Ethical Hacking News
Researchers have uncovered a 230-node cloud-based email relay network exposed by the threat actor known as PCPJack, leaving behind a comprehensive toolkit of deployment scripts, scanning tools, exploitation utilities, source code, malware binaries, and a live Sliver configuration. This sophisticated operation highlights the evolving tactics used by cybercriminals to create covert infrastructure across major cloud providers.
A sophisticated cloud-based email relay network consisting of 230 nodes across three major cloud providers has been exposed. The network was created by PCPJack and utilized Sliver, an open-source command-and-control framework, along with Chisel tunneling binaries. The recovered toolkit (deployment scripts, scanning tools, exploitation utilities, source code, malware binaries, and a live Sliver configuration) documents the operation end to end. The network processes beacons in batches of 50, with a 25-minute wait after uploads and a 15-minute wait after execution commands. The campaign targeted business servers across the US, Europe, and Asia without a clear pattern of victim selection beyond the requirement that they can relay email.
A recent investigation by researchers at Hunt.io has unveiled a sophisticated cloud-based email relay network, composed of an astonishing 230 nodes across three major cloud providers—Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. This intricate infrastructure was inadvertently exposed by the threat actor known as PCPJack, who left behind two directories on an internet-facing command-and-control server accessible without any password or authentication.
The discovery is significant because it provides valuable insight into the tactics, techniques, and procedures (TTPs) employed by cybercriminals. According to the report, PCPJack's operation was designed to create a covert email relay network, utilizing Sliver, an open-source command-and-control framework, in conjunction with Chisel tunneling binaries compiled for multiple Linux CPU architectures (AMD64, ARM64, and x86).
The toolkit, which includes deployment scripts, scanning tools, exploitation utilities, source code, malware binaries, and a live Sliver configuration, gives a complete picture of how the operation was built and run. Upon compromise, each server in the network drops a hidden dot-prefixed file, .xs, in /var/tmp/ and registers either a cron job or a systemd service to relaunch it across reboots.
The deployer scripts are methodical: they load the Sliver C2 client configuration, filter for Linux implants that have checked in within the last ten minutes, and assign each one a dedicated SMTP proxy port. Each beacon's SOCKS5 proxy port is derived deterministically from an MD5 hash of its Sliver UUID, mapped into the range 10000-14999.
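The port assignment above is worth reproducing from an analyst's side: if the Sliver UUIDs of the implants are recovered from the leaked configuration, the same mapping tells you which proxy port each implant should have occupied, so UUIDs can be matched against ports seen in the verifier's output. The following is an added example, not code from the report or from the deployer itself. The report only says the port comes from an MD5 hash of the UUID reduced into 10000-14999; reading the whole digest as an integer and taking it modulo 5000 is an assumption about the exact reduction, and the sample UUIDs are constructed. The example also shows something the paragraph does not: a deterministic hash-to-range mapping cannot guarantee a "dedicated" port, and for a batch of 50 implants two of them share a port roughly one time in five.

```python
import hashlib

# Range reported by Hunt.io for the SOCKS5 proxy ports: 10000-14999 inclusive.
PORT_BASE = 10000
PORT_SPAN = 5000


def proxy_port_for_uuid(implant_uuid: str) -> int:
    """Map a Sliver implant UUID to a proxy port in 10000-14999.

    The report only states that the port is derived deterministically from an
    MD5 hash of the UUID. Interpreting the full hex digest as an integer and
    reducing it modulo 5000 is an ASSUMPTION about the exact mapping used by
    the deployer; any other reduction of the digest would behave the same way.
    """
    digest = hashlib.md5(implant_uuid.encode("ascii")).hexdigest()
    return PORT_BASE + int(digest, 16) % PORT_SPAN


def port_table(implant_uuids):
    """Build {uuid: port} so UUIDs from a recovered Sliver config can be
    matched against proxy ports seen in the C2's verifier output."""
    return {u: proxy_port_for_uuid(u) for u in implant_uuids}


def port_collisions(implant_uuids):
    """Return {port: [uuid, ...]} for ports that more than one implant maps to.

    A deterministic hash-to-range mapping does not guarantee a "dedicated"
    port: two implants can land on the same number, and the deployer would
    have to resolve that itself."""
    by_port = {}
    for u in implant_uuids:
        by_port.setdefault(proxy_port_for_uuid(u), []).append(u)
    return {p: us for p, us in by_port.items() if len(us) > 1}


def collision_probability(n_implants: int, span: int = PORT_SPAN) -> float:
    """Exact birthday probability that at least two of n implants share a port
    when each port is effectively uniform over `span` values."""
    p_distinct = 1.0
    for i in range(n_implants):
        p_distinct *= (span - i) / span
    return 1.0 - p_distinct


if __name__ == "__main__":
    # Constructed example UUIDs, not values from the report.
    sample = [f"00000000-0000-4000-8000-{i:012d}" for i in range(50)]
    table = port_table(sample)
    print(f"batch of {len(sample)}: {len(set(table.values()))} distinct ports, "
          f"{len(port_collisions(sample))} collided")
    print(f"P(collision in a batch of 50) ~ {collision_probability(50):.3f}")
```

Run it as a script to see the collision figure for a 50-implant batch; the probability is computed exactly rather than sampled, so it does not depend on the assumed reduction, only on the 5000-port span.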
Furthermore, before a compromised server is added to the pool, it undergoes a quality check that probes for outbound access to smtp.gmail.com on port 587. This gate defines the operation's purpose: hosts that cannot relay email have no value to this pipeline.
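The gate also hands defenders a clean detection signal: a web or application server that suddenly opens outbound connections to port 587 is doing something it has no business doing. The following is an added example, not code from the report, showing that logic run over egress firewall records. The key=value record format, the allowlist of hosts permitted to send mail, and the sample lines are all constructed for the example (203.0.113.25 stands in for a public mail provider and 198.51.100.9 for an external host on port 9000, both from documentation address ranges). Denied connections are deliberately kept, since the probe fires whether or not the firewall let it through.

```python
import re
from collections import defaultdict

# Ports an SMTP relay probe would touch (587 is the one the deployer tests).
SMTP_PORTS = {25, 465, 587}

# Hosts that are expected to speak SMTP outbound; an assumed allowlist.
AUTHORISED_MAILERS = {"10.0.3.22"}

# Constructed egress firewall records in a simple key=value form (not real
# logs). 203.0.113.25 stands in for a public mail provider and 198.51.100.9
# for an external host on port 9000; both are documentation-range addresses.
SAMPLE_EGRESS_LOG = """\
2026-06-05T05:31:02Z src=10.0.1.15 dst=203.0.113.25 dport=587 proto=tcp action=allow
2026-06-05T05:31:05Z src=10.0.1.15 dst=203.0.113.25 dport=587 proto=tcp action=allow
2026-06-05T05:31:09Z src=10.0.2.7 dst=192.0.2.80 dport=443 proto=tcp action=allow
2026-06-05T05:32:41Z src=10.0.3.22 dst=203.0.113.25 dport=587 proto=tcp action=allow
2026-06-05T05:33:10Z src=10.0.1.15 dst=198.51.100.9 dport=9000 proto=tcp action=allow
2026-06-05T05:33:55Z src=10.0.2.7 dst=203.0.113.25 dport=25 proto=tcp action=deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_smtp_probes(log_text, authorised=AUTHORISED_MAILERS):
    """Return {src: [(dst, dport, action), ...]} for every internal host that
    attempted outbound SMTP without being on the allowlist.

    Denied attempts are kept on purpose: the gate check fires whether or not
    the firewall let the connection through, so a deny is still a signal."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["dport"] in SMTP_PORTS and rec["src"] not in authorised:
            hits[rec["src"]].add((rec["dst"], rec["dport"], rec["action"]))
    return {src: sorted(v) for src, v in hits.items()}


def pivot_on_port(log_text, suspects, port=9000):
    """Of the suspect hosts, return those that also connected outbound to `port`.

    The report notes the implants reach port 9000 on the C2, so a host that
    both probed SMTP and talked to an external :9000 deserves a closer look."""
    flagged = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["src"] in suspects and rec["dport"] == port:
            flagged.add(rec["src"])
    return sorted(flagged)


if __name__ == "__main__":
    probes = find_smtp_probes(SAMPLE_EGRESS_LOG)
    for src, attempts in probes.items():
        print(f"{src}: {attempts}")
    print("also reached :9000 ->", pivot_on_port(SAMPLE_EGRESS_LOG, set(probes)))
```

The pivot step is the part that separates this campaign's hosts from a misconfigured application that merely sends mail: a server that both probes SMTP and holds a connection to an external port 9000 matches two of the report's indicators at once.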
The network processes beacons in batches of 50, with a 25-minute wait after uploads and a 15-minute wait after execution commands, accommodating slow-interval beacon check-ins. In later versions of the deployer, the gate and batching logic were removed, indicating that the operator was adapting their tactics rapidly.
An additional Python script, chisel_verifier.py, runs as a persistent background process on the C2 server, enumerating active tunnel ports every 60 seconds, testing each one for SMTP capability, and dropping any that fail or go offline. Verified proxies are enriched with exit IP address, country, and ASN using services like api.ipify.org and ip-api.com, then synced every five minutes via SCP to a downstream server.
A separate diagnostic script rounds out the toolkit, selecting five active beacons at random and running a shell command on each to verify the presence of Chisel binaries at known drop paths, confirm a Chisel process is running, test reachability of port 9000 on the C2, and confirm persistence artifacts are still in place.
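The operator's diagnostic checklist is, read the other way round, a hunting checklist for a suspected victim: the drop file in /var/tmp, a cron entry or systemd unit that relaunches it, and a running process that references it. The following is an added example, not code from the report or from the toolkit it describes, that turns the persistence and process checks from the two paragraphs above into read-only host checks. The indicator strings (/var/tmp/.xs and "chisel") come from the report; the list of cron and unit directories is an assumption about where persistence lives on a typical Linux host, and the inputs used in the test are constructed. The check functions take their data as arguments so they can be exercised offline against captured artifacts; collect_live() gathers the same data from the host it runs on.

```python
import os
from pathlib import Path

# Indicators taken from the Hunt.io report: the drop path and the Chisel tooling.
DROP_PATH = "/var/tmp/.xs"
INDICATOR_TERMS = ("/var/tmp/.xs", "chisel")

# Where persistence normally lives on a Linux host. The paths are standard,
# but which ones matter is an assumption that varies by distribution.
CRON_SOURCES = ["/etc/crontab", "/etc/cron.d", "/var/spool/cron", "/var/spool/cron/crontabs"]
UNIT_DIRS = ["/etc/systemd/system", "/usr/lib/systemd/system", "/run/systemd/system"]


def suspicious_cron_lines(crontab_text):
    """Return non-comment cron lines that reference the drop path or Chisel."""
    hits = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and any(t in s for t in INDICATOR_TERMS):
            hits.append(s)
    return hits


def suspicious_units(units):
    """units: {unit_name: unit_text}. Return unit names whose Exec* lines
    (ExecStart, ExecStartPre, ...) reference the indicators."""
    hits = []
    for name, text in units.items():
        for line in text.splitlines():
            if line.strip().startswith("Exec") and any(t in line for t in INDICATOR_TERMS):
                hits.append(name)
                break
    return sorted(hits)


def suspicious_processes(ps_lines):
    """ps_lines: iterable of '<pid> <cmdline>' strings. Return [(pid, cmdline)]
    for processes whose command line references the indicators."""
    hits = []
    for entry in ps_lines:
        pid, _, cmdline = entry.strip().partition(" ")
        if pid.isdigit() and any(t in cmdline for t in INDICATOR_TERMS):
            hits.append((int(pid), cmdline))
    return hits


def hidden_var_tmp_entries(names):
    """names: directory listing of /var/tmp. Return dot-prefixed entries with the
    known drop name first; a legitimate dotfile there is rare but possible."""
    hidden = [n for n in names if n.startswith(".") and n not in (".", "..")]
    return sorted(hidden, key=lambda n: (n != ".xs", n))


def collect_live():
    """Gather the inputs above from the running host (read-only, best effort)."""
    cron_text, units, procs, var_tmp = [], {}, [], []
    for src in CRON_SOURCES:
        p = Path(src)
        files = [p] if p.is_file() else (list(p.iterdir()) if p.is_dir() else [])
        for f in files:
            try:
                cron_text.append(f.read_text(errors="replace"))
            except OSError:
                pass
    for d in UNIT_DIRS:
        for f in (Path(d).glob("*.service") if Path(d).is_dir() else []):
            try:
                units[f.name] = f.read_text(errors="replace")
            except OSError:
                pass
    for pdir in Path("/proc").glob("[0-9]*"):
        try:
            cmd = (pdir / "cmdline").read_bytes().replace(b"\0", b" ").decode(errors="replace")
            procs.append(f"{pdir.name} {cmd}")
        except OSError:
            pass
    try:
        var_tmp = os.listdir("/var/tmp")
    except OSError:
        pass
    return "\n".join(cron_text), units, procs, var_tmp


if __name__ == "__main__":
    cron_text, units, procs, var_tmp = collect_live()
    print("drop file present:", os.path.exists(DROP_PATH))
    print("cron:", suspicious_cron_lines(cron_text))
    print("units:", suspicious_units(units))
    print("processes:", suspicious_processes(procs))
    print("hidden in /var/tmp:", hidden_var_tmp_entries(var_tmp))
```

Because the file name and path are the weakest indicators (a rebuilt implant could use any name), the process and Exec* checks match on "chisel" as well, and any dotfile in /var/tmp is listed rather than only .xs, so an analyst sees the candidates and decides.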
The campaign, dubbed "opportunistic" by Hunt.io researchers, targeted business servers across the US, Europe, and Asia without a clear pattern of victim selection beyond the requirement that they can relay email. The downstream consumer's intentions remain unknown, as the investigation did not provide sufficient information to determine their motivations.
The discovery raises questions about the relationship between PCPJack and another hacking group known for software supply chain attacks, TeamPCP. It is unclear whether one operator or multiple groups were utilizing the same infrastructure to create this formidable email relay network.
In conclusion, the 230-node cloud email relay network exposed by researchers at Hunt.io offers a glimpse into the TTPs employed by PCPJack and their associates. As we move forward in the digital landscape, it is essential that we remain vigilant and continue to uncover the tactics used by cybercriminals to compromise our security.
Related Information:
https://www.ethicalhackingnews.com/articles/Exposing-the-Shadows-The-230-Node-Cloud-Email-Relay-Network-Unmasked-by-PCPJack-ehn.shtml
https://securityaffairs.com/193189/cyber-crime/pcpjack-exposed-researchers-uncover-230-node-cloud-email-relay-network.html
Published: Fri Jun 5 05:34:23 2026 by llama3.2 3B Q4_K_M