PCPJack Hijacks 230 Cloud Servers for Covert Email Relay

Threat actor PCPJack hijacked 230 AWS, Google Cloud, and Azure servers to build a covert SMTP email relay network. Compromised servers across the US, Europe, and Asia were converted into SMTP proxies and synced every five minutes, according to Hunt.io.

A threat actor known as PCPJack has quietly taken over 230 cloud servers from Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. These servers were turned into a hidden SMTP email relay network, which means they were used to send spam and phishing emails without anyone knowing. According to Hunt.io, a cybersecurity firm that tracks threats, the attackers didn't just break in. They carefully checked each server to make sure it could relay email. Then, every five minutes, they synced the compromised machines to a central command point. This gave them a powerful and hard-to-detect tool for sending malicious messages.

### How the Attack Worked

The hijacking wasn't random. PCPJack targeted business servers across the United States, Europe, and Asia. Once inside, they installed SMTP proxy software, which turned each server into a secret email sender. The network was designed to be resilient: if one server was found and shut down, dozens more were still running.

Here's what made this attack so effective:

- **Stealth**: The servers were still used for normal business tasks, so the malicious activity blended in with regular traffic.
- **Automation**: The five-minute sync cycle meant the network updated quickly. This made it hard for security teams to keep up.
- **Global reach**: With servers on three continents, the attackers could send emails from anywhere. This helped them avoid spam filters.

### Why Cloud Servers Are Targets

Cloud services like AWS, Google Cloud, and Azure are popular for a reason. They're powerful, scalable, and easy to set up. But that same convenience makes them a target for hackers. If a company doesn't secure its cloud instance properly, an attacker can take over.

Think of it like leaving your front door unlocked. A thief can walk in, set up shop, and use your utilities without you ever knowing. In this case, the "utilities" are email sending capabilities. The hackers didn't need to build their own infrastructure. They just borrowed other people's.

### What This Means for You

If you run a business that uses cloud servers, this is a wake-up call. You need to check your security settings. Make sure you have strong passwords, enable two-factor authentication, and monitor your server logs for unusual activity. The cost of a breach can be huge, not just in money but in reputation.

For everyday users, this kind of attack means more spam and phishing emails in your inbox. Be extra careful with emails that ask for personal info or urge you to click a link. Even if the email looks like it's from a trusted source, double-check.

### How to Protect Your Cloud Servers

Here are some simple steps to keep your cloud servers safe:

- **Use strong, unique passwords** for every account. Don't reuse passwords across services.
- **Enable two-factor authentication** (2FA) for all admin accounts. This adds an extra layer of security.
- **Monitor your server logs** regularly. Look for strange IP addresses or unexpected connections.
- **Keep your software updated**. Patches fix known vulnerabilities that hackers exploit.
- **Limit access**. Only give server access to people who really need it.

### The Bottom Line

The PCPJack attack shows how creative hackers can be. They turned 230 legitimate cloud servers into a covert email relay network. It's a reminder that security isn't just about protecting your own data. It's about making sure your resources aren't used to harm others.

Stay vigilant. Keep your systems updated. And always question unexpected emails. A little caution can go a long way.
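To make the "monitor your server logs" advice concrete, here is an added example (not from the article or from Hunt.io) that scans simplified outbound-connection records for the two signals this campaign would leave: cloud hosts that start making outbound SMTP connections when they are not approved mail senders, and host-to-destination pairs contacted on a fixed cadence such as a five-minute sync. The record format, IP addresses, and the allow list are constructed for the demo; real VPC flow logs or firewall logs would need a different parser.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records, one outbound connection per line:
# "<unix time> <source host> <destination> <destination port>"
SAMPLE_FLOWS = """\
1700000000 10.0.1.5 203.0.113.9 443
1700000000 10.0.1.7 198.51.100.20 25
1700000300 10.0.1.7 192.0.2.77 8443
1700000301 10.0.1.7 198.51.100.21 25
1700000600 10.0.1.7 192.0.2.77 8443
1700000900 10.0.1.7 192.0.2.77 8443
1700001200 10.0.1.7 192.0.2.77 8443
1700000050 10.0.1.5 203.0.113.9 443
1700000400 10.0.1.5 203.0.113.9 443
1700000410 10.0.1.9 198.51.100.30 587
"""

SMTP_PORTS = {25, 465, 587}  # plain SMTP, SMTPS, submission


def parse_flows(text):
    """Turn the constructed record format into (ts, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((int(ts), src, dst, int(port)))
    return flows


def unexpected_smtp_senders(flows, allowed_senders):
    """Hosts making outbound SMTP connections that are not approved mail senders.
    A web or app server suddenly talking on port 25 is a relay indicator."""
    return {src for _, src, _, port in flows
            if port in SMTP_PORTS and src not in allowed_senders}


def periodic_pairs(flows, min_events=4, period=300, tolerance=0.1):
    """(src, dst) pairs contacted on a near-fixed cadence (default: every 300 s).
    Flags beacon-like check-ins such as the five-minute sync described above."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    hits = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        # Regular cadence: average gap near the period and little jitter between gaps.
        if abs(mean(gaps) - period) <= period * tolerance and pstdev(gaps) <= period * tolerance:
            hits.append(pair)
    return sorted(hits)
```

With the sample data, `10.0.1.7` is flagged on both counts: it sends SMTP without being on the allow list and checks in with `192.0.2.77` exactly every five minutes, while the legitimate mail host `10.0.1.9` and the web traffic from `10.0.1.5` are left alone.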