216.73.217.176

PCPJack Hijacked 230 AWS, GCP, and Azure Servers to Run a Hidden SMTP Relay Network

· Published 03/06/2026 17:43 · Modified 04/06/2026 09:09

Export JSON

Essential information

Published
03/06/2026 17:43
Modified
04/06/2026 09:09
Tags
2026-06-03 chisel cloud compromise pcpjack proxy network sliver smtp relay teampcp
Related entities
1 vulnerabilities (cve), 2 observables, 1 intrusion sets (apt), 12 techniques (mitre), 2 malware

Description

operators compromised 230 cloud Linux servers across AWS, GCP, and Azure to build a covert network for email-based attacks. Researchers discovered exposed directories on infrastructure at 213.136.80[.]73 containing complete deployment toolkits including binaries, Python deployers, and operational state files. The campaign deployed C2 beacons and established reverse SOCKS5 tunnels on compromised hosts, testing each for capability. Three deployment versions showed operational evolution from 50 to 230 nodes, with verified proxies synchronized every five minutes to a downstream aggregation server. The operation targeted cloud-hosted web applications, exploiting them to gain initial access, then establishing persistence through systemd services and cron jobs disguised as system utilities. Victims included small to medium businesses across multiple regions running containerized and traditional workloads.

External references