NEWS Postmaster Impostor: How Hackers Hide Cryptominers on Compromised Servers

ExcalibuR

Weak passwords cost 1,500 PostgreSQL servers their security

In an ongoing malicious campaign, more than 1,500 PostgreSQL servers have been compromised and used for covert cryptocurrency mining. Researchers at Wiz reported that the attackers operate without writing files to disk — a tactic that makes the attack especially hard to detect. The campaign is linked to a threat group identified as JINX-0126 and is based on a previously discovered malware tool called PG_MEM, first described by Aqua Security in August 2024.


Unlike previous attacks, this wave employs a more sophisticated strategy to bypass security defenses. Malicious binary files are generated with a unique hash for each target, and the miner itself is loaded without ever creating files on disk. This approach allows attackers to evade detection systems that rely on scanning for known file signatures.


The primary targets are publicly exposed PostgreSQL instances with weak or predictable passwords. According to Wiz, there are enough such systems to make them a viable mass target. Over 1,500 servers have been confirmed compromised, highlighting the scale of the operation.


A standout feature of this campaign is the use of the SQL command COPY ... FROM PROGRAM, which allows arbitrary shell commands to be executed directly from the database server. This access is used for reconnaissance and malware deployment. One of the initial steps involves downloading an encrypted shell script that eliminates competing miners and installs a binary named PG_CORE.


The attackers also upload a disguised Go-based binary named postmaster to the server. It mimics the legitimate PostgreSQL server process, helping maintain persistence through the creation of cron jobs, privilege escalation via new user accounts, and the installation of another file called cpu_hu.


cpu_hu is responsible for fetching the latest version of XMRig — a popular cryptocurrency mining tool. The campaign uses a fileless execution method on Linux via the memfd mechanism, keeping the executable in memory without writing it to disk, thus reducing the chance of detection.
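The two host-level traces described above (a miner backed by a memfd descriptor, and a Go binary calling itself postmaster from outside the PostgreSQL install) can both be hunted for in /proc. The following is an added detection example, not code from the Wiz report or the post; the expected PostgreSQL install directories are an assumption to adjust per distribution.

```python
"""Scan /proc for fileless (memfd-backed) executables and impostor 'postmaster' processes."""
import os
from pathlib import Path

# Assumption for this example: directories a genuine PostgreSQL server binary lives under.
# Adjust to the distro's real layout (e.g. /usr/lib/postgresql/<ver>/bin on Debian).
EXPECTED_PG_DIRS = ("/usr/lib/postgresql/", "/usr/pgsql-", "/usr/local/pgsql/")


def classify(comm: str, exe_target: str) -> list[str]:
    """Return human-readable findings for one process given its comm and /proc/<pid>/exe target."""
    findings = []
    # An executable created with memfd_create() and run via fexecve()/execveat()
    # resolves to "/memfd:<name> (deleted)" because it never existed on a filesystem.
    if exe_target.startswith("/memfd:"):
        findings.append("memfd-backed executable (fileless)")
    # The real server process is the 'postgres' binary from the install tree; a process
    # named 'postmaster' whose binary lives elsewhere is the impostor described above.
    if comm == "postmaster" and not exe_target.startswith(EXPECTED_PG_DIRS):
        findings.append("'postmaster' running from unexpected path: " + exe_target)
    return findings


def scan(proc_root: str = "/proc") -> dict[int, list[str]]:
    """Walk every numeric entry under proc_root and collect findings keyed by pid."""
    results: dict[int, list[str]] = {}
    for entry in os.scandir(proc_root):
        if not entry.name.isdigit():
            continue
        try:
            comm = Path(entry.path, "comm").read_text().strip()
            exe = os.readlink(os.path.join(entry.path, "exe"))
        except OSError:
            continue  # kernel threads, processes that already exited, or no permission
        findings = classify(comm, exe)
        if findings:
            results[int(entry.name)] = findings
    return results


if __name__ == "__main__":
    for pid, hits in sorted(scan().items()):
        print(f"pid {pid}: " + "; ".join(hits))
```

Run as root so /proc/<pid>/exe is readable for every process; non-root runs silently skip processes they cannot inspect.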


Each infected machine is assigned a unique identifier. Wallet analysis linked to the campaign revealed around 550 active miners per wallet across three addresses, confirming the participation of at least 1,500 machines in this campaign.


Key elements of the attack include exploitation of misconfigured PostgreSQL instances, aggressive use of evasion techniques, and a complete lack of file system traces. This combination makes the campaign particularly effective and resistant to detection.