PCPJack Hijacks 230 Cloud Servers Across AWS, Azure, and Google Cloud to Build a Stealth SMTP Relay Grid
A threat actor quietly converted compromised business workloads on three major cloud platforms into a verified mail-relay network, refreshing its inventory every five minutes and burning victims' IP reputations in the process.

A Silent Hostile Takeover of Cloud Infrastructure
A threat actor tracked as PCPJack has assembled roughly 230 hijacked business servers, spread across AWS, Google Cloud, and Microsoft Azure, into a covert SMTP relay network designed to push spam and phishing email through some of the most trusted IP ranges on the internet.
Researchers at Hunt.io documented the campaign, identifying compromised workloads located in the United States, Europe, and Asia. The infrastructure functions like an assembly line. Each hijacked host gets scanned, verified for open mail-relay capability, and then fed to a downstream buyer on a five-minute refresh cycle. That buyer, almost certainly a spam or phishing operator, gets a continuous drip of clean, reputable IP addresses to send mail through.
The economics are ugly for everyone except PCPJack.
Why Cloud IPs Are Worth Stealing
Email sent from AWS, Google Cloud Platform, and Azure netblocks carries implicit trust. Reputation filters that would instantly trash traffic originating from known bulletproof hosting providers or residential proxy pools frequently pass cloud-origin mail without a second look. SPF, DKIM, and DMARC checks run against a legitimately provisioned cloud tenant often come back clean, because the underlying domain and IP records are real.
When abuse takedowns eventually arrive, they land on the victim's cloud account first. The actual operator has already rotated to the next batch of hijacked hosts. The breached business inherits the blocklist entry, the provider warning, and the remediation bill.
Verizon's 2024 Data Breach Investigations Report found that use of stolen credentials appeared in 77 percent of basic web application attacks, a figure that maps directly onto what Hunt.io observed here: exposed admin panels, weak or reused credentials, and misconfigured services on internet-facing cloud workloads. No single CVE is driving this. PCPJack appears to be exploiting the compounding effect of ordinary cloud hygiene failures.
Once inside a compromised instance, the actor installs or enables an SMTP relay component, then registers the host with a management backend. The process is fast, automated, and scalable.
What the Victims Actually Lose
The damage in this campaign is operational, not primarily personal-data-related. Affected businesses face unexpected egress charges on their cloud bills, degraded IP and domain reputation, and potential SMTP service disruption when providers act on abuse complaints.
Second-order victims are the recipients of the relayed mail, who are almost certainly being targeted with phishing or fraud campaigns riding on the borrowed legitimacy of major cloud providers.
Organizations with hosts in the EU or UK that had any personal data on compromised instances should be aware that GDPR Article 33 requires notifying the relevant supervisory authority within 72 hours of discovering a breach. U.S.-based tenants may face FTC scrutiny under unauthorized-access frameworks, and Australian organizations fall under the Office of the Australian Information Commissioner's Notifiable Data Breaches scheme.
The Control That Failed: Identity and Configuration Hygiene
PCPJack did not need a zero-day. The attack pattern Hunt.io documented relies entirely on human-scale failures: exposed management interfaces, credentials that were never rotated or were reused across services, and cloud workloads configured permissively enough to accept inbound connections they should never have seen.
This is a credential hygiene and cloud configuration problem at its core. Organizations running internet-facing workloads on any of the three major cloud platforms should treat open admin panels as a critical finding, not a low-priority to-do. Outbound SMTP on ports 25, 465, and 587 from compute instances that have no legitimate business sending mail should be blocked by default at the security group or VPC firewall level. That single control would have prevented these machines from being useful to PCPJack at all.
Password reuse across cloud service accounts, IAM users, and admin consoles remains one of the most exploited weaknesses in enterprise cloud deployments. Multi-factor authentication on every privileged identity is not optional at this threat level.
What Defenders Should Do Right Now
Hunt.io's findings point to a specific, actionable remediation checklist for any organization running workloads on public cloud.
Audit and Block Outbound Mail Paths
Review security group rules and VPC firewall policies for any compute instance that should not be sending email. Block outbound SMTP by default and require explicit approval for exceptions. Most business applications have no reason to originate mail directly from a cloud VM.
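The following audit script is an added example, not code from the article or from Hunt.io. It walks the JSON shape that `aws ec2 describe-security-groups` returns and flags every egress rule through which an instance could reach a mail server on TCP 25, 465, or 587, including the "allow all outbound" rule that AWS default groups ship with. The group IDs, names, and CIDRs in the embedded sample are constructed for illustration; point it at real output by piping the CLI's JSON into `find_smtp_egress`.

```python
"""Audit AWS security-group egress rules for outbound SMTP paths.

Added example (not from the article or from Hunt.io). The input mimics the
JSON shape of `aws ec2 describe-security-groups`; the group IDs, names and
CIDRs are constructed for illustration.
"""
import json

SMTP_PORTS = (25, 465, 587)
ANY_DEST = {"0.0.0.0/0", "::/0"}

# Constructed sample output: three groups, only "web-tier" is SMTP-clean.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-0aaa0000example1", "GroupName": "web-tier",
         "IpPermissionsEgress": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0bbb0000example2", "GroupName": "default",
         # The AWS default group ships with "allow all outbound".
         "IpPermissionsEgress": [
             {"IpProtocol": "-1",
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0ccc0000example3", "GroupName": "batch-workers",
         "IpPermissionsEgress": [
             {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 1024,
              "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
             {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
              "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    ]
})


def smtp_ports_allowed(rule):
    """Return the SMTP ports a single IpPermission entry lets out, if any."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # all protocols and all ports
        return list(SMTP_PORTS)
    if proto not in ("tcp", "6"):          # SMTP runs over TCP only
        return []
    lo = rule.get("FromPort", 0)
    hi = rule.get("ToPort", 65535)
    return [p for p in SMTP_PORTS if lo <= p <= hi]


def rule_destinations(rule):
    """Collect the IPv4 and IPv6 CIDRs a rule points at."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def find_smtp_egress(describe_output_json):
    """Flag every egress rule through which an instance could reach a mail
    server on 25/465/587. Returns one finding dict per offending rule."""
    findings = []
    for sg in json.loads(describe_output_json)["SecurityGroups"]:
        for rule in sg.get("IpPermissionsEgress", []):
            ports = smtp_ports_allowed(rule)
            if not ports:
                continue
            dests = rule_destinations(rule)
            findings.append({
                "group_id": sg["GroupId"],
                "group_name": sg["GroupName"],
                "ports": ports,
                "destinations": dests,
                # Internet-wide egress is exactly what a relay operator needs.
                "internet_wide": any(d in ANY_DEST for d in dests),
                "rule": rule,
            })
    return findings


def revoke_command(finding):
    """Render the AWS CLI call that removes the flagged rule outright.
    If the instance has an approved mail path (e.g. a gateway on 587),
    re-add that narrower allow with authorize-security-group-egress."""
    perm = json.dumps([finding["rule"]])
    return (f"aws ec2 revoke-security-group-egress --group-id "
            f"{finding['group_id']} --ip-permissions '{perm}'")


if __name__ == "__main__":
    for f in find_smtp_egress(SAMPLE_DESCRIBE_OUTPUT):
        scope = "INTERNET-WIDE" if f["internet_wide"] else "limited"
        print(f"{f['group_id']} ({f['group_name']}): ports {f['ports']} "
              f"to {f['destinations']} [{scope}]")
        print("  " + revoke_command(f))
```

Run against the sample, the web tier passes, the default group is flagged because "-1" covers every port, and the batch group is flagged because a 20-1024 range quietly includes 25, 465, and 587 to the whole IPv6 internet. Revoking the flagged rule and, where needed, re-authorizing a single allow to your approved mail gateway is the "block by default, approve exceptions" posture the checklist calls for.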
Rotate Credentials and Audit for Persistence
Any instance showing unexpected outbound mail traffic warrants immediate credential rotation for all associated IAM users and API keys. Check for unauthorized IAM accounts, scheduled tasks via cron or systemd units, and modifications to Postfix or sendmail configurations. These are the persistence mechanisms PCPJack relies on to maintain access after initial compromise.
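To make the "modifications to Postfix configurations" check concrete, here is an added example that is not code from the article or from Hunt.io. It parses Postfix's main.cf format (including continuation lines), reports the settings that turn a host into an open relay, and diffs the live file against a known-good snapshot so that any parameter added, removed, or changed since the host was built stands out. Both configs embedded below are constructed: a hardened baseline and the same file after the kind of tampering the article describes; the hostnames are placeholders.

```python
"""Spot open-relay settings and unexpected edits in a Postfix main.cf.

Added example (not from the article or from Hunt.io). The two configs below
are constructed: a hardened baseline snapshot and the same file after the
kind of tampering the article describes.
"""
import re

# Constructed: a known-good snapshot taken when the host was built.
BASELINE_MAIN_CF = """\
# hardened baseline (constructed)
myhostname = mail.example.internal
inet_interfaces = loopback-only
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    defer_unauth_destination
relayhost = [smtp-gateway.example.internal]:587
"""

# Constructed: the same file as found on the box after compromise.
TAMPERED_MAIN_CF = """\
# hardened baseline (constructed)
myhostname = mail.example.internal
inet_interfaces = all
mynetworks = 0.0.0.0/0 [::]/0
smtpd_relay_restrictions = permit
smtpd_recipient_restrictions = permit
relayhost =
"""

# Either of these in a restriction list stops relaying for strangers.
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}


def parse_main_cf(text):
    """Parse Postfix's 'name = value' format, folding continuation lines
    (lines that start with whitespace) into the previous parameter."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:          # continuation line
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def _tokens(value):
    """Split a Postfix list value on commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", value) if t]


def open_relay_findings(params):
    """Return human-readable findings for settings that make the host relay
    for anyone who connects. An empty list means nothing obviously wrong."""
    findings = []
    nets = _tokens(params.get("mynetworks", ""))
    if any(n.endswith("/0") for n in nets):
        findings.append(f"mynetworks trusts the whole internet: {nets}")
    restr = {k: set(_tokens(params[k]))
             for k in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions")
             if k in params}
    # If neither parameter is set, Postfix's built-in default (which ends in
    # defer_unauth_destination) applies; if one is set, it must carry a guard.
    if restr and not any(RELAY_GUARDS & toks for toks in restr.values()):
        findings.append("relay restrictions lack reject/defer_unauth_destination: "
                        + "; ".join(f"{k} = {params[k]}" for k in restr))
    if findings and params.get("inet_interfaces", "all") == "all":
        findings.append("inet_interfaces = all exposes the relay on every "
                        "address, not just loopback")
    return findings


def config_drift(baseline_text, current_text):
    """Return {parameter: (baseline_value, current_value)} for every parameter
    that was added, removed or changed since the snapshot."""
    base, cur = parse_main_cf(baseline_text), parse_main_cf(current_text)
    return {k: (base.get(k), cur.get(k))
            for k in sorted(set(base) | set(cur)) if base.get(k) != cur.get(k)}


if __name__ == "__main__":
    for line in open_relay_findings(parse_main_cf(TAMPERED_MAIN_CF)):
        print("FINDING:", line)
    for key, (old, new) in config_drift(BASELINE_MAIN_CF, TAMPERED_MAIN_CF).items():
        print(f"DRIFT: {key}: {old!r} -> {new!r}")
```

The drift check is the part worth automating: keep a copy of main.cf (and of master.cf, crontabs, and the systemd unit directory) from the golden image, and alert on any delta rather than hunting for known-bad strings after the fact. The open-relay heuristics cover the two settings that matter most, an internet-wide mynetworks and a restriction list with no unauth-destination guard; they are not a substitute for `postconf -n` review by someone who knows the deployment.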
Act on Abuse Notifications
AWS, Google Cloud, and Microsoft Azure each operate abuse reporting channels and send notifications when anomalous behavior is detected on tenant infrastructure. Many organizations route these to an unmonitored mailbox or dismiss them as noise. That is exactly the gap PCPJack exploits. Provider abuse notifications are often the earliest available signal of compromise.
Check Your Sender Reputation Before It Becomes a Crisis
Tools like Cisco Talos Intelligence and the Spamhaus Block List allow organizations to check whether their IP ranges or domains have already been flagged. Getting off a major blocklist typically takes days to weeks and requires demonstrated remediation evidence. Checking proactively costs nothing.
If your cloud egress bill spiked without a clear explanation, unauthorized SMTP relay activity is a realistic cause worth investigating.
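A proactive reputation check can be scripted. The helper below is an added example, not code from the article or from Spamhaus. It builds the reversed-octet DNSBL query name for Spamhaus ZEN (the combined zone behind the Spamhaus Block List reference above), decodes the documented 127.0.0.x return codes, and treats NXDOMAIN as "not listed". The sample address is constructed from an RFC 5737 documentation range, and the resolver is injectable so the logic can be exercised offline.

```python
"""Check whether an egress IP is on the Spamhaus ZEN DNS blocklist.

Added example (not from the article or from Spamhaus). The sample address
is constructed (RFC 5737 documentation space); nothing here is a real
listing.
"""
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"

# Return codes Spamhaus documents for the ZEN zone. The 127.255.255.x
# values are error responses, not listings.
ZEN_CODES = {
    "127.0.0.2": "SBL - Spamhaus Block List (spam source / operation)",
    "127.0.0.3": "CSS - SBL CSS (snowshoe or compromised host)",
    "127.0.0.4": "XBL - exploited / infected host",
    "127.0.0.5": "XBL - exploited / infected host",
    "127.0.0.6": "XBL - exploited / infected host",
    "127.0.0.7": "XBL - exploited / infected host",
    "127.0.0.10": "PBL - ISP policy: should not send mail directly",
    "127.0.0.11": "PBL - Spamhaus policy: should not send mail directly",
    "127.255.255.252": "ERROR - typo in the query name",
    "127.255.255.254": "ERROR - query sent through a public/open resolver",
    "127.255.255.255": "ERROR - query limit exceeded",
}

# DNSBLs only list public space; querying these is always a mistake.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def dnsbl_query_name(ip, zone=ZEN_ZONE):
    """Return the reversed-octet name to look up, e.g. 5.113.0.203.zen...."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 addresses only")
    if any(addr in net for net in NON_PUBLIC):
        raise ValueError(f"{ip} is not public address space")
    return ".".join(reversed(ip.split("."))) + "." + zone


def interpret(answer):
    """Map the A-record answer (or None for NXDOMAIN) to a verdict string."""
    if answer is None:
        return "not listed"
    if answer.startswith("127.255.255."):
        return ZEN_CODES.get(answer, f"ERROR - unknown error code {answer}")
    return ZEN_CODES.get(answer, f"listed with unrecognised code {answer}")


def _resolve_or_none(name):
    """Real DNS lookup; NXDOMAIN (gaierror) means the IP is not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def lookup(ip, resolver=_resolve_or_none):
    """Return (raw_answer, verdict). Pass a fake resolver to test offline."""
    answer = resolver(dnsbl_query_name(ip))
    return answer, interpret(answer)


if __name__ == "__main__":
    # Offline demonstration with a stubbed resolver (constructed answers).
    for stub in (lambda n: "127.0.0.4", lambda n: None,
                 lambda n: "127.255.255.254"):
        print("203.0.113.5 ->", lookup("203.0.113.5", resolver=stub))
```

Two caveats matter in a cloud context. Spamhaus answers with 127.255.255.254 rather than a listing when the query arrives via a public resolver such as a cloud provider's shared DNS, so run this from a host that uses its own resolver or a Spamhaus DQS account. And an XBL hit on one of your instances is itself an incident indicator: it usually means a third party already observed that machine behaving like an exploited host, which is the state the article describes.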
The Training Gap Nobody Talks About
One dimension of this incident that gets overlooked: the admin credentials PCPJack abused almost certainly belonged to individuals who either set weak passwords, reused them, or configured cloud services without understanding the exposure they were creating. Security-awareness training that covers cloud account hygiene, credential management, and the real-world consequences of misconfigured services directly reduces the population of machines available to campaigns like this. Train2Secure's platform is built around exactly that kind of behavior change, not just checkbox compliance.
Cloud security is a shared responsibility. The provider secures the infrastructure. The tenant secures the configuration, the credentials, and the people who manage both. PCPJack is winning right now because too many tenants are losing their side of that bargain.
Review what your organization's cloud security obligations actually look like under the frameworks that apply to you at train2secure.com/standards.
How This Attack Could Have Been Prevented
- Enforce MFA on every cloud IAM account and rotate credentials on any workload exposed to the internet, eliminating the weak and reused passwords PCPJack depends on.
- Block outbound SMTP by default at the VPC or security group level, and build a process to act on cloud-provider abuse notifications before reputation damage compounds.
- Run security-awareness training that covers cloud account hygiene and misconfiguration risks, so the people managing your infrastructure understand the attack surface they control.
Train2Secure delivers scenario-based training built around real-world cloud and credential threats, helping teams recognize and fix the human-layer failures campaigns like PCPJack exploit.
Frequently asked questions
How did PCPJack gain access to cloud servers on AWS, Azure, and Google Cloud?
Hunt.io's analysis found no single CVE driving the campaign. Access appears opportunistic, using exposed admin panels, weak or reused credentials, and misconfigured internet-facing services rather than a novel exploit.
Why is it useful for phishing operators to send email from major cloud IP ranges?
Cloud providers like AWS, Google, and Azure maintain strong IP reputations. Mail originating from their netblocks often passes SPF, DKIM, and DMARC checks and is less likely to be filtered by reputation-based email security tools than traffic from known bulletproof or residential-proxy infrastructure.
Do affected businesses have regulatory notification obligations?
Potentially yes. EU and UK organizations must notify their supervisory authority within 72 hours under GDPR Article 33 if personal data was present on compromised hosts. U.S. businesses may face FTC scrutiny, and Australian organizations fall under the OAIC's Notifiable Data Breaches scheme.
What is the single fastest technical control to block this attack pattern?
Blocking outbound SMTP (TCP ports 25, 465, and 587) at the security group or VPC firewall level on any cloud workload with no legitimate mail-sending function removes those instances from PCPJack's usable inventory immediately.