PG_MEM: A Malware Hidden in the Postgres Processes
ID: 97d31523-8413-57e8-8498-274d76a1b84a
STIX ID: report--97d31523-8413-57e8-8498-274d76a1b84a
Feed Name: Aqua Security Blog
Aqua Nautilus researchers describe PG_MEM, a campaign that brute-forces internet-exposed PostgreSQL servers to create superuser roles, execute shell commands via COPY ... FROM PROGRAM, and deploy multiple packed ELF binaries (pg_core, pg_mem, memory) that install an XMRig cryptominer and establish persistence (cron) while removing competing malware and artifacts; the report provides observed IOCs (IP 128.199.77.96, MD5 hashes), attack flow, detection guidance, and MITRE ATT&CK mappings.
