threat actors Archives

Tech Optimizer

April 2, 2025

Over 1,500 PostgreSQL Servers Hit by Fileless Malware Attack

A malware campaign has compromised over 1,500 PostgreSQL servers using fileless techniques to deploy cryptomining payloads. The attack, linked to the threat actor group JINX-0126, exploits publicly exposed PostgreSQL instances with weak or default credentials. The attackers utilize advanced evasion tactics, including unique hashes for binaries and fileless execution of the miner payload, making detection difficult. They exploit PostgreSQL’s COPY ... FROM PROGRAM function to execute malicious payloads and perform system discovery commands. The malware includes a binary named “postmaster,” which mimics legitimate processes, and a secondary binary named “cpu_hu” for cryptomining operations. Nearly 90% of cloud environments host PostgreSQL databases, with about one-third being publicly exposed, providing easy entry points for attackers. Each wallet associated with the campaign had around 550 active mining workers, indicating the extensive scale of the attack. Organizations are advised to implement strong security configurations to protect their PostgreSQL instances.

Tech Optimizer

April 2, 2025

Thousands of PostgreSQL servers are being hijacked to mine crypto

Researchers at Wiz have identified a cryptojacking campaign by a group called JINX-0126, targeting over 1,500 misconfigured PostgreSQL servers by exploiting weak login credentials. The attackers deploy the XMRig-C3 miner to mine Monero, consuming nearly all computing resources and increasing electricity usage for victims. Each compromised device is assigned a unique mining worker for tracking. The campaign has evolved to include defensive measures and fileless deployment to evade detection. Nearly 90% of cloud environments host PostgreSQL instances, with about one-third publicly accessible, highlighting security vulnerabilities.

Tech Optimizer

March 31, 2025

Fileless XMRig-C3 Cryptominer Targets PostgreSQL Servers

Wiz Threat Research has reported a new variant of a malicious campaign targeting misconfigured and publicly exposed PostgreSQL servers, attributed to the threat actor JINX-0126. This actor exploits vulnerable PostgreSQL instances with weak login credentials to gain unauthorized access and deploy XMRig-C3 cryptominers. The campaign has evolved to include advanced evasion techniques, such as using unique hashes for binaries and executing payloads in a fileless manner to avoid detection. The analysis indicates that the threat actor assigns unique mining workers to each victim, with three distinct wallets identified, suggesting over 1,500 affected victims. Nearly 90% of cloud environments host PostgreSQL instances, with about one-third publicly exposed. The threat actor scans for poorly configured services, exploiting default weak credentials to gain access and execute malicious payloads. Upon successful login, the actor performs reconnaissance and executes a dropper script to deploy an obfuscated Golang binary, which contains an encrypted configuration with critical system information. The malware establishes persistence by creating cron jobs and modifying access controls. The actor also creates high-privilege roles for continued access and weakens the default admin user. The analysis identified three wallets associated with the campaign, with each wallet having around 550 workers. The Wiz Dynamic Scanner can identify exposed PostgreSQL services, while the Wiz Runtime Sensor detects malicious activities associated with this threat. The report includes specific wallet addresses, a file hosting service, and file hashes related to the malware. Techniques used by the malware align with various MITRE ATT&CK® techniques, including credential access, defense evasion, and resource hijacking.

AppWizard

March 28, 2025

Hackers target Taiwan with malware delivered via fake messaging apps

Recent research from cybersecurity firm Sophos has identified the use of PJobRAT malware targeting users in Taiwan through instant messaging applications SangaalLite and CChat, which mimic legitimate platforms. These malicious apps were available for download on various WordPress sites, now taken offline. PJobRAT, an Android remote access trojan first identified in 2019, has been used to steal SMS messages, contacts, device information, documents, and media files. The recent cyber-espionage initiative lasted nearly two years, affecting a limited number of users, indicating a targeted approach by the attackers. The latest version of PJobRAT lacks the ability to steal WhatsApp messages but allows attackers greater control over infected devices. The distribution method for these apps remains unclear, but previous campaigns involved third-party app stores and phishing pages. Upon installation, the apps request extensive permissions and provide basic chat functionalities. Sophos researchers note that threat actors often refine their strategies after campaigns, suggesting ongoing risks.

AppWizard

March 28, 2025

PJobRAT Android Malware Masquerades as Dating and Messaging Apps to Target Military Personnel

PJobRAT is an Android Remote Access Trojan that re-emerged in 2023, targeting users in Taiwan. Initially known for targeting Indian military personnel, it now disguises itself as benign apps like ‘SangaalLite’ and ‘CChat’, distributed via defunct WordPress sites operational from January 2023 to October 2024, with domain registrations dating back to April 2022. The malware is spread through counterfeit applications resembling legitimate messaging services, prompting users to grant extensive permissions. Enhanced capabilities allow it to execute shell commands, access data from any app, root devices, and communicate with command-and-control servers via Firebase Cloud Messaging and HTTP. The campaign appears to have concluded, highlighting the evolving tactics of threat actors. Users are advised against installing apps from untrusted sources and to use mobile threat detection software.

AppWizard

March 28, 2025

PJobRAT makes a comeback, takes another crack at chat apps

In 2021, PJobRAT, an Android Remote Access Trojan (RAT), targeted Indian military personnel through deceptive apps. A new campaign was discovered in 2023, focusing on users in Taiwan, with malicious apps like ‘SangaalLite’ and CChat disguised as instant messaging applications. These apps were available for download from WordPress sites, which have since been taken down. The campaign began in January 2023, with domains registered as early as April 2022, and the latest sample detected in October 2024. The number of infections was low, indicating a targeted approach rather than a broad attack. The distribution methods remain unclear, but may involve SEO poisoning, malvertising, or phishing. Once installed, the apps request extensive permissions and feature basic chat functionality. Recent versions of PJobRAT have shifted from stealing WhatsApp messages to executing shell commands, allowing greater control over compromised devices. PJobRAT communicates with its command-and-control (C2) servers using Firebase Cloud Messaging (FCM) and HTTP, enabling the upload of various data types, including SMS, contacts, and files. The now inactive C2 server was located in Germany.

Winsage

March 26, 2025

Auth bypass CVE-2025-22230 impacts VMware Windows Tools

Broadcom has addressed a critical authentication bypass vulnerability, CVE-2025-22230, affecting VMware Tools for Windows, rated with a CVSS score of 9.8. This vulnerability allows low-privileged local attackers to escalate their privileges within vulnerable VMs, potentially leading to unauthorized access. It affects VMware Tools versions 12.x.x and 11.x.x across Windows, Linux, and macOS platforms. VMware Tools version 12.5.1 has been released to fix this issue. Additionally, Broadcom issued updates for three zero-day vulnerabilities in VMware ESX products (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226), which were confirmed to be actively exploited and represent a "VM Escape" scenario.

Winsage

March 26, 2025

Update VMware Tools for Windows NOW: High-Severity Flaw Lets Hackers Bypass Authentication

Broadcom has advised users of VMware Tools for Windows to update to the latest version due to a high-severity vulnerability (CVE-2025-22230) that is being exploited by cybercriminals. This vulnerability affects versions 11.x.x and 12.x.x and is classified as an "authentication bypass vulnerability," allowing a malicious actor with non-administrative privileges on a Windows guest to perform high-privilege operations within that VM. The flaw stems from inadequate access control mechanisms. The vulnerability has a CVSS score of 7.8 and does not require user interaction for exploitation. It was discovered by Sergey Bliznyuk of Positive Technologies. Broadcom has patched the vulnerability in version 12.5.1, and users are urged to update immediately, as no workarounds are available.

Winsage

March 26, 2025

Hackers Exploit Windows MMC Zero-Day Vulnerability to Execute Malicious Code

Russian threat actors are exploiting a zero-day vulnerability in the Microsoft Management Console (MMC), identified as CVE-2025-26633, allowing them to bypass security features and execute harmful code. The hacking group Water Gamayun, also known as EncryptHub and Larva-208, is behind this campaign, using a weaponized version of the vulnerability called “MSC EvilTwin” to deploy various malicious payloads, including information stealers and backdoors. The vulnerability affects multiple Windows versions, particularly older systems like Windows Server 2016. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-26633 to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch affected systems by April 1, 2025. Microsoft included this vulnerability in its March 2025 Patch Tuesday update. Recommended mitigations include applying security patches, restricting network access to MMC ports, and monitoring for unusual MMC activity.

Tech Optimizer

March 21, 2025

Cybercriminals Exploit CheckPoint Driver Flaws in Malicious Campaign

A report by Nima Bagheri reveals that CheckPoint’s ZoneAlarm antivirus software is being exploited by threat actors using a method called Bring Your Own Vulnerable Driver (BYOVD). This attack targets vulnerabilities in the vsdatant.sys driver, which operates with high-level kernel privileges, allowing attackers to bypass Windows security measures. Specifically, version 14.1.32.0 of vsdatant.sys, released in 2016, contains vulnerabilities that enable attackers to circumvent the Windows Memory Integrity feature, gaining access to sensitive information and establishing persistent connections to compromised systems. Bagheri advises users to update to the latest version of vsdatant.sys, which is not vulnerable. CheckPoint confirmed that the outdated driver is no longer in use and that users running the latest versions of ZoneAlarm or Harmony Endpoint are not affected.