Soco404 Malware: Cryptojacking Campaign Hijacks 404 Pages and PostgreSQL Servers


A new breed of cryptojacking malware is rewriting the playbook on stealth attacks. Dubbed Soco404, this campaign leverages 404 error pages, misconfigured PostgreSQL servers, and compromised web infrastructure to mine cryptocurrency across both Linux and Windows systems—without raising traditional red flags.

Malware Hiding in Plain Sight: The 404 Trick

Unlike conventional malware droppers or phishing tactics, Soco404 embeds its Base64-encoded payloads directly inside 404 error pages. These payloads are cleverly disguised within normal-looking HTML tags, making them nearly invisible to standard URL filtering tools and static scanners.

Researchers at Wiz.io discovered that these error pages, hosted on Google Sites and compromised Apache Tomcat servers, serve as the delivery mechanism. Once fetched, whether by an unsuspecting user or an automated process, they quietly launch cryptomining scripts on the target system, siphoning CPU cycles for profit.

Evolution of a Miner Bot

Soco404 is not entirely new. Investigators believe it evolved from earlier miner bot campaigns that exploited:

  • Weak Tomcat credentials

  • Unpatched Atlassian Confluence instances

However, the latest iteration—surfacing in mid-2025—has refined its tactics and broadened its reach.

Exploiting PostgreSQL: The Power of COPY FROM PROGRAM

A standout technique in Soco404’s arsenal is the abuse of PostgreSQL’s COPY FROM PROGRAM feature, which allows execution of system commands through the database interface. Attackers scan for publicly exposed PostgreSQL services—a risk that affects nearly one-third of cloud deployments.

Once inside a vulnerable instance, the malware uses this feature to pivot laterally across environments, spinning up new miners across mixed Linux and Windows estates.

Infection Path and Persistence

Beyond cloud databases, the adversary uses already-compromised web servers as infrastructure, allowing its downloads to blend into legitimate traffic. Some of these servers include Korean transportation websites, which now silently serve:

  • soco.sh for Linux systems

  • ok.exe for Windows systems

Once executed, the malware:

  • Deletes itself to hinder forensic analysis

  • Masquerades as system processes like sd-pam, kworker/R-rcu_p, or randomly named Windows services

  • Schedules cron jobs and shell init hooks

  • Disables Windows Event Logs to avoid detection

Signs of Infection

This campaign is designed to operate below the radar. Most victims don’t realize they’re infected until they notice:

  • A gradual spike in electricity usage

  • Performance degradation

  • No corresponding alerts or alarms on security dashboards

The attackers’ goal is to quietly mine cryptocurrency at scale, avoiding immediate shutdown or attention.

Defensive Measures

To reduce exposure to Soco404 and similar campaigns, organizations should:

  1. Audit public-facing services, especially PostgreSQL and Tomcat instances

  2. Disable COPY FROM PROGRAM in PostgreSQL when not explicitly needed

  3. Patch known vulnerabilities in web servers and frameworks

  4. Monitor for unusual CPU usage spikes and resource drains

  5. Inspect web server traffic for unexpected error page activity or embedded scripts
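As an added example for step 5 (this is not code from the Wiz report or the article), here is a small Python scanner that pulls long Base64 runs out of an error page's tags and text, decodes them, and flags any that decode to shell or PowerShell content. The payload and page it checks are constructed placeholders, not samples from the campaign.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Long unbroken Base64 runs are unusual in a genuine error page.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# Markers suggesting a decoded blob is a shell or PowerShell script.
SCRIPT_MARKERS = (b"#!/bin/", b"curl ", b"wget ", b"chmod +x", b"crontab", b"powershell")

class _ChunkCollector(HTMLParser):
    """Collect attribute values and text nodes, whichever tag hides the blob."""
    def __init__(self):
        super().__init__()
        self.chunks = []
    def handle_starttag(self, tag, attrs):
        self.chunks.extend(value for _, value in attrs if value)
    def handle_data(self, data):
        self.chunks.append(data)

def find_embedded_scripts(html: str) -> list:
    """Return the decoded Base64 blobs in `html` that look like scripts."""
    collector = _ChunkCollector()
    collector.feed(html)
    hits = []
    for chunk in collector.chunks:
        for blob in B64_RUN.findall(chunk):
            blob = blob[: len(blob) // 4 * 4]  # drop a partial trailing group
            try:
                decoded = base64.b64decode(blob, validate=True)
            except (binascii.Error, ValueError):
                continue
            if any(marker in decoded for marker in SCRIPT_MARKERS):
                hits.append(decoded)
    return hits

# Constructed sample: a harmless placeholder script hidden in a data attribute
# of a 404 page, standing in for the encoded payloads the campaign uses.
SAMPLE_PAYLOAD = b"#!/bin/sh\n# constructed placeholder, not a real miner\necho hello\n"
SAMPLE_404 = (
    "<html><head><title>404 Not Found</title></head><body>"
    "<p>The requested URL was not found on this server.</p>"
    '<div id="x" data-v="' + base64.b64encode(SAMPLE_PAYLOAD).decode() + '"></div>'
    "</body></html>"
)

if __name__ == "__main__":
    for hit in find_embedded_scripts(SAMPLE_404):
        print("suspicious blob decodes to:", hit.decode(errors="replace"))
```

Run it against saved copies of 404 responses from your own servers or from URLs your hosts are seen fetching; a genuine error page should produce no hits.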

Soco404 exemplifies the evolving nature of cryptojacking threats—where simplicity, stealth, and system misconfiguration combine for devastating effect. By hijacking 404 pages and exploiting overlooked database features, the campaign highlights just how far threat actors are willing to go to remain undetected.

As always, proactive monitoring, tight configurations, and threat intelligence are critical in staying ahead of modern malware campaigns like Soco404.
