A recent wave of cyberattacks, extensively analyzed by Wiz Research, is exploiting a multitude of vulnerabilities and security misconfigurations across cloud environments to deploy sophisticated cryptocurrency mining malware.
This active campaign, dubbed Soco404, leverages fake 404 error pages to obfuscate and deliver malicious payloads tailored for both Linux and Windows platforms, marking a new evolution in opportunistic cryptojacking threats.
PostgreSQL in the Crosshairs
Unlike prior variants of similar campaigns targeting weak credentials in Apache Tomcat, Atlassian Confluence, and Apache Struts, Soco404 introduces the exploitation of misconfigured PostgreSQL databases as a novel initial access vector.
According to Wiz, nearly 90% of cloud environments deploy self-hosted PostgreSQL instances, and alarmingly, a third of these are exposed to the public internet, making them a lucrative target for attackers seeking unguarded entry points.
The campaign employs automated scanning techniques to identify accessible database services, specifically abusing PostgreSQL’s “COPY … FROM PROGRAM” command to achieve remote code execution.
Once inside, the attacker’s payloads are retrieved using utilities native to each operating system, such as curl, wget, certutil, and PowerShell, demonstrating a flexible, multi-pronged approach that maximizes the campaign’s impact.
Payload Evolution
After exploiting a service, the initial Linux foothold comes via an in-memory shell script, soco.sh, which orchestrates a series of evasive tactics: downloading an obfuscated secondary payload from a compromised Apache Tomcat server, eradicating competing miners, scrubbing forensic logs, and aggressively masking malicious activity as legitimate system processes such as sd-pam or [kworker/R-rcu_p].
Persistence is secured through cron jobs and shell initialization files (.bashrc, .profile), ensuring the malware can survive reboots and escalate resource use for mining efficiency.
Similarly, on Windows systems, the infection chain pivots to “ok.exe”, arriving via certutil, PowerShell, or curl.
The loader establishes service-based persistence and disables event logging, while injecting its main payload into conhost.exe and leveraging the WinRing0.sys driver to accelerate mining operations.
A unique facet of Soco404 is its use of legitimate but compromised cloud infrastructure, including Google Sites and trusted brands, to host malware-laden, base64-encoded payloads camouflaged within fake HTML error pages.
This not only evades detection but also blurs attribution, as some host servers belong to reputable sites, such as a Korean transportation portal.
Beyond cryptomining, analysis indicates Soco404 is part of an expansive criminal crypto-scam ecosystem.
Several associated domains mimic legitimate trading platforms, presumably to facilitate both technical exploits and social engineering.
Dynamic mining pool usage and evidence of active wallet addresses suggest the campaign is ongoing and adapting.
Wiz recommends stringent cloud security hygiene: closing unnecessary exposure, monitoring for suspicious process behavior, and using integrated runtime detection tools.
The indicators of compromise (IoCs) compiled by Wiz, encompassing hashes, wallet addresses, and malicious domains, offer critical intelligence for defenders seeking to identify and disrupt Soco404 activities.
Indicators of Compromise (IoCs)
| Indicator | Description |
|---|---|
| c9bb137d56fab7d52b3dbc85ae754b79d861a118bfb99566faaa342c978285ff | SHA-256 soco.sh |
| 9055bcd42263d83943358f76b13cdf24079ef9db8a2167658089be5324279485 | SHA-256 ldr.sh |
| e7fe0a5c6c198be8941d5a1be7c0669688c45751e9bf0d16a0ae6ae1d0e7a957 | SHA-256 ELF malware |
| 498ecdfce65d739154b39703c63c8f4334066655e1cc8024c2716e280598cacc | SHA-256 ok.exe Windows malware |
| 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 | SHA-256 WinRing0.sys |
| https[:]//sites[.]google[.]com/view/2025soco/ | Payload hosting site |
| www[.]fastsoco[.]top | Payload hosting site |
| seeyoume[.]top | Payload hosting / crypto scam |
| diamondcapitalcrypro[.]com | Crypto scam domain |
| auto.c3pool.org | Mining pool |
| 8BmVXbfsnRsiyPfUxsfnyyA9LqXvUsF2DYBX3wUmCEtejnBMyTiXe3XDCvq4REjmviEc5J1gomsnv7e4wYy1c5Pz3VadeyZ | Attacker’s crypto wallet address |