Cloud Hijack Storm: PCPJack Builds a Silent SMTP Relay Empire Inside AWS, Azure, and Google Cloud + Video


Introduction: A Quiet Infrastructure War Hidden Inside Trusted Cloud Systems

The operation attributed to the threat actor known as PCPJack reveals a disturbing evolution in cloud abuse, where legitimate enterprise infrastructure becomes the backbone of covert communication networks. Instead of relying on traditional botnets or noisy malware campaigns, the actor systematically compromised servers across major cloud providers including Amazon Web Services, Google Cloud, and Microsoft Azure, converting them into a distributed SMTP relay system designed for stealth and scale. The discovery by researchers at Hunt.io paints a picture of an infrastructure that was not only operational but continuously synchronized, optimized, and consumed in near real time, suggesting a mature and production-level abuse pipeline rather than an experimental intrusion.

Core Summary: How PCPJack Turned Cloud Servers Into a Global Email Relay Fabric

The PCPJack campaign represents a highly structured cloud compromise chain in which infected business servers were quietly transformed into SMTP proxy nodes capable of relaying email traffic through legitimate cloud environments. These servers, distributed across the United States, Europe, and Asia, were verified for mail relay capability and then continuously synchronized to downstream systems every five minutes. This automation ensured that only functional nodes remained in the active pool, effectively creating a self-healing proxy mesh. The infrastructure remained active even during discovery, indicating strong operational discipline and ongoing usage. Analysts found that the system was not static malware but an evolving pipeline integrating deployment scripts, beacon filtering logic, and proxy validation routines that together formed a resilient email relay network designed to evade detection while supporting large-scale outbound communication tasks.

Entry Point Discovery: The Mistake That Exposed the Operation

The turning point in the investigation came when PCPJack exposed two unsecured directories on a command-and-control server located at 213.136.80[.]73. Inside, researchers uncovered a rare operational snapshot including source code, compiled binaries, deployment logs, exploitation utilities, internet scanning modules, and a live Sliver configuration tied to the framework used in the campaign. The exposure of these directories provided an unprecedented look into the actor’s internal workflow. Instead of fragmented malware artifacts, investigators were able to reconstruct the entire operational chain, from initial compromise to proxy validation and synchronization. This kind of exposure is uncommon in mature threat operations and typically indicates either operational negligence or rapid infrastructure turnover under pressure.

Cloud Credential Theft and Strategic Targeting Model

According to earlier research from SentinelOne, PCPJack was first identified in April 2026 through a credential theft framework specifically engineered to target cloud environments. The malware did not simply harvest credentials but actively attempted to terminate competing processes and remove artifacts linked to other known threat ecosystems such as TeamPCP. This behavior suggests an intent not only to infiltrate but to dominate compromised environments. By clearing competing infections and maintaining exclusive control over cloud workloads, PCPJack ensured uninterrupted access to compute resources that could be repurposed for proxy infrastructure and email relay abuse.

Sliver Integration and Multi-Architecture Deployment Strategy

One of the most technically sophisticated elements of the campaign was its integration with the Sliver command-and-control framework. The toolkit embedded SMTP proxy deployment logic alongside Chisel tunneling utilities and multi-architecture binaries compatible with AMD64, ARM64, and x86 systems. Once deployed, the payload was hidden as a dot-prefixed file in Linux environments and persisted at /var/tmp/.xs, blending into standard system behavior. This design ensured persistence across reboots and reduced the likelihood of immediate detection. The modular structure allowed operators to deploy the same infrastructure across heterogeneous environments without rewriting core components.

Beacon Management and Deterministic Proxy Allocation

The system introduced a highly structured beacon management model where infected nodes, known as implants, periodically checked in with the C2 server. Each beacon was assigned a SOCKS5 proxy port derived from an MD5 hash of its Sliver UUID, mapped consistently within the 10000 to 14999 range. This deterministic mapping eliminated the need for centralized tracking while ensuring consistent routing behavior across sessions. Even after restarts, the same node would always resolve to the same proxy port, effectively creating a stable identity system for compromised hosts within the network.

SMTP Validation and Infrastructure Filtering Logic

A key innovation in the campaign was the SMTP “quality gate” mechanism, which actively tested whether compromised hosts could communicate with smtp.gmail[.]com on port 587. Systems that failed this validation were immediately excluded from the relay pool, ensuring that only fully functional email-capable nodes were retained. This filtering process reveals the operational intent of the infrastructure: it was not about infection volume but about functional output. Only servers capable of sending real outbound email traffic were considered valuable, reinforcing the idea that the system was optimized for spam, phishing, or bulk messaging operations.
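The two mechanisms just described, the deterministic port mapping and the outbound port 587 quality gate, both leave host-level traces an analyst can look for. The following is an added hunting example written for this page; it is not code from the Hunt.io report or from the PCPJack toolkit. It parses `ss`-style socket listings (the sample snapshot is constructed, not captured data) and flags TCP listeners inside the 10000-14999 window and sockets connected to a remote port 587. Because the write-up says only that the port is "derived from an MD5 hash" of the Sliver UUID, the reduction used in `implant_port` (digest modulo 5000) is an assumption and is meant to be replaced once the real formula is recovered from the deployment scripts.

```python
import hashlib
import re

# Assumption: the article says each implant's SOCKS5 port is "derived from an
# MD5 hash of its Sliver UUID" inside 10000-14999 but does not publish the
# reduction step; digest modulo 5000 is a placeholder for the real formula.
PORT_BASE = 10000
PORT_SPAN = 5000          # 10000 .. 14999 inclusive
SMTP_SUBMISSION = 587     # port the relay "quality gate" probes

def implant_port(sliver_uuid: str) -> int:
    """Deterministic SOCKS5 port for an implant UUID (assumed reduction)."""
    digest = hashlib.md5(sliver_uuid.encode("utf-8")).hexdigest()
    return PORT_BASE + int(digest, 16) % PORT_SPAN

# One socket line from `ss -tunap` / `ss -tulpn`: netid, state, the two
# queue counters, local addr:port, peer addr:port, optional process column.
SS_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<peer>\S+)(?:\s+(?P<proc>.*))?$"
)

def _split_port(endpoint: str):
    """'127.0.0.1:12345' -> ('127.0.0.1', 12345); '*:*' -> ('*', None)."""
    addr, _, port = endpoint.rpartition(":")
    return addr, (int(port) if port.isdigit() else None)

def parse_ss(output: str):
    rows = []
    for line in output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue  # header line or unrelated text
        laddr, lport = _split_port(m.group("local"))
        paddr, pport = _split_port(m.group("peer"))
        rows.append({
            "proto": m.group("proto"), "state": m.group("state"),
            "laddr": laddr, "lport": lport, "paddr": paddr, "pport": pport,
            "proc": m.group("proc") or "",
        })
    return rows

def socks_range_listeners(output: str):
    """TCP listeners inside the 10000-14999 window used for per-implant proxies."""
    return [r for r in parse_ss(output)
            if r["proto"] == "tcp" and r["state"] == "LISTEN"
            and r["lport"] is not None
            and PORT_BASE <= r["lport"] < PORT_BASE + PORT_SPAN]

def correlate(sliver_uuid: str, output: str):
    """Listeners whose port equals the one a recovered UUID would map to."""
    expected = implant_port(sliver_uuid)
    return [r for r in socks_range_listeners(output) if r["lport"] == expected]

def outbound_submission(output: str):
    """Sockets talking to a remote port 587: the quality-gate probe, or a relay
    in use, on a server that has no business submitting mail."""
    return [r for r in parse_ss(output)
            if r["proto"] == "tcp" and r["pport"] == SMTP_SUBMISSION]

def sample_ss_output(sliver_uuid: str) -> str:
    """Constructed `ss -tunap`-style snapshot (not real capture data) with one
    listener on the port the UUID maps to and one outbound :587 connection."""
    p = implant_port(sliver_uuid)
    return "\n".join([
        "Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process",
        'tcp   LISTEN 0      128        0.0.0.0:22         0.0.0.0:*      users:(("sshd",pid=812,fd=3))',
        f'tcp   LISTEN 0      4096     127.0.0.1:{p}      0.0.0.0:*      users:(("./.xs",pid=4711,fd=7))',
        'tcp   ESTAB  0      0     10.0.2.15:41822  203.0.113.9:587   users:(("./.xs",pid=4711,fd=9))',
        'udp   UNCONN 0      0          0.0.0.0:68         0.0.0.0:*      users:(("dhclient",pid=600,fd=6))',
    ])

if __name__ == "__main__":
    uuid = "3f2c7d1e-0000-4000-8000-000000000001"   # constructed UUID
    snap = sample_ss_output(uuid)
    print("expected port for UUID:", implant_port(uuid))
    for r in socks_range_listeners(snap):
        print("in-range listener:", r["laddr"], r["lport"], r["proc"])
    for r in outbound_submission(snap):
        print("outbound 587:", r["paddr"], r["proc"])
```

On a real host, feed `parse_ss` the output of `ss -tunap` and treat an in-range loopback listener owned by an unfamiliar dot-prefixed binary, combined with an established connection to a remote port 587, as a strong indicator that the server has been enrolled in a relay pool; `correlate` only becomes useful once an implant UUID has been recovered from memory or from the C2 artifacts.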

Evolution of Deployment Logic and Operational Maturity

Over time, researchers observed that newer versions of the deployment scripts removed earlier SMTP validation checks and batching constraints. This evolution suggests rapid iteration in response to operational needs or environmental feedback. Additional diagnostic tools were introduced to monitor Chisel tunnel health, verify persistence mechanisms, and check system integrity across compromised hosts. These tools tested disk usage, process existence, port availability, and persistence artifacts such as cron jobs and systemd services. The sophistication of these checks indicates a system transitioning from experimental deployment to industrial-scale infrastructure management.

Proxy Verification and External Intelligence Enrichment

The infrastructure also incorporated external validation mechanisms using services such as api.ipify[.]org and ip-api[.]com to enrich proxy nodes with geographic and network-level metadata. Each verified proxy was annotated with exit IP address, country, and autonomous system number, enabling more precise routing and abuse targeting. This enriched dataset was then synchronized every five minutes via SCP to an external server at 38.242.204[.]245. The destination server is currently offline, but historical evidence suggests it functioned as a consumption endpoint for the proxy network, likely used for downstream operations such as spam delivery or phishing campaigns.

Scale and Operational Uncertainty of the Network

At its peak, the system reportedly managed over 230 active nodes, forming a distributed proxy fabric embedded within legitimate cloud environments. However, researchers emphasize that the true intent remains uncertain. Whether this infrastructure was operated by a single actor refining their toolkit or multiple groups leveraging shared components cannot be definitively determined. What is clear is that the system was actively consumed, indicating real-world usage. The combination of automation, validation, and continuous synchronization points to an operational goal focused on scalable communication abuse rather than simple infiltration.

What Undercode Says:

Analytical Breakdown of Cloud Abuse Architecture and PCPJack Behavior Patterns

The operation demonstrates a shift from malware infection to infrastructure repurposing

Cloud providers are being used as hidden relays rather than direct targets

SMTP validation shows functional optimization rather than opportunistic compromise

The use of Sliver indicates professional-grade red-team tooling repurposed for abuse

Deterministic port mapping reduces operational overhead significantly

Persistence at /var/tmp/.xs indicates Linux-focused long-term infection strategy

Multi-architecture support suggests global targeting scope

Beacon filtering within 10-minute windows implies real-time operational control

Chisel integration reveals tunneling-based stealth design

Removal of batching logic suggests adaptive optimization

SMTP gating removal indicates shift toward broader relay acceptance

Proxy enrichment shows monetization or resale intent

Cloud credential theft aligns with infrastructure hijacking objectives

Competing process termination suggests exclusivity enforcement

SCP synchronization indicates centralized downstream consumption

External IP intelligence APIs show operational refinement

Use of cron/systemd persistence indicates system-level embedding

Server exposure suggests operational security failure

C2 structure reflects modular attack pipeline design

Beacons act as autonomous proxy agents

Infrastructure resembles a microservices architecture, repurposed for abuse

Email relay focus suggests spam or phishing economy integration

Geographic distribution reduces detection probability

Cloud abuse reduces infrastructure cost for the attacker

Proxy rotation likely supports anonymity services

MD5-based mapping is predictable but efficient

Lack of authentication in exposed directories indicates operational oversight

Continuous sync suggests live commercial usage

Proxy verification ensures high deliverability rate

System likely supports downstream cybercrime ecosystems

Observed evolution indicates active developer maintenance

Architecture could be reused by multiple threat actors

The cloud trust model is the primary exploited weakness

SMTP port 587 targeting indicates legitimate protocol abuse

Linux dominance reflects server-side exploitation focus

C2 segmentation increases resilience

Script-based automation reduces human intervention

Infrastructure resembles a SaaS offering more than conventional malware

Abuse scalability suggests industrial cybercrime model

Overall system represents convergence of cloud abuse and proxy monetization

Verification of Technical Claims and Infrastructure Behavior

✅ Sliver is a known C2 framework used in penetration testing and adversarial simulations
❌ No confirmed public attribution proving PCPJack is a single, identified individual operator
❌ Exact downstream usage of the proxy network (spam vs phishing) remains unverified

Infrastructure Assessment Accuracy

✅ Cloud hijacking for proxy and relay abuse is a documented cybercrime pattern
❌ The full scale of 230 nodes cannot be independently validated outside vendor reporting

Tooling and Methodology Validation

✅ Chisel tunneling and SMTP relay abuse techniques are widely observed in real attacks

Prediction

(+1) Expansion of Cloud-Based Proxy Abuse Networks

The continued reliance on cloud infrastructure suggests future campaigns will scale further into multi-cloud environments, increasing resilience and anonymity for attackers.

(+1) Increased Automation in SMTP Abuse Pipelines

Automation scripts like beacon filtering and proxy verification are likely to become standard in cybercrime toolkits, improving efficiency of large-scale email abuse.

(-1) Higher Detection Rates Due to Operational Leakage

Exposure of open directories and C2 artifacts increases the likelihood of rapid disruption by security researchers and cloud providers.

Deep Analysis

Linux-Based Investigation and Incident Response Commands

Detect suspicious hidden persistence files (dot-prefixed regular files, such as /var/tmp/.xs)

find /var/tmp -type f -name ".*"

Inspect active network listeners (Chisel/SMTP tunnels)

ss -tulpn

Check cron-based persistence

crontab -l
ls -la /etc/cron* /var/spool/cron*

Monitor suspicious processes

ps aux | grep -E "[c]hisel|[s]liver|[s]mtp"

Analyze outbound SMTP connectivity

nc -vz smtp.gmail.com 587

Track unusual outbound traffic

tcpdump -i eth0 'port 587 or portrange 10000-15000'

Review systemd persistence units

systemctl list-units --type=service --state=running
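The `find` and `crontab` checks above are quick to type but give no context about what was found. The following added triage helper, written for this page and not taken from the report or the toolkit, walks a directory for dot-prefixed regular files, records size and mode bits, and checks for the ELF magic so a compiled payload like the article's /var/tmp/.xs stands out from harmless dotfiles; a second helper pulls crontab entries that invoke anything under /var/tmp. The directory contents and the crontab text are constructed inside `demo()` and the function name is an assumption for the example.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"

def hidden_files(root: str):
    """Dot-prefixed regular files under root (symlinks skipped), each with
    size, executable bit and whether it starts with the ELF magic."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.startswith("."):
                continue
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                head = fh.read(4)
            st = os.stat(path)
            findings.append({
                "path": path,
                "size": st.st_size,
                "executable": bool(st.st_mode & 0o111),
                "is_elf": head == ELF_MAGIC,
            })
    return sorted(findings, key=lambda f: f["path"])

def cron_lines_referencing(crontab_text: str, needle: str = "/var/tmp/"):
    """Crontab entries (comments and blank lines skipped) that reference needle."""
    return [ln.strip() for ln in crontab_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#") and needle in ln]

# Constructed crontab text standing in for `crontab -l` output
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
@reboot /var/tmp/.xs >/dev/null 2>&1
*/5 * * * * /usr/local/bin/backup.sh
"""

def demo():
    """Build a throwaway directory mimicking /var/tmp with one ELF-like hidden
    file and one harmless dotfile, scan it, and return the findings (paths made
    relative so they are stable) together with the cron hits. All constructed."""
    with tempfile.TemporaryDirectory() as root:
        payload = os.path.join(root, ".xs")
        with open(payload, "wb") as fh:
            fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57)  # 64-byte fake header
        os.chmod(payload, 0o755)
        with open(os.path.join(root, ".cache.json"), "w") as fh:
            fh.write("{}")
        with open(os.path.join(root, "report.txt"), "w") as fh:
            fh.write("not hidden\n")
        files = hidden_files(root)
        for f in files:
            f["path"] = os.path.relpath(f["path"], root)
    return files, cron_lines_referencing(SAMPLE_CRONTAB)

if __name__ == "__main__":
    files, cron_hits = demo()
    for f in files:
        flag = "ELF" if f["is_elf"] else "   "
        print(f"{flag} {'x' if f['executable'] else '-'} {f['size']:>6} {f['path']}")
    for ln in cron_hits:
        print("cron:", ln)
```

Against a live system, call `hidden_files("/var/tmp")` (and `/tmp`, `/dev/shm`) and pass the output of `crontab -l` for each user plus the files under /etc/cron* to `cron_lines_referencing`; an executable ELF hidden file that is also referenced from a cron or systemd entry is the persistence pattern the article describes.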

Infrastructure Interpretation Layer

The PCPJack architecture behaves less like traditional malware and more like a distributed backend service. It demonstrates cloud-native thinking applied in reverse, where attackers replicate enterprise orchestration patterns to manage compromised machines as scalable API-driven resources. The combination of Sliver beacons, deterministic routing, and continuous proxy validation suggests a system optimized for uptime, reliability, and throughput rather than stealth alone.


References:

Reported By: thehackernews.com