
PCPJack covert SMTP relay campaign

Campaign · Happening score 37 · 1 unique source, 1 article

Summary


The PCPJack campaign converted hijacked AWS, Google Cloud, and Microsoft Azure servers into a covert SMTP relay network, enabling large-scale email delivery through verified proxies. The infrastructure was still active when discovered and had grown to a reported 230-node network spanning the U.S., Europe, and Asia. The operation raises the risk of spam, phishing, and other mail-based abuse at scale.

Related Happenings

PCPJack Linux cloud credential-theft and persistence framework

Malware Activity
First: 07.05.2026 21:35 Last: 07.05.2026 21:35 Sources 1

How related: The threat actor known as PCPJack has hijacked cloud servers associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure to create a covert SMTP email relay network.

About this happening: **PCPJack** is a **Linux cloud malware framework** that steals credentials from **exposed cloud systems** and now has been tied to a **covert SMTP relay network** running on **AWS...

Latest development: 05.06.2026 08:34

Hunt.io reported that PCPJack hijacked cloud servers associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure and quietly converted compromised business servers across the U.S., Europe, and Asia into SMTP proxies for a covert email relay pipeline. The recovered infrastructure included open directories on C2 213.136.80[.]73 containing source code, compiled binaries, deployment state logs, internet scanners, exploitation tooling, and a live Sliver configuration, plus Sliver-integrated SMTP proxy deployment tooling, Chisel binaries, and a persistent chisel_verifier.py process that checked relay capability and removed failed tunnels. Verified proxies were enriched with exit IP address, country, and ASN via api.ipify[.]org and ip-api[.]com, then synced every five minutes to 38.242.204[.]245, with the observed outcome reaching 230 nodes.

Multi-stage AitM phishing and BEC campaign against energy-sector organizations

Campaign
First: 23.01.2026 10:25 Last: 23.01.2026 10:25 Sources 1

About this happening: A **multi-stage AitM phishing** and **BEC** operation is targeting **multiple energy-sector organizations**, creating immediate risk of credential theft and unauthorized mailbox a...

TruffleNet AWS SES credential-abuse campaign

Campaign
First: 03.11.2025 12:59 Last: 03.11.2025 12:59 Sources 1

About this happening: The **TruffleNet** campaign is abusing **stolen AWS credentials** and **AWS SES** to validate access, recon cloud environments, and fuel downstream **BEC** fraud. The operation sp...

Timeline

  1. 05.06.2026 08:34 · 2 articles

    PCPJack hijacks AWS, Google Cloud, and Azure servers for covert SMTP relay

    Campaign Scope Update

    PCPJack is tied to a covert SMTP relay campaign that hijacked cloud servers associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure, converting compromised business servers across the U.S., Europe, and Asia into SMTP proxies that were verified for mail relay capability and synced to a downstream consumer every five minutes. Open directories on C2 server 213.136.80[.]73 exposed source code, compiled binaries, deployment state logs, internet scanners, exploitation tooling, a live Sliver configuration, Sliver-integrated SMTP proxy deployment tooling, Chisel tunneling and proxy binaries, and scripts that load the Sliver C2 client configuration, batch Linux beacons, and validate Chisel tunnels for SMTP capability. The recovered infrastructure also used deterministic SOCKS5 proxy port assignment from Sliver UUIDs, SMTP quality checks against smtp.gmail[.]com:587, and proxy enrichment with exit IP address, country, and ASN via api.ipify[.]org and ip-api[.]com, with the observable result described as a 230-node network.
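As an added defender-side example (written for this page, not Hunt.io's or the campaign's tooling), the Python below flags hosts in an egress connection log that show all three relay-node behaviours described above: the SMTP self-check against smtp.gmail.com:587, exit-IP enrichment via api.ipify.org / ip-api.com, and a steady five-minute sync to one destination. The log format, the host names and the 203.0.113.10 sync destination are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Constructed egress log lines (not real telemetry): "<ISO time> <src> <dst> <port>"
SAMPLE_LOG = """\
2026-05-01T10:00:00 web-01 smtp.gmail.com 587
2026-05-01T10:00:02 web-01 api.ipify.org 443
2026-05-01T10:00:03 web-01 ip-api.com 80
2026-05-01T10:00:10 web-01 203.0.113.10 8443
2026-05-01T10:05:10 web-01 203.0.113.10 8443
2026-05-01T10:10:11 web-01 203.0.113.10 8443
2026-05-01T10:01:00 app-02 smtp.gmail.com 587
2026-05-01T10:07:00 app-02 api.ipify.org 443
"""
ENRICHMENT_HOSTS = {"api.ipify.org", "ip-api.com"}   # enrichment services named in the report
SMTP_CHECK = ("smtp.gmail.com", 587)                  # relay quality-check target named in the report
SYNC_PERIOD = 300  # five-minute sync cadence reported for the relay state

def parse_log(text):
    """Group (timestamp, dst, port) tuples per source host."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        events[src].append((datetime.fromisoformat(ts), dst, int(port)))
    return events

def periodic_destinations(conns, period=SYNC_PERIOD, tolerance=5, min_hits=3):
    """Destinations contacted at a steady ~period interval (beacon-like sync)."""
    by_dst = defaultdict(list)
    for ts, dst, port in conns:
        by_dst[(dst, port)].append(ts)
    def steady(times):
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        return len(times) >= min_hits and all(abs(g - period) <= tolerance for g in gaps)
    return [k for k, t in by_dst.items() if steady(sorted(t))]

def score_host(conns):
    """Which of the three relay-node behaviours does this host show?"""
    reasons = []
    dsts = {(d, p) for _, d, p in conns}
    if SMTP_CHECK in dsts:
        reasons.append("smtp_relay_selfcheck")
    if ENRICHMENT_HOSTS & {d for d, _ in dsts}:
        reasons.append("exit_ip_enrichment")
    if periodic_destinations(conns):
        reasons.append("periodic_sync")
    return reasons

def suspicious_hosts(text, min_reasons=3):
    # Require all three signals: any one alone is common on legitimate mail-sending hosts.
    scored = {h: score_host(c) for h, c in parse_log(text).items()}
    return {h: r for h, r in scored.items() if len(r) >= min_reasons}
```

On the constructed sample only web-01 is flagged; app-02 sends mail and checks its exit IP but shows no periodic sync, so it falls below the threshold.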
