CLOUD SERVERS HIJACKED: Attackers Secretly Turn AWS, Azure, and Google Cloud Systems Into Massive Email Relay Network
PCPJack Campaign Compromises Over 230 Cloud Servers to Build a Covert Infrastructure for Large-Scale Email Operations
Severity: High

Executive Summary
Threat Actors Abuse Major Cloud Platforms to Build Hidden SMTP Infrastructure
Security researchers have uncovered a large-scale cloud compromise campaign linked to the threat actor known as PCPJack.
The operation hijacked more than 230 cloud servers hosted on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud. Instead of deploying ransomware or stealing data directly, the attackers transformed compromised systems into a covert SMTP relay network.
Researchers discovered that the infrastructure continuously verified email relay capabilities, synchronized active proxies every five minutes, and supplied the results to downstream systems.
Although investigators have not confirmed the final objective, the infrastructure could support spam campaigns, phishing operations, malware delivery, or other large-scale email-based attacks.
Attack Overview
Hundreds of Cloud Systems Secretly Recruited
Researchers discovered the campaign after finding exposed directories on a command-and-control (C2) server.
The exposed infrastructure contained:
- Deployment scripts
- Source code
- Compiled malware binaries
- Exploitation tools
- Operational logs
- Sliver C2 configurations
- SMTP verification utilities
As a result, investigators gained rare visibility into an active cloud-based operation while it was still running.
How the Operation Works
Compromised Servers Become SMTP Relay Proxies
After compromising cloud-hosted Linux systems, the attackers deployed hidden proxy components and persistence mechanisms.
The malware then:
- Established encrypted communication channels
- Created SOCKS5 proxy services
- Tested outbound SMTP connectivity
- Registered successful email relays
- Added working systems into a centralized proxy pool
Only servers capable of sending outbound email traffic remained active within the operation.
Consequently, attackers focused exclusively on systems that could support large-scale email delivery activities.
Technical Findings
Automated Infrastructure Management
Researchers identified sophisticated automation throughout the campaign.
Each infected system received a unique proxy port derived from a deterministic mathematical mapping. Because the mapping always yielded the same port for a given system, the attackers could manage the infrastructure efficiently without maintaining a separate tracking database.
Furthermore, the infrastructure continuously monitored:
- SMTP relay availability
- Active tunnels
- Network connectivity
- Persistence mechanisms
- System health
- Available disk space
The operation also validated whether compromised systems could successfully communicate with external mail services before accepting them into the relay network.
Advanced Capabilities
Self-Monitoring Proxy Network
One of the most notable discoveries involved a dedicated verification service running on the attackers' infrastructure.
The service automatically:
- Checked active proxy tunnels every minute
- Removed failed nodes
- Verified email relay functionality
- Identified geographical locations
- Collected ASN information
- Updated active proxy inventories
After verification, the infrastructure synchronized proxy lists every five minutes to an external downstream server.
Because the synchronization occurred continuously, attackers could maintain a near real-time inventory of working email relay systems.
Potential Risks
Why This Infrastructure Matters
Although researchers have not confirmed the final payload or campaign objective, SMTP relay networks commonly support:
- Phishing campaigns
- Business email compromise (BEC)
- Malware distribution
- Credential harvesting
- Spam operations
- Social engineering attacks
Moreover, the use of legitimate cloud providers makes detection more difficult because traffic often appears trustworthy.
As a result, organizations may struggle to identify malicious activity originating from reputable cloud environments.
Threat Actor Background
PCPJack Continues Expanding Cloud Operations
Researchers previously linked PCPJack to credential theft operations targeting cloud environments.
This latest campaign demonstrates a broader operational focus on:
- Cloud infrastructure abuse
- Credential harvesting
- Proxy network creation
- Email-based attack delivery
- Persistent access operations
In addition, investigators found evidence suggesting similarities with infrastructure used by other supply-chain-focused threat groups.
Recommended Actions
CyberShelter Recommended Mitigation Steps
01 — Audit Cloud Environments
Review AWS, Azure, and Google Cloud workloads for unauthorized services, hidden binaries, or unusual network activity.
02 — Monitor SMTP Traffic
Investigate unexpected outbound SMTP connections, especially from servers that do not normally send email.
03 — Review Linux Persistence Mechanisms
Inspect cron jobs, systemd services, startup scripts, and temporary directories for unauthorized modifications.
04 — Strengthen Cloud Access Controls
Implement least-privilege access policies, enforce MFA, and regularly rotate cloud credentials.
05 — Deploy Continuous Monitoring
Use cloud security monitoring and threat detection solutions to identify unusual outbound communications and proxy activity.
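The following added example (not part of the original advisory) shows how step 02 can be applied to AWS VPC Flow Logs in their default format: it flags hosts that open outbound connections to SMTP ports without being on an allow-list of known mail senders. The allow-list, the fan-out threshold and the log records are constructed for illustration.

```python
"""Flag outbound SMTP from cloud hosts that normally never send mail.
Added example: parses AWS VPC Flow Log records (default format) and reports
non-mail hosts opening TCP sessions to SMTP ports. Sample data is constructed.
"""
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}

# Field order of the default (version 2) VPC Flow Log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: 10.0.1.10 is a web server that suddenly fans out to
# several mail hosts; 10.0.2.20 is the legitimate mail relay; 10.0.1.11 is clean.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.5 44120 443 6 20 8000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 198.51.100.25 51234 25 6 15 3200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 198.51.100.26 51235 587 6 12 2900 1700000010 1700000070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 198.51.100.27 51236 25 6 9 2100 1700000020 1700000080 REJECT OK
2 123456789012 eni-0e5f6a7b 10.0.2.20 198.51.100.30 40001 25 6 30 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0c9d8e7f 10.0.1.11 203.0.113.9 44121 443 6 18 7000 1700000000 1700000060 ACCEPT OK
"""

def parse_flow_log(text):
    """Yield one dict per well-formed default-format flow record."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue  # skip headers, custom formats and truncated lines
        rec = dict(zip(FIELDS, parts))
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        yield rec

def unexpected_smtp(text, allowed_senders, min_distinct_dsts=2):
    """Return {srcaddr: sorted [(dstaddr, dstport)]} for hosts not in
    allowed_senders that reached at least min_distinct_dsts SMTP endpoints.
    REJECTed flows are kept: a blocked relay attempt is still worth a look."""
    hits = defaultdict(set)
    for rec in parse_flow_log(text):
        if rec["protocol"] != 6 or rec["dstport"] not in SMTP_PORTS:
            continue  # only TCP to SMTP ports is of interest here
        if rec["srcaddr"] in allowed_senders:
            continue  # known mail sender, expected behaviour
        hits[rec["srcaddr"]].add((rec["dstaddr"], rec["dstport"]))
    return {src: sorted(d) for src, d in hits.items() if len(d) >= min_distinct_dsts}
```

The fan-out threshold separates a relay probe touching many mail hosts from a single misconfigured application; lower it to 1 to see every non-allow-listed SMTP attempt.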
Strategic Perspective
Cloud Infrastructure Remains a Prime Target
Threat actors increasingly target cloud-hosted systems because they provide global reach, reliable connectivity, and trusted network reputations.
At the same time, compromised cloud servers can support large-scale operations without attracting immediate attention.
This campaign highlights how attackers continue shifting away from traditional malware deployments and toward stealthier infrastructure-based operations.
Organizations should therefore treat cloud security as a core business risk and continuously monitor environments for unauthorized workloads, suspicious network activity, and hidden persistence mechanisms.