Cryptocurrency Miners Target Exposed PostgreSQL Servers in Fileless Attack Campaign
An ongoing cyber campaign is actively exploiting publicly exposed PostgreSQL instances to gain unauthorized access and deploy cryptocurrency miners.


An ongoing cyber campaign is actively exploiting publicly exposed PostgreSQL instances to gain unauthorized access and deploy cryptocurrency miners, according to a new report from cloud security firm Wiz.
The activity, attributed to a threat actor dubbed JINX-0126, represents a resurgence and evolution of an earlier campaign first reported by Aqua Security in August 2024, which used a malware strain called PG_MEM.
How the Attack Works
The attack begins by targeting PostgreSQL servers that are:
- Publicly accessible over the internet
- Configured with weak or default credentials
Once the threat actor successfully logs in, they abuse the COPY ... FROM PROGRAM SQL command, a legitimate feature that allows PostgreSQL to execute shell commands. This method allows attackers to run arbitrary commands directly on the host system, bypassing traditional security mechanisms.
“The threat actor has evolved, implementing defense evasion techniques such as deploying binaries with a unique hash per target and executing the miner payload filelessly,” Wiz researchers Avigayil Mechtinger, Yaara Shriki, and Gili Tikochinski explained.
Campaign Evolution and Evasion Techniques
Unlike traditional malware that relies on persistent files, this campaign makes use of fileless execution techniques, particularly in cloud environments, to avoid detection by cloud workload protection platforms (CWPPs).
Key Evasion Tactics:
- Unique binary hashes per target to bypass reputation-based security tools
- Fileless execution using the memfd_create technique, preventing malware from being written to disk
- Process name obfuscation, such as disguising binaries as PostgreSQL processes (e.g., using names like postmaster)
Malware Components and Execution Chain
Once initial access is gained, the attackers conduct system reconnaissance and deploy a Base64-encoded shell script. This script performs the following tasks:
- Terminates competing mining processes to monopolize system resources
- Deploys a binary named PG_CORE
- Installs an obfuscated Golang binary named postmaster
The postmaster binary is particularly dangerous. It:
- Creates persistent access through a cron job
- Adds a new privileged PostgreSQL user role
- Writes an additional binary called cpu_hu to disk
Fileless XMRig Deployment
cpu_hu is responsible for downloading the latest version of the XMRig cryptocurrency miner from GitHub. Rather than writing the executable to disk, it uses the Linux memfd technique to run the miner entirely in memory, making it stealthy and harder to detect.
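On Linux, a program executed from an anonymous memfd leaves a visible trace: the /proc/<pid>/exe link resolves to a path of the form "/memfd:<name> (deleted)" rather than to a file on disk, and a process that borrows the postmaster name can be compared against the directory where the real PostgreSQL binaries live. The following script is an added defender-side illustration of both checks; it is not code from the article or from Wiz. The legitimate PostgreSQL install directories and the sample process table are assumptions constructed for the example.

```python
"""Flag processes that run from an anonymous memfd or that carry a PostgreSQL
process name while executing from outside the PostgreSQL install.

Added illustration, not code from the article or from Wiz. Relies on standard
Linux /proc semantics: /proc/<pid>/comm holds the process name and
/proc/<pid>/exe is a symlink to the executable (for a memfd-backed executable
the link target reads "/memfd:<name> (deleted)").
"""
import os
from dataclasses import dataclass

# Process names the campaign borrowed or introduced, per the report.
SUSPICIOUS_NAMES = {"postmaster", "cpu_hu"}

# Assumed locations of legitimate PostgreSQL binaries on this host (adjust to
# your distribution; these are example paths, not taken from the article).
LEGIT_POSTGRES_DIRS = ("/usr/lib/postgresql/", "/usr/pgsql-", "/usr/local/pgsql/bin/")


@dataclass
class Finding:
    pid: int
    comm: str
    exe: str
    reason: str


def classify(pid: int, comm: str, exe: str) -> list[Finding]:
    """Apply both heuristics to one process and return at most one finding."""
    if exe.startswith("/memfd:"):
        return [Finding(pid, comm, exe, "executable is an anonymous memfd (fileless execution)")]
    if comm in SUSPICIOUS_NAMES and not exe.startswith(LEGIT_POSTGRES_DIRS):
        return [Finding(pid, comm, exe, "PostgreSQL-style name but binary outside the PostgreSQL install")]
    return []


def scan_proc(proc_root: str = "/proc") -> list[Finding]:
    """Walk a live /proc tree. Reading other users' exe links needs root."""
    findings: list[Finding] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{proc_root}/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"{proc_root}/{pid}/exe")
        except OSError:
            continue  # process exited or permission denied
        findings.extend(classify(pid, comm, exe))
    return findings


# Constructed sample process table (pid, comm, exe link target); not captured
# from a real host.
SAMPLE_PROCESSES = [
    (4120, "postmaster", "/usr/lib/postgresql/16/bin/postgres"),   # legitimate server
    (5301, "postmaster", "/tmp/.x/postmaster"),                    # name borrowed, binary elsewhere
    (5377, "postmaster", "/memfd:postmaster (deleted)"),           # fileless payload
    (5402, "bash", "/usr/bin/bash"),                               # ordinary process
]


def scan_sample() -> list[Finding]:
    """Run the classifier over the constructed table (offline demonstration)."""
    findings: list[Finding] = []
    for pid, comm, exe in SAMPLE_PROCESSES:
        findings.extend(classify(pid, comm, exe))
    return findings


if __name__ == "__main__":
    for f in scan_sample():
        print(f"pid {f.pid} ({f.comm}) -> {f.exe}: {f.reason}")
```

scan_proc() is what you would run on a host; scan_sample() exercises the same classifier on the constructed table so the logic can be checked without root. The memfd check is the more robust of the two, since a process name can be anything the attacker chooses, while the exe link is maintained by the kernel.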
Scale and Impact of the Campaign
Wiz estimates that over 1,500 machines have been compromised so far, with each machine assigned a unique mining worker ID. The researchers traced the campaign to at least three cryptocurrency wallets, each tied to around 550 unique miners.
“Combined, this suggests that the campaign could have leveraged over 1,500 compromised machines,” Wiz noted.
This level of targeting highlights the broad availability of misconfigured PostgreSQL instances and how easily opportunistic attackers can exploit them at scale.
Why This Matters
The campaign reveals a growing trend among cybercriminals to target cloud infrastructure and database services with highly evasive, fileless attacks. PostgreSQL’s legitimate feature set—particularly its ability to execute system commands—can be abused if not properly secured.
Key Takeaways for Defenders:
- Restrict external access to PostgreSQL servers unless absolutely necessary
- Enforce strong authentication and rotate default credentials
- Disable unused database features, such as COPY ... FROM PROGRAM, if not needed
- Implement monitoring and alerting for unusual database activity
- Use runtime protection and memory-based threat detection tools to catch fileless activity
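The monitoring item above can be made concrete with PostgreSQL's own statement logging. COPY ... FROM PROGRAM is available only to superusers and to members of the built-in pg_execute_server_program role, so the statements worth alerting on are the COPY ... FROM PROGRAM call itself, creation or promotion of a superuser role (the persistence step described earlier), and grants of that built-in role. The script below is an added example, not code from the article or from Wiz. It assumes log_statement is set to 'all' (or at least 'ddl') and a log_line_prefix of '%m [%p] %u@%d ' on a simple-query-protocol client; the log lines are constructed for the example.

```python
"""Alert on PostgreSQL statement-log entries that match the campaign's
database-side actions. Added example, not code from the article or from Wiz.

Assumptions: postgresql.conf has log_statement = 'all' (or 'ddl') and
log_line_prefix = '%m [%p] %u@%d '. Statements issued through the extended
query protocol appear as "execute <name>:" instead of "statement:"; extend
PREFIX if your clients use it.
"""
import re

# One log line: timestamp, [pid], user@db, level, then the logged statement.
PREFIX = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<level>LOG|ERROR|FATAL):\s+statement: (?P<sql>.*)$"
)

# Detection rules, each a (name, pattern) applied to the statement text.
RULES = [
    ("copy_from_program",
     re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.I | re.S)),
    ("superuser_role",
     re.compile(r"\b(CREATE|ALTER)\s+(ROLE|USER)\b.*\bSUPERUSER\b", re.I | re.S)),
    ("server_program_grant",
     re.compile(r"\bGRANT\s+pg_execute_server_program\b", re.I)),
]


def parse_line(line: str):
    """Split one log line into its prefix fields and the SQL text, or None."""
    m = PREFIX.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def detect(lines):
    """Return one alert dict per (line, rule) match, in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in RULES:
            if pattern.search(rec["sql"]):
                alerts.append({
                    "rule": name,
                    "user": rec["user"],
                    "db": rec["db"],
                    "pid": int(rec["pid"]),
                    "sql": rec["sql"],
                })
    return alerts


# Constructed sample log (not captured from a real server). The COPY ... FROM
# PROGRAM line runs a harmless placeholder command.
SAMPLE_LOG = """\
2025-04-01 10:02:11.004 UTC [2211] app@inventory LOG:  statement: SELECT count(*) FROM orders
2025-04-01 10:02:13.512 UTC [2230] postgres@postgres LOG:  statement: COPY t FROM PROGRAM 'echo placeholder'
2025-04-01 10:02:14.020 UTC [2230] postgres@postgres LOG:  statement: CREATE ROLE svc_backup WITH LOGIN SUPERUSER PASSWORD 'redacted'
2025-04-01 10:02:15.301 UTC [2230] postgres@postgres LOG:  statement: COPY orders FROM '/tmp/orders.csv'
2025-04-01 10:02:16.777 UTC [2240] app@inventory LOG:  statement: GRANT pg_execute_server_program TO app
""".splitlines()


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a['rule']}] {a['user']}@{a['db']} pid={a['pid']}: {a['sql']}")
```

Note that the plain COPY ... FROM '/tmp/orders.csv' line is not flagged: only the PROGRAM form spawns a shell, and a rule that fired on every COPY would bury the signal in ordinary bulk loads. Pair the log rule with a periodic query of pg_roles for unexpected superusers or pg_execute_server_program members, since a role created before logging was enabled leaves no statement-log trace.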
Final Thoughts
This campaign serves as a powerful reminder of the risks associated with misconfigured cloud services. By abusing legitimate PostgreSQL functions and leveraging fileless malware techniques, attackers are staying ahead of traditional defenses.
Organizations must take proactive steps to secure cloud databases and adopt modern security practices that go beyond file-based detection methods.