Rewterz Threat Alert – PgMiner Botnet Targets PostgreSQL Database on Linux Server
Severity
High
Analysis Summary
A botnet codenamed PgMiner has been observed brute-forcing internet-accessible PostgreSQL databases on Linux servers. It begins with a scanning phase: it picks a random public network range and probes it for systems exposing PostgreSQL on port 5432. Once it finds an active PostgreSQL instance, it moves to a brute-force phase, attempting to log in as the default user "postgres" with a long list of candidate passwords. The default PostgreSQL user has no password set for authentication. If the database owners have neither disabled this user nor changed its password, the attackers gain access to the database and use the PostgreSQL COPY FROM PROGRAM feature to escalate from the database application to the underlying server, taking over the entire operating system. Once they have a firmer hold on the infected system, the PgMiner operators deploy a coin-mining application and attempt to mine as much Monero cryptocurrency as possible before they are detected.
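As an added illustration of where a defender would look for the two stages described above (example code, not part of the Rewterz alert), the following Python script runs simple detection logic over constructed PostgreSQL server log lines: repeated password failures for the postgres user from a single host, and a logged COPY ... FROM PROGRAM statement. It assumes log_line_prefix is set to '%m [%p] %u@%d %h ' and log_statement = 'all'; the log lines, hosts and timestamps are made up.

```python
import re
from collections import Counter

# Constructed sample log lines (not taken from the alert or from any real server).
# Assumed log_line_prefix: '%m [%p] %u@%d %h '  and  log_statement = 'all'
SAMPLE_LOG = """\
2020-12-10 10:00:01.101 UTC [4412] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2020-12-10 10:00:01.354 UTC [4413] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2020-12-10 10:00:01.602 UTC [4414] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2020-12-10 10:00:01.855 UTC [4415] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2020-12-10 10:00:02.110 UTC [4416] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2020-12-10 10:00:02.401 UTC [4417] app@inventory 10.0.0.12 LOG:  statement: SELECT count(*) FROM orders
2020-12-10 10:00:03.009 UTC [4418] postgres@postgres 203.0.113.7 LOG:  connection authorized: user=postgres database=postgres
2020-12-10 10:00:03.240 UTC [4418] postgres@postgres 203.0.113.7 LOG:  statement: COPY tmp FROM PROGRAM 'id'
"""

# One log line under the assumed prefix: timestamp, pid, user@db, client host, level, message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@ ]+)@(?P<db>\S+) (?P<host>\S+) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
# COPY ... FROM PROGRAM and COPY ... TO PROGRAM both run a shell command on the server.
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*\b(FROM|TO)\s+PROGRAM\b", re.IGNORECASE)


def analyze(log_text, threshold=5):
    """Return {'brute_force': {(host, user): failures}, 'copy_program': [(host, user, msg)]}.

    brute_force lists (client host, user) pairs with at least `threshold` password
    failures; copy_program lists every logged statement that invokes COPY ... PROGRAM.
    """
    failures = Counter()
    copy_program = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not follow the assumed prefix; skip it
        msg = m.group("msg")
        fail = AUTH_FAIL_RE.search(msg)
        if fail:
            failures[(m.group("host"), fail.group("user"))] += 1
        if m.group("level") == "LOG" and "statement:" in msg and COPY_PROGRAM_RE.search(msg):
            copy_program.append((m.group("host"), m.group("user"), msg))
    brute_force = {key: n for key, n in failures.items() if n >= threshold}
    return {"brute_force": brute_force, "copy_program": copy_program}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On a real server the same two signals are cheaper to collect up front: require a password (or disable remote logins) for the postgres role in pg_hba.conf, and restrict who holds the pg_execute_server_program role that COPY ... PROGRAM needs.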