
PCPJack Hijacks 230 AWS, Google Cloud, and Azure Servers for Covert SMTP Relay Network


A previously tracked threat actor identified as PCPJack has compromised approximately 230 cloud-hosted servers distributed across Amazon Web Services, Google Cloud, and Microsoft Azure infrastructure to establish a covert Simple Mail Transfer Protocol relay network spanning multiple continents. The compromised servers, located across business environments in the United States, Europe, and Asia, have been systematically converted into SMTP proxies capable of forwarding email traffic while masking the true origin of messages. Hunt.io's threat intelligence team documented the infrastructure conversion and operational methodology, revealing that the hijacked instances undergo continuous synchronization with downstream consumers approximately every five minutes, suggesting an active and evolving criminal operation rather than a legacy or abandoned campaign. The discovery represents a significant infrastructure compromise affecting three major cloud providers simultaneously, underscoring vulnerabilities in cloud security postures across enterprise deployments worldwide.

The exploitation of cloud-hosted servers for email relay purposes reflects a longstanding cybercriminal activity that has intensified as traditional on-premises infrastructure becomes increasingly hardened against such abuse. SMTP relay hijacking enables threat actors to distribute spam, phishing campaigns, and malware propagation at scale while obscuring sender attribution through legitimate corporate email infrastructure. Historically, similar campaigns have leveraged misconfigured mail servers and unprotected instances, but the coordinated compromise of servers across three major cloud providers simultaneously demonstrates evolving sophistication in reconnaissance, lateral movement, and persistence techniques. This development emerges at a moment when cloud security remains uneven across enterprises, with many organizations maintaining insufficient monitoring of outbound connections and email transmission logs. The timing of this discovery also coincides with elevated scrutiny of cloud infrastructure hardening following previous high-profile breaches, making the persistence of such vulnerabilities particularly noteworthy for security teams evaluating their own cloud environments.

The scale and geographic distribution of the compromised infrastructure indicate organized operational planning rather than opportunistic exploitation. Hunt.io confirmed that the 230 compromised servers were systematically verified for mail relay capability before being integrated into the downstream network, demonstrating verification processes designed to ensure reliability of the criminal infrastructure. The five-minute synchronization cycle between compromised instances and consumer endpoints reveals active management and operational maturity, suggesting a sustained revenue model dependent on maintaining service availability and performance metrics. The geographic spread across three continents indicates either a coordinated multicontinental campaign or a sophisticated threat actor with reconnaissance capabilities enabling targeted server identification across diverse regions. The compromise of instances across AWS, Google Cloud, and Azure simultaneously suggests that the attackers exploited common vulnerability classes or configuration weaknesses present across cloud provider implementations rather than provider-specific flaws.

For cybersecurity professionals responsible for cloud infrastructure defense, this campaign illustrates the critical necessity of implementing egress filtering and comprehensive email transmission monitoring regardless of cloud provider selection. Organizations cannot assume that cloud provider infrastructure isolation provides adequate protection against email relay abuse; threat actors who achieve initial compromise can establish outbound communication channels leveraging legitimate email services before detection occurs. The five-minute synchronization pattern means that detection windows for identifying compromised instances require monitoring granularity operating at intervals substantially shorter than typical alert thresholds in many enterprise security operations centers. The compromise of such a large server population without apparent widespread detection until Hunt.io's analysis suggests that many affected organizations may remain unaware of their infrastructure abuse for extended periods. Security teams should immediately audit outbound email connections from cloud instances, review IAM access logs for anomalous activities, and implement network segmentation preventing compromised application servers from directly accessing mail transport agents.

This operation exemplifies a broader pattern wherein cloud infrastructure has become a preferred target for establishing criminal infrastructure precisely because legitimate business activity masks malicious transmission. Unlike residential IP addresses, cloud provider IP ranges carry implicit credibility with email filtering systems, making cloud-based relay networks substantially more effective for bypassing spam filters and authentication mechanisms than traditional residential proxy networks. The compromise demonstrates that while cloud providers implement robust underlying infrastructure security, the shared responsibility model means that security posture depends critically on customer-side configuration, access control, and monitoring. The relatively high number of servers successfully compromised and maintained in operational status suggests that detection rates for this type of infrastructure abuse remain inadequate, leaving threat actors with substantial operational security margins. The incident also reflects ongoing gaps in cross-provider threat intelligence sharing, as the simultaneous compromise across three major providers was identified through external security research rather than coordinated provider detection and response.

Organizations utilizing AWS, Google Cloud, and Azure should prioritize implementation of additional detective controls during the remainder of the current quarter, with particular focus on identifying anomalous SMTP connections from application server instances. Cloud security monitoring should prioritize Hunt.io's recommendations regarding outbound port 25 and 587 traffic analysis from instances typically running non-email services. Additionally, security teams should engage with their respective cloud providers' threat intelligence channels to determine whether their specific accounts have been associated with compromised instances, as AWS, Google Cloud, and Microsoft typically maintain abuse notification systems for customers whose infrastructure has been exploited. The identification of active synchronization occurring at five-minute intervals suggests that monitoring solutions implementing collection frequencies shorter than fifteen minutes may be necessary for timely detection and response. Following disclosure of this campaign, expect heightened cloud provider scrutiny of outbound email patterns and potential implementation of additional default restrictions on SMTP transmission from compute instances, particularly in regions where compromised infrastructure was most densely concentrated.
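The audit both of the preceding paragraphs call for (outbound port 25 and 587 connections from instances that are not mail servers) is a simple join between flow records and an instance inventory. The script below is an added example, not code from Hunt.io or from the article; the flow-log format, instance IDs, role tags and addresses are all constructed for illustration, and real VPC flow logs would need their own parser in place of `parse_flow_line`. It flags every non-mail instance that opens SMTP connections, reports how many were accepted versus rejected by egress filtering, lists the destinations, and reports the median gap between accepted connections so the team can judge whether its collection interval is short enough to catch the cadence.

```python
"""Flag cloud instances that open outbound SMTP connections although they
are not mail servers.  Added example: the log layout, instance roles and
IP addresses below are constructed, not taken from the reported campaign."""
from collections import defaultdict
from statistics import median

# Ports the article recommends watching on non-mail instances.
SMTP_PORTS = {25, 587}

# Constructed flow records, one per line:
# epoch_seconds src_instance src_ip dst_ip dst_port action
SAMPLE_FLOW_LOG = """\
1700000000 i-web01 10.0.1.10 203.0.113.5 25 ACCEPT
1700000012 i-web01 10.0.1.10 198.51.100.7 443 ACCEPT
1700000300 i-web01 10.0.1.10 203.0.113.5 25 ACCEPT
1700000600 i-web01 10.0.1.10 203.0.113.9 587 ACCEPT
1700000900 i-web01 10.0.1.10 203.0.113.5 25 ACCEPT
1700000050 i-mail01 10.0.2.20 203.0.113.5 25 ACCEPT
1700000350 i-mail01 10.0.2.20 192.0.2.30 25 ACCEPT
1700000100 i-app02 10.0.1.11 198.51.100.7 443 ACCEPT
1700000400 i-app02 10.0.1.11 198.51.100.8 443 ACCEPT
1700000700 i-app02 10.0.1.11 203.0.113.5 25 REJECT
"""

# Constructed inventory: which instances are expected to speak SMTP.
INSTANCE_ROLES = {"i-web01": "web", "i-mail01": "mail", "i-app02": "app"}
MAIL_ROLES = {"mail"}


def parse_flow_line(line):
    """Parse one constructed flow record into a dict; None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, instance, src_ip, dst_ip, dst_port, action = parts
    return {"ts": int(ts), "instance": instance, "src_ip": src_ip,
            "dst_ip": dst_ip, "dst_port": int(dst_port), "action": action}


def load_flow_log(text):
    """Parse a whole log text, dropping blank or malformed lines."""
    return [r for r in (parse_flow_line(l) for l in text.splitlines()) if r]


def find_smtp_relay_suspects(records, roles, mail_roles=MAIL_ROLES,
                             smtp_ports=SMTP_PORTS, min_accepted=2):
    """Group outbound SMTP flows by source instance and report every
    instance whose role is not a mail role.  Instances missing from the
    inventory are treated as non-mail, so unknown hosts are flagged rather
    than silently trusted.  Returns {instance_id: summary_dict}."""
    by_instance = defaultdict(list)
    for r in records:
        if r["dst_port"] in smtp_ports:
            by_instance[r["instance"]].append(r)

    findings = {}
    for instance, flows in by_instance.items():
        if roles.get(instance) in mail_roles:
            continue  # a mail server relaying mail is expected behaviour
        accepted = sorted((f for f in flows if f["action"] == "ACCEPT"),
                          key=lambda f: f["ts"])
        rejected = [f for f in flows if f["action"] != "ACCEPT"]
        times = [f["ts"] for f in accepted]
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]

        if len(accepted) >= min_accepted:
            verdict = "relay-suspect"      # sustained outbound SMTP succeeded
        elif rejected:
            verdict = "attempt-blocked"    # egress filtering stopped it
        else:
            verdict = "low-volume"         # a single success; review manually

        findings[instance] = {
            "role": roles.get(instance, "unknown"),
            "accepted": len(accepted),
            "rejected": len(rejected),
            "destinations": sorted({f["dst_ip"] for f in flows}),
            # Median spacing of accepted connections; use it to size the
            # collection interval so the cadence is actually observable.
            "median_gap_s": median(gaps) if gaps else None,
            "verdict": verdict,
        }
    return findings


if __name__ == "__main__":
    results = find_smtp_relay_suspects(load_flow_log(SAMPLE_FLOW_LOG), INSTANCE_ROLES)
    for instance_id, summary in sorted(results.items()):
        print(instance_id, summary)
```

In the constructed sample, `i-web01` is a web host that completed four SMTP connections to two destinations about 300 seconds apart, so it is reported as a relay suspect; `i-mail01` is skipped because its inventory role is `mail`; and `i-app02` made a single rejected attempt, which is reported separately because a blocked attempt is evidence that egress filtering is doing its job but still warrants looking at the instance. The reported median gap is the figure to compare against your log collection interval: a cadence you cannot observe is a cadence you cannot alert on.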