Exposed by a Simple Mistake: How PCPJack Built a 230-Server Cloud Email Relay Network Across AWS, Azure, and Google Cloud + Video


Introduction: A Massive Cyber Operation Uncovered Through One Critical Error

Cybercriminal operations often collapse for the same reason legitimate organizations suffer breaches: human error. In one of the most revealing cybersecurity investigations of 2026, researchers uncovered a sophisticated cloud-based infrastructure operated by the threat actor known as PCPJack. The operation spanned hundreds of compromised cloud servers distributed across Amazon Web Services, Google Cloud Platform, and Microsoft Azure.

What makes this discovery remarkable is not just its scale, but the way it was exposed. The operation's source code, malware binaries, deployment scripts, operational logs, and command-and-control configurations were all unintentionally left accessible on a publicly exposed server that required no authentication.

That single oversight provided researchers with an unprecedented look inside an active cybercriminal ecosystem. Instead of piecing together fragments from malware samples and network telemetry, investigators gained direct access to the attackers’ toolkit, revealing a carefully engineered email relay network built from compromised cloud resources.

The discovery paints a troubling picture of modern cybercrime. Attackers are increasingly leveraging trusted cloud platforms to create resilient infrastructures capable of supporting large-scale phishing campaigns, spam distribution, credential theft operations, and potentially other malicious activities. The PCPJack case demonstrates how cloud services, designed to provide scalability and reliability for businesses, can be weaponized when security controls fail.

Hunt.io’s Discovery Reveals the Entire Operation

Security researchers at Hunt.io stumbled upon a command-and-control server that contained two publicly accessible directories. Unlike many investigations where analysts must reverse engineer malware and reconstruct attacker workflows, this case offered a complete blueprint.

The exposed directories contained a fully operational toolkit consisting of source code, deployment states, compiled binaries, scanning utilities, exploitation tools, and active command-and-control configurations. Researchers described the exposure as essentially discovering the operational handbook of the entire campaign.

Even more revealing was a deployment state file showing evidence of 230 successful compromises and malware deployments during a single operational run conducted in March 2026.

Such visibility into an active threat operation is rare. The exposed files provided insight not only into what the attackers were doing, but exactly how they were doing it, the tools they preferred, and the infrastructure management processes they had developed.

The Rise of PCPJack

PCPJack first attracted attention in April 2026 when security researchers from SentinelOne investigated a cloud-focused credential theft framework linked to the actor.

During that investigation, analysts noticed something unusual. PCPJack appeared to be actively disrupting infrastructure associated with TeamPCP, a separate cybercriminal group known for conducting software supply chain attacks.

This observation raised questions about the relationship between the two groups. They could be competitors fighting for control of compromised infrastructure. Alternatively, they may share resources while maintaining separate operational objectives. The available evidence remains inconclusive, but the overlap highlights the increasingly complex ecosystem of modern cybercrime groups.

Rather than functioning as isolated entities, many threat actors now operate within interconnected networks where infrastructure, tools, and access can be shared, rented, stolen, or contested.

Building an Email Relay Network from Compromised Cloud Servers

At the heart of the operation was a surprisingly efficient concept.

The attackers compromised cloud-hosted Linux servers and transformed them into SMTP relay nodes. Instead of sending malicious emails directly from their own infrastructure, they routed messages through hundreds of legitimate cloud-hosted systems.

This approach offers several advantages. Cloud-hosted IP addresses often enjoy stronger reputations than traditional criminal infrastructure. Messages originating from major cloud providers may initially evade filtering systems more effectively than traffic originating from known malicious networks.

The result was a distributed relay architecture spanning multiple continents and cloud providers, creating a resilient and scalable platform capable of supporting large-scale email operations.

Sliver and Chisel: The Core Components

The recovered toolkit revealed extensive use of two key technologies.

The first was Sliver, an increasingly popular open-source command-and-control platform used by both security professionals and threat actors.

The second was Chisel, a tunneling utility capable of creating encrypted communication channels between systems.

The attackers compiled Chisel binaries for multiple Linux architectures, including AMD64, ARM64, and x86 environments. Once deployed, the binaries were hidden using dot-prefixed filenames and stored under the path:

/var/tmp/.xs

Persistence mechanisms included cron jobs and systemd services, ensuring infected systems would automatically reconnect following reboots.

This level of operational maturity demonstrates that PCPJack was not conducting random experiments. The infrastructure was designed for reliability and long-term operation.

Automated Infrastructure Management at Scale

One of the most fascinating aspects of the operation was the automation framework managing compromised systems.

Deployment scripts continuously monitored active implants and assigned SMTP proxy ports using a deterministic algorithm based on MD5 hashes of Sliver beacon identifiers.

Each infected server received a unique and predictable port assignment. This eliminated the need for maintaining complex port registries while ensuring consistent routing across infrastructure updates.
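The deterministic assignment described above, reconstructed as an added example rather than PCPJack's own script (which the page does not reproduce): the port range and the way the digest is folded into it are assumptions, since the page only states that MD5 of the Sliver beacon identifier was used. A responder holding a beacon ID from a recovered implant configuration could apply the same mapping to predict which local port to look for, and the collision check shows the trade-off of a registry-free scheme.

```python
import hashlib

# Assumed listener range; the page does not give the real bounds, so these
# two values are placeholders rather than PCPJack's configuration.
PORT_BASE = 20000
PORT_SPAN = 10000


def beacon_port(beacon_id: str) -> int:
    """MD5 of the Sliver beacon ID, folded into [PORT_BASE, PORT_BASE+PORT_SPAN).

    The fold (first four digest bytes, modulo the span) is an assumption; the
    report only states that MD5 of the beacon identifier drove the assignment.
    """
    digest = hashlib.md5(beacon_id.encode("utf-8")).digest()
    return PORT_BASE + int.from_bytes(digest[:4], "big") % PORT_SPAN


def assign_ports(beacon_ids):
    """Map every beacon to its port and report ports claimed by more than one.

    Returns (assignments, collisions). The scheme needs no port registry, but
    it also has no way to resolve a collision: two beacons hashing to the same
    port would fight over one listener, which is the cost of determinism.
    """
    assignments = {bid: beacon_port(bid) for bid in beacon_ids}
    by_port = {}
    for bid, port in assignments.items():
        by_port.setdefault(port, []).append(bid)
    collisions = {p: ids for p, ids in by_port.items() if len(ids) > 1}
    return assignments, collisions


if __name__ == "__main__":
    # Constructed beacon IDs, not identifiers recovered from the real operation.
    ports, dup = assign_ports([f"beacon-{n:04d}" for n in range(1, 6)])
    for bid, port in ports.items():
        print(f"{bid} -> {port}")
    print("collisions:", dup or "none")
```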

The design reflects principles commonly seen in enterprise-scale software engineering. Ironically, many cybercriminal organizations now employ automation practices comparable to those used by legitimate DevOps teams.

The distinction lies not in technical sophistication but in intent.

Quality Control for Criminal Infrastructure

Perhaps the most revealing aspect of the campaign was the quality assurance process.

Before a compromised server could join the active relay network, it had to prove it could successfully communicate with Gmail’s SMTP infrastructure on port 587.

Servers that failed the test were immediately discarded.

This filtering process highlights the

The attackers were not simply collecting compromised machines. They were carefully curating a fleet of servers optimized for one specific purpose.

Later versions of the deployment framework removed certain verification and batching mechanisms, suggesting the operators were actively refining their techniques based on operational experience.

Continuous Monitoring and Self-Healing Capabilities

The infrastructure did not stop at deployment.

A dedicated Python utility named chisel_verifier.py operated continuously in the background, evaluating the health of active relay nodes every sixty seconds.

The script verified SMTP functionality, removed failing systems, tracked connectivity status, and enriched operational data with geolocation details, IP addresses, and autonomous system information.

Every five minutes, verified proxy lists were synchronized to a separate downstream server.

This architecture effectively created a self-healing network. Failed nodes were removed automatically while functional systems remained available for future operations.

Such automation significantly reduces operational overhead and allows attackers to maintain large infrastructures without constant manual intervention.

The Mystery of the Downstream Consumer

One of the most important questions remains unanswered.

Researchers confirmed that verified proxy information was continuously synchronized to another server. Someone was actively consuming those updated lists.

The intended purpose remains unknown.

Possibilities include spam distribution, phishing campaigns, credential harvesting operations, malware delivery, business email compromise attacks, or other forms of cybercrime.

The infrastructure itself strongly suggests email-based operations, but the exact payloads and campaigns remain hidden.

This uncertainty underscores a recurring challenge in threat intelligence. Investigators can often uncover infrastructure and tooling while still lacking visibility into final operational objectives.

Global Reach Without Specific Targeting

The compromised servers were spread across North America, Europe, and Asia.

Researchers found no evidence of industry-specific targeting or geographic preferences. Instead, victim selection appeared largely opportunistic.

Any cloud-hosted system capable of supporting email relay functionality represented a valuable asset.

This broad targeting strategy reflects a growing trend among cybercriminal groups. Rather than focusing exclusively on high-profile victims, attackers increasingly seek scalable infrastructure resources that can later support multiple criminal campaigns.

In this model, compromised systems become commodities rather than targets.

A Sophisticated Network Exposed by a Basic Security Failure

The most ironic aspect of the entire investigation is how it ended.

A threat actor capable of building a monitored, automated, distributed, self-healing infrastructure across three major cloud providers ultimately exposed the operation through a simple configuration mistake.

No advanced malware analysis was required.

No sophisticated law enforcement takedown occurred.

A publicly accessible directory lacking password protection provided investigators with everything they needed.

It serves as a reminder that operational security failures continue to be one of the greatest risks facing both defenders and attackers.

What Undercode Says:

The PCPJack operation demonstrates how cybercrime infrastructure is increasingly adopting enterprise-grade engineering principles.

The attackers did not merely compromise servers.

They created a managed platform.

This distinction matters because modern threat actors are evolving from individual hackers into infrastructure operators.

The use of cloud environments is especially significant.

AWS, Azure, and Google Cloud are trusted ecosystems.

Many organizations automatically place higher trust in traffic originating from these providers.

Attackers understand this perception.

Compromising cloud-hosted servers offers better reputation scores and improved delivery success.

The automation framework is perhaps the strongest indicator of maturity.

Health checks.

Deployment verification.

Automated synchronization.

Self-healing functionality.

All of these resemble modern DevOps pipelines.

The attackers treated their relay infrastructure like a production environment.

That approach dramatically increases operational efficiency.

The quality-control gateway is another important clue.

By testing SMTP functionality before accepting systems into the relay pool, PCPJack focused resources on infrastructure that directly supported business objectives.

This reduces waste.

It also improves campaign reliability.

The synchronization of verified proxies every five minutes suggests active downstream usage.

Infrastructure was not being stockpiled.

It was being consumed.

That implies ongoing operations.

Potentially large-scale ones.

The connection with TeamPCP adds another layer of intrigue.

Cybercriminal ecosystems increasingly resemble competitive marketplaces.

Groups compete for access.

They hijack one

Sometimes they collaborate.

Sometimes they sabotage rivals.

The boundaries between organizations are becoming less clear.

From a defensive perspective, this case highlights a growing challenge.

Cloud security remains heavily dependent on configuration management.

A single compromised workload can become part of a global criminal platform.

Organizations often focus on perimeter defenses while overlooking cloud workload monitoring.

Attackers know this.

The future threat landscape will likely feature even more cloud-native criminal infrastructures.

Automation tools will continue evolving.

Infrastructure management will become more resilient.

Detection will become harder.

Ironically, the most advanced threat operations may still be exposed by simple operational mistakes.

PCPJack serves as a perfect example.

Years of engineering effort.

Hundreds of compromised servers.

Sophisticated automation.

Global reach.

All uncovered because someone forgot to secure a directory.

Deep Analysis

Investigating Suspicious Persistence Mechanisms

systemctl list-unit-files | grep enabled
crontab -l
sudo ls -la /var/tmp/

Identifying Hidden Malware Files

find / -name ".*" -type f 2>/dev/null
find /var/tmp -type f -ls

Monitoring Active Network Connections

ss -tulpn
netstat -antp

Detecting Unauthorized SMTP Activity

tcpdump -i any port 587
grep -R "587" /var/log/

Hunting for Suspicious Services

systemctl status
ps auxf

Checking Cloud Instance Integrity

journalctl -xe
last -a
who

Reviewing Open Ports

nmap localhost
lsof -i -P -n
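The checks above, together with the port 587 quality gate and the chisel_verifier.py health checks described earlier, can be turned into one offline triage pass over a host's command output. The following Python is an added example, not Hunt.io's tooling or anything recovered from the operation; its sample `find`, `crontab -l` and `ss -tunap` output is constructed, and the allowed-port list is an assumption a responder would replace with the host's expected services.

```python
import re

# Constructed sample output standing in for a suspect host's real `find`,
# `crontab -l` and `ss -tunap` results; not data from the investigation.
SAMPLE_FIND = """/var/tmp/.xs/chisel_linux_amd64
/var/tmp/.xs/.cfg
/var/tmp/systemd-private-1234/tmp/cache.db"""
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew
@reboot /var/tmp/.xs/chisel_linux_amd64 >/dev/null 2>&1"""
SAMPLE_SS = """Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port  Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*          users:(("sshd",pid=811,fd=3))
tcp   LISTEN 0      4096   0.0.0.0:27731      0.0.0.0:*          users:(("chisel_linux_amd",pid=2307,fd=7))
tcp   ESTAB  0      0      10.0.0.5:41822     203.0.113.25:587   users:(("chisel_linux_amd",pid=2307,fd=9))"""
_PROC_RE = re.compile(r'\(\("([^"]+)"')


def hidden_files(find_output, root="/var/tmp/"):
    # Dot-prefixed names under root: the report's implants lived in /var/tmp/.xs.
    hits = []
    for path in find_output.splitlines():
        if path.startswith(root) and any(
                p.startswith(".") for p in path[len(root):].split("/")):
            hits.append(path)
    return hits


def cron_refs(crontab_text, marker="/var/tmp/"):
    # Active (non-comment) cron entries that run something out of a temp dir.
    return [ln for ln in crontab_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#") and marker in ln]


def suspicious_sockets(ss_output, allowed_ports=frozenset({22, 25})):
    # LISTEN on a port this host should not serve, or any socket whose peer is
    # port 587: the report says each relay had to reach Gmail on 587 to stay in.
    found = []
    for line in ss_output.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "udp"):
            continue
        state, lport = f[1], int(f[4].rsplit(":", 1)[1])  # ok for "[::]:22" too
        pport = f[5].rsplit(":", 1)[1]                     # "*" for listeners
        m = _PROC_RE.search(line)
        proc = m.group(1) if m else "?"
        if state == "LISTEN" and lport not in allowed_ports:
            found.append(("listen", lport, proc))
        elif pport == "587":
            found.append(("outbound-587", lport, proc))
    return found
```

Feed each function the text captured from the corresponding command on the suspect host; an unexplained listener plus an outbound 587 connection from the same process is the pattern the relay design described in this report would produce.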

✅ Hunt.io researchers reported discovering exposed directories containing malware binaries, deployment logs, source code, and command-and-control configurations. The evidence strongly supports the existence of an exposed operational toolkit.

✅ The recovered deployment state files reportedly confirmed approximately 230 successful deployments across cloud-hosted systems. Multiple artifacts recovered from the server support this conclusion.

✅ Researchers observed automated SMTP validation, proxy management, and synchronization mechanisms. The available technical evidence indicates the infrastructure was actively maintained and designed for long-term operational use.

❌ There is currently no publicly available proof confirming exactly how the verified SMTP relay network was ultimately used. Spam, phishing, and malware delivery remain plausible theories rather than confirmed outcomes.

Prediction

(+1) Cloud Infrastructure Abuse Will Continue Growing

Attackers will increasingly target cloud-hosted Linux workloads because they offer scalability, trusted network reputations, and global availability.

(+1) More Criminal Groups Will Adopt DevOps-Like Automation

Future cybercriminal operations will feature automated deployment pipelines, health monitoring, self-healing infrastructure, and cloud-native persistence mechanisms.

(+1) Cloud Security Monitoring Markets Will Expand

Organizations will invest heavily in runtime detection, workload monitoring, identity security, and cloud threat hunting as incidents like PCPJack become more common.

(-1) SMTP-Based Abuse Networks Will Become Harder to Detect

Distributed cloud relay systems will complicate traditional email security controls because malicious traffic will increasingly originate from trusted cloud environments.

(-1) Infrastructure Sharing Among Threat Actors Will Increase

Cybercriminal groups are likely to share, rent, or compete for cloud-based infrastructure, creating more complex attribution challenges for defenders and investigators.

(-1) Operational Security Failures Will Remain a Major Risk

Even sophisticated threat actors will continue exposing themselves through configuration mistakes, leaked credentials, misconfigured cloud resources, or unsecured management interfaces.


References:

Reported By: securityaffairs.com