Intelligence | high | Campaign | Active

PCPJack's 230-Server SMTP Relay Network Exposes Multi-Cloud Credential Compromise at Scale

The PCPJack threat actor has compromised approximately 230 servers across AWS, Google Cloud, and Azure to establish a covert SMTP relay network for sending spoofed or spam emails. The campaign reflects systemic credential theft and weak access controls across major cloud providers.

Sebastion

Affected

Amazon Web Services, Google Cloud Platform, Microsoft Azure

PCPJack has compromised at least 230 cloud-hosted instances across three major providers to build a distributed SMTP relay network. The servers, spanning the U.S., Europe, and Asia, were systematically configured as mail proxies and validated for relay capability before being registered into live infrastructure. The five-minute sync interval suggests automated deployment and inventory management, indicating operational maturity.

The technical pattern here is straightforward but effective: stolen or weak credentials grant initial access to cloud accounts; lateral movement or privilege escalation enables instance takeover; SMTP services are misconfigured or exposed; the compromised infrastructure is enrolled into a downstream relay pool for spam, phishing, or extortion. The multi-region, multi-provider nature suggests either widespread credential leakage, commonplace misconfigurations across cloud deployments, or targeted spear-phishing of cloud administrators.

Defenders must recognise that this attack bypasses network perimeter defences entirely. Cloud instances require only valid credentials or API keys, neither of which triggers traditional firewall alerts. The SMTP relay abuse compounds the problem: recipient organisations will see legitimate-appearing cloud IP ranges in their mail logs, making reputation filtering less effective. Enterprise security teams often lack real-time visibility into which instances their cloud subscriptions are running or which services those instances expose.

Organisations using AWS, GCP, or Azure should immediately audit active instances for unauthorised SMTP listeners, review IAM credentials for evidence of compromise, and implement network policies restricting outbound traffic on ports 25 and 587. Cloud providers should enforce stricter defaults around SMTP relay permissions and provide better anomaly detection on compute instance provisioning and network traffic patterns. The fact that 230 instances remained undetected long enough to be synced into a live relay network points to detection gaps in cloud monitoring that this campaign has exploited.
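Two of the recommendations above can be turned into concrete checks: spotting instances that are already relaying mail to many external hosts, and finding egress rules that would let them. The script below is an added example written for this brief, not code from the original report or from any cloud provider. It reads records in the AWS VPC flow log default layout (a real format) and a list of security-group egress rules expressed as plain dicts; every address, ENI id, account id and rule in it is constructed, and the VPC range 10.0.0.0/16 is an assumption standing in for whatever address space the monitored VPC actually uses. GCP and Azure expose equivalent flow logs and firewall rules, so the same logic applies with a different parser.

```python
"""Defender-side checks for SMTP relay abuse in a cloud account (added example).

  1. find_smtp_relay_candidates(): instances seen delivering mail (tcp/25 or
     tcp/587) to several distinct hosts outside the VPC, the signature of a
     relay node rather than an app that talks to one internal mail gateway.
  2. permissive_smtp_egress(): security-group egress rules that let any
     instance reach tcp/25 or tcp/587 on the whole internet.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SMTP_PORTS = {25, 587}
VPC_CIDR = ip_network("10.0.0.0/16")      # assumption: the monitored VPC's address space
INTERNET = {"0.0.0.0/0", "::/0"}

# Constructed flow log records in the AWS VPC flow log default format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 111122223333 eni-0a1b2c3d 10.0.1.15 203.0.113.7 49152 25 6 12 1800 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.15 198.51.100.20 49153 25 6 15 2100 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.15 192.0.2.44 49154 587 6 9 1400 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.15 198.51.100.77 49155 25 6 11 1600 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.15 203.0.113.9 49156 443 6 30 9000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0f9e8d7c 10.0.2.8 10.0.0.25 51000 25 6 40 6000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0f9e8d7c 10.0.2.8 203.0.113.200 51001 443 6 30 9000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0b3c4d5e 10.0.3.3 203.0.113.50 52000 25 6 5 600 1700000000 1700000060 REJECT OK
"""

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")

# Constructed egress rules; "-1" is the protocol value meaning "all protocols".
SAMPLE_EGRESS_RULES = [
    {"group": "sg-web", "protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"group": "sg-web", "protocol": "-1", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"},
    {"group": "sg-mail", "protocol": "tcp", "from_port": 25, "to_port": 25, "cidr": "10.0.0.0/16"},
    {"group": "sg-app", "protocol": "tcp", "from_port": 587, "to_port": 587, "cidr": "0.0.0.0/0"},
]

# Hardened equivalent: web egress stays open, mail ports only reach the in-VPC relay.
HARDENED_EGRESS_RULES = [
    {"group": "sg-web", "protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"group": "sg-app", "protocol": "tcp", "from_port": 587, "to_port": 587, "cidr": "10.0.0.0/16"},
    {"group": "sg-mail", "protocol": "tcp", "from_port": 25, "to_port": 25, "cidr": "10.0.0.0/16"},
]


def parse_flow_log(text):
    """Parse default-format flow log lines into dicts; skip header or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] == "version":
            continue
        rec = dict(zip(FIELDS, parts))
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def find_smtp_relay_candidates(records, min_destinations=3):
    """Map source IP -> sorted external SMTP destinations for sources over the threshold."""
    dests = defaultdict(set)
    for r in records:
        if r["action"] != "ACCEPT" or r["protocol"] != 6 or r["dstport"] not in SMTP_PORTS:
            continue
        if ip_address(r["dstaddr"]) in VPC_CIDR:
            continue  # mail handed to an in-VPC gateway is expected traffic
        dests[r["srcaddr"]].add(r["dstaddr"])
    return {src: sorted(d) for src, d in dests.items() if len(d) >= min_destinations}


def rule_covers_port(rule, port):
    """True if an egress rule permits TCP traffic to the given port."""
    if rule["protocol"] == "-1":
        return True
    return rule["protocol"] == "tcp" and rule["from_port"] <= port <= rule["to_port"]


def permissive_smtp_egress(rules):
    """Return rules that allow SMTP submission to the entire internet."""
    return [r for r in rules
            if r["cidr"] in INTERNET and any(rule_covers_port(r, p) for p in SMTP_PORTS)]


if __name__ == "__main__":
    for src, targets in find_smtp_relay_candidates(parse_flow_log(SAMPLE_FLOW_LOG)).items():
        print(f"relay candidate {src}: {len(targets)} external SMTP destinations {targets}")
    for r in permissive_smtp_egress(SAMPLE_EGRESS_RULES):
        print(f"open SMTP egress in {r['group']}: {r['protocol']} {r['from_port']}-{r['to_port']} -> {r['cidr']}")
    print("hardened rule set flags:", permissive_smtp_egress(HARDENED_EGRESS_RULES))
```

In the constructed data, 10.0.1.15 delivers mail to four separate external hosts and is reported; 10.0.2.8 only talks to an in-VPC gateway and is not; the REJECT line for 10.0.3.3 shows what the log looks like once outbound 25/587 is actually blocked. The two flagged rules are the allow-all default on sg-web and the internet-wide tcp/587 rule on sg-app; the hardened set produces no findings because mail ports are confined to the VPC.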

The broader implication is that cloud infrastructure has become a more attractive target for abuse than traditional data centre compromise. Ephemeral instances, weak credential hygiene, and the assumption that "cloud" means "secure" have created a permissive environment for relay networks, botnet nodes, and cryptocurrency mining farms. Until cloud security practices mature beyond perimeter thinking, expect this pattern to scale.