Threat Actor PCPJack Leverages 230‑Node Cloud Email Relay Network Across AWS, GCP, and Azure
What Happened — Researchers at Hunt.io discovered that the cyber‑crime group PCPJack compromised 230 cloud servers spanning Amazon Web Services, Google Cloud, and Microsoft Azure, turning them into a covert email‑relay botnet. The actors unintentionally left a publicly accessible HTTP directory containing the full deployment toolkit, logs, and Sliver C2 configuration, exposing the entire operation.
Why It Matters for TPRM —
- Cloud‑hosted third‑party services can be silently subverted to launch spam, phishing, or credential‑theft campaigns against your organization.
- Unauthenticated exposure of attacker tooling indicates weak configuration hygiene that could be replicated on your own cloud assets.
- Shared infrastructure with other threat groups (e.g., TeamPCP) raises the risk of collateral compromise of downstream supply‑chain partners.
Who Is Affected — Cloud service providers (AWS, Google Cloud, Microsoft Azure) and any enterprises that lease or consume compute resources from these platforms.
Recommended Actions —
- Conduct a comprehensive inventory of all third‑party cloud instances and verify that only authorized accounts have access.
- Enforce MFA and least‑privilege IAM policies for all cloud‑admin roles.
- Deploy outbound SMTP egress filtering and monitor for anomalous SMTP proxy activity.
- Scan for unknown binaries in hidden locations (e.g., /var/tmp/.xs) and for unauthorized Sliver or Chisel processes.
Technical Notes — The attackers used the open‑source Sliver C2 framework together with Chisel tunneling binaries compiled for AMD64, ARM64, and x86 Linux. Each compromised host runs a hidden dot‑prefixed binary that persists via a cron job or systemd service and is assigned a deterministic SOCKS5 proxy port (10 000‑14 999) for SMTP relay. A quality‑check step verifies outbound connectivity to smtp.gmail.com:587 before a host is added to the relay pool.
Source: SecurityAffairs
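The indicator classes this brief describes (a dot‑prefixed binary under /var/tmp, cron or systemd persistence, deterministic SOCKS5 listeners in the 10 000‑14 999 range, and Sliver or Chisel processes) can be triaged on a Linux host with the script below. It is an added example written for this brief, not tooling from Hunt.io, SecurityAffairs, or the actor's kit; the function names, the extra scratch directories it checks (/tmp, /dev/shm), and the sample lines in the usage comments are assumptions, while the /var/tmp/.xs path, the port range, and the tool names come from the brief itself.

```shell
#!/usr/bin/env bash
# Added triage helper for the PCPJack relay indicators (not from the report or the toolkit).
# Assumptions: function names, the /tmp and /dev/shm directories, and sample data are constructed;
# /var/tmp/.xs, the 10000-14999 SOCKS5 range and the Sliver/Chisel names come from the brief.

# Hidden (dot-prefixed) executable files in scratch directories, one path per line.
find_hidden_binaries() {
  local dir
  for dir in "$@"; do
    [ -d "$dir" ] && find "$dir" -maxdepth 2 -type f -name '.*' -perm -u+x 2>/dev/null
  done
  return 0
}

# Listening TCP sockets whose port falls in the relay pool's deterministic SOCKS5 range.
# Reads `ss -lntp` style lines on stdin so it works on live output or captured data.
listening_in_relay_range() {
  awk '$1 == "LISTEN" {
         n = split($4, a, ":"); port = a[n] + 0      # last field after ":" is the port (IPv4 or [::])
         if (port >= 10000 && port <= 14999) print
       }'
}

# Cron or systemd lines that execute a dot-prefixed file from a scratch directory,
# or that launch a binary named sliver or chisel. Reads crontab/unit lines on stdin.
suspicious_persistence_lines() {
  grep -Ei '(^|[[:space:]=])(/var/tmp|/tmp|/dev/shm)/\.[^[:space:]]+|(^|[[:space:]/])(sliver|chisel)([[:space:]]|$)' || true
}

# Running processes whose executable lives in a scratch directory; /proc/<pid>/exe still
# resolves (with a " (deleted)" suffix) when the binary was removed after launch.
running_from_scratch_dirs() {
  local pid exe
  for pid in /proc/[0-9]*; do
    exe=$(readlink "$pid/exe" 2>/dev/null) || continue
    case "$exe" in
      /var/tmp/*|/tmp/*|/dev/shm/*) printf '%s %s\n' "${pid#/proc/}" "$exe" ;;
    esac
  done
  return 0
}

# Usage on a live host (run as root for full /proc and crontab visibility):
#   find_hidden_binaries /var/tmp /tmp /dev/shm
#   ss -lntp | listening_in_relay_range
#   { crontab -l 2>/dev/null; cat /etc/crontab /etc/cron.d/* 2>/dev/null; } | suspicious_persistence_lines
#   grep -h '^Exec' /etc/systemd/system/*.service 2>/dev/null | suspicious_persistence_lines
#   running_from_scratch_dirs
```

Any hit is a triage lead rather than a verdict: a legitimate service may listen in that port range, so confirm the owning process, its binary path, and who installed the persistence entry before treating the host as part of the relay pool.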