
PCPJack's 230-Server Cloud Hijack Exposes Systemic SMTP Relay Networks and Supply-Chain Vulnerabilities
PCPJack's cloud hijacks highlight scalable SMTP relay abuse tied to TeamPCP supply-chain tactics, with missed connections to prior Mandiant and Unit 42 incidents showing evolving infrastructure exploitation.
The PCPJack operation, which quietly converted 230 compromised AWS, Google Cloud, and Azure instances into a synchronized SMTP proxy mesh, represents more than opportunistic abuse: it signals a maturing playbook for turning public cloud infrastructure into deniable relay fabrics. Hunt.io's discovery of open directories on 213.136.80[.]73 revealed Sliver-integrated deployers, deterministic SOCKS5 port mapping via MD5 hashes, and chisel_verifier.py daemons that prune non-functional tunnels every 60 seconds.

Yet the coverage understates how this builds directly on TeamPCP's credential-harvesting framework first detailed by SentinelOne in April 2026, where the same actors demonstrated automated process termination to evade detection on Linux hosts. What original reporting missed is the operational convergence with documented supply-chain campaigns: the /var/tmp/.xs persistence and cron/systemd artifacts mirror techniques seen in prior hosting exploitation waves targeting European and Asian business tenants.

Cross-referencing with prior incidents, such as the 2025 Azure relay abuses tracked in Mandiant's M-Trends report and AWS hijack patterns in Unit 42's Cloud Threat Report, shows a pattern of batch-processing beacons in groups of 50 with 25-minute dwell windows to match slow check-in cycles. This creates resilient, self-healing proxy lists synced via SCP every five minutes to downstream nodes like 38.242.204[.]245, ideal for spam, phishing, or covert exfiltration that blends into legitimate cloud egress. The removal of SMTP quality gates in later script iterations suggests rapid iteration toward broader utility, potentially enabling state-adjacent actors to launder traffic across sovereign boundaries without owning hardware.
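As an added defender-side example (not code from the Hunt.io or SentinelOne reporting, and not part of the original article), the script below hunts for the two behaviours described above in a constructed flow-log sample: a cloud instance fanning out to many distinct SMTP peers inside a short window, the signature of a hijacked host acting as a relay, and a slow, low-jitter check-in cadence to a single peer that matches the 25-minute dwell cycle. The log field layout, instance IDs, IP addresses and all thresholds are assumptions chosen for the sample.

```python
"""Hunt for cloud instances behaving as SMTP relays or slow beacons.

Added detection example, not from the PCPJack reporting. Parses constructed
flow-log lines and flags instances whose outbound SMTP fan-out or check-in
cadence resembles a relay node. Field layout and thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

SMTP_PORTS = {25, 465, 587}
FANOUT_THRESHOLD = 20                  # distinct SMTP peers per window (assumed)
FANOUT_WINDOW = timedelta(minutes=30)
MIN_BEACON_GAP = timedelta(minutes=5)  # ignore chatty, legitimate keepalives
MAX_JITTER_RATIO = 0.15                # stdev/mean of check-in gaps (assumed)
MIN_BEACON_EVENTS = 4


def _build_sample_log():
    """Constructed flow-log lines: 'ISO-ts instance src_ip dst_ip dst_port action'."""
    t0 = datetime(2026, 6, 1, 12, 0, 0)
    lines = []
    # i-relay01 (hypothetical): burst of outbound SMTP to 25 distinct peers in ten minutes
    for i in range(25):
        ts = t0 + timedelta(seconds=24 * i)
        lines.append(f"{ts.isoformat()} i-relay01 10.0.1.5 198.51.100.{i + 1} 25 ACCEPT")
    # i-relay01: slow, regular check-in to one peer every 25 minutes
    for i in range(5):
        ts = t0 + timedelta(minutes=25 * i)
        lines.append(f"{ts.isoformat()} i-relay01 10.0.1.5 203.0.113.10 443 ACCEPT")
    # i-web01 (hypothetical): two mail submissions to one host and irregular HTTPS
    for m in (3, 9):
        lines.append(f"{(t0 + timedelta(minutes=m)).isoformat()} i-web01 10.0.2.7 198.51.100.200 587 ACCEPT")
    for m in (1, 4, 31, 33, 80):
        lines.append(f"{(t0 + timedelta(minutes=m)).isoformat()} i-web01 10.0.2.7 203.0.113.20 443 ACCEPT")
    return lines


SAMPLE_LOG = _build_sample_log()


def parse(lines):
    """Parse the constructed format into dicts; skip malformed or rejected flows."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6 or parts[5] != "ACCEPT":
            continue
        ts, instance, src, dst, port, _ = parts
        try:
            records.append({"ts": datetime.fromisoformat(ts), "instance": instance,
                            "src": src, "dst": dst, "port": int(port)})
        except ValueError:
            continue
    return records


def smtp_fanout(records, allowlist=frozenset()):
    """Instances whose distinct SMTP peers inside any sliding window exceed the threshold."""
    by_instance = defaultdict(list)
    for r in records:
        if r["port"] in SMTP_PORTS and r["instance"] not in allowlist:
            by_instance[r["instance"]].append((r["ts"], r["dst"]))
    flagged = {}
    for instance, events in by_instance.items():
        events.sort()
        active, left, peak = Counter(), 0, 0
        for ts, dst in events:
            active[dst] += 1
            # Slide the left edge forward until the window fits
            while ts - events[left][0] > FANOUT_WINDOW:
                old = events[left][1]
                active[old] -= 1
                if active[old] == 0:
                    del active[old]
                left += 1
            peak = max(peak, len(active))
        if peak >= FANOUT_THRESHOLD:
            flagged[instance] = peak
    return flagged


def beacon_candidates(records):
    """(instance, peer, mean gap in minutes) for long, nearly constant check-in cadences."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["instance"], r["dst"])].append(r["ts"])
    hits = []
    for (instance, dst), stamps in by_pair.items():
        if len(stamps) < MIN_BEACON_EVENTS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg >= MIN_BEACON_GAP.total_seconds() and pstdev(gaps) / avg <= MAX_JITTER_RATIO:
            hits.append((instance, dst, round(avg / 60, 1)))
    return hits


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("SMTP fan-out:", smtp_fanout(recs))
    print("Beacon-like pairs:", beacon_candidates(recs))
```

Fan-out alone will also flag legitimate bulk mailers, which is what the `allowlist` parameter is for; the beacon check is most useful when combined with the persistence artifacts named in the report (the /var/tmp/.xs path and unexpected cron or systemd units) on the flagged instance. To run this against real VPC flow logs, only `parse()` needs to be adapted to the provider's field order.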
Geopolitically, the U.S.-Europe-Asia distribution raises risks of infrastructure weaponization amid escalating hybrid threats, where misconfigured cloud tenants become force multipliers for information operations rather than isolated criminal spam rings.
[SENTINEL]: Continued iteration on these relay networks will likely expand beyond SMTP into full C2 laundering fabrics, increasing attribution challenges for Western intelligence as cloud providers struggle with tenant hygiene.
Sources (2)
- [1] [Primary Source](https://thehackernews.com/2026/06/pcpjack-hijacks-230-aws-google-cloud.html)
- [2] [Related Source](https://www.sentinelone.com/blog/sentinelone-discovers-team-pcp-credential-theft-framework/)