Published on: July 26, 2025
By: CyberDudeBivash Editorial Team
Security researchers at Wiz have uncovered a sophisticated campaign, dubbed Soco404, that uses weaponized fake 404 error pages to distribute platform-specific malware across Linux and Windows systems. The strategy hides malicious payloads inside error-page HTML, bypassing traditional defenses and launching cryptominers or other malware directly on victim hosts.
Attackers scan for publicly exposed PostgreSQL databases and abuse COPY ... FROM PROGRAM to execute arbitrary commands with the permissions of the database service.
Victims receive a seemingly harmless 404 page (e.g. https://fastsoco.top/1) containing base64-encoded payloads that are decoded and executed in memory, entirely bypassing disk-based detection.
- Linux payload (soco.sh): Drops a shell script that downloads obfuscated ELF binaries, removes competing miners, scrubs logs, and installs cron-based persistence.
- Windows payload (ok.exe): Delivered via certutil, PowerShell, or curl. It disables Windows logging, injects into conhost.exe, installs a WinRing0.sys driver, then spawns mining workloads.
- Process masquerading: Runs under kernel-like names (sd-pam, [kworker/R-rcu_p]) and hides behind cron jobs and shell init files.
- Mitigation: Restrict COPY FROM PROGRAM for untrusted users.
- Detection: Watch for bash commands launched from a web server or database context, and for custom services appearing under Linux kernel-named processes.
- Indicators: fastsoco.top and sites.google.com/view/2025soco/*.
- Watch for XMRig or wallet address activity.

Feature | Soco404 Campaign Characteristics |
---|---|
Vector | Fake 404 pages hosting base64-encoded payload |
Platforms | Linux and Windows (dual support) |
Delivery Channels | Hidden behind normal HTML structures |
Persistence Techniques | Cron jobs, shell init, Windows services, process masquerading |
Primary Objective | Cryptomining via CPU/GPU hijack |
Detection Challenges | In-memory execution, base64 embedded content, trusted host domains |
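Two detection checks a defender can run over host and database telemetry for the process masquerading and COPY FROM PROGRAM behaviour described above. This is an added example, not code from the Wiz research or from this post; the ps output and PostgreSQL log lines are constructed samples, and the heuristic that genuine Linux kernel threads are always children of kthreadd (PID 2) is the assumption the process check relies on.

```python
import re

# Constructed sample of `ps -eo pid,ppid,comm,args` output (not real telemetry).
# PID 2201 is a user-space child of postgres whose argv was rewritten to look
# like a kernel worker thread, the masquerading trick described in the post.
SAMPLE_PS = """\
    PID    PPID COMMAND         COMMAND
      1       0 systemd         /sbin/init
      2       0 kthreadd        [kthreadd]
     15       2 rcu_sched       [rcu_sched]
    340       2 kworker/0:1     [kworker/0:1]
   2104       1 postgres        /usr/lib/postgresql/15/bin/postgres
   2201    2104 sd-pam          [kworker/R-rcu_p]
"""

# Constructed PostgreSQL log lines (assumes log_statement = 'all').
SAMPLE_PG_LOG = """\
2025-07-26 10:14:58 UTC [2150] app@appdb LOG:  statement: SELECT 1
2025-07-26 10:15:02 UTC [2150] app@appdb LOG:  statement: COPY scratch FROM PROGRAM 'uname -a'
2025-07-26 10:15:05 UTC [2150] app@appdb LOG:  statement: COPY scratch FROM '/tmp/data.csv'
"""

KTHREAD_NAME_RE = re.compile(r"^\[.+\]$")          # e.g. [kworker/0:1]
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.IGNORECASE)


def find_masquerading_processes(ps_output: str) -> list[dict]:
    """Flag processes that carry a kernel-thread style name but are not
    children of kthreadd (PID 2). A user-space process can rename itself,
    but it cannot change its parent to PID 2."""
    findings = []
    for line in ps_output.splitlines()[1:]:        # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, ppid, comm, args = int(parts[0]), int(parts[1]), parts[2], parts[3]
        if KTHREAD_NAME_RE.match(args) and pid != 2 and ppid != 2:
            findings.append({"pid": pid, "ppid": ppid, "comm": comm, "args": args,
                             "reason": "kernel-thread name but parent is not kthreadd"})
    return findings


def find_copy_from_program(log_text: str) -> list[str]:
    """Return PostgreSQL log lines that ran COPY ... FROM PROGRAM, the feature
    abused for initial command execution on exposed databases."""
    return [l for l in log_text.splitlines() if COPY_PROGRAM_RE.search(l)]


if __name__ == "__main__":
    for f in find_masquerading_processes(SAMPLE_PS):
        print(f"suspicious pid {f['pid']} ({f['comm']} -> {f['args']}): {f['reason']}")
    for l in find_copy_from_program(SAMPLE_PG_LOG):
        print("COPY FROM PROGRAM seen:", l)
```

On a live host the same check can be fed from `ps -eo pid,ppid,comm,args`; pair it with a cross-check of /proc/<pid>/exe, which is empty for real kernel threads.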
Have you spotted unusual CPU usage on Linux or unexplained conhost.exe activity on Windows?
Share your observations below or tweet us at @CyberDudeBivash!
For proactive threat intelligence, including malware TTPs and cross-platform intrusion strategies, subscribe to our CyberMagazine: cyberdudebivash.com
Tags: #Soco404 #Cryptomining #FakeErrorPage #CrossPlatformMalware #LinuxThreats #WindowsThreats #InMemoryAttack #Cybersecurity #CyberDudeBivash