Published: 2026-06-05
Categories: Threat Intelligence, Cloud Security, Infrastructure Security
PCPJack: Cloud Worm Builds Covert SMTP Relay Network
Key Takeaways
- SentinelOne published a technical analysis of PCPJack on May 7, 2026, documenting a modular credential theft framework that propagates worm-like across exposed cloud infrastructure by exploiting five high-severity vulnerabilities affecting Next.js, WordPress plugins, and CentOS Web Panel [1].
- PCPJack harvests credentials from more than 30 cloud, developer, and financial service categories—including AWS Instance Metadata Service tokens, Kubernetes service accounts, GitHub tokens, HashiCorp Vault secrets, OpenAI and Anthropic API keys, Stripe keys, and cryptocurrency wallets—then exfiltrates them through Telegram using X25519 ECDH key exchange and ChaCha20-Poly1305 authenticated encryption [1][2].
- A concurrent investigation by hunt.io revealed that PCPJack operators built a 230-node covert SMTP relay network spanning AWS, Google Cloud, and Microsoft Azure, verifying each compromised server’s email relay capability through a full EHLO and STARTTLS handshake before enrolling it into a synchronizing proxy pool [3].
- PCPJack systematically removes artifacts associated with TeamPCP, a competing threat actor whose cloud-targeting campaigns date to December 2025, suggesting either a rival group or a former operator with intimate knowledge of the group’s tooling and naming conventions [1][4].
- PCPJack’s dual-phase design—credential theft plus persistent relay infrastructure—illustrates how cloud-targeting criminal operations may be evolving beyond opportunistic resource theft toward coordinated, multi-phase campaigns; defenders should evaluate their threat models accordingly.
Background
Cloud-hosted Linux servers have become a preferred target for financially motivated threat actors running credential theft campaigns because they combine always-on availability, high outbound bandwidth, and credentialed access to dozens of downstream services in a single compromised host. Where earlier cloud attack tooling—groups such as Rocke, Kinsing, and TeamTNT—focused primarily on cryptocurrency mining using stolen compute, documented campaigns increasingly prioritize credential exfiltration, reflecting the high downstream value of cloud credentials compared to the compute revenue a compromised host can generate. A single stolen AWS Instance Metadata Service token may unlock access to source code repositories, payment processors, and cloud storage under the permissions attached to the compromised instance’s IAM role, creating an incentive structure that credential-focused tooling like PCPJack is designed to exploit.
PCPJack represents a maturation of this credential-focused threat model. SentinelOne’s analysis, published May 7, 2026, describes a modular Python framework built around an orchestrating bootstrap script that downloads and executes purpose-built credential theft modules from a compromised AWS S3 bucket used as a staging server [1]. The framework’s name derives from its relationship with TeamPCP, a cloud-targeting criminal group whose credential-theft campaigns against Docker, Kubernetes, and web application infrastructure began in December 2025. PCPJack specifically identifies systems already compromised by TeamPCP, removes the competing actor’s artifacts, and overwrites access with its own implants—a competitive displacement operation that SentinelOne analysts describe as potentially the work of a former TeamPCP operator with deep familiarity with the group’s tools and naming patterns [1][4].
Discovery occurred on April 28, 2026, when a PCPJack sample surfaced on VirusTotal, triggering SentinelOne’s analysis of the broader campaign infrastructure [1]. A concurrent investigation by hunt.io into suspicious Chisel proxy deployments across enterprise cloud hosts independently uncovered the SMTP relay operation and traced it to the same threat actor through shared infrastructure fingerprints, including a custom “OpenClaw CA” certificate authority appearing across multiple command-and-control IP addresses hosted by Contabo in France, RACK SPHERE HOSTING in the Netherlands, and a Finnish provider [3]. An earlier connection to the threat cluster appeared in February 2026, when the same group was linked to a supply chain compromise involving Aqua Trivy [1].
Security Analysis
Worm Architecture and Initial Compromise
PCPJack is not a self-contained binary. Its modular design begins with bootstrap.sh, an initial access script that establishes a foothold on an exposed server and then retrieves the framework’s operational components—propagation module, credential harvester, and lateral movement tools—from attacker-controlled staging infrastructure hosted on a compromised AWS S3 bucket [1]. Staging the payloads externally rather than bundling them means that individual components can be updated or replaced without redeployment of the bootstrap tool, giving the operator significant operational flexibility after initial access is established.
Initial access relies on exploitation of five publicly disclosed vulnerabilities, all carrying CVSS scores of 8.8 or higher, targeting JavaScript web frameworks and WordPress infrastructure components that are common across small and medium enterprise cloud deployments. The heterogeneous vulnerability set—spanning both modern JavaScript framework flaws and decades-old WordPress plugin vulnerabilities—enables the scanning engine to maximize attack surface coverage without requiring operator targeting decisions [1].
| CVE | Affected Component | CVSS | Vulnerability Class |
|---|---|---|---|
| CVE-2025-55182 | React/Next.js Server Actions | 9.0 | Deserialization / RCE |
| CVE-2025-29927 | Next.js (≤15.2.3) | 8.8 | Middleware authentication bypass |
| CVE-2026-1357 | WPVivid Backup (≤0.9.123) | 9.8 | Unauthenticated null-key file upload |
| CVE-2025-9501 | W3 Total Cache (<2.8.13) | 9.0 | PHP injection via cached mfunc comment |
| CVE-2025-48703 | CentOS Web Panel (<0.9.8.1205) | 9.x | Filemanager changePerm shell injection |
Source: SentinelOne [1]. CVSS scores subject to NVD adjustment.
Target identification uses a particularly efficient scanning technique. Rather than running a conventional internet scanner that generates high-volume probe traffic detectable by perimeter monitoring, PCPJack downloads pre-built hostname datasets from Common Crawl’s public parquet file repository—a dataset containing indexed records of hundreds of millions of web-facing hosts [1][2]. By filtering these records against attributes associated with vulnerable targets, the framework identifies candidate hosts at scale without producing the characteristic scanning signatures that network detection tools are tuned to flag.
Once a foothold is established, lateral movement exploits the cloud-specific trust relationships that developers commonly rely on: Docker socket access, Kubernetes API endpoints, Redis cron injection, MongoDB targeting, RayML job submission interfaces, and SSH key spraying across hosts reachable from the compromised node [1]. These paths mirror the attack surface identified in prior cloud threat research precisely because they reflect genuine architectural patterns in enterprise cloud environments—they are not exotic weaknesses but the ordinary connectivity fabric of cloud-native applications, turned against their operators.
Credential Harvesting at Scale
PCPJack’s credential harvesting module sweeps a compromised host for secrets across more than 30 service categories, reflecting the diversity of credentials that modern cloud-hosted Linux servers accumulate through ordinary operations [1]. Environment variables, SSH private keys, AWS Instance Metadata Service credentials, Kubernetes service account tokens, Docker registry credentials, and application-level secrets embedded in configuration files all fall within scope. Beyond infrastructure credentials, the harvester targets developer productivity platforms—GitHub, Slack, Discord—and financial services including Stripe keys and Binance account data.
Particularly notable is the explicit targeting of AI service API keys. PCPJack harvests credentials for OpenAI and Anthropic alongside DigitalOcean tokens and HashiCorp Vault secrets [1][2]. The presence of large language model API credentials in a cloud-focused stealer reflects the extent to which AI platform access has entered the same threat economy as cloud compute credentials. An Anthropic or OpenAI API key captured from a developer environment or CI/CD pipeline can be monetized through credential markets or resold to services offering access to AI models, and it may retain value for an extended period without triggering detection by the legitimate owner, particularly where usage anomaly monitoring is not in place.
Exfiltration uses a dual-channel Telegram architecture. Stolen credential data is encrypted with X25519 Elliptic Curve Diffie-Hellman key exchange and ChaCha20-Poly1305 authenticated encryption, then chunked into 2,800-byte segments for transmission to the exfiltration channel [1][2]. A separate channel accepts operator directives including RUN commands for module execution and PARQUET commands to override the target identification dataset. Secondary command-and-control connectivity runs through an HTTPS domain—cdn[.]cloudfront-js[.]com—that typosquats the legitimate AWS CloudFront CDN domain pattern to blend with expected enterprise egress traffic [1]. The combination of encrypted Telegram exfiltration, CDN-mimic C2, and credential chunking reflects an operational security posture designed to evade both content inspection and behavioral anomaly detection.
Building 230-Server SMTP Relay Infrastructure
The credential theft campaign provides initial access, but hunt.io’s investigation reveals that PCPJack operators pursued a secondary and operationally distinct objective: constructing a large-scale covert email relay network using compromised cloud servers as durable infrastructure [3][5]. This second-order use of compromised enterprise hosts transforms each victim from a credential-harvesting target into an operational asset with long-term utility for downstream phishing and email abuse campaigns.
The relay network was assembled through three iterative deployment phases, scaling from initial 50-node test batches to a final 230-node deployment executed in March 2026 [3]. Each compromised host received a Chisel proxy binary—using unmodified public builds from the jpillora/chisel repository compiled for AMD64, ARM64, and x86 architectures to maintain compatibility across the varied hardware profiles of AWS, Google Cloud, and Azure instances—alongside a Sliver C2 implant stored at /var/tmp/.xs [3]. The choice of /var/tmp over /tmp as the binary delivery location is deliberate: /var/tmp survives reboots and is typically mounted without the noexec mount flag that would prevent binary execution from /tmp on hardened Linux configurations.
Persistence was established through one of two mechanisms depending on privilege level: a systemd service named xsync that mimicked a legitimate system synchronization utility for root-level compromises, or a five-minute cron watchdog that relaunched the Chisel client for unprivileged sessions [3]. Each node’s SOCKS5 proxy port was derived deterministically from an MD5 hash of its Sliver implant UUID and mapped into the port range 10000–14999, eliminating the need for any shared port registry and making the network topology self-organizing without requiring centralized coordination for port assignment [3].
The primary command-and-control server at 213.136.80[.]73 (Contabo, France) coordinated deployment and maintained operational state files that hunt.io researchers recovered from an exposed staging directory [3]. A downstream aggregation server at 38.242.204[.]245 received verified proxy lists via SCP every five minutes, maintaining a continuously refreshed pool of confirmed relay nodes. A dedicated Python script, chisel_verifier.py, confirmed SMTP relay capability through a complete EHLO greeting and STARTTLS handshake against smtp.gmail.com:587 before promoting any node to the active relay pool, then enriched each verified proxy record with exit IP geolocation and ASN data from third-party lookup services [3]. Only servers that passed this full protocol validation entered the operational relay network.
The resulting infrastructure—230 enterprise cloud servers spanning three major cloud providers across North America, Europe, and Asia—provides the kind of email origination capability that lets bulk phishing, business email compromise, and spam campaigns evade reputation-based filtering. Email originating from AWS, Google Cloud, and Azure IP ranges may carry a reputational advantage over purpose-built spam infrastructure, particularly where the originating IP has an established history of legitimate enterprise email traffic. Inheriting that reputation in an attacker-controlled SMTP network, at no direct infrastructure cost and using hijacked enterprise compute, gives downstream email-based campaigns an advantage that dedicated hosting cannot match.
Competitive Displacement: Evicting TeamPCP
Competitive displacement behavior—actively identifying and removing a specific rival group’s tooling—is unusual in cloud-targeting malware and distinguishes PCPJack from most documented credential theft campaigns [1]. The framework monitors compromised hosts for artifacts associated with TeamPCP, a rival criminal group that operated PCPCat against similar cloud infrastructure beginning in December 2025, and terminates and removes those artifacts before installing its own tooling [1][6]. The framework tracks a metric labeled “PCP replaced” in the exfiltration data, giving the operator dashboard-level visibility into the success rate of competitive displacement [1].
SentinelOne analysts offer two plausible explanations. The first is a competing group that obtained detailed knowledge of TeamPCP’s naming conventions and tooling through shared samples or intelligence. The second hypothesis, which the analysts describe as suggested by the operation’s “direct focus on the threat actor’s activities,” is that PCPJack represents a former TeamPCP operator who departed and is now competing for the same cloud infrastructure footprint using insider knowledge of the group’s methods [1]. The February 2026 Aqua Trivy supply chain incident that SentinelOne connects to the same threat actor cluster indicates an operation with a history extending months before the April 2026 VirusTotal discovery [1].
The competitive displacement behavior carries a practical detection implication for defenders. An organization that observes a PCPJack infection on a host it believed was clean may have had a prior TeamPCP compromise that PCPJack removed before any internal detection occurred. The apparent absence of prior malware history on a newly discovered PCPJack-infected host is therefore not reliable evidence that the host was uncompromised before PCPJack’s arrival.
Recommendations
Immediate Actions
Organizations running web applications on cloud-hosted Linux infrastructure should verify that all five CVEs exploited by PCPJack have been remediated across their environment. CVE-2026-1357 (unauthenticated null-key file upload, CVSS 9.8) and CVE-2025-55182 (server-action deserialization RCE, CVSS 9.0) both enable remote code execution against services typically exposed to the internet by design; verify the pre-authentication status of CVE-2025-55182 against the NVD entry when making patch prioritization decisions, as the SentinelOne source characterizes the vulnerability class but does not explicitly confirm pre-authentication exploitation. Any system running WPVivid Backup prior to version 0.9.123, W3 Total Cache prior to 2.8.13, or CentOS Web Panel prior to 0.9.8.1205 should be updated and audited for compromise indicators including the working directories /var/lib/.spm/ and /tmp/.origin, binary paths /var/tmp/.xs and /var/tmp/apt-daily-upgrade, and the systemd service identifier xsync.
Incident responders should also review Telegram egress patterns from cloud environments, looking for traffic consistent with chunked 2,800-byte payloads to Telegram API endpoints. The HTTPS callback domain cloudfront-js[.]com is not a legitimate AWS domain; it should be blocked at perimeter egress controls and investigated if found in DNS or proxy logs. Connections to 213.136.80[.]73 or 38.242.204[.]245 are indicators of potential PCPJack C2 activity.
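The two paragraphs above list host-side and network-side indicators. The following script, added here as an example and not code from SentinelOne, hunt.io or the PCPJack framework, checks a host for the reported paths and the xsync systemd unit and runs the network indicators over proxy log lines. The indicator values are the ones stated above; the log line format, the api.telegram.org hostname, the 200-byte tolerance around the 2,800-byte chunk size, the three-request threshold and the sample log itself are assumptions constructed for the example.

```python
"""Triage for the PCPJack host and network indicators named in this article.

Added example; not code from SentinelOne, hunt.io or the PCPJack framework.
The indicator paths, service name, domain and IPs are the ones reported above;
the log line format, the api.telegram.org hostname, the chunk tolerance and
the SAMPLE_LOG lines are assumptions constructed for this example.
"""
import os
import re

# Filesystem artifacts reported by SentinelOne (working directories and binaries).
PATH_IOCS = [
    "/var/lib/.spm/",
    "/tmp/.origin",
    "/var/tmp/.xs",
    "/var/tmp/apt-daily-upgrade",
]
# systemd unit used for root-level persistence; unit dirs are the usual Linux ones.
SERVICE_IOC = "xsync"
SYSTEMD_DIRS = ["/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system"]

# Network indicators, refanged from the article for matching.
C2_DOMAIN = "cloudfront-js.com"
C2_IPS = {"213.136.80.73", "38.242.204.245"}
TELEGRAM_HOST = "api.telegram.org"  # assumed Bot API host
CHUNK_BYTES = 2800                  # chunk size reported by SentinelOne
CHUNK_TOLERANCE = 200               # assumed slack for HTTP framing overhead
MIN_CHUNKS = 3                      # assumed threshold before flagging a source


def check_paths(paths=PATH_IOCS, exists=os.path.exists):
    """Return the indicator paths present on this host (exists() is injectable for tests)."""
    return [p for p in paths if exists(p)]


def check_systemd_unit(name=SERVICE_IOC, unit_dirs=SYSTEMD_DIRS, exists=os.path.exists):
    """Return unit file paths for the named service that exist on this host."""
    return [f"{d}/{name}.service" for d in unit_dirs if exists(f"{d}/{name}.service")]


# Constructed proxy log format: '<timestamp> <src ip> <dst host or ip>:<port> <bytes out>'
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\S+):(?P<port>\d+) (?P<bytes>\d+)$"
)

SAMPLE_LOG = [  # constructed sample; 10.0.0.0/8 addresses are placeholders
    "2026-05-07T10:00:01Z 10.0.1.15 cdn.cloudfront-js.com:443 812",
    "2026-05-07T10:00:05Z 10.0.1.15 api.telegram.org:443 2816",
    "2026-05-07T10:00:06Z 10.0.1.15 api.telegram.org:443 2803",
    "2026-05-07T10:00:07Z 10.0.1.15 api.telegram.org:443 2822",
    "2026-05-07T10:00:09Z 10.0.1.15 213.136.80.73:443 340",
    "2026-05-07T10:01:00Z 10.0.2.40 api.telegram.org:443 142",
    "2026-05-07T10:02:00Z 10.0.2.40 d1abcd.cloudfront.net:443 5120",
]


def scan_log(lines):
    """Return (src, indicator, detail) tuples for lines matching the network IoCs.

    A single Telegram request is ordinary bot traffic; repeated requests from
    one source whose size sits at the 2,800-byte chunk boundary are flagged.
    """
    findings = []
    telegram_chunks = {}
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        src, dst, sent = m["src"], m["dst"], int(m["bytes"])
        if dst == C2_DOMAIN or dst.endswith("." + C2_DOMAIN):
            findings.append((src, "c2-domain", dst))
        elif dst in C2_IPS:
            findings.append((src, "c2-ip", dst))
        elif dst == TELEGRAM_HOST and abs(sent - CHUNK_BYTES) <= CHUNK_TOLERANCE:
            telegram_chunks[src] = telegram_chunks.get(src, 0) + 1
    for src, count in telegram_chunks.items():
        if count >= MIN_CHUNKS:
            findings.append((src, "telegram-chunked-egress", f"{count} requests"))
    return findings


if __name__ == "__main__":
    for path in check_paths():
        print(f"[host] indicator present: {path}")
    for unit in check_systemd_unit():
        print(f"[host] persistence unit present: {unit}")
    for src, indicator, detail in scan_log(SAMPLE_LOG):
        print(f"[net] {src}: {indicator} ({detail})")
```

The legitimate cloudfront.net line and the single small Telegram request from the second host produce no findings, which is the point of matching the full typosquat domain and requiring repeated chunk-sized requests rather than any Telegram traffic: a lone Telegram API call is normal for many bots, while three near-2,800-byte requests in close succession alongside the C2 domain is the pattern worth escalating.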
Short-Term Mitigations
PCPJack’s use of Common Crawl datasets to identify targets means that organizations do not need to attract attention through unusual configuration errors to appear in the threat actor’s target queue—simply hosting a web application on a cloud server is sufficient for inclusion in the indexed dataset. This shifts the mitigation emphasis toward hardening the attack surface that the worm’s exploit modules probe rather than obscurity. Services including Docker, Redis, MongoDB, and Kubernetes API endpoints should not be reachable from the internet without authentication; these are the services PCPJack exploits for lateral movement after initial foothold establishment, and their external exposure dramatically extends the worm’s propagation reach beyond the initially compromised host.
Cloud credential management practices should be audited with the PCPJack target list as a reference. API keys and access tokens for OpenAI, Anthropic, AWS, GitHub, Slack, HashiCorp Vault, Stripe, and DigitalOcean stored in environment variables or plaintext configuration files on internet-facing hosts represent concentrated exposure. Runtime secret injection through a dedicated secrets manager—rather than environment-variable or file-based credential delivery—reduces the value of any individual host compromise and limits the blast radius when one occurs. AWS customers should verify that EC2 fleets enforce IMDSv2, which requires a session token for IMDS requests and mitigates credential theft through server-side request forgery vulnerabilities in addition to the direct host access that PCPJack establishes.
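One way to carry out the IMDSv2 verification recommended above, added here as an example and not AWS's or the article's code: the audit function walks pages in the shape returned by the EC2 DescribeInstances API and reports instances whose MetadataOptions do not require a session token, and a second function switches them to IMDSv2 through ModifyInstanceMetadataOptions. The sample page is constructed and its instance ids are placeholders; boto3 is only imported when the script runs against a real account.

```python
"""Find EC2 instances that still allow IMDSv1 and optionally enforce IMDSv2.

Added example, not AWS's or the article's code. audit_imdsv2() works on the
page shape returned by the EC2 DescribeInstances API, so it is exercised on a
constructed page; the boto3 calls run only from main() against a real account
and the instance ids below are placeholders.
"""


def audit_imdsv2(pages):
    """Return instance ids whose metadata service does not require a session token.

    MetadataOptions.HttpTokens is 'optional' (IMDSv1 still answers) or
    'required' (IMDSv2 only). An instance with HttpEndpoint 'disabled' has
    no IMDS to steal from and is not reported. An instance with no
    MetadataOptions at all cannot be verified and is reported.
    """
    weak = []
    for page in pages:
        for reservation in page.get("Reservations", []):
            for inst in reservation.get("Instances", []):
                opts = inst.get("MetadataOptions", {})
                if opts.get("HttpEndpoint") == "disabled":
                    continue
                if opts.get("HttpTokens") != "required":
                    weak.append(inst["InstanceId"])
    return weak


SAMPLE_PAGES = [{  # constructed DescribeInstances page; ids are placeholders
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0placeholder001",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0placeholder002",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0placeholder003",
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
        {"InstanceId": "i-0placeholder004"},  # no MetadataOptions: unverifiable
    ]}]
}]


def enforce_imdsv2(ec2, instance_ids):
    """Switch each instance to HttpTokens=required via ModifyInstanceMetadataOptions.

    The hop limit is deliberately left unchanged: containers that reach IMDS
    through a bridge network need HttpPutResponseHopLimit of 2, and lowering
    it here would break them silently.
    """
    for iid in instance_ids:
        ec2.modify_instance_metadata_options(
            InstanceId=iid, HttpTokens="required", HttpEndpoint="enabled"
        )


def main(enforce=False):
    import boto3  # imported here so the audit logic runs without boto3 installed
    ec2 = boto3.client("ec2")
    pages = ec2.get_paginator("describe_instances").paginate()
    weak = audit_imdsv2(pages)
    for iid in weak:
        print(f"IMDSv1 still allowed: {iid}")
    if enforce and weak:
        enforce_imdsv2(ec2, weak)
    return weak


if __name__ == "__main__":
    main()
```

Run the audit first and review the list before passing enforce=True: workloads that still use an IMDSv1 client library will lose credential access the moment the token requirement is applied, so the switch belongs in a change window with the instance owners aware.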
Strategic Considerations
The SMTP relay network that PCPJack assembled illustrates a threat model that security programs should incorporate explicitly: compromised cloud infrastructure is not solely a resource theft problem localized to the victim. The 230-server relay network represents durable attack capability built on enterprise IP reputation that is likely intended to conduct downstream attacks against organizations that had no direct relationship with PCPJack’s original victims—though hunt.io’s research documents the network’s construction and verification protocol without confirming that downstream phishing or email abuse campaigns have yet been conducted using it. Cloud compromise propagates consequences through the email trust infrastructure that recipients and spam filters rely on, affecting parties far removed from the initial breach.
Organizations operating cloud environments should include Chisel proxy process detection in their host-based monitoring. Processes with command lines matching the pattern chisel client http://[IP]:[PORT] R:0.0.0.0:[PORT]:socks, binaries stored in /var/tmp as dotfiles, and SOCKS5 proxy ports in the 10000–14999 range that were not explicitly provisioned are indicators of potential PCPJack relay node enrollment. Network-level monitoring for unexpected outbound SMTP handshake traffic—particularly STARTTLS negotiation toward smtp.gmail.com:587 originating from hosts that have no legitimate mail delivery function—provides an additional detection signal consistent with the chisel_verifier.py behavior documented by hunt.io.
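The detection signals in the paragraph above translate directly into host checks. The script below is an added example, not hunt.io's or the Chisel project's code: it classifies process command lines against the chisel client pattern and the /var/tmp dotfile location, flags listening ports in the 10000–14999 range that were not provisioned, parses ss output, and flags submission-port flows to smtp.gmail.com from hosts with no mail role. The process list, ss lines, flow records, provisioned-port set and mail-host allowlist are constructed for the example and would be filled in from a real deployment.

```python
"""Host-side detection for the Chisel relay indicators described above.

Added example, not hunt.io's or the Chisel project's code. It classifies
process command lines, listening sockets and outbound SMTP flows; the sample
data is constructed, and the provisioned-port and mail-host allowlists are
assumptions a deployment would fill in.
"""
import re
import subprocess

# Pattern from the article: chisel client http://[IP]:[PORT] R:0.0.0.0:[PORT]:socks
CHISEL_CLIENT = re.compile(
    r"chisel\s+client\s+https?://(?P<c2>[\w.\-]+):(?P<c2port>\d+)\s+"
    r"R:0\.0\.0\.0:(?P<socks>\d+):socks"
)
RELAY_PORTS = range(10000, 15000)            # 10000-14999 per hunt.io
VAR_TMP_DOTFILE = re.compile(r"^/var/tmp/\.[^/\s]+$")
SMTP_SUBMISSION = ("smtp.gmail.com", 587)    # chisel_verifier.py target per hunt.io


def classify_process(cmdline):
    """Return the reasons a command line looks like a PCPJack relay component."""
    reasons = []
    m = CHISEL_CLIENT.search(cmdline)
    if m:
        reasons.append(f"chisel reverse socks via {m['c2']}:{m['c2port']}")
        if int(m["socks"]) in RELAY_PORTS:
            reasons.append(f"socks port {m['socks']} in relay range")
    parts = cmdline.split()
    if parts and VAR_TMP_DOTFILE.match(parts[0]):
        reasons.append(f"dotfile binary {parts[0]}")
    return reasons


def parse_ss_line(line):
    """Extract the local port from one 'ss -Hltn' line (None if unparsable)."""
    fields = line.split()
    if len(fields) < 4:
        return None
    try:
        return int(fields[3].rsplit(":", 1)[1])
    except (IndexError, ValueError):
        return None


def unprovisioned_listeners(listen_ports, provisioned_ports):
    """Listening ports in the relay range that no one provisioned."""
    return sorted(p for p in set(listen_ports)
                  if p is not None and p in RELAY_PORTS and p not in provisioned_ports)


def suspicious_smtp_flows(flows, mail_hosts):
    """Flows (src, dst, dport) to the verifier's target from non-mail hosts."""
    return [(src, dst, dport) for src, dst, dport in flows
            if (dst, dport) == SMTP_SUBMISSION and src not in mail_hosts]


SAMPLE_PROCESSES = [  # constructed; 203.0.113.10 is a documentation address
    "/usr/sbin/sshd -D",
    "/var/tmp/.xs",
    "chisel client http://203.0.113.10:8080 R:0.0.0.0:12345:socks",
    "/usr/bin/python3 /opt/app/server.py --port 12000",
]
SAMPLE_SS = [  # constructed 'ss -Hltn' output
    "LISTEN 0 128 0.0.0.0:22 0.0.0.0:*",
    "LISTEN 0 4096 0.0.0.0:12000 0.0.0.0:*",
    "LISTEN 0 4096 127.0.0.1:12345 0.0.0.0:*",
]
SAMPLE_FLOWS = [  # constructed (src host, dst host, dst port)
    ("web-01", "smtp.gmail.com", 587),
    ("mail-relay-01", "smtp.gmail.com", 587),
    ("web-01", "api.github.com", 443),
]
PROVISIONED_PORTS = {22, 12000}     # assumed: ports the platform team owns
MAIL_HOSTS = {"mail-relay-01"}      # assumed: hosts allowed to speak SMTP out


def live_scan():
    """Apply the process and listener checks to this host; returns (hits, ports)."""
    try:
        ps = subprocess.run(["ps", "-eo", "args="], capture_output=True, text=True, check=True)
        ss = subprocess.run(["ss", "-Hltn"], capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return [], []
    hits = [(c, r) for c in ps.stdout.splitlines() if (r := classify_process(c))]
    ports = unprovisioned_listeners(map(parse_ss_line, ss.stdout.splitlines()), PROVISIONED_PORTS)
    return hits, ports


if __name__ == "__main__":
    for cmd in SAMPLE_PROCESSES:
        print(cmd, "->", classify_process(cmd) or "clean")
    print("unprovisioned relay-range listeners:",
          unprovisioned_listeners(map(parse_ss_line, SAMPLE_SS), PROVISIONED_PORTS))
    print("smtp egress from non-mail hosts:", suspicious_smtp_flows(SAMPLE_FLOWS, MAIL_HOSTS))
    print("live host:", live_scan())
```

The listener check only fires for ports in the relay range that are absent from the provisioned set, so the application legitimately bound to 12000 is not reported while the unexpected 12345 is. The SMTP check depends on the mail-host allowlist being accurate: a web server negotiating STARTTLS with smtp.gmail.com:587 is the verifier behaviour hunt.io documented, but the same flow from a designated relay is normal.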
CSA Resource Alignment
PCPJack’s attack chain maps across multiple layers of CSA’s published cloud and AI security frameworks. The Cloud Controls Matrix (CCM) is most directly applicable at the vulnerability management layer: the five CVEs in PCPJack’s exploit toolkit are all publicly disclosed, all carry CVSS scores of 8.8 or higher, and all have available patches. CCM control families covering Infrastructure and Virtualization Security (IVS) and Identity and Access Management (IAM) address both the patch management practices that close PCPJack’s initial access vectors and the privilege restrictions that limit lateral movement once a foothold is established. The Cryptography, Encryption, and Key Management (CEK) control family directly addresses the environment-variable and plaintext-configuration credential storage patterns that PCPJack systematically harvests.
The STAR (Security, Trust, Assurance, and Risk) program provides a structured mechanism through which organizations can evaluate cloud provider security posture against the CCM controls most relevant to worm-propagating threats. Cloud customers relying on STAR attestations should verify that provider assessments cover workload isolation, network egress monitoring, and secret management practices relevant to the PCPJack attack pattern.
CSA’s Zero Trust guidance is directly applicable to the lateral movement phase of PCPJack’s attack chain. The worm’s progression from an initial web application compromise through Docker socket exploitation, Kubernetes API abuse, and SSH key spraying reflects the failure mode that Zero Trust architecture is specifically designed to prevent—implicit trust between services that share network access. Organizations that enforce explicit mutual authentication for every service-to-service call, including internal calls between Docker hosts, Kubernetes clusters, and Redis instances, limit PCPJack’s ability to move beyond the initially compromised host regardless of whether that host was patched against the initial access CVEs.
For organizations deploying AI workloads on cloud infrastructure, the CSA AI Controls Matrix (AICM) addresses access control and credential lifecycle management for AI API integrations. PCPJack’s explicit targeting of OpenAI and Anthropic API keys signals that AI service credentials should receive the same lifecycle management treatment as infrastructure credentials: rotation on a defined schedule, scoping to least privilege, and storage through a secrets manager rather than environment variables in application configuration.
References
[1] SentinelOne. “PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale.” SentinelOne Labs, May 7, 2026.
[2] BleepingComputer. “New PCPJack worm steals credentials, cleans TeamPCP infections.” BleepingComputer, May 7, 2026.
[3] hunt.io. “PCPJack Hijacked 230 AWS, GCP, and Azure Servers to Run a Hidden SMTP Relay Network.” hunt.io Research Blog, June 3, 2026.
[4] The Hacker News. “PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems.” The Hacker News, May 7, 2026.
[5] The Hacker News. “PCPJack Hijacks 230 AWS, Google Cloud, and Azure Servers for Covert SMTP Relay Network.” The Hacker News, June 5, 2026.
[6] SecurityWeek. “‘PCPJack’ Worm Removes TeamPCP Infections, Steals Credentials.” SecurityWeek, May 8, 2026.