Threat actor PCPJack has reportedly hijacked cloud servers associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure to establish a covert SMTP email relay network, according to newly released findings by cybersecurity firm Hunt.io. The operation involved compromised business servers spread across the United States, Europe, and Asia that were quietly transformed into SMTP proxies and continuously synchronized to a downstream consumer every five minutes. Researchers noted that the infrastructure remained active at the time of discovery, raising concerns over the scale and intent of the operation.
Hunt.io said investigators uncovered critical operational assets after the threat actor reportedly left two open directories on a command-and-control server, identified as 213.136.80[.]73, without authentication. The exposed directories allegedly contained source code, compiled binaries, deployment state logs, exploitation tooling, internet scanners, and a live Sliver configuration. Security researchers also found a Sliver-integrated SMTP proxy deployment toolkit alongside Chisel tunneling utilities and proxy binaries compatible with multiple Linux CPU architectures, including AMD64, ARM64, and x86. On compromised systems, the malicious binary was reportedly dropped as a hidden, dot-prefixed file and persisted at the path “/var/tmp/.xs”.
PCPJack first surfaced publicly in April 2026 when cybersecurity company SentinelOne identified a credential theft framework linked to the group that specifically targeted cloud services. SentinelOne also noted that the threat actor appeared to remove traces linked to TeamPCP, a hacking group that has recently gained attention for software supply chain attacks. According to Hunt.io, deployer scripts discovered in the exposed directories were designed to load Sliver command-and-control client configurations while filtering for Linux beacons that had checked in within the previous ten minutes. These beacons function as implants that regularly connect back to command systems to receive instructions and transmit updates.
Researchers explained that each beacon reportedly receives a SOCKS5 proxy port generated through an MD5 hash of its Sliver UUID and mapped within the 10000 to 14999 range. This mechanism ensures that the same beacon is assigned a consistent port during repeated executions without requiring a centralized port registry. Hunt.io further observed that the deployment script included an SMTP quality gate that tested outbound access to smtp.gmail[.]com through port 587. Systems failing this connectivity check were skipped, indicating that email relay functionality played a central role in the operation. Hosts were reportedly processed in groups of 50, followed by timed delays to account for slower beacon communication intervals.
Subsequent versions of the deployment scripts were found to have removed the SMTP validation checks and batching logic, suggesting adjustments in operational strategy. Researchers also uncovered a diagnostic script that selected active beacons and issued shell commands to verify the presence of Chisel binaries, active Chisel processes, available disk space, connectivity to port 9000 on the command server, and persistence methods including cron entries or systemd services. Hunt.io additionally reported that the command server operated a background Python daemon named “chisel_verifier.py,” which monitored Chisel tunnel ports every 60 seconds, tested SMTP functionality, and removed failed or inactive tunnels from circulation. Verified proxies were enriched with metadata including exit IP addresses, country details, and autonomous system numbers through services such as api.ipify[.]org and ip-api[.]com before being synchronized every five minutes over Secure Copy Protocol to another downstream server identified as 38.242.204[.]245, which is currently inaccessible. While the exact purpose of the operation remains uncertain, Hunt.io stated that the infrastructure was actively functioning and appeared capable of supporting large-scale email delivery for purposes that may include spam, phishing, or other coordinated activity.
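As an added illustration that is not part of the Hunt.io report or this article, the indicators described above can be turned into a simple host triage check: the script below parses constructed `ss -tanp`-style output and a constructed crontab and flags Chisel listeners in the reported SOCKS5 port range, sessions to the reported command server on port 9000, and persistence entries referencing /var/tmp/.xs. The process names, sample addresses (TEST-NET and private ranges), and the `ss` column layout are assumptions.

```python
import re

# Indicators as reported by Hunt.io: hidden dropper path, per-beacon SOCKS5 port
# range, and the command server plus the port the diagnostic script tested.
HIDDEN_BINARY = "/var/tmp/.xs"
SOCKS_PORTS = range(10000, 15000)            # 10000-14999 inclusive
C2_HOST, C2_PORT = "213.136.80.73", 9000
PROC_NAMES = {"chisel", ".xs"}               # assumed process names of the tooling

# Matches a connection line of `ss -tanp`: state, queues, local addr:port,
# peer addr:port and the users:(("name",pid=N,...)) field. Header lines do not match.
_SS_LINE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+'
    r'(?P<paddr>\S+):(?P<pport>\S+)\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

def parse_ss(text):
    """Yield one dict per connection line; non-matching (header) lines are skipped."""
    for line in text.splitlines():
        m = _SS_LINE.match(line.strip())
        if m:
            yield m.groupdict()

def suspicious_listeners(ss_text):
    """(port, process, pid) for listeners in the reported range owned by Chisel or the hidden binary."""
    return [(int(c["lport"]), c["proc"], int(c["pid"])) for c in parse_ss(ss_text)
            if c["state"] == "LISTEN" and int(c["lport"]) in SOCKS_PORTS
            and c["proc"] in PROC_NAMES]

def c2_connections(ss_text):
    """(process, pid) for established sessions to the reported command server on port 9000."""
    return [(c["proc"], int(c["pid"])) for c in parse_ss(ss_text)
            if c["state"] == "ESTAB" and c["paddr"] == C2_HOST and c["pport"] == str(C2_PORT)]

def persistence_hits(*texts):
    """Crontab or systemd unit lines that reference the hidden binary path."""
    return [ln.strip() for t in texts for ln in t.splitlines() if HIDDEN_BINARY in ln]

# Constructed sample output (not from a real host); addresses are placeholders.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port    Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*            users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:12437     0.0.0.0:*            users:(("chisel",pid=4012,fd=7))
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*            users:(("mysqld",pid=1203,fd=21))
ESTAB  0      0      10.0.0.5:51822      213.136.80.73:9000   users:(("chisel",pid=4012,fd=3))
ESTAB  0      0      10.0.0.5:51830      203.0.113.10:587     users:(("postfix",pid=1400,fd=9))
"""
SAMPLE_CRON = "@reboot /var/tmp/.xs\n0 3 * * * /usr/bin/certbot renew\n"

if __name__ == "__main__":
    print("listeners:", suspicious_listeners(SAMPLE_SS))
    print("c2 sessions:", c2_connections(SAMPLE_SS))
    print("persistence:", persistence_hits(SAMPLE_CRON))
```

On a live host the same functions can be fed the output of `ss -tanp`, `crontab -l` for each user, and the contents of `/etc/systemd/system/*.service`.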