Key Findings Threat actor PCPJack compromised 230 cloud servers across AWS, Google Cloud, and Microsoft Azure and converted them into covert SMTP relay proxies Complete toolkit, source code, and live command-and-control configuration were accidentally exposed in an unauthenticated directory on a C2 server The operation used Sliver C2 framework combined with Chisel tunneling to create a self-healing, monitored email relay network that synced verified proxies every five minutes