an established business IP in AWS is far more likely to land in an inbox than one from a known spam source, and if the compromised host is already listed in the victim’s SPF record, mail spoofing that victim’s domain can pass SPF as well.

This is also a monetization play. SMTP relay services are sold on underground markets, and running your own infrastructure means PCPJack can either use it directly or rent it out to other threat actors.

What Cloud Teams Should Do

If you’re running workloads on AWS, GCP, or Azure, check your instances for SMTP listeners and mail software you did not deploy, and look in flow logs for unexpected outbound connections on ports 25, 465, and 587. Keep in mind that all three providers restrict or throttle outbound port 25 from instances by default for at least some account types, so traffic on the submission ports (465 and 587), and any instance that was granted a port-25 exception, deserve the closest look. Audit your IAM credentials and API keys for signs of compromise: unfamiliar access keys, tokens used from unexpected locations, and role assumptions you can’t explain. Make sure your cloud logging is actually enabled and being monitored; a lot of organizations turn on logging but never look at the alerts. Hunt.io published indicators of compromise that are worth checking against your environment.
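As an added example of the flow-log check described above (this is not code from Hunt.io or from the PCPJack toolkit), the following Python parses AWS VPC Flow Log records in the default version-2 format and flags two patterns: an instance making accepted outbound TCP connections on ports 25, 465 or 587 to several external hosts that are not the organization’s sanctioned mail endpoint, and an instance contacting the C2 address reported in this article on a roughly fixed interval, in the spirit of the five-minute sync Hunt.io observed. The VPC CIDR, the sanctioned relay address, the ENI identifiers and every log line are constructed for the example; the C2 address is the one named above. GCP and Azure flow logs carry similar fields under different names, so only `parse_flow` would need adapting.

```python
"""Detection over AWS VPC Flow Log records (default version-2 format) for
relay-like SMTP fan-out and periodic contact with a known C2 address.
Added example for this article; not Hunt.io or PCPJack tooling."""
import ipaddress
import statistics
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}
TCP = 6
# Assumed VPC address space; anything outside it is treated as external.
VPC_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]
# Hypothetical sanctioned outbound mail endpoint (the org's SMTP provider).
SANCTIONED_RELAYS = {ipaddress.ip_address("198.51.100.25")}
# C2 address reported for this campaign (defanged in the article text).
KNOWN_C2 = {ipaddress.ip_address("213.136.80.73")}


def parse_flow(line):
    """Parse one default-format record. Returns None for the header line,
    malformed lines, and NODATA/SKIPDATA records (numeric fields are '-')."""
    f = line.split()
    if len(f) != 14 or f[0] != "2" or f[13] != "OK":
        return None
    return {
        "eni": f[2],
        "src": ipaddress.ip_address(f[3]),
        "dst": ipaddress.ip_address(f[4]),
        "dstport": int(f[6]),
        "proto": int(f[7]),
        "start": int(f[10]),
        "action": f[12],
    }


def is_external(addr):
    return not any(addr in net for net in VPC_CIDRS)


def analyse(lines, min_destinations=3, beacon_period=300, tolerance=0.2):
    """Return {eni: [finding, ...]}. An ENI is reported for SMTP fan-out when
    it talks to >= min_destinations external SMTP hosts or uses port 25 at
    all, and for C2 contact whenever it exchanges traffic with KNOWN_C2."""
    smtp_dsts = defaultdict(set)   # eni -> external SMTP destinations
    smtp_ports = defaultdict(set)  # eni -> SMTP ports seen
    c2_starts = defaultdict(list)  # eni -> start times of flows with the C2
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["action"] != "ACCEPT":
            continue
        if flow["dst"] in KNOWN_C2 or flow["src"] in KNOWN_C2:
            c2_starts[flow["eni"]].append(flow["start"])
        if (flow["proto"] == TCP and flow["dstport"] in SMTP_PORTS
                and not is_external(flow["src"]) and is_external(flow["dst"])
                and flow["dst"] not in SANCTIONED_RELAYS):
            smtp_dsts[flow["eni"]].add(flow["dst"])
            smtp_ports[flow["eni"]].add(flow["dstport"])

    findings = defaultdict(list)
    for eni, dsts in smtp_dsts.items():
        if len(dsts) >= min_destinations or 25 in smtp_ports[eni]:
            findings[eni].append(
                f"outbound SMTP to {len(dsts)} external hosts on ports "
                f"{sorted(smtp_ports[eni])}")
    for eni, starts in c2_starts.items():
        starts = sorted(set(starts))
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        # Regular spacing around beacon_period is the check-in cadence signature.
        if len(gaps) >= 2 and all(
                abs(g - beacon_period) <= beacon_period * tolerance for g in gaps):
            findings[eni].append(
                f"{len(starts)} contacts with known C2 at "
                f"~{statistics.median(gaps)}s intervals")
        else:
            findings[eni].append(f"{len(starts)} contact(s) with known C2")
    return dict(findings)


# Constructed sample: one relaying instance (eni-0a1b2c3d), one instance using
# the sanctioned relay (eni-0e9f8a7b), one rejected attempt and a NODATA record.
SAMPLE_FLOW_LOG = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-0a1b2c3d 10.0.1.20 203.0.113.7 51234 25 6 20 4120 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 203.0.113.8 51235 587 6 18 3990 1700000010 1700000070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 203.0.113.9 51236 587 6 22 4410 1700000020 1700000080 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 213.136.80.73 51300 443 6 12 2210 1700000000 1700000030 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 213.136.80.73 51301 443 6 12 2210 1700000300 1700000330 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 213.136.80.73 51302 443 6 12 2210 1700000600 1700000630 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 213.136.80.73 51303 443 6 12 2210 1700000905 1700000935 ACCEPT OK
2 123456789012 eni-0e9f8a7b 10.0.2.40 198.51.100.25 44000 587 6 30 6100 1700000000 1700000050 ACCEPT OK
2 123456789012 eni-0e9f8a7b 10.0.2.40 10.0.1.20 44001 22 6 9 1200 1700000100 1700000130 ACCEPT OK
2 123456789012 eni-0c4d5e6f 10.0.3.10 203.0.113.40 48000 25 6 5 600 1700000000 1700000001 REJECT OK
2 123456789012 eni-0c4d5e6f - - - - - - - 1700000000 1700000600 - NODATA
"""

if __name__ == "__main__":
    for eni, notes in analyse(SAMPLE_FLOW_LOG.splitlines()).items():
        for note in notes:
            print(f"{eni}: {note}")
```

Run it as a script to see the findings for the embedded sample; in practice feed it the decompressed log objects from your S3 bucket or CloudWatch log group and tune `min_destinations` to your environment. A single instance legitimately talking to three external mail servers is plausible for an application that sends notifications through several providers, so treat the fan-out finding as a triage lead and the C2 contact as a firm indicator.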

What’s Next

The exposure of PCPJack’s infrastructure will likely cause the group to regroup and rebuild, but the underlying technique — hijacking cloud servers for email relay — isn’t going anywhere. As more organizations move to the cloud without proportional investment in cloud security posture management, the attack surface keeps growing. Watch for follow-on campaigns that use the same playbook with better operational security.