Ethical Hacking News
A notorious threat actor known for its involvement in software supply chain attacks has been linked to a covert SMTP email relay network that has hijacked cloud servers associated with major cloud providers. This latest development highlights the ever-evolving nature of cybersecurity threats and the need for organizations to remain vigilant against such attacks.
PCPJack has been linked to a covert SMTP email relay network that hijacked cloud servers from AWS, Google Cloud, and Microsoft Azure. The compromised servers were converted into SMTP proxies and synced with a downstream consumer every five minutes. The threat actor left open directories on its command-and-control (C2) server, providing valuable insight into its tactics. The Sliver framework played a central role in the operation, deploying the tooling that connected the compromised servers to the C2 server. Beacons were a key component, checking in with the C2 server at regular intervals. The discovery highlights PCPJack's adaptability in exploiting vulnerabilities through SMTP proxies.
PCPJack, a notorious threat actor known for its involvement in software supply chain attacks, has been linked to a covert SMTP email relay network that has hijacked cloud servers associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. This latest development highlights the ever-evolving nature of cybersecurity threats and the need for organizations to remain vigilant against such attacks.
According to threat intelligence company Hunt.io, PCPJack compromised business servers across various regions, including the U.S., Europe, and Asia, which were then converted into SMTP proxies. The compromised servers were verified for mail relay capability and synced with a downstream consumer every five minutes. This indicates that PCPJack's goal was not only to hijack these servers but also to create a covert network that could be used for malicious purposes.
The threat actor behind this operation left two open directories on the command-and-control (C2) server, which provided Hunt.io with valuable insights into PCPJack's tactics. The company discovered source code, compiled binaries, deployment state logs, internet scanners, exploitation tooling, and a live Sliver configuration. These findings provide a comprehensive understanding of how PCPJack was able to set up its SMTP relay network.
Sliver, an open-source command-and-control (C2) framework, played a crucial role in this operation. It was used to deploy tools such as Chisel tunneling and proxy binaries built for various Linux CPU architectures. These tools establish connections between the compromised servers and the C2 server, allowing PCPJack to communicate with its beacons.
The beacon mechanism was a key component of PCPJack's strategy. Beacons are implants that check in with the C2 server at regular intervals to retrieve commands. Each beacon is assigned a SOCKS5 proxy port derived from an MD5 hash of its Sliver UUID, mapped into the range 10000-14999. Because the port is a deterministic function of the UUID, it stays the same across runs and no shared port registry is needed.
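The deterministic port scheme is also something a responder can use: once an implant UUID is recovered from a compromised host, the expected SOCKS5 port can be computed and checked against the host's listening sockets. The script below is an added illustration, not code from the report or from Sliver; the report says only that the port is an MD5 of the UUID mapped into 10000-14999, so the exact mapping (digest modulo 5000 added to 10000), the UUID, and the ss-style socket lines are constructed assumptions.

```python
import hashlib
import re

# Constructed implant UUID standing in for one recovered during an investigation.
SAMPLE_UUID = "6f1c2e4a-0b3d-4c5e-8f90-1a2b3c4d5e6f"
PORT_BASE, PORT_SPAN = 10000, 5000   # reported range 10000-14999

def expected_socks_port(implant_uuid: str) -> int:
    """Derive the per-beacon SOCKS5 port from the MD5 of the implant UUID.

    ASSUMPTION: the report only states 'MD5 of the UUID mapped into
    10000-14999'; reducing the digest modulo 5000 onto the base is a guess.
    """
    digest = hashlib.md5(implant_uuid.encode()).hexdigest()
    return PORT_BASE + int(digest, 16) % PORT_SPAN

# Constructed `ss -ltnp`-style output; a real run would feed the host's output here.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128  0.0.0.0:22      0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 127.0.0.1:12677 0.0.0.0:* users:(("chisel",pid=4411,fd=7))
LISTEN 0 128  0.0.0.0:25      0.0.0.0:* users:(("master",pid=1203,fd=13))
"""

LISTEN_RE = re.compile(r'LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def suspect_listeners(ss_output: str):
    """Return (port, process) pairs for listeners inside the 10000-14999 band."""
    hits = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.search(line)
        if not m:
            continue
        port, proc = int(m.group(1)), m.group(2)
        if PORT_BASE <= port < PORT_BASE + PORT_SPAN:
            hits.append((port, proc))
    return hits

def port_matches_uuid(port: int, implant_uuid: str) -> bool:
    """True when an observed listener sits exactly where the recovered UUID predicts."""
    return port == expected_socks_port(implant_uuid)

if __name__ == "__main__":
    for port, proc in suspect_listeners(SAMPLE_SS_OUTPUT):
        tag = "matches recovered UUID" if port_matches_uuid(port, SAMPLE_UUID) else "no UUID match"
        print(f"port {port} ({proc}): {tag}")
```

A listener in the band that is not owned by a known service is worth a look on its own; a match against a recovered UUID ties it to a specific implant.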
The use of SMTP proxies and beacons highlights PCPJack's adaptability in exploiting vulnerabilities. By leveraging compromised cloud servers, the threat actor was able to create a covert network that could be used for malicious purposes. The fact that PCPJack removed some of its tools and scripts suggests an ongoing effort to improve and refine its tactics.
The recent discovery of PCPJack's SMTP relay network serves as a reminder to organizations to maintain robust security measures, including regular monitoring and patching of their systems. It also underscores the importance of staying informed about emerging threats and tactics used by threat actors like PCPJack.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Covert-SMTP-Relay-Network-Hijacked-by-PCPJack-Threat-Intelligence-Report-ehn.shtml
https://thehackernews.com/2026/06/pcpjack-hijacks-230-aws-google-cloud.html
https://hivepro.com/threat-advisory/pcpjack-hijacks-vulnerable-servers-with-worm-like-cloud-propagation-tactics/
https://attack.mitre.org/techniques/T1218/
https://cyberbuff.github.io/TheAtomicPlaybook/tactics/defense-evasion/T1218.html
Published: Fri Jun 5 01:26:58 2026 by llama3.2 3B Q4_K_M