ThreatCluster

Soco404 and Koske Malware Target Cloud Services with Cross-Platform Cryptomining Attacks

Threat Score: 62 | 2 articles | 85.0% similarity | 15 hours ago

Activity Timeline: 2 articles, oldest Jul 25, latest Jul 25

Key Insights

1. Wiz Research identified the Soco404 cryptomining campaign exploiting misconfigurations in PostgreSQL databases, affecting nearly one-third of self-hosted instances in cloud environments.
2. The campaign deploys platform-specific malware on both Linux and Windows systems, utilizing fake 404 error pages to deliver payloads and process masquerading to hide malicious activities.
3. Attackers exploit PostgreSQL's COPY FROM PROGRAM feature for remote code execution (MITRE T1190), targeting publicly accessible cloud services.
4. Organizations must immediately secure PostgreSQL instances by restricting access and applying best practices for database configuration to mitigate risks.

Threat Overview

The Soco404 cryptomining campaign has been uncovered, targeting misconfigured PostgreSQL databases and cloud services to deploy malware on Linux and Windows systems [1][2]. Attackers scan opportunistically for publicly accessible, misconfigured instances, use fake error pages to disguise malicious payloads, and leverage PostgreSQL's COPY FROM PROGRAM feature for remote code execution [1]. This poses significant risks to organizations, particularly in cloud environments, as nearly one-third of PostgreSQL deployments are affected [1]. Immediate actions include restricting database access, auditing configurations, and applying security best practices to prevent exploitation [2].
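The two defensive actions named above, spotting COPY FROM PROGRAM abuse and auditing who may reach the database at all, can both be checked mechanically. The following Python is an added example, not code from ThreatCluster, Wiz or the cited articles. It assumes PostgreSQL statement logging is enabled with log_line_prefix '%t [%p] %u@%d ' and a standard pg_hba.conf layout; every log line and pg_hba entry in it is a constructed sample. It goes slightly beyond the text by also flagging COPY ... TO PROGRAM, because both directions spawn a process on the database host.

```python
"""Detection and hardening checks for the PostgreSQL abuse described above.

Added example, not ThreatCluster, Wiz or The Hacker News code. Assumes
PostgreSQL statement logging (log_statement = 'all') with
log_line_prefix = '%t [%p] %u@%d ' and the stock pg_hba.conf layout.
Every log line and pg_hba entry below is a constructed sample.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# COPY ... FROM PROGRAM and COPY ... TO PROGRAM both run a command on the
# database host as the postgres OS user, so either one is worth an alert.
COPY_PROGRAM_RE = re.compile(
    r"\bCOPY\b.*?\b(?:FROM|TO)\s+PROGRAM\b", re.IGNORECASE | re.DOTALL)

# Assumed prefix '%t [%p] %u@%d ' gives lines such as
# "2025-07-25 10:00:02 UTC [4322] user@db LOG:  statement: ..."
STATEMENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+) \[(?P<pid>\d+)\] "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) LOG:\s+(?:statement|execute \S+):\s*(?P<sql>.*)$")


def find_program_copies(log_text: str) -> List[Dict[str, str]]:
    """Return one record per logged statement that spawns a program via COPY."""
    hits = []
    for line in log_text.splitlines():
        m = STATEMENT_RE.match(line)
        if not m or not COPY_PROGRAM_RE.search(m["sql"]):
            continue
        hits.append({k: m[k] for k in ("ts", "pid", "user", "db", "sql")})
    return hits


def _is_world_open(address: str) -> bool:
    """True for pg_hba address fields that accept connections from anywhere."""
    if address == "all":
        return True
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:  # hostname, samehost, samenet: not a world-open CIDR
        return False


def audit_pg_hba(hba_text: str) -> List[Tuple[int, str]]:
    """Flag pg_hba.conf entries that expose the server to any source address
    or skip authentication entirely. Returns (line number, reason) pairs."""
    findings = []
    for lineno, raw in enumerate(hba_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0] == "local":
            continue  # comments, blanks and Unix-socket entries: no remote exposure
        if len(fields) >= 6 and re.fullmatch(r"[0-9a-fA-F.:]+", fields[4]):
            # "ADDRESS NETMASK METHOD" form with a separate netmask column
            address, method = f"{fields[3]}/{fields[4]}", fields[5]
        elif len(fields) >= 5:
            address, method = fields[3], fields[4]
        else:
            findings.append((lineno, "malformed entry"))
            continue
        if _is_world_open(address):
            findings.append((lineno, f"{fields[0]} entry accepts connections from any address ({address})"))
        if method == "trust":
            findings.append((lineno, "trust method: no authentication required"))
    return findings


# Constructed sample log: one benign file COPY, two program COPYs.
SAMPLE_LOG = """\
2025-07-25 10:00:01 UTC [4321] app@inventory LOG:  statement: SELECT id, name FROM products WHERE id = 7
2025-07-25 10:00:02 UTC [4322] postgres@postgres LOG:  statement: COPY staging FROM '/tmp/import.csv' CSV
2025-07-25 10:00:03 UTC [4323] postgres@postgres LOG:  statement: copy tmp from program 'echo hello'
2025-07-25 10:00:04 UTC [4323] postgres@postgres LOG:  statement: COPY (SELECT 1) TO PROGRAM 'cat > /dev/null'
2025-07-25 10:00:05 UTC [4324] app@inventory LOG:  execute S_1: SELECT count(*) FROM products
"""

# Constructed sample pg_hba.conf: lines 4, 5 and 6 are the weak ones.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   scram-sha-256
host    all       all   0.0.0.0/0      trust
host    all       all   0.0.0.0/0      md5
hostssl all       all   ::/0           scram-sha-256
host    all       all   10.0.0.0 255.0.0.0 scram-sha-256
"""

if __name__ == "__main__":
    for hit in find_program_copies(SAMPLE_LOG):
        print(f"ALERT {hit['ts']} pid={hit['pid']} {hit['user']}@{hit['db']}: {hit['sql']}")
    for lineno, reason in audit_pg_hba(SAMPLE_HBA):
        print(f"pg_hba.conf line {lineno}: {reason}")
```

COPY ... PROGRAM is only permitted to superusers and members of the pg_execute_server_program role, so any hit from an application account means that account is over-privileged; a hit from a superuser login over the network points at the exposure the pg_hba audit finds. The md5 entry on line 5 is reported too: a password alone does not make a world-reachable listener safe against the opportunistic scanning the campaign relies on.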

Tactics, Techniques & Procedures (TTPs)

T1190 Exploit Public-Facing Application: exploitation of PostgreSQL misconfigurations for remote code execution [1]
T1055 Process Injection: process masquerading to disguise malicious activities as legitimate processes [2]
T1071.001 Application Layer Protocol: Web Protocols: use of HTTP for command and control via fake error pages [2]
T1203.003 Exploitation for Client Execution: delivery of malware through crafted web pages [1]

Timeline of Events

2025-07-25: Wiz Research publicly discloses the Soco404 cryptomining campaign [1][2]
Ongoing: active exploitation of misconfigured PostgreSQL instances in cloud environments [1][2]
Powered by ThreatCluster AI; AI analysis may contain inaccuracies.

Related Articles (2)

1. Soco404 and Koske Malware Target Cloud Services with Cross-Platform Cryptomining Attacks
The Hacker News, 1 day ago (score 55, 96.0% similarity)
Threat hunters have disclosed two different malware campaigns that have targeted vulnerabilities and misconfigurations across cloud environments to deliver cryptocurrency miners. The threat activity clusters have been codenamed Soco404 and Koske by cloud security firms Wiz and Aqua, respectively. Soco404 "targets both Linux and Windows systems, deploying platform-specific malware," Wiz researchers Maor Dokhanian, Shahar Dorfman, and Avigayil Mechtinger said. "They use process masquerading to disguise

2. Beware of Fake Error Pages Deploying Platform-Specific Malware on Linux and Windows Systems
GB Hackers, 1 day ago (score 48, 96.0% similarity)
Wiz Research has uncovered an active cryptomining campaign, dubbed Soco404, that exploits misconfigurations in PostgreSQL databases and other cloud services to deploy platform-specific malware on both Linux and Windows systems. This operation, part of a broader crypto-scam infrastructure, leverages opportunistic scanning for exposed services, abusing features like PostgreSQL's COPY FROM PROGRAM for remote


Cluster Intelligence

Key entities and indicators for this cluster:

PLATFORMS: Windows, Linux, Apache, PostgreSQL, AWS
VULNERABILITIES: Remote Code Execution, DDoS, DoS
ATTACK TYPES: Remote Code Execution, Ransomware, Phishing, Social Engineering, Cryptojacking
COMPANIES: Google, Cisco, Apple, VMware, Amazon
SECURITY VENDORS: Wiz, Cloudflare
RANSOMWARE: DN, Korean, Zlader
MITRE ATT&CK: Masquerading, T1053.003, T1543.003, T1036.005, T1070.002
INDUSTRIES: Banking, Education, Mining
CVES: CVE-2025-24813
MALWARE: STOP, Dark

CLUSTER INFORMATION: Cluster #1378, created 15 hours ago, semantic algorithm