Wiz research has observed an active campaign exploiting various vulnerabilities and misconfigurations across cloud environments to deploy cryptominers.
In the variant described in the blog, the attacker exploited misconfigurations in PostgresSQL.
The attacker targets both Linux and Windows systems, deploying platform-specific malware.
They use process masquerading to disguise malicious activity as legitimate system processes.
They achieve persistence via cron job and shell initialization files (e.g., .bashrc, .profile).
They rely on compromised legitimate servers to host and deliver malware.
The malware spawns multiple child processes that communicate via local sockets.
Payloads are embedded in fake 404 HTML pages hosted on websites built using Google Sites. Note: We reported these sites to Google, and they have since been taken down.
We estimate that this campaign is part of a broader crypto-scam infrastructure.
Wiz Research has identified a new iteration of a broader malicious cryptomining campaign, which we’ve dubbed Soco404 (based on the observed payload name, associated domain, and use of fake error pages). While previous activity tied to this campaign has been documented by Aqua and Imperva as targeting exposed Apache Tomcat services with weak credentials , as well as vulnerable Apache Struts and Atlassian Confluence servers, our investigation uncovered a distinct case in which the attacker also targets exposed PostgreSQL instances and leverages compromised Apache Tomcat servers to host payloads tailored for both Linux and Windows environments. We also found evidence that the attacker is maintaining a broader crypto-scam infrastructure, further suggesting this is part of a long-term, versatile, and opportunistic operation.
The threat actor behind Soco404 has leveraged multiple types of infrastructure, which we have grouped into three distinct clusters:
Fake 404 Domains - Registered domains that display fake 404 error pages while embedding malicious payloads directly within the HTML content.
Crypto-Scam Websites - Domains used to host fraudulent cryptocurrency trading platforms, likely as part of a broader social engineering effort.
Compromised Infrastructure - Legitimate servers compromised via vulnerable Apache Tomcat instances, used to host and distribute malware payloads. Notably, the attacker has successfully compromised a legitimate Korean transportation website, demonstrating their ability to abuse trusted infrastructure for malicious purposes.
As mentioned in our previous blog post on PostgreSQL cryptojacking, our data shows that nearly 90% of cloud environments self-host PostgreSQL instances, and one-third of those have at least one instance publicly exposed to the internet. These exposed PostgreSQL servers are frequently targeted by threat actors, making them a high-risk attack surface.
In this writeup, we detail the Soco404 campaign, share IoCs, and provide insight into its ongoing activity. Based on the dynamic number of workers linked to the attacker’s crypto wallet within the mining pool, the campaign appears to still be active.
Threat actors are actively scanning for accessible services [T1110.003] that allow unauthenticated or low-effort entry points, with PostgreSQL frequently appearing in attack flows due to its prevalence and default configurations. Upon gaining access, attackers abuse PostgreSQL’s COPY ... FROM PROGRAM functionality to achieve remote code execution [T1190], enabling them to retrieve and execute malicious payloads directly on the host [T1059.004].
The attacker behind Soco404 appears to be conducting automated scans for exposed services, aiming to exploit any accessible entry point. Their use of a wide range of ingress tools, including Linux utilities like wget and curl, as well as Windows-native tools such as certutil and PowerShell, highlights an opportunistic strategy. Rather than relying on a single method or operating system, the attacker casts a wide net, deploying whichever tool or technique is available in the environment to deliver their payload. This flexible approach is characteristic of a broad, automated cryptomining campaign focused on maximizing reach and persistence across varied targets.
In the following sections we will detail both Linux and Windows payloads.
Upon successful exploitation the attacker runs the soco.sh script directly in memory, avoiding disk writes.
soco.sh is a dropper script that is in charge of setting the ground for the main payload. Key points:
1.Download & execute payload from http://<compromised-service>:8080/app2 [T1105]. The script generates a random filename based on the timestamp and drops it into a writable directory on disk, explicitly avoiding /tmp and /sys, likely for persistence or evasion purposes. Next, the script will run the sleep command for 2 seconds and then delete the binary from disk to minimize its footprint [T1070.004]. The server hosting the payload is a compromised [T1584.004], publicly accessible Apache Tomcat instance. Based on Aqua’s findings, it is likely that the attacker gained access via weak credentials, though exploitation of the CVE-2025-24813 vulnerability [T1190] is also a possible entry vector given the versions in use.
In the following section, we detail the behavior of the downloaded payload.
2. Eliminate potential competing miners by clearing /etc/ld.so.preload, remove suspicious cron jobs, and forcefully killing processes with separate mount namespaces.
3. Remove evidence of execution and reduce forensic visibility by overwriting logs including cron and wtmp [T1070.002]:
4. If the script is running as root, it will attempt to optimize memory performance and Maximize CPU efficiency for cryptomining.
*See full soco.sh script in Archive section below.
The binary app2 (14bf32e780601c6870811982648cf293) is a UPX [T1027.002] packed Go binary obfuscated [T1027] using Garble to hinder analysis. Its primary function is to act as a loader for the main payload.
Upon execution, the malware unpacks itself into memory and spawns multiple child processes. One of these processes is responsible for re-executing the binary under the name (sd-pam), in an attempt to masquerade [T1036.005] as the legitimate systemd user service that handles PAM (Pluggable Authentication Modules) sessions on Linux systems.
After this, it reaches out to the command-and-control (C2) server at https[:]//www[.]fastsoco[.]top, which hosts the main payload at https[:]//www[.]fastsoco[.]top/1.
This website is based on Google Sites (https[:]//sites[.]google[.]com/view/2025soco/), which, when accessed, displays a fake 404 error page [T1583.006]. The actual binary is embedded within the HTML content [T1027.006] as a base64-encoded blob, which is extracted by searching for content between the markers exe101 and exe101.
The main payload is executed with the names [cpuhp/1] and [kworker/R-rcu_p] to masquerade as kernel related processes [T1036.005].
It establishes the following persistence:
1.Crontab
A new cron job is added to run the malware every minute [T1053.003]:
2. Shell initialization files
The following command is appended to /etc/profile, .bashrc, and .profile [T1546.004]:
During execution, the malware creates multiple forked processes and drops additional copies of itself to disk using randomly generated filenames. These processes interact with each other via local socket communication [T1559], likely to coordinate functionality or monitor each other for resilience.
Once established, it begins cryptocurrency mining [T1496] by connecting to the pools c3pool and moneroocean, using the following wallet address:
The Windows initial post exploitation command is designed to download and execute a Windows binary (ok.exe) from the compromised server using multiple fallback methods to maximize the chances of successful execution. It begins by invoking certutil, a legitimate Windows utility originally intended for managing certificates, which also includes functionality for downloading files from URLs. Attackers frequently abuse certutil because it is built-in, commonly allowed by endpoint defenses, and can fetch and save remote payloads without raising immediate suspicion. If certutil fails or is blocked, the command falls back to using PowerShell’s Invoke-WebRequest, and finally to curl [T1105], each attempting to download the file to C:\Users\Public\ directory, a universally writable path, and execute it.
The ok.exe binary functions as a loader that embeds both the main payload and the WinRing0.sys driver. Upon execution, it copies itself to C:\ProgramData\fuekghfebdot\hunyknsmqtgn.exe or C:\ProgramData\ blbsihkzkqxm\wytourcabiik.exe and establishes persistence by creating a service [T1543.003] with a random 8-character uppercase alphabetical name:
It then attempts to cover its tracks by stopping the Windows event log service [T1562.002]:
To remove evidence of the original binary, the malware executes a self-deletion command [T1027.002]. It uses the choice command to introduce a 3-second delay before deleting the file.
Afterward, it spawns a conhost.exe process and injects the main payload into it, [T1055], creating multiple threads that communicate via TCP sockets [T1559]. It also drops the WinRing0.sys driver with a random name to the temp directory. WinRing0.sys is a component commonly used by cryptominers like XMRig to gain low-level access to system resources and improve performance.
The malware ultimately begins mining cryptocurrency [T1496] using the same wallet that was used by the Linux payload.
During our analysis, we identified that one of the attacker’s payloads was hosted on a fake cryptocurrency exchange website, seeyoume[.]top, which claimed affiliation with the Hong Kong Stock Exchange (HKEX). When accessing seeyoume[.]top/sol, we received a fake 404 error page that embedded the same shell script seen in the previously documented instances of the campaign.
Further investigation into the domain led us to a Russian scam alert website, which linked seeyoume[.]top to a broader crypto-scam operation and detailed the scam’s workflow. The alert also referenced additional domains associated with the scam;
arcticoins[.]com
diamondcapitalcrypro[.]com
nordicicoins[.]com
hkcapitals[.]com
diamondcapitalcrypro[.]com was still live and hosted nearly identical fake crypto exchange website, reinforcing the likelihood of a coordinated scam infrastructure.
The Wiz Dynamic Scanner detects publicly exposed PostgreSQL services configured with weak or default credentials within customers' cloud environments. The Wiz agentless workload scanner detects containers and VMs hosting PostgreSQL and identifies if they contain sensitive data or have access to highly privileged service accounts (which could just as easily be abused by opportunistic attackers for purposes other than cryptojacking).
The Wiz Runtime Sensor detects events and behaviors associated with this threat and similar ones, alerting you as the adversary progresses through the attack kill chain: from the exploit to the initial payload delivery, persistence creations and ultimately to the final cryptomining activity.
Below is an example of the initial access vector identified by the detection 'Anomalous shell execution by a database process':
soco.sh script:
| Indicator | Description |
|---|---|
| c9bb137d56fab7d52b3dbc85ae754b79d861a118bfb99566faaa342c978285ff | SHA-256 soco.sh |
| bac4b166dec1df8aa823a15136c82c8b50960b11a0c4da68b8d7dedcb0f3a794 | SHA-256 soco.sh |
| c67e876d7b3ae5f3c4fd626d8ba62e77bd47dfdf51f7a4438edd64bd0f88ce3a | SHA-256 soco.sh |
| 039caa15c1a54b49250717e68cd1a78a4be17b80e8062441c340eba0674e5926 | SHA-256 of ldr.sh |
| 0ad013c5166900b9c57a7ff771dbbf8b11f8a3be46a85cff6ced83ceb1a38f8d | SHA-256 of ldr.sh |
| 5a8e5d7dfc7ccadf8b66fa8b04cf33010f0384072fc9b1fc79e7e1a65a0c701c | SHA-256 of ldr.sh |
| 9055bcd42263d83943358f76b13cdf24079ef9db8a2167658089be5324279485 | SHA-256 of ldr.sh |
| a1fbaee0915edd8568fcea9868fd511adb43faf93bd0abd63788a61febcff13b | SHA-256 of ldr.sh |
| 09e7232ef9322792f6340cc637d3ba2292383c2d353196252bd7a3cf00f4ba0e | SHA-256 of ldr.sh |
| d62c4c621de5e6deee28454413c612cd99511aaa85f9722c1ebadc731d22cab2 | SHA-256 of ldr.sh |
| e7fe0a5c6c198be8941d5a1be7c0669688c45751e9bf0d16a0ae6ae1d0e7a957 | SHA-256 of ELF malware |
| e69e55027bf64011599ae1283d15d157bfefed1c03e20fe72ecf7e90fd451e76 | SHA-256 of ELF malware |
| 424f15e2509ed62c95d5637df0b519c40f73b3cbb00b7a8073ba89ddad7e5dc1 | SHA-256 of ELF malware |
| 22abd35b6afd1909e6d71bd75b2ac23890e2675f9d40e403b0cfd4ed155a96f6 | SHA-256 of ELF malware |
| cbb9d5c601fca0b9b25ec914431abc35c45d5f4c2bbf18e14661aadd8e7e2f47 | SHA-256 of ELF malware |
| 68bb9e294ba7f1b0426e16abbdb5c8f29daa8e8d98aee7a430ead97f2ffadd3a | SHA-256 of ELF malware |
| 8739f0189f64636fab1965bb066ba67a980ecabafd4307f4fb732ffdc154fa04 | SHA-256 of ELF malware |
| 54303aa4f7b7ae3137f5f1368dba6b9b90f7826b8b18132ea495fff29f33f1e4 | SHA-256 of ELF malware |
| 13e3cb74ad420c0770b9fedae617eaf312272db12035e4f64ebb606ac96f6ef0 | SHA-256 of ELF malware |
| 498ecdfce65d739154b39703c63c8f4334066655e1cc8024c2716e280598cacc | SHA-256 of ok.exe Windows malware |
| 8d06979a38ee5ef6f03817a1d16ab75171528cfaf8f743bfe64b45abd6c26142 | SHA-256 of ok.exe Windows malware |
| bf038c13468a9b75278ea198c3d41d4ad4fc14e447d9dd0a94915ce2ab8132e5 | SHA-256 of ok.exe Windows malware |
| a047e82948bf7c43281c975b9588bf5d4500fd671a5e25fc3f9206cbd1827dfd | SHA-256 of ok.exe Windows malware |
| 5b224a091151661943e038066ef03f7b5bab055187f3b1b582dbfe392e74c921 | SHA-256 of appx.exe Windows malware |
| 0086fe6259af25f3b5a12d81080bed61938cc70ebdf480501acc1c10ac39c74a | SHA-256 of os.exe Windows malware |
| 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 | SHA-256 of WinRing0.sys |
| https[:]//sites[.]google[.]com/view/2025soco/ | Payload hosting site |
| https://sites[.]google[.]com/view/dblikes | Payload hosting site |
| https://sites[.]google[.]com/view/sogoto | Payload hosting site |
| https://sites[.]google[.]com/view/osk05 | Payload hosting site |
| www[.]fastsoco[.]top | Payload hosting site |
| dblikes[.]cyou | Payload hosting site |
| seeyoume[.]top | Payload hosting site |
| arcticoins[.]com | Crypto scam domain |
| diamondcapitalcrypro[.]com | Crypto scam domain |
| nordicicoins[.]com | Crypto scam domain |
| hkcapitals[.]com | Crypto scam domain |
| auto.c3pool.org | Mining pool |
| gulf.moneroocean.stream | Mining pool |
| 483F2xjkCUegxPM7wAexam1Be67EqDRZpS7azk8hcGETSustmuxd1Agffa3XSHFyzeFprLyHKm37bTPShFUTKgctMSBVuuK | Attacker’s crypto wallet address |
| 8BmVXbfsnRsiyPfUxsfnyyA9LqXvUsF2DYBX3wUmCEtejnBMyTiXe3XDCvq4REjmviEc5J1gomsnv7e4wYy1c5Pz3VadeyZ | Attacker’s crypto wallet address |
Command and Control - Ingress Tool Transfer (T1105)
Credential Access - Brute Force: Password Spraying (T1110.003)
Defense Evasion - Impair Defenses: Disable Windows Event Logging (T1562.002)
Defense Evasion - Indicator Removal: Clear Linux or Mac System Logs (T1070.002)
Defense Evasion - Indicator Removal: File Deletion (T1070.004)
Defense Evasion - Masquerading: Match Legitimate Name or Location (T1036.005)
Defense Evasion - Obfuscated Files or Information (T1027.002)
Defense Evasion - Obfuscated Files or Information: HTML Smuggling (T1027.006)
Defense Evasion - Obfuscated Files or Information: Software Packing (T1027.002)
Defense Evasion - Process Injection (T1055)
Execution - Command and Scripting Interpreter: Unix Shell (T1059.004)
Execution - Inter-Process Communication (T1559)
Initial Access - Exploit Public-Facing Application (T1190)
Impact – Resource Hijacking (T1496)
Persistence - Create or Modify System Process: Windows Service (T1543.003)
Persistence - Scheduled Task/Job: Cron (T1053.003)
Persistence - Event Triggered Execution: Unix Shell Configuration Modification (T1546.004)
Resource Development - Acquire Infrastructure: Web Services (T1583.006)
Resource Development - Compromise Infrastructure: Server (T1584.004)
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。