securityaffairs.com 6/5/2026, 10:40:47 AM · external

PCPJack builds 230-node cloud email relay on AWS, Azure and GCP

Primary Source: hunt.io
Threat Actor: PCPJack

Researchers from Hunt.io revealed that a threat actor known as PCPJack created a 230-node cloud-based email relay network using servers from Amazon Web Services, Google Cloud, and Microsoft Azure. The discovery was made after PCPJack mistakenly left directories on a command-and-control server unprotected. The exposed files included a toolkit, source code, and logs detailing how the operation worked.

The PCPJack operation modified existing cloud servers equipped with an open-source command-and-control framework named Sliver, using techniques like Chisel tunneling. Compromised servers were configured to relay emails, with stringent checks to ensure email functionality. Hunt.io described the network as opportunistic, targeting business servers globally, and raised concerns about how the operational infrastructure might be exploited for malicious activities. It remains unclear whether this network was run by individuals or shared among multiple groups.


Article by CyberSIXT
