Cloud Malware Spreads Cryptominers

Posted on September 3, 2025 (updated September 26, 2025) by Finstein.ai

Soco404 and Koske exploit configs with fake pages, mining on global cloud systems
July 2025

Security researchers have uncovered two separate malware campaigns — Soco404 and Koske — that exploit vulnerabilities and misconfigurations in cloud environments to install cryptocurrency miners on both Linux and Windows systems.

Soco404 Campaign

Attributed to threat actors tracked by Wiz, Soco404 targets exposed services on both Linux and Windows, hosting its malicious payloads inside fake 404 pages on Google Sites. The campaign uses process masquerading so that its malware appears to be a legitimate system process.

Key attack vectors include:

  • Apache Tomcat, Apache Struts, and Atlassian Confluence servers with weak credentials.
  • PostgreSQL databases, using the COPY … FROM PROGRAM command to execute shell commands.
  • Hacked Korean transportation websites for malware delivery.

On Linux:

  • Payloads are executed in memory.
  • Competing miners are terminated.
  • System logs (e.g., cron, wtmp) are overwritten to evade forensics.

On Windows:

  • The malware downloads a binary containing a WinRing0.sys driver to escalate to NT\SYSTEM.
  • It disables event logs and self-deletes to avoid detection.

The campaign’s infrastructure includes domains such as www.fastsoco[.]top. Its approach is highly automated and opportunistic, relying on common tooling such as wget, curl, certutil, and PowerShell for download and execution.

Koske Campaign

Discovered by Aqua Security, Koske is a Linux-only malware that abuses polyglot image files — valid-looking JPEGs of pandas with embedded malware.

Attack details:

  • Initiated via misconfigured servers like JupyterLab.
  • Loads a C-based rootkit using LD_PRELOAD to hide files and activity.
  • Directly executes crypto-mining payloads in memory.
  • Targets CPU and GPU resources to mine 18+ coins (e.g., Monero, Ravencoin, Nexa, Zano, Tari).

These polyglot files are not steganographic: the shellcode is simply appended to the image’s trailing bytes, after the data a viewer needs to render the picture. The malware extracts and executes that trailing data, and because the file still parses as a valid JPEG, traditional antivirus defenses tend to miss it.
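A defender can catch this class of polyglot without any signature by walking the JPEG segment structure to the EOI marker (FF D9) and reporting anything that follows it. The example below is added here for illustration; it is not code from the post or from the Koske/Soco404 research, and the JPEG bytes and the appended payload are constructed samples.

```python
import struct

SOI = b"\xff\xd8"  # start-of-image marker every JPEG begins with


def find_jpeg_end(data: bytes):
    """Return the offset just past the EOI marker, or None if not a parseable JPEG.

    Walking the segment structure (instead of searching for the last FF D9)
    means an FF D9 inside an appended payload cannot hide the trailing data.
    """
    if not data.startswith(SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                          # lost marker sync: malformed
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI: the real image ends here
            return pos + 2
        if marker in (0xFF, 0x01) or 0xD0 <= marker <= 0xD8:
            pos += 1 if marker == 0xFF else 2   # fill byte / standalone markers
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:
            return None
        pos += 2 + seg_len
        if marker == 0xDA:                       # SOS: skip entropy-coded scan data
            while pos + 1 < len(data):
                nxt = data[pos + 1]              # FF00 is stuffing, FFD0-D7 are restarts
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def trailing_bytes(data: bytes) -> bytes:
    """Everything after the image proper (b'' for a clean file)."""
    end = find_jpeg_end(data)
    if end is None:
        raise ValueError("not a parseable JPEG")
    return data[end:]


def classify(data: bytes) -> str:
    extra = trailing_bytes(data)
    if not extra:
        return "clean"
    if extra.startswith(b"#!"):
        return "trailing-script"                 # shell script glued to the image
    if extra.startswith(b"\x7fELF"):
        return "trailing-elf"                    # native binary glued to the image
    return "trailing-data"


# Constructed minimal JPEG: SOI, APP0 (JFIF), SOS, scan data with a stuffed FF00, EOI.
CLEAN_JPEG = (SOI
              + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
              + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")
PAYLOAD = b"#!/bin/sh\necho constructed-sample-payload\n"  # harmless stand-in
POLYGLOT = CLEAN_JPEG + PAYLOAD
```

Running `classify()` over every image an untrusted host has written is cheap enough to schedule, and any non-"clean" result on a supposedly static picture deserves a look.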

Futureproof your systems. One update can stop a disaster.

praveen@finstein.ai | https://cyber.finstein.ai/

Source: Soco404 and Koske Malware Target Cloud Services with Cross-Platform Cryptomining Attacks
