PCPJack, a threat actor, has compromised approximately 230 servers across AWS, Google Cloud, and Microsoft Azure to establish a hidden SMTP relay network. The hijacked infrastructure spans the U.S., Europe, and Asia, with compromised business servers converted into SMTP proxies without detection.
According to Hunt.io, the attackers verified each server's mail relay capability and synchronized the list to downstream consumers every five minutes. This setup enables PCPJack to send high-volume spam or phishing campaigns while masking the true origin of messages. Cloud providers and their customers become unwitting participants in the distribution infrastructure.
The attack targets cloud environments across all three major providers, indicating PCPJack operates with broad technical capability and persistence. The five-minute sync interval suggests active, continuous management of the relay network, allowing attackers to quickly replace compromised servers as they are detected and remediated.
Organizations face dual risk here. Those running unpatched or poorly configured instances on these platforms may serve as entry points for attackers. Cloud customers whose servers were compromised now carry reputational damage and potential legal liability if their infrastructure facilitates spam or phishing targeting third parties. Email systems that rely on IP-based reputation filtering may struggle to distinguish legitimate traffic from malicious relay activity.
The attack highlights cloud infrastructure's vulnerability when security controls remain inadequate. Default credentials, unpatched vulnerabilities, and insufficient network segmentation create pathways for hijacking. Organizations should immediately audit their cloud security posture, enforce strict IAM policies, implement network monitoring for unusual outbound SMTP connections, and review server configurations for unauthorized mail relay settings.
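The outbound-SMTP monitoring recommended above, as an added example that is not from the Hunt.io report or this page: it reads AWS VPC Flow Log v2 records (field order taken from the AWS documentation, sample lines constructed here) and flags instances that complete TCP sessions to SMTP ports on hosts outside an assumed VPC range, skipping a hypothetical allowlist of known mail senders.

```python
import ipaddress
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}
VPC_CIDR = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address space
KNOWN_MAIL_SENDERS = {"10.0.1.10"}              # hypothetical allowlisted MTA

# Constructed AWS VPC Flow Log v2 records (field order per AWS docs):
# version account-id interface-id srcaddr dstaddr srcport dstport
# protocol packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b 10.0.1.10 203.0.113.5 51234 25 6 12 1800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0c2d 10.0.2.44 198.51.100.7 40001 25 6 40 8000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0c2d 10.0.2.44 198.51.100.8 40002 25 6 38 7900 1700000005 1700000065 ACCEPT OK
2 123456789012 eni-0c2d 10.0.2.44 198.51.100.9 40003 587 6 41 8100 1700000010 1700000070 ACCEPT OK
2 123456789012 eni-0e3f 10.0.3.9 10.0.1.10 45000 25 6 5 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0e3f 10.0.3.9 203.0.113.80 45001 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0e3f 10.0.3.9 198.51.100.7 45002 25 6 3 200 1700000000 1700000060 REJECT OK
"""

def parse_flow(line):
    """Parse one v2 flow record; return None for malformed or non-v2 lines."""
    f = line.split()
    if len(f) < 14 or f[0] != "2":
        return None
    return {"src": f[3], "dst": f[4], "dport": int(f[6]),
            "proto": int(f[7]), "action": f[12]}

def find_smtp_relays(log_text, allowlist=KNOWN_MAIL_SENDERS, min_dests=2):
    """Map each non-allowlisted source to the sorted external hosts it reached on
    an SMTP port; a hijacked relay fans out, an app server should reach none."""
    dests = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None or rec["proto"] != 6 or rec["action"] != "ACCEPT":
            continue  # only accepted TCP flows count
        if rec["dport"] not in SMTP_PORTS:
            continue
        if ipaddress.ip_address(rec["dst"]) in VPC_CIDR:
            continue  # internal mail hop, not relay traffic to the outside
        dests[rec["src"]].add(rec["dst"])
    return {src: sorted(hosts) for src, hosts in dests.items()
            if src not in allowlist and len(hosts) >= min_dests}

if __name__ == "__main__":
    for src, hosts in find_smtp_relays(SAMPLE_FLOW_LOGS).items():
        print(f"ALERT {src}: outbound SMTP to {len(hosts)} external hosts {hosts}")
```

In the constructed sample only 10.0.2.44 is reported; the allowlisted MTA and the instance whose SMTP traffic stays inside the VPC or was rejected are not.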
The incident also underscores why cloud providers benefit from aggressive threat intelligence sharing and rapid security updates. PCPJack's operation demonstrates that relay networks remain profitable attack infrastructure despite modern email authentication standards like SPF, DKIM, and DMARC. Defenders must
