hunt.io via Reddit

PCPJack Builds 230-Server Cloud SMTP Relay Network

cybersecurity security cloud-attacks

Key insights

  • PCPJack left a 12-file toolkit and 767-file working directory exposed on open directories, enabling full operational reconstruction.
  • Three Python deployer versions document deliberate scaling from 50-beacon batches to a single 230-server deployment wave in March 2026.
  • A verifier daemon tested each SMTP tunnel every 60 seconds via EHLO/STARTTLS handshakes against gmail.com:587, maintaining a continuously refreshed proxy pool.

Why this matters

Cloud abuse for SMTP relay bypasses IP reputation controls by routing spam through legitimate cloud provider address ranges, making blocklisting damage shared across innocent tenants on the same subnets. The three-generation Python deployer evolution signals an actor with active development cycles, meaning future campaigns could deploy to victim machines faster than defenders can identify them. Both Sliver and Chisel are commodity open-source tools with broad legitimate use, so defenders need behavioral indicators like the xsync systemd service and /var/tmp/.xs binary placement rather than tool signatures.

Summary

Hunt.io found PCPJack's exposed toolkit (12 files on open directories), showing how 230 AWS, GCP, and Azure servers were converted to SMTP relays in March 2026. A Contabo C2 delivered Sliver implants and Chisel SOCKS5 tunnels. A verifier daemon ran EHLO/STARTTLS against gmail.com:587 every 60 seconds, syncing verified proxies to a downstream server every five minutes. Essentially, PCPJack was caught by its own exposed directories, not by active detection.

  • systemd "xsync" service for root persistence; five-minute cron watchdog for non-root
  • Three Python deployer versions scaled from 50-beacon batches to a single 230-server sweep
  • Related nodes found in Tencent Cloud, Korean Education Network, and Oracle

Attribution carries moderate confidence given commodity Sliver and Chisel tooling and Contabo's widely abused hosting.

Potential risks and opportunities

Risks

  • Cloud tenants sharing subnets with the 230 compromised AWS, GCP, and Azure servers risk collateral IP blocklisting from spam reputation damage that can persist weeks after remediation.
  • A Netherlands node (45.225.135[.]54) linked to PCPJack infrastructure hosted pwnkit privilege escalation tools, suggesting the operation could escalate beyond SMTP relay to deeper system compromise on victim machines.
  • With the C2 at 213.136.80[.]73 and a 767-file working directory left exposed, other threat actors could pivot off PCPJack's already-compromised infrastructure using the leaked Sliver configurations.

Opportunities

  • Cloud security posture management vendors (Wiz, Orca Security, Lacework) can build detection rules for the xsync systemd service and /var/tmp/.xs binary placement patterns now fully documented from PCPJack's exposed toolkit.
  • Threat intelligence platforms with JARM fingerprinting capabilities (Hunt.io, Shodan, Censys) gain a validated playbook for detecting covert C2 infrastructure before full deployment.
  • Email anti-spam providers (Proofpoint, Spamhaus) can derive detection signatures from the documented EHLO/STARTTLS gmail.com:587 handshake pattern used in chisel_verifier.py.
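A host-side check for the behavioural indicators named under "Why this matters" and in the CSPM bullet above, added here as an example; it is not part of the Hunt.io report or of PCPJack's toolkit. It assumes only what the page states (an "xsync" systemd unit, a binary at /var/tmp/.xs, and a five-minute cron watchdog for non-root persistence); the exact cron line and the directory tree built by stage_sample are constructed for the self-test.

```python
import re
import tempfile
from pathlib import Path

# Paths are relative to `root`, so the same check runs on a live host (root="/",
# executed as root since crontabs are not world-readable) or on a staged tree.
SYSTEMD_DIRS = ("etc/systemd/system", "usr/lib/systemd/system", "lib/systemd/system")
CRON_DIRS = ("var/spool/cron/crontabs", "var/spool/cron", "etc/cron.d")
HIDDEN_BINARY = "var/tmp/.xs"
# Assumed shape of the five-minute watchdog: a */5 schedule invoking the hidden
# binary. The report summary does not quote the exact cron line.
FIVE_MIN_XS = re.compile(r"^\s*\*/5(\s+\*){4}\s+.*?/var/tmp/\.xs", re.M)

def check_host(root="/"):
    """Return (indicator, path) pairs for the xsync / /var/tmp/.xs pattern."""
    root = Path(root)
    findings = []
    binary = root / HIDDEN_BINARY
    if binary.exists() or binary.is_symlink():
        findings.append(("binary:/var/tmp/.xs", str(binary)))
    for d in SYSTEMD_DIRS:  # glob yields nothing for a missing directory
        for unit in (root / d).glob("*.service"):
            if unit.name == "xsync.service":
                findings.append(("systemd:xsync.service", str(unit)))
            elif "/var/tmp/.xs" in unit.read_text(errors="ignore"):
                findings.append(("systemd:exec-/var/tmp/.xs", str(unit)))  # renamed unit, same binary
    for d in CRON_DIRS:
        for entry in (root / d).glob("*"):
            if entry.is_file() and FIVE_MIN_XS.search(entry.read_text(errors="ignore")):
                findings.append(("cron:5min-watchdog", str(entry)))
    return findings

def stage_sample(base):
    """Constructed tree carrying all three indicators, used only for the self-test."""
    base = Path(base)
    for sub in ("var/tmp", "etc/systemd/system", "var/spool/cron/crontabs"):
        (base / sub).mkdir(parents=True, exist_ok=True)
    (base / HIDDEN_BINARY).write_bytes(b"\x7fELF")  # placeholder bytes, not a real binary
    (base / "etc/systemd/system/xsync.service").write_text(
        "[Service]\nExecStart=/var/tmp/.xs\n[Install]\nWantedBy=multi-user.target\n")
    (base / "var/spool/cron/crontabs/www-data").write_text("*/5 * * * * /var/tmp/.xs\n")

def demo():
    """Run the check on an empty tree and then on the staged tree; return both results."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = check_host(tmp)
        stage_sample(tmp)
        hits = sorted(name for name, _ in check_host(tmp))
    return clean, hits
```

Call check_host() with no argument on a suspect Linux host; demo() exercises the detector against the constructed tree only.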

What we don't know yet

  • How PCPJack initially accessed the 230 victim machines is undisclosed; the article covers post-compromise deployment but not the original infection vector.
  • Whether the downstream Excalibur server's spam customers have been identified or notified by law enforcement as of June 2026.
  • Whether AWS, GCP, and Azure have terminated the affected accounts documented in the March 10, 2026 deployment state files.