Introduction
In March 2026, 230 corporate servers hosted on AWS, Google Cloud, and Microsoft Azure were quietly turned into covert email relays. Behind the campaign: a threat actor known as PCPJack, whose toolset reveals a sophisticated understanding of enterprise cloud infrastructure.
A methodically assembled SMTP network — one server at a time
This was no chaotic mass attack. After gaining an initial foothold on exposed cloud instances — by targeting misconfigured services such as Docker, Kubernetes, Redis, or MongoDB, or by exploiting known vulnerabilities in Next.js, WordPress plugins, and CentOS Web Panel — the attackers deployed a precise toolchain.
Two components formed the backbone. Sliver, an open-source command-and-control framework, served as the remote access channel. Chisel, a legitimate TCP tunneling utility, was repurposed to establish reverse SOCKS5 tunnels. Each compromised server became a transparent proxy, capable of relaying email traffic without triggering any alerts on the victim's side.
The entire operation was governed by a quality-control loop: a daemon tested every tunnel every 60 seconds with a simulated SMTP connection. Only functional proxies were retained, and the updated list was synchronized every five minutes to a dedicated downstream server.
Persistence as a stealth strategy
What sets PCPJack apart is its ability to survive long-term inside compromised environments. On high-privilege systems, systemd services were installed; on lower-privilege accounts, cron jobs took over — all engineered to withstand reboots and superficial cleanup attempts.
The deployed tools also performed credential harvesting: SSH keys, database tokens, and access credentials for cloud and financial services were exfiltrated to an encrypted command infrastructure. This threat actor doesn't just rent your infrastructure — it steals the keys too.
What this means for enterprise cloud risk
The key message for CIOs and CISOs is straightforward: the servers involved belonged to real organizations across Europe, the United States, and Asia. Their cloud instances — paid for by them, tied to their IP reputation — were leveraged for criminal purposes without their knowledge.
The operational fallout is threefold: IP reputation blacklisted by spam filters, cloud costs inflated by parasitic traffic, and potential legal exposure if the hijacked servers were used in phishing campaigns targeting third parties.
Actions that can no longer be deferred
The attack surface exploited here is no mystery: cloud services left misconfigured and exposed without rigorous controls. Best practices are well established — but implementation remains too often incomplete:
- Audit your exposed services: an unauthenticated Docker API or Redis instance reachable from the public internet is an open door.
- Monitor for unexpected processes: an unlisted tunneling binary or an unknown systemd service should trigger an immediate alert.
- Control outbound traffic: an application server initiating SMTP connections to external hosts is an anomaly worth investigating.
- Review your cloud billing: unexplained bandwidth spikes are frequently the first visible indicator of a compromise.
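The first three checks above can be turned into a read-only host audit. The script below is an added example written for this article, not tooling from the campaign or from any of the named projects: it flags services bound to all interfaces on ports commonly associated with Docker, the kubelet, Redis, and MongoDB; enabled systemd units absent from a baseline allowlist; and established connections to SMTP ports from processes that are not a known mail transfer agent. The port list and the baseline unit names are hypothetical and must be adapted to the host; the `ss`-style sample lines are constructed so the logic can be exercised offline. The billing check has no on-host equivalent and is left to the cloud provider's cost reports.

```shell
#!/bin/sh
# Added example: read-only audit of a Linux cloud instance for the symptoms the
# article lists. Run with --live on the host; with no argument it runs the
# checks against the constructed samples embedded below.

# Ports frequently left exposed (Docker API, kubelet, Redis, MongoDB).
# Hypothetical list; extend it for your environment.
RISKY_PORTS='2375 2376 6379 10250 27017'

# Units this host is expected to have enabled. Hypothetical baseline; replace
# with the enabled-unit list taken from a known-good image.
BASELINE_UNITS='ssh.service cron.service nginx.service'

# Check 1: listeners bound to 0.0.0.0 / [::] on a risky port.
# Input: lines in the shape of `ss -Hltn` (State Recv-Q Send-Q Local Peer Process).
exposed_listeners() {
    awk -v ports="$RISKY_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) risky[p[i]] = 1 }
        {
            port = $4; sub(/.*:/, "", port)                   # text after the last colon
            host = substr($4, 1, length($4) - length(port) - 1)
            if ((port in risky) && (host == "0.0.0.0" || host == "*" || host == "[::]"))
                print "EXPOSED " $4
        }'
}

# Check 2: enabled units that are not in the baseline.
# Input: one unit name per line.
unknown_units() {
    awk -v base="$BASELINE_UNITS" '
        BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) known[b[i]] = 1 }
        NF && !($1 in known) { print "UNKNOWN-UNIT " $1 }'
}

# Check 3: established connections to SMTP ports from non-MTA processes.
# Input: lines in the shape of `ss -Htnp` (State Recv-Q Send-Q Local Peer Process).
outbound_smtp() {
    awk '
        $1 == "ESTAB" {
            peer = $5; sub(/.*:/, "", peer)
            if (peer == "25" || peer == "465" || peer == "587") {
                proc = $6                                     # users:(("name",pid=...,fd=...))
                if (match(proc, /\(\("[^"]+"/))
                    proc = substr(proc, RSTART + 3, RLENGTH - 4)
                if (proc !~ /^(postfix|exim4?|sendmail|master|smtpd?)$/)
                    print "OUTBOUND-SMTP " proc " -> " $5
            }
        }'
}

# Live audit: feed real ss / systemctl output through the three checks.
audit_host() {
    ss -Hltn 2>/dev/null | exposed_listeners
    systemctl list-unit-files --state=enabled --no-legend 2>/dev/null | awk '{print $1}' | unknown_units
    ss -Htnp 2>/dev/null | outbound_smtp
}

# Constructed samples (not captured from any real host). Docker and MongoDB are
# world-reachable, Redis is loopback-only; one unit is off-baseline; one tunnel
# process talks to a remote port 25 while postfix's own smtp client is allowed.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=700,fd=3))
LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:* users:(("dockerd",pid=812,fd=9))
LISTEN 0 511 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=901,fd=6))
LISTEN 0 4096 [::]:27017 [::]:* users:(("mongod",pid=955,fd=11))'
SAMPLE_UNITS='ssh.service
cron.service
nginx.service
update-helper.service'
SAMPLE_CONNS='ESTAB 0 0 10.0.1.5:48122 203.0.113.9:25 users:(("chisel",pid=1200,fd=7))
ESTAB 0 0 10.0.1.5:52004 198.51.100.7:587 users:(("smtp",pid=1301,fd=12))
ESTAB 0 0 10.0.1.5:40010 203.0.113.20:443 users:(("nginx",pid=650,fd=15))'

self_test() {
    printf '%s\n' "$SAMPLE_LISTENERS" | exposed_listeners
    printf '%s\n' "$SAMPLE_UNITS" | unknown_units
    printf '%s\n' "$SAMPLE_CONNS" | outbound_smtp
}

case "${1:-}" in
    --live) audit_host ;;
    *)      self_test ;;
esac
```

Each finding is a starting point, not a verdict: an off-baseline unit may be a legitimate new deployment, and a world-reachable port may sit behind a security group. The value is in running the checks on a schedule and diffing the output, so that a new tunneling process or service shows up the day it appears rather than on the bandwidth bill.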
PCPJack illustrates a reality that B2B IT teams must internalize: your cloud servers hold market value for cybercriminals far beyond the data they store. Relaying traffic, tunneling anonymous connections, masking the origin of an attack — that is exactly what the underground market values in your infrastructure. Prevention remains cheaper than remediation.