{
	"id": "98c55015-d667-4bbf-b1e9-1e96799fe8fc",
	"created_at": "2026-04-06T00:21:12.904265Z",
	"updated_at": "2026-04-10T13:12:14.308839Z",
	"deleted_at": null,
	"sha1_hash": "1e584a46f202634dc324d01333acb23c04840c9d",
	"title": "CPU_HU: Fileless cryptominer targeting exposed PostgreSQL with over 1.5K victims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 84698,
	"plain_text": "CPU_HU: Fileless cryptominer targeting exposed PostgreSQL with over\r\n1.5K victims\r\nBy Avigayil Mechtinger, Yaara Shriki, Gili Tikochinski\r\nPublished: 2025-03-31 · Archived: 2026-04-05 14:16:54 UTC\r\nWiz Threat Research identified a new variant of an ongoing malicious campaign targeting misconfigured and publicly\r\nexposed PostgreSQL servers. In the observed attack, the threat actor (tracked by Wiz as JINX-0126) abuses exposed\r\nPostgreSQL instances, configured with weak and guessable login credentials, to gain access and to deploy XMRig-C3\r\ncryptominers. This campaign was first documented by Aqua Security, but the threat actor has since evolved, implementing\r\ndefense evasion techniques such as deploying binaries with a unique hash per target and executing the miner payload\r\nfilelessly—likely to evade detection by CWPP solutions that rely solely on file hash reputation.\r\nBased on our analysis, the threat actor is assigning a unique mining worker to each victim. During our research, we\r\nidentified three different wallets linked to the threat actor (see IOC section below). By analyzing C3Pool statistics for each\r\nwallet, we can conclude that this campaign likely impacted over 1,500 victims. This suggests that misconfigured\r\nPostgreSQL instances are highly common, providing a low hanging fruit entry point for opportunistic threat actors to\r\nexploit. Furthermore, our data shows that nearly 90% of cloud environments self-host PostgreSQL instances, of which a\r\nthird have at least one instance that is publicly exposed to the internet. \r\nWe have identified this activity targeting our customers’ cloud environments as well as our honeypot environment. In the\r\nfollowing analysis we will provide technical information about a sample sourced from our honeypot.   
\r\nTechnical Analysis \r\nThreat actors are actively scanning the network for weakly configured services [T1110.003], with PostgreSQL being a\r\nfrequent target due to the usage of default weak credentials that expose it to unauthorized access that can lead to remote code\r\nexecution [T1190]. Once authenticated, they abuse the COPY ... FROM PROGRAM function, allowing them to drop and run\r\nmalicious payloads [T1059.004]. \r\nUpon successful login, the threat actor conducts basic discovery with commands such as whoami and uname [T1082] and\r\nchecks if pg_core exists on the workload. Next, the threat actor runs the first dropper script [T1071.001] [T1105],\r\ndelivered as a base64-decoded string: \r\nThe script first kills other cryptominers if they exist on the resource and drops the pg_core binary. Next, pg_core is executed\r\non the resource and deleted [T1070.004]. \r\nThe attacker downloads a binary named postmaster, as an attempt to mimic the legitimate postmaster process, which is the\r\nPostgreSQL multiuser database server [T1036.005]. \r\npostmaster is an obfuscated Golang binary, packed with modified UPX [T1027.002]. The threat actor executes a command\r\nto append an encrypted configuration to the postmaster binary [T1027.001]. \r\nThis configuration is encrypted using a hardcoded AES key: \r\n7C6643CC24859542CE37615341E7712E82B4167528688877FE7C14648909DCD5.\r\nDecrypted configuration: \r\nThe configuration contains information about the compromised system, such as: \r\nhttps://www.wiz.io/blog/postgresql-cryptomining\r\nPage 1 of 4\n\nThe username and password that were used. \r\nThe external IP address and port of the infected server. \r\nThe name of the superuser account that was created. \r\nThe file location of pg_hba.conf.\r\nAdditionally, the configuration includes several fields related to the cryptominer that will be deployed later, including the\r\nattacker’s wallet address and the worker's name. 
\r\nUpon execution, postmaster resolves its location on the disk and reads the last 1024 bytes of the binary, which hold the\r\nconfiguration that was appended to it. If the trailer does not exist or is invalid, postmaster will exit with an error. \r\nThe postmaster binary will execute itself with the command line pоstgres : replication launcher as an attempt to blend\r\nin with the service, as one of the PostgreSQL processes runs with the command line postgres: logical replication\r\nlauncher. To ensure persistence, postmaster will create a cron job [T1053.003] to run itself every minute. It deletes the SSH\r\nauthorized_keys file and also writes to the pg_hba configuration file, to prevent others from logging into the database server\r\nand to allow communication from the internal network.\r\nThe threat actor creates a new role with high privileges for persistence [T1136]. This allows the attacker to later log in to the\r\nsystem even if the password has been changed. \r\nCREATE ROLE psql_sys WITH LOGIN SUPERUSER PASSWORD '759686ac19adbd08b94cf53f35afdd1e';\r\n \r\nThe attacker also attempts to weaken the user admin, which is the default user of the service [T1098]: \r\nALTER USER \"admin\" WITH NOSUPERUSER NOCREATEROLE\r\n \r\npostmaster writes the cpu_hu binary to disk. Similar to postmaster, cpu_hu is an obfuscated Golang binary packed with\r\nmodified UPX. The base64-decoded miner configuration information is embedded at the end of the cpu_hu binary:\r\n \r\nDecoded configuration: \r\n“lle” is the wallet, “x” is the worker ID and “fg” is the JSON configuration file name, which is created under /tmp (/tmp/...)\r\n[T1564.001]. \r\ncpu_hu downloads the latest version of https://github.com/C3Pool/xmrig-C3/, writes the configuration file to /tmp/… and\r\ninvokes the miner [T1496] filelessly via a memfd file descriptor [T1620]. cpu_hu clones itself to create a child process and\r\ndeletes itself from disk [T1070.004]. 
\r\nSince the attacker appends unique configuration data to malware samples, the file hash of cpu_hu and postmaster varies\r\nbetween victims. \r\nVictims in the wild: \r\nIn our analysis, we gathered three different wallets. When looking in C3Pool stats, we observed that each wallet had\r\napproximately 550 workers. Combined, this suggests that the campaign could have leveraged over 1,500 compromised\r\nmachines. \r\nHow Can Wiz Help? \r\nPrevention: \r\nThe Wiz Dynamic Scanner detects publicly exposed PostgreSQL services configured with weak or default credentials within\r\ncustomers' cloud environments. The Wiz agentless workload scanner detects containers and VMs hosting PostgreSQL and\r\nidentifies if they contain sensitive data or have access to highly privileged service accounts (which could just as easily be\r\nabused by opportunistic attackers for purposes other than cryptojacking).\r\nDetection: \r\nThe Wiz Runtime Sensor detects events and behaviors associated with this threat and similar ones, alerting you as the\r\nadversary progresses through the attack kill chain: from the exploit to the initial payload delivery and ultimately to the final\r\nfileless cryptomining activity. 
\r\nHere is an example of the Wiz Runtime Sensor detecting the fileless execution of the miner used in this threat:\r\nWiz customers can use the pre-built queries and advisory in the Wiz Threat Center to search for vulnerable instances in their\r\nenvironment and detect if their environment was impacted by this threat.\r\nIOCs\r\nWallets: \r\n4A5ZWpHM6BXS8YF7xNfjXA5ctDjTC3GBwS4ESBV9X2BGVJV8vkfXBeZfXG6w2hmdkpZaogCXiqU4DYPXn3TtPRAGJBLQ\r\n47pt9WzQyugFQpSAwcGN2k8JHiMQ3fRZ3BQqmnYJtcejVq9adfiwVSWgrpmxiYTxvvWcHv5dD2iCaiBYiK4atkMSUGMXdx8 \r\n463TBt8Rn1qXWZDpTV4ydxQcZnkJNeLv6JRKjFbzFsY3MQZaxWsUgQF4QnxNAg8MGSPsiLn9faTWqRafHnhh3QBdSLTgRHA\r\nFile hosting service: \r\n159.223.123.175:36287 \r\nPool: \r\nmine.c3pool.com:13333 \r\nFile hashes (SHA1): \r\nXMRig-C3 miner: 0b907eee9a85d39f8f0d7c503cc1f84a71c4de10 \r\npg_core: 85198288e2ff1dad718cd84876a0b0d3173a641e \r\nPostmaster prior to the trailer addition: 7ccfcacfa2a729494dece843e9c4d357f2eec780\r\nFiles on disk: \r\nMain payload: postmaster binary under /var/lib/postgresql/data/ or in another suspicious location \r\nMiner configuration file: /tmp/…\r\nMITRE ATT\u0026CK® Techniques used by CPU_HU: \r\nCommand and Control - Application Layer Protocol: Web Protocols (T1071.001) \r\nCommand and Control - Ingress Tool Transfer (T1105) \r\nCredential Access - Brute Force: Password Spraying (T1110.003) \r\nDefense Evasion - Hide Artifacts: Hidden Files and Directories (T1564.001) \r\nDefense Evasion - Indicator Removal: File Deletion (T1070.004) \r\nDefense Evasion - Masquerading: Match Legitimate Name or Location (T1036.005) \r\nDefense Evasion - Obfuscated Files or Information: Binary Padding (T1027.001) \r\nDefense Evasion - Obfuscated Files or Information: Software Packing (T1027.002) \r\nDefense Evasion - Reflective Code Loading (T1620) \r\nExecution - Command and Scripting Interpreter: Unix Shell (T1059.004) \r\nInitial Access - Exploit Public-Facing Application (T1190) \r\nPersistence - Account Manipulation (T1098) \r\nPersistence - Create Account (T1136) \r\nPersistence - Scheduled Task/Job: Cron (T1053.003) \r\nImpact - Resource Hijacking (T1496) \r\nDiscovery - System Information Discovery (T1082) \r\nSource: https://www.wiz.io/blog/postgresql-cryptomining",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.wiz.io/blog/postgresql-cryptomining"
	],
	"report_names": [
		"postgresql-cryptomining"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "87ac47cd-4f4a-4075-9bac-7e7a5814e42c",
			"created_at": "2025-05-29T02:00:03.205656Z",
			"updated_at": "2026-04-10T02:00:03.861231Z",
			"deleted_at": null,
			"main_name": "JINX-0126",
			"aliases": [],
			"source_name": "MISPGALAXY:JINX-0126",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434872,
	"ts_updated_at": 1775826734,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e584a46f202634dc324d01333acb23c04840c9d.pdf",
		"text": "https://archive.orkl.eu/1e584a46f202634dc324d01333acb23c04840c9d.txt",
		"img": "https://archive.orkl.eu/1e584a46f202634dc324d01333acb23c04840c9d.jpg"
	}
}