
PCPJack Hijacks 230 Cloud Servers for SMTP Relay

PCPJack malware has compromised 230 AWS, Google Cloud, and Azure servers to build a covert SMTP relay network. Here's what developers need to know.

June 5, 2026 | VibeWShield News Agent | Source: thehackernews.com
Editorial note: This article was generated by VibeWShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

PCPJack Builds a 230-Server Covert SMTP Relay Network

PCPJack is a newly identified malware campaign that has quietly compromised at least 230 cloud servers across AWS, Google Cloud, and Azure. The goal is straightforward and alarming: turn legitimate cloud infrastructure into a covert SMTP relay network for sending spam, phishing emails, or other malicious payloads at scale. Because the traffic originates from trusted cloud IP ranges, it bypasses many conventional email security filters without triggering immediate alerts.

This is not theoretical. Attackers are actively using hijacked compute instances to relay email through infrastructure that carries reputational trust by default. Your cloud server could already be part of this network without any obvious signs in your application logs.

How PCPJack Compromises Cloud Instances

The attack chain typically begins with exposed or misconfigured services. Think SSH with weak credentials, publicly accessible management ports, or outdated software with known remote code execution vulnerabilities. Once inside, PCPJack installs a lightweight SMTP relay agent that listens for instructions from a command-and-control server.

The malware is designed to be low-noise. It limits outbound email volume per instance to avoid triggering cloud provider abuse detection systems. By spreading the load across hundreds of servers, the operators achieve significant sending capacity while each individual node stays under the radar. The relay component often runs as a disguised system process or a cron job that respawns after deletion.

Persistence mechanisms vary, but common techniques include modifying systemd unit files, writing to rc.local, and abusing cloud instance metadata services to retrieve updated payloads on reboot.

What Developers and DevOps Teams Are Actually Risking

Beyond the obvious reputational damage of having your IP ranges blacklisted, there are concrete technical consequences. Your cloud account can face suspension if the provider detects abuse originating from your instances. Egress costs spike unexpectedly as the relay processes thousands of outbound connections. Forensic investigation after the fact is expensive and time-consuming.

If your application relies on transactional email through your own SMTP configuration, a blacklisted IP range means your legitimate emails stop delivering. That breaks password resets, order confirmations, and alerting pipelines. The downstream impact on users is immediate and measurable.

For teams running multi-tenant SaaS products, a compromised instance in a shared VPC can become a pivot point for lateral movement. PCPJack is primarily an SMTP relay tool, but the same access that installs it can be used to deploy additional payloads later.

How to Detect and Harden Against PCPJack

Start with network monitoring. Unusual spikes in outbound port 25, 465, or 587 traffic from instances that have no business sending email are the clearest signal. Set up alerts in your cloud provider's network flow logs for exactly this pattern.
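The flow-log alert described above, as an added example that is not part of the original report: it parses AWS VPC flow log records in the default field order and reports each instance that completed TCP connections to port 25, 465 or 587 outside the VPC, unless it is on an allowlist of sanctioned relays. The VPC range, the allowlist and the sample records are constructed assumptions for the example.

```python
"""Flag SMTP egress from instances that are not mail servers.

Added example (not from the original report): parses AWS VPC flow log
records in the default version-2 field order and reports each source that
completed TCP connections to port 25, 465 or 587 outside the VPC, unless
it is an allowlisted relay. VPC range, allowlist and records are constructed.
"""
import ipaddress
from collections import defaultdict
SMTP_PORTS = {25, 465, 587}
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # assumed VPC range
MAIL_ALLOWLIST = {"10.0.1.10"}                    # assumed sanctioned relay
# Fields: version account-id interface-id srcaddr dstaddr srcport dstport
#         protocol packets bytes start end action log-status
SAMPLE_FLOWS = """\
2 123456789012 eni-0a 10.0.1.10 203.0.113.25 51000 25 6 12 1800 1717560000 1717560060 ACCEPT OK
2 123456789012 eni-0b 10.0.2.44 198.51.100.7 51001 587 6 9 1400 1717560000 1717560060 ACCEPT OK
2 123456789012 eni-0b 10.0.2.44 198.51.100.8 51002 587 6 9 1400 1717560010 1717560070 ACCEPT OK
2 123456789012 eni-0b 10.0.2.44 198.51.100.9 51003 465 6 8 1300 1717560020 1717560080 ACCEPT OK
2 123456789012 eni-0c 10.0.3.5 10.0.1.10 51004 25 6 5 700 1717560000 1717560060 ACCEPT OK
2 123456789012 eni-0d 10.0.4.9 203.0.113.80 51005 443 6 20 9000 1717560000 1717560060 ACCEPT OK
2 123456789012 eni-0e 10.0.5.2 203.0.113.99 51006 25 6 1 60 1717560000 1717560060 REJECT OK
"""
def parse_flow(line):
    """Return the fields we need from one flow record, or None if malformed."""
    f = line.split()
    if len(f) < 14 or f[0] != "2":
        return None
    return {"src": f[3], "dst": f[4], "dstport": int(f[6]),
            "proto": int(f[7]), "bytes": int(f[9]), "action": f[12]}

def find_smtp_egress(log_text):
    """Map each suspect instance IP to its external SMTP peers and bytes sent."""
    suspects = defaultdict(lambda: {"dests": set(), "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["proto"] != 6:
            continue                      # REJECTed flows were already blocked
        if rec["dstport"] not in SMTP_PORTS:
            continue
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if src not in VPC_CIDR or dst in VPC_CIDR or rec["src"] in MAIL_ALLOWLIST:
            continue                      # keep only instance -> internet, non-relay
        suspects[rec["src"]]["dests"].add(rec["dst"])
        suspects[rec["src"]]["bytes"] += rec["bytes"]
    # Many peers with few bytes each is the low-and-slow relay profile.
    return {ip: {"dests": sorted(v["dests"]), "bytes": v["bytes"]}
            for ip, v in suspects.items()}
if __name__ == "__main__":
    print(find_smtp_egress(SAMPLE_FLOWS))
```

In the sample, only 10.0.2.44 is reported: the allowlisted relay, the internal flow to that relay, the HTTPS flow and the security-group-rejected attempt are all filtered out.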

Audit your exposed attack surface now. Disable SSH password authentication and require key-based login. Lock down security groups so management ports are not publicly accessible. Use your provider's vulnerability scanning or run a DAST scan on your web-facing infrastructure to identify exploitable entry points before attackers do.

Review running processes and scheduled tasks on all compute instances. Look for unfamiliar cron entries, systemd services with generic names, or processes spawning outbound network connections. Tools like auditd and eBPF-based monitoring help catch process-level anomalies in real time.
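A starting point for that review, as an added example rather than anything from the original report: it scans crontab lines and a systemd unit for the persistence traits described above (payloads fetched from the instance metadata service, binaries run from scratch directories, decode-then-execute commands, and a unit that keeps respawning such a binary). The crontab, unit file and indicator names are constructed for the example and are not real artefacts of the campaign.

```python
"""Audit crontab lines and a systemd unit for the persistence traits listed above:
metadata-service fetches, binaries in scratch dirs, decode-then-execute commands,
units that respawn such a binary. Added example with constructed samples, not real
artefacts of the campaign; indicator names are this example's own."""
import re
METADATA_IP = "169.254.169.254"   # cloud instance metadata endpoint
INDICATORS = [
    ("metadata-fetch", re.compile(re.escape(METADATA_IP))),
    ("scratch-dir-exec", re.compile(r"(?:^|[\s=;|&])(?:/tmp|/dev/shm|/var/tmp)/")),
    ("decode-and-run", re.compile(r"base64\s+(?:-d|--decode)")),
    ("pipe-to-shell", re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:ba)?sh\b")),
]
SAMPLE_CRONTAB = """\
PATH=/usr/bin:/bin
0 3 * * * root /usr/bin/certbot renew --quiet
*/5 * * * * root /dev/shm/.x/relay >/dev/null 2>&1
@reboot root curl -s http://169.254.169.254/latest/user-data | sh
"""
SAMPLE_UNIT = """\
[Unit]
Description=System Logging Helper
[Service]
ExecStart=/var/tmp/.cache/syslogd
Restart=always
"""
def check_command(cmd):
    """Names of indicators matched by one command string."""
    return [name for name, rx in INDICATORS if rx.search(cmd)]

def audit_crontab(text):
    """Return (schedule, command, indicators) for each suspicious crontab entry."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                      # skip comments and VAR=value lines
        n = 1 if line.startswith("@") else 5   # @reboot-style vs 5-field schedule
        parts = line.split(None, n)
        found = check_command(parts[n]) if len(parts) > n else []
        if found:
            hits.append((" ".join(parts[:n]), parts[n], found))
    return hits

def audit_unit(text):
    """Return indicators for a unit file; also flags respawn of a scratch-dir binary."""
    found = set()
    for cmd in re.findall(r"^Exec(?:Start|StartPre)=(.*)$", text, re.M):
        found.update(check_command(cmd))
    if "scratch-dir-exec" in found and re.search(r"^Restart=(?:always|on-failure)", text, re.M):
        found.add("respawn-from-scratch")
    return sorted(found)
```

Feed it the output of `cat /etc/crontab /etc/cron.d/*` and each unit under /etc/systemd/system to triage a fleet; the certbot entry and the PATH line in the sample are correctly ignored.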

Rotate credentials regularly and enforce the principle of least privilege on all IAM roles attached to cloud instances. An instance that only serves HTTP traffic has no reason to have permissions to create new compute resources or access S3 buckets outside its scope.



What ports does PCPJack use for SMTP relay traffic?

PCPJack primarily uses ports 25, 465, and 587. Monitor outbound traffic on all three from any instance not explicitly configured as a mail server.

How do I know if my cloud server is already compromised?

Check for unfamiliar cron jobs, new systemd services, and unexpected outbound network connections. Review your cloud provider's VPC flow logs for abnormal egress patterns to external IP ranges on SMTP ports.

Does enabling cloud provider default security settings protect against PCPJack?

Default settings reduce exposure but are not sufficient. Actively restrict security group rules, disable password-based SSH, and monitor network flows continuously. Default configurations often leave management ports open or allow overly broad outbound traffic.

