Wiz Research has uncovered a persistent and evolving cryptojacking operation known as “Soco404,” a campaign that exploits cloud misconfigurations and vulnerabilities to mine cryptocurrency across Linux and Windows environments. The attackers use advanced stealth techniques, fake 404 error pages, and compromised infrastructure to distribute malware while leaving minimal forensic traces.
Unlike earlier activity observed by Aqua and Imperva that targeted weak Apache Tomcat and Atlassian Confluence setups, the Soco404 variant detailed by Wiz expands its attack surface to include misconfigured PostgreSQL instances. This marks a strategic shift toward a more opportunistic, multi-vector approach.
“Our investigation uncovered a distinct case in which the attacker also targets exposed PostgreSQL instances and leverages compromised Apache Tomcat servers to host payloads tailored for both Linux and Windows environments,” the report states.
The operation includes three infrastructure clusters:
- Fake 404 Domains – Sites that embed payloads directly into HTML responses.
- Crypto-Scam Websites – Fraudulent trading platforms for social engineering.
- Compromised Infrastructure – Trusted servers hijacked to deliver malware.
PostgreSQL has emerged as a favored entry point. Wiz notes that nearly 90% of cloud environments self-host PostgreSQL, and one-third of those expose at least one instance publicly—making them prime targets.
“Upon gaining access, attackers abuse PostgreSQL’s COPY … FROM PROGRAM functionality to achieve remote code execution, enabling them to retrieve and execute malicious payloads directly on the host,” the report explains.
Attackers deploy the soco.sh script directly in memory using utilities like curl or wget. This script downloads a binary (app2), runs it briefly, deletes it to erase evidence, and cleans logs including /var/log/secure and /var/log/cron.
The Linux payload (delivered as app2) is a UPX-packed Go binary obfuscated with Garble. It disguises itself as sd-pam or kworker/R-rcu_p, processes normally associated with systemd or the kernel.
“One of these processes is responsible for re-executing the binary under the name (sd-pam), in an attempt to masquerade as the legitimate systemd user service,” the report writes.
The malware embeds persistence mechanisms using cron jobs and shell initialization files like .bashrc, and establishes socket-based communication between child processes.
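A host-side check for the process disguises described above, added here as an example and not code from Wiz or the campaign: genuine kworker threads are children of kthreadd with no executable or argv, a genuine (sd-pam) is forked by `systemd --user` and still maps the systemd binary, and a self-deleting dropper leaves a "(deleted)" executable link. The process records are constructed to mimic /proc, and the systemd path and the Proc fields are assumptions.

```python
"""Flag processes whose name imitates a kernel thread or systemd's (sd-pam)
helper but whose /proc-style metadata does not match the genuine article."""
import re
from dataclasses import dataclass

KTHREADD_PID = 2                          # parent of every genuine kernel thread
SYSTEMD_EXE = "/usr/lib/systemd/systemd"  # assumed path; varies by distro
KTHREAD_NAME = re.compile(r"^kworker/")


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str        # /proc/<pid>/comm, the name the malware masquerades under
    cmdline: str     # /proc/<pid>/cmdline, "" for kernel threads
    exe: str         # readlink of /proc/<pid>/exe, "" if unreadable (kernel threads)
    parent_cmd: str  # cmdline of the parent process


def suspicious_reasons(p: Proc) -> list[str]:
    reasons = []
    if KTHREAD_NAME.match(p.comm):
        # A real kworker is a kernel thread: parented by kthreadd, no exe, no argv.
        if p.ppid != KTHREADD_PID:
            reasons.append("kworker name but parent is not kthreadd")
        if p.exe or p.cmdline:
            reasons.append("kworker name but has a user-space executable")
    if p.comm == "(sd-pam)":
        # Genuine (sd-pam) is forked from 'systemd --user' and maps the systemd binary.
        if not p.parent_cmd.startswith("systemd --user"):
            reasons.append("(sd-pam) not spawned by systemd --user")
        if p.exe != SYSTEMD_EXE:
            reasons.append("(sd-pam) exe is not the systemd binary")
    if p.exe.endswith(" (deleted)"):
        # Soco404 deletes app2 after launch; the mapped image then shows as deleted.
        reasons.append("executable deleted from disk while running")
    return reasons


def scan(procs: list[Proc]) -> dict[int, list[str]]:
    return {p.pid: r for p in procs if (r := suspicious_reasons(p))}


# Constructed sample snapshot (not real data) mirroring the campaign's disguises.
SAMPLE = [
    Proc(77, 2, "kworker/u8:1", "", "", ""),                                   # genuine
    Proc(1201, 1200, "(sd-pam)", "(sd-pam)", SYSTEMD_EXE, "systemd --user"),   # genuine
    Proc(4410, 1, "kworker/R-rcu_p", "/tmp/app2", "/tmp/app2 (deleted)", "/sbin/init"),
    Proc(4411, 4410, "(sd-pam)", "/tmp/app2", "/tmp/app2 (deleted)", "/tmp/app2"),
]

if __name__ == "__main__":
    for pid, why in scan(SAMPLE).items():
        print(pid, "; ".join(why))
```

On a live host the same fields come from /proc/<pid>/{comm,cmdline,exe,status}; the rules key on structural facts rather than the name alone, so a renamed dropper still stands out.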
It connects to the attacker’s C2 server via a fake 404 page at:
https://www.fastsoco.top/1
“The actual binary is embedded within the HTML content as a base64-encoded blob.”

Persistence is achieved by creating a Windows service with a randomly generated name, while logs are wiped using:
sc.exe stop eventlog
To cover its tracks, the malware executes a delayed self-delete:
cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Public\os.exe"
It then injects its payload into conhost.exe, spawns multiple threads, and begins mining via pools like c3pool and moneroocean.
Wiz researchers traced a payload back to a fake cryptocurrency exchange website, seeyoume[.]top, masquerading as an affiliate of the Hong Kong Stock Exchange.
“We received a fake 404 error page that embedded the same shell script seen in the previously documented instances of the campaign,” the report confirms.
Further domain analysis revealed ties to a broader scam ecosystem including:
- diamondcapitalcrypro[.]com
- hkcapitals[.]com
- nordicicoins[.]com
These sites shared nearly identical templates and functions—supporting the hypothesis of a coordinated crypto-scam network.