PCPJack Exposed: Researchers Uncover 230-Node Cloud Email Relay Network


Security Affairs
Jun 5, 2026

Key Takeaways

  • PCPJack hijacked 230 AWS, GCP and Azure servers for use as SMTP proxies
  • An open HTTP directory exposed the toolkit, logs and C2 files
  • Sliver and Chisel binaries provide a persistent SOCKS5 email relay
  • A quality gate checks outbound SMTP to gmail.com before a host is added to the pool
  • Health checks sync the proxy list to an external server for downstream abuse

Pulse Analysis

The PCPJack campaign illustrates a new breed of cloud‑native threat operations that treat public‑cloud instances as interchangeable building blocks. By compromising a diverse set of virtual machines across the three major providers, the actors created a distributed SMTP relay farm capable of sending massive volumes of email without relying on traditional botnet infrastructure. The accidental exposure of an unauthenticated HTTP folder gave researchers a rare, unfiltered view of the deployment scripts, source code, and configuration files, turning a security lapse into a forensic goldmine.

Technical analysis shows the group combined the Sliver command‑and‑control framework with Chisel tunneling binaries compiled for AMD64, ARM64, and x86 architectures. Each compromised host drops a hidden file in /var/tmp/.xs and persists via cron or systemd, then receives a deterministic SOCKS5 proxy port derived from its Sliver UUID. A quality‑gate script validates outbound access to smtp.gmail.com before admitting a server to the relay pool, ensuring only viable email‑sending nodes are retained. Continuous health‑check scripts verify tunnel integrity, disk space, and process status, while verified proxy metadata—including IP, country, and ASN—is synchronized every five minutes to an external server, suggesting real‑time consumption for spam or phishing campaigns.

For enterprises, the incident serves as a wake-up call to tighten cloud security hygiene. Unauthenticated storage buckets, open directories, and lax IAM policies can turn a legitimate cloud instance into a weaponized relay point. Organizations should implement strict network egress controls, monitor for anomalous SMTP traffic, and employ threat-intel feeds that flag known proxy patterns. Moreover, the use of open-source C2 tools like Sliver underscores the need for behavioral detection capabilities that go beyond signature-based defenses, so that security teams can spot the subtle footprints of sophisticated, self-healing, cloud-based relay infrastructure.
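As an added defender-side example (not part of the Security Affairs write-up or of the PCPJack toolkit), the following Python scans AWS VPC Flow Log records for accepted outbound SMTP connections from instances that are not approved mail senders, which is the egress pattern a hijacked relay node produces. The VPC layout (INTERNAL_NETS), the allowlist (APPROVED_SENDERS) and every log line are constructed sample values, not data from the incident.

```python
"""Flag accepted outbound SMTP flows (AWS VPC Flow Log v2 format) from unapproved cloud instances."""
import ipaddress
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}
# Field order of the default VPC Flow Log format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_flow_record(line):
    """Return a dict for one well-formed OK record, else None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":  # NODATA/SKIPDATA rows carry '-' placeholders
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec

def find_smtp_egress(lines, internal_nets, approved_senders):
    """Map each unapproved internal source to the external SMTP endpoints it reached."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = defaultdict(set)
    for line in lines:
        rec = parse_flow_record(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["protocol"] != 6:
            continue  # skip malformed rows, rejected flows and non-TCP traffic
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        # Outbound means an internal source talking to an external destination.
        outbound = any(src in n for n in nets) and not any(dst in n for n in nets)
        if outbound and rec["dstport"] in SMTP_PORTS and rec["srcaddr"] not in approved_senders:
            hits[rec["srcaddr"]].add((rec["dstaddr"], rec["dstport"]))
    return {src: sorted(dsts) for src, dsts in hits.items()}

# Constructed sample data (assumed VPC layout and log lines, not from the incident).
INTERNAL_NETS = ["10.0.0.0/16"]
APPROVED_SENDERS = {"10.0.2.7"}  # the one instance that is allowed to send mail
SAMPLE_LOG = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.25 49812 587 6 12 1840 1717000000 1717000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.25 49813 443 6 30 9120 1717000000 1717000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.7 198.51.100.10 51022 25 6 40 6200 1717000000 1717000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.99 10.0.1.15 40001 22 6 8 640 1717000000 1717000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.30 49814 465 6 3 180 1717000000 1717000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1717000000 1717000060 - NODATA",
    "2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.30 49815 25 6 15 2100 1717000000 1717000060 ACCEPT OK",
]
```

Running `find_smtp_egress(SAMPLE_LOG, INTERNAL_NETS, APPROVED_SENDERS)` reports only 10.0.1.15, the instance that reached two external hosts on ports 587 and 25 without being an approved sender.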

