🚨 🪱 How PCPJack Converted 230 Compromised Cloud Servers into a Hidden SMTP Relay Network
The PCPJack threat actor compromised approximately 230 cloud servers and converted them into a hidden SMTP relay network. The attacker left their full deployment toolkit exposed in an open directory without authentication, which is what enabled discovery and analysis. Host indicators of compromise include a systemd service named xsync that masquerades as a system sync utility, files under /var/tmp/.xs, and Chisel reverse SOCKS5 tunnels on ports 10000-14999. The activity was detailed in a public Hunt.io blog post with MITRE ATT&CK mappings and HuntSQL detection queries. No vendor patch applies: the source describes an operational compromise of hosts rather than a software vulnerability, and the available data names no initial access vector.
AI Analysis
Technical Summary
PCPJack operated a large-scale compromise of cloud servers, repurposing them into a covert SMTP relay network to potentially facilitate spam or other email-based abuse. The attacker’s toolkit was inadvertently exposed on an open directory without authentication, revealing deployment methods and host indicators such as the xsync systemd service and Chisel tunnels. The threat was publicly disclosed via a Reddit post linking to a detailed Hunt.io blog analysis, which includes technical indicators and detection queries. There is no information about a specific vulnerability exploited or vendor remediation, indicating this is an operational compromise rather than a software flaw.
Potential Impact
The compromised cloud servers were used as a hidden SMTP relay network, which can be abused to send spam, phishing, or other malicious email while hiding its true origin. Relay traffic of this kind gets the instances' IP addresses blocklisted and degrades the reputation of the affected cloud providers' address space, and the reverse SOCKS5 tunnels give the operator a pivot into whatever the hosts can reach. The exposure of the attacker's toolkit helps defenders build detections but does not by itself remediate any compromised host. There is no indication in the provided information of data theft or destructive activity.
Mitigation Recommendations
There is no vendor patch to apply, because this is an operational compromise rather than a software flaw. Affected organizations should hunt for the host indicators published in the source blog: the xsync systemd service, files under /var/tmp/.xs, and Chisel processes with sockets on ports 10000-14999. Hosts that match should be isolated at the network layer first, then the persistence removed (stop, disable and delete the xsync unit, kill the Chisel process, remove /var/tmp/.xs); since the initial access vector is not stated in the available data, rebuilding matched hosts from a known-good image is safer than cleaning them in place. Outbound TCP 25/465/587 should be denied by egress policy on instances that are not mail gateways, and connection logs should be watched for cloud servers fanning out to many external mail exchangers. Check the source blog for updated indicators and detection queries.
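A triage script for the indicators above, written for this page as an added example; it is not Hunt.io's tooling and none of it comes from the source blog. It assumes the unit is installed as xsync.service, that flow records have already been extracted into "src dst dport" lines (a VPC flow log or Zeek conn.log needs a field mapping first), and that a fan-out threshold of 20 distinct mail hosts is a reasonable starting point. The ss, systemctl and flow samples inside demo() are constructed, not real captures. The socket check matches on the port range rather than the process name, so a renamed Chisel binary is still caught, and it looks at both the local and the peer port because a reverse SOCKS5 tunnel may show up on the host as an outbound session to the attacker-side Chisel server rather than as a local listener.

```shell
#!/bin/sh
# pcpjack_triage.sh: triage helpers for the PCPJack indicators described on this page.
# Added example, not Hunt.io's tooling. Assumptions that are not from the source:
# the unit is installed as xsync.service, flow records are pre-extracted into
# "src dst dport" lines, and the fan-out threshold of 20 mail hosts is a starting point.
# Each helper reads stdin so it works on saved command output as well as a live host.

# Scan `ss -tanp` output on stdin. Prints "local|peer PORT PROCESS" for each TCP socket
# whose local or peer port is in the Chisel tunnel range 10000-14999, so both a SOCKS
# listener on the host and an outbound session to an attacker-side Chisel server are caught.
scan_ss() {
  awk '
    function inrange(p) { return p ~ /^[0-9]+$/ && p + 0 >= 10000 && p + 0 <= 14999 }
    $1 == "State" || $1 == "Netid" || NF < 5 { next }   # header / malformed lines
    {
      lp = $4; sub(/.*:/, "", lp)                       # strip address, keep port
      pp = $5; sub(/.*:/, "", pp)                       # "*" on listeners never matches
      proc = (NF >= 6) ? $6 : "-"                       # process column needs root (ss -p)
      if (inrange(lp))      print "local", lp, proc
      else if (inrange(pp)) print "peer", pp, proc
    }'
}

# Scan `systemctl list-unit-files --type=service` output on stdin for the xsync unit.
# Prints "unit state"; exit status 0 when present, 1 otherwise.
find_xsync_unit() {
  awk '$1 == "xsync.service" { print $1, $2; found = 1 } END { exit found ? 0 : 1 }'
}

# Read "src dst dport" flow records on stdin and print "src count" for each source that
# reached at least THRESHOLD distinct hosts on an SMTP port (25, 465, 587). A cloud
# server that is not a mail gateway has no reason to fan out to many mail exchangers.
flag_smtp_fanout() {
  awk -v t="${1:-20}" '
    $3 == 25 || $3 == 465 || $3 == 587 {
      if (!(($1, $2) in seen)) { seen[$1, $2] = 1; n[$1]++ }
    }
    END { for (s in n) if (n[s] >= t) print s, n[s] }'
}

# Run the host checks on this machine (root needed for process names in ss output).
live_triage() {
  hits=0
  if [ -e /var/tmp/.xs ]; then
    echo "[!] /var/tmp/.xs present:"; ls -la /var/tmp/.xs; hits=$((hits + 1))
  fi
  if systemctl list-unit-files --type=service 2>/dev/null | find_xsync_unit; then
    echo "[!] xsync.service installed; unit contents:"
    systemctl cat xsync.service 2>/dev/null; hits=$((hits + 1))
  fi
  tunnels=$(ss -tanp 2>/dev/null | scan_ss)
  if [ -n "$tunnels" ]; then
    echo "[!] sockets on Chisel tunnel ports:"; echo "$tunnels"; hits=$((hits + 1))
  fi
  echo "indicators matched: $hits"
}

# Constructed sample data (not real captures) so the helpers can be exercised offline.
demo() {
  echo "--- ss sample ---"
  printf '%s\n' \
    'State  Recv-Q Send-Q Local Address:Port Peer Address:Port   Process' \
    'LISTEN 0      128    0.0.0.0:22         0.0.0.0:*           users:(("sshd",pid=812,fd=3))' \
    'LISTEN 0      4096   127.0.0.1:12345    0.0.0.0:*           users:(("chisel",pid=4321,fd=7))' \
    'ESTAB  0      0      10.0.0.5:51844     203.0.113.9:443     users:(("chisel",pid=4321,fd=5))' \
    'ESTAB  0      0      10.0.0.5:40110     203.0.113.9:11001   users:(("xsync",pid=5000,fd=6))' \
    | scan_ss
  echo "--- unit sample ---"
  printf '%s\n' 'ssh.service enabled enabled' 'xsync.service enabled enabled' | find_xsync_unit
  echo "--- flow sample (threshold 3) ---"
  printf '%s\n' '10.0.0.5 198.51.100.1 25' '10.0.0.5 198.51.100.2 25' \
    '10.0.0.5 198.51.100.3 587' '10.0.0.5 198.51.100.4 443' '10.0.0.6 198.51.100.1 25' \
    | flag_smtp_fanout 3
}

case "${1:-}" in
  --live) live_triage ;;
  *)      demo ;;
esac
```

Run `sh pcpjack_triage.sh` to see the helpers on the constructed samples, or `sudo sh pcpjack_triage.sh --live` on a suspect instance; saved `ss -tanp` output from a snapshot can be piped into `scan_ss` directly. A hit on the port range alone is a lead, not a verdict, since legitimate services can sit in 10000-14999; the unit file and the /var/tmp/.xs path are the stronger indicators.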
Reddit Discussion
PCPJack's operator left their full deployment toolkit exposed on an open directory, no authentication required. Host IOCs include /var/tmp/.xs, a systemd service named xsync masquerading as a system sync utility, and Chisel reverse SOCKS5 tunnels on ports 10000-14999. MITRE ATT&CK mapping and HuntSQL queries included.
👉 Full breakdown and IOCs here: https://hunt.io/blog/pcpjack-230-cloud-servers-smtp-proxy-network-sliver-chisel
Technical Details
- Source Type: Subreddit (blueteamsec+AskNetsec+Information_Security)
- Reddit Score: 0
- Discussion Level: minimal
- Content Source: reddit_link_post
- Post Type: link
- Domain: null
- Newsworthiness Assessment: {"score":30,"reasons":["external_link","newsworthy_keywords:compromised","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["compromised"],"foundNonNewsworthy":[]}
- Has External Source: true
- Trusted Domain: false
Threat ID: 6a20575ae29bf47b50ce5b84
Added to database: 6/3/2026, 4:33:30 PM
Last enriched: 6/3/2026, 4:33:37 PM
Last updated: 6/3/2026, 5:52:32 PM