data breaches
New macOS Vulnerability “HM Surf” Exploits Safari’s Security to Access Sensitive Data

A critical new threat dubbed “HM Surf” has emerged, targeting macOS devices through a mobile device management (MDM) setup. This sophisticated hack allows attackers to bypass Safari’s Transparency, Consent, and Control (TCC) protections, potentially granting unauthorized access to sensitive data, including browsing history, camera, microphone, and location—all without user awareness.
The vulnerability poses a significant risk to enterprise users rather than individual consumers. By exploiting flaws in Safari’s TCC protections, HM Surf enables attackers to obtain protected data that the browser should not be able to access. The attack compromises data security by circumventing macOS’s built-in privacy controls, making it a concerning development for organizations relying on Apple’s devices for secure operations.
Microsoft, which uncovered the flaw, promptly informed Apple; the vulnerability was assigned CVE-2024-44133 and Apple shipped the fix in the macOS Sequoia security updates of September 16, 2024. The updates strengthen the TCC protections in Safari, preventing unauthorized data access.
Experts strongly advise all macOS users, especially enterprise customers utilizing MDM configurations, to update their systems immediately to the latest version of macOS Sequoia. Ensuring devices are running the most recent security patches is essential to mitigate the risk of this exploit and protect sensitive data from potential breaches.
The emergence of HM Surf underscores the evolving threat landscape targeting macOS and the need for vigilant security practices within enterprises. As attackers continue to innovate, timely updates and proactive monitoring are crucial to maintaining the integrity and security of digital environments.
Fake 404 Pages and JPEG Polyglots Power New Cloud Intrusions

Threat actors abuse misconfigurations and living-off-the-land tools—using fake 404 pages and panda JPEG “polyglot” files—to drop miners on Linux and Windows at scale.
Twin campaigns dubbed Soco404 and Koske are compromising cloud workloads through exposed services and clever delivery tricks. Soco404 hides binaries behind fake 404 pages and abuses database features for code execution; Koske delivers in-memory payloads from panda-themed JPEG “polyglot” files. Researchers warn the activity reflects automation and AI-assisted development.
BRUSSELS/NEW YORK — Security teams are tracking two fast-moving cryptomining operations that turn small cloud mistakes into large-scale compromises. In reports published in late July, researchers described Soco404 and Koske as cross-platform threats that pivot from misconfigurations—open PostgreSQL, unauthenticated Jupyter, weak Tomcat—and then persist with minimal disk footprint while siphoning CPU and GPU cycles. “Targets both Linux and Windows systems, deploying platform-specific malware and disguising activity with process masquerading,” said researchers at Wiz, who tied Soco404 to payloads staged on fake Google Sites ‘404’ pages that were later removed.
Soco404 typically arrives after attackers discover an internet-exposed PostgreSQL instance. Using database features such as COPY … FROM PROGRAM, the actor spawns shell commands to curl a dropper into memory, kills competing miners, and installs a loader that phones home to infrastructure masquerading as benign error pages. The loader extracts a Base64-wrapped binary from within the HTML and writes persistence via cron and shell init files; on Windows, the chain leans on PowerShell and certutil, injects into system processes, and tunes the host for mining efficiency.
A separate wave labeled Koske focuses on Linux fleets and leans on unusual file “polyglots.” Rather than classic steganography, the actor appends executable content to JPEGs that remain valid images. Once fetched—often from shortened links on misconfigured Jupyter servers—the images’ trailing bytes are executed in memory to deploy a rootkit and a miner. “This isn’t steganography but rather polyglot file abuse—JPEGs that are both valid images and executables, allowing attackers to deliver rootkits directly in memory,” said Assaf Morag, lead threat researcher at Aqua Security. Aqua’s analysis notes modular scripts, verbose comments, and adaptive logic—hallmarks of LLM-assisted development—helping Koske profile hardware and switch coins or pools when blocked.
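A defensive check for the polyglot trick described above, added here as an example (not code from Aqua's or Wiz's write-ups): it walks the JPEG segment table to find where the image legitimately ends and reports any bytes appended after the End-Of-Image marker. The sample JPEG is a constructed, minimal skeleton, not a Koske artifact.

```python
"""Spot JPEG polyglots: valid images with executable bytes appended after EOI.
Added example, not code from the Aqua or Wiz reports. The sample JPEG below is
a constructed, minimal segment table (not decodable by a viewer, but
structurally valid for this parser), not a real Koske file."""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}          # TEM and RST0-7 carry no length
EXEC_PREFIXES = (b"#!", b"\x7fELF", b"MZ")       # script, ELF, PE


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker by walking the segments.
    Raises ValueError if the data is not a well-formed JPEG."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seg_len                       # length includes its own 2 bytes
        if marker == SOS:
            # Entropy-coded data follows; it ends at the first 0xFF that is
            # neither byte stuffing (FF 00) nor a restart marker (FF D0-D7).
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_payload(data: bytes) -> bytes:
    """Bytes after the image ends; a clean JPEG returns b''."""
    return data[jpeg_end_offset(data):]


def classify(data: bytes) -> str:
    tail = trailing_payload(data)
    if not tail:
        return "clean"
    if tail.lstrip().startswith(EXEC_PREFIXES):
        return "polyglot:executable"
    return "polyglot:unknown"


def build_sample_jpeg() -> bytes:
    """Constructed 40-byte JPEG skeleton: SOI, APP0, SOS whose scan data
    contains byte stuffing and a restart marker, then EOI."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos_hdr = b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xda" + struct.pack(">H", len(sos_hdr) + 2) + sos_hdr
            + scan + b"\xff\xd9")


if __name__ == "__main__":
    clean = build_sample_jpeg()
    print(classify(clean), classify(clean + b"#!/bin/sh\n# constructed tail\n"))
```

Run it over a directory of fetched images and anything other than "clean" deserves a look; a viewer will happily render the polyglot, which is exactly why a byte-level check is needed.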
Researchers and incident responders say the campaigns illustrate a shift from zero-days to zero-hygiene. Poorly segmented VPCs, permissive egress, and weak admin MFA let a miner incident evolve into persistent beachheads. “AI-assisted malware is no longer a curiosity; Koske demonstrates how criminals can leverage AI-generated code for persistence and modular cryptomining,” noted industry researchers cited by trade press. That speed of iteration, they warn, reduces defenders’ window to detect before costs spike.
For cloud operators, the mechanics are painfully familiar. One exposed service invites an automated scan; within minutes a one-liner pulls a dropper from a compromised site; persistence lands in systemd or cron while processes camouflage as sd-pam or [kworker/*]; logs are trimmed; miners connect to public pools and throttle to avoid alarms. If defenders only look for data theft, they miss the longer-term business risk: reliable remote execution on admin-adjacent hosts that could later deliver ransomware or scrape credentials.
El Mostafa Ouchen, cybersecurity author and educator, said the episodes mark “a pivot from finesse to industrialization.” In his words: “Soco404 and Koske weaponize cloud mistakes—open services, default creds, weak egress—then hide in plain sight. The fastest wins now are egress control, phishing-resistant MFA for admins, and runtime detection that flags shells spawning from databases or notebooks.”
What to do now: Lock down PostgreSQL (no public exposure; strong auth; disable or constrain COPY FROM PROGRAM), require SSO with phishing-resistant MFA on Jupyter and admin consoles, and filter egress so workloads can’t fetch binaries from URL shorteners or unknown CDNs. Hunt for shells spawned by DB/notebook processes, edits to .bashrc, .profile, /etc/rc.local, suspicious systemd units, and traffic to mining pools. On Windows, look for certutil/PowerShell chains, driver drops (e.g., WinRing0.sys), and unusual CPU affinity changes.
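Two of the hunts above, shells spawned by database or notebook processes and processes masquerading as kernel threads or the systemd sd-pam helper, as an added example (not code from Wiz or Aqua). The JSON event shape and the events themselves are constructed for illustration, not the output of any particular EDR or auditd configuration.

```python
"""Triage process-creation events for two behaviours worth hunting: shells
spawned by database or notebook processes, and processes masquerading as
kernel threads or the systemd sd-pam helper. Added example; the event format
and the sample events are constructed, not real telemetry."""
from __future__ import annotations
import json
import re

SHELLS = {"sh", "bash", "dash", "zsh"}
# Parents that have no business launching an interactive shell on a server.
SENSITIVE_PARENTS = {"postgres", "postmaster", "jupyter-lab", "jupyter-notebook"}
# Real kernel threads are children of kthreadd (PID 2) and have no exe path.
KTHREAD_RE = re.compile(r"^\[?(kworker|ksoftirqd|migration|kswapd)")
SYSTEMD_BINS = ("/usr/lib/systemd/", "/lib/systemd/")


def triage_event(ev: dict) -> list[str]:
    """Return the reasons this event is suspicious (empty list if none)."""
    reasons = []
    comm, parent = ev.get("comm", ""), ev.get("parent_comm", "")
    exe = ev.get("exe") or ""
    if comm in SHELLS and parent in SENSITIVE_PARENTS:
        reasons.append(f"shell {comm} spawned by {parent}")
    if KTHREAD_RE.match(comm):
        # /proc reports a real kworker's comm without brackets; ps adds them for
        # display. A literal '[' in comm, a parent other than kthreadd, or an
        # exe path all mean a userland process is wearing a kernel-thread name.
        if comm.startswith("[") or ev.get("ppid") != 2 or exe:
            reasons.append(f"{comm} is not a kernel thread (ppid={ev.get('ppid')}, exe={exe or '-'})")
    if comm == "sd-pam" and (parent != "systemd" or not exe.startswith(SYSTEMD_BINS)):
        reasons.append(f"sd-pam launched by {parent} from {exe or '-'}")
    return reasons


def triage(lines) -> list[tuple[int, str]]:
    """Run triage_event over newline-delimited JSON events."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        findings.extend((ev["pid"], r) for r in triage_event(ev))
    return findings


# Constructed events: PIDs 101, 102, 104 and 106 are the ones that should fire.
SAMPLE_EVENTS = """
{"pid": 101, "ppid": 900, "comm": "sh",   "parent_comm": "postgres",    "exe": "/usr/bin/dash"}
{"pid": 102, "ppid": 910, "comm": "bash", "parent_comm": "jupyter-lab", "exe": "/usr/bin/bash"}
{"pid": 103, "ppid": 1,   "comm": "sd-pam", "parent_comm": "systemd", "exe": "/usr/lib/systemd/systemd"}
{"pid": 104, "ppid": 920, "comm": "sd-pam", "parent_comm": "bash",    "exe": "/dev/shm/.x/sd-pam"}
{"pid": 105, "ppid": 2,   "comm": "kworker/0:1",    "parent_comm": "kthreadd", "exe": ""}
{"pid": 106, "ppid": 930, "comm": "[kworker/u8:3]", "parent_comm": "bash",     "exe": "/tmp/.k/kworker"}
{"pid": 107, "ppid": 940, "comm": "bash", "parent_comm": "sshd", "exe": "/usr/bin/bash"}
""".strip().splitlines()


def flagged_pids(lines=SAMPLE_EVENTS) -> list[int]:
    return sorted({pid for pid, _ in triage(lines)})


if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_EVENTS):
        print(pid, reason)
```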
Wiz links Soco404 infrastructure to compromised legitimate domains and earlier brute-force activity against web middleware. Aqua traces Koske to misconfigured services and emphasizes in-memory execution and polyglot delivery. Both campaigns were disclosed in the last week of July, adding to a summer of cloud-targeted abuse where automation and AI help criminals scale faster than patch cycles.
Soco404 and Koske confirm that exposure + automation beats sophistication in today’s cloud threat model. Tightening identity, segmenting data paths, and refusing default outbound freedom for workloads will blunt most of this class—often before the first hash is computed. The rest is detection discipline: watch for weird shells from “not-shell” processes, then evict fast and rotate everything.
Indicators of Compromise (IoCs)
Soco404 (Wiz)
Telltale artifacts:
- Linux process masquerading: sd-pam, [kworker/*]
- Windows chain: certutil/PowerShell → ok.exe → service creation with random name → conhost.exe injection; stops eventlog service; drops WinRing0.sys. (wiz.io)
Koske (Aqua Nautilus)
Network / delivery:
- Attacker IP: 178.220.112.53 (initial access to misconfigured JupyterLab) (Aqua)
- Shorteners and image hosts used to deliver “panda” JPEG polyglots: https[:]//k0ske.short.gy/panda_v14, http[:]//tiny.cc/panda-v14, https[:]//iili.io/FhFK3Eg.jpg, https[:]//i.imgs.ovh/2025/07/17/DmvmA.jpeg, https[:]//i.imgs.ovh/2025/07/17/DGlLc.jpeg (Aqua)
Malware components (MD5 examples):
- Rootkit hideproc.so: 63e613cab023c023d74e9dc8e0168e54
- Object ccTltpHf.o: 2ed2e0e3d1ccfc20de48fa6bf49e6c89
- Rootkit source hideproc.c: 76c5d978d6ef48af4350a12f238e48c4
- Miners: ccminer 6e9929b127afc5b4351ba3318e2178dc; cpuMinerTermux.koske 305264d95d5056bc5de3a0b683bcd7eb (Aqua)
Persistence & evasion artifacts:
- Linux persistence: edits to .bashrc, .bash_logout, /etc/rc.local; cron jobs; systemd unit shellkoske.service
- Evasion: rootkit hiding files/processes (LD_PRELOAD-style), in-memory execution of payloads appended to JPEGs (polyglot abuse, not stego). (Aqua)
MITRE ATT&CK® Mappings
Soco404 (per Wiz)
- Initial Access: Exploit Public-Facing Application (T1190); Brute Force: Password Spraying (T1110.003) wiz.io
- Execution: Command & Scripting Interpreter—Unix Shell (T1059.004); Inter-Process Communication (T1559) wiz.io
- Persistence: Scheduled Task/Job—Cron (T1053.003); Event-Triggered Execution—Unix Shell Config Mod (T1546.004); Create/Modify System Process—Windows Service (T1543.003) wiz.io
- Defense Evasion: Masquerading (T1036.005); Obfuscated/Compressed Files (T1027/T1027.002); HTML Smuggling (T1027.006); Clear Logs (T1070.002); Delete Artifacts (T1070.004); Disable Security/Logging (T1562.002) wiz.io
- Command & Control: Ingress Tool Transfer (T1105) wiz.io
- Impact: Resource Hijacking (T1496) wiz.io
Koske (from Aqua’s technique discussion)
- Initial Access: Exploit Public-Facing Application / Misconfiguration (JupyterLab) (T1190) Aqua
- Execution: Command & Scripting Interpreter—Unix Shell (T1059.004); User Execution of Malicious File (polyglot JPEG delivery) (T1204) Aqua
- Persistence: Create/Modify System Process—Systemd Service (T1543.002); Scheduled Task/Job—Cron (T1053.003); Event-Triggered Execution—Unix Shell Config Mod (T1546.004) Aqua
- Defense Evasion: Rootkit (T1014); Hide Artifacts (T1564); Obfuscated/Compressed Files & In-Memory Execution (T1027) Aqua
- Discovery/Resource: Query System/Hardware to pick CPU/GPU miner (T1082/T1496) Aqua
- Impact: Resource Hijacking (T1496) Aqua
Note: ATT&CK technique IDs reflect the current Enterprise matrix. Aqua’s post includes a “Mapping the Campaign to MITRE ATT&CK” section; where IDs weren’t explicitly printed, the mappings above follow Aqua’s descriptions of behaviors. Aqua
Quick defender tips (operationalizing these IoCs)
- Block/monitor egress to the specific Google Sites paths, fastsoco[.]top, dblikes[.]cyou, seeyoume[.]top, and the image-host/shortener combinations used by Koske (e.g., iili.io, i.imgs.ovh, postimages.org, tiny.cc, short.gy). (wiz.io, Aqua)
- Alert on shells spawned by database or notebook processes; edits to .bashrc, .profile, /etc/rc.local; creation of systemd units like shellkoske.service; Windows eventlog stops; conhost.exe injection; and WinRing0.sys drops. (wiz.io, Aqua)
Sources: Wiz (Soco404 technical analysis), Aqua Security (Koske technical analysis), and The Hacker News’ summary linking both campaigns.
New York Business Council Breach Exposes Data of 47,329 People

Two-day February intrusion leaked financial and medical details; group begins notifications and offers credit monitoring as regulators are alerted.
The Business Council of New York State disclosed a February cyberattack that exposed data on 47,329 people, including Social Security numbers, bank and card details, and some medical information. The statewide employer association said it contained the incident, notified authorities, and began mailing notices with credit-monitoring offers after confirming the scope on Aug. 4.
ALBANY, N.Y. — The Business Council of New York State (BCNYS) said a cyberattack between Feb. 24–25, 2025 gave an unauthorized party access to internal systems and files affecting 47,329 individuals, exposing highly sensitive personal, financial, and some protected health information. The organization began notifying affected people on Aug. 15 and is providing credit monitoring.
BCNYS completed its investigation on Aug. 4, concluding that the attackers accessed or acquired files containing combinations of names, Social Security numbers, dates of birth, state ID numbers, bank and routing numbers, payment card numbers, PINs and expiration dates, taxpayer identification numbers, electronic signature data, and in some cases diagnoses, prescriptions, treatments, procedures, and health insurance information. “We have no evidence of financial or medical fraud or identity theft related to this incident,” the organization said in its formal notice.
The council, which represents more than 3,000 organizations employing over 1.2 million New Yorkers, said it contained the incident and engaged outside forensics experts after detecting the intrusion. “An unauthorized party gained access to a limited number of internal systems from approximately February 24 to February 25, 2025,” BCNYS wrote in notices filed with state regulators.
The Record, which first reported the scale and breadth of the exposed data, said notifications are being made in multiple states as required by law.
“An unauthorized party gained access to a limited number of internal systems from approximately February 24, 2025 to February 25, 2025,” BCNYS said, noting it immediately contained the activity and launched a forensic investigation.
“To date, we have no evidence of financial or medical fraud or identity theft related to this incident,” the council added, while urging vigilance and offering complimentary credit monitoring to those whose Social Security numbers were impacted.
“Get a fraud alert or security freeze, monitor financial and medical statements, and consider an IRS Identity Protection PIN where appropriate,” the notices advise recipients, emphasizing steps to mitigate identity and medical fraud.
Technical Analysis
Timeline & scope: Forensic review indicates a two-day dwell time (Feb. 24–25) with exfiltration of stored files confirmed on Aug. 4. The data types point to compromise of file repositories or application data exports used for membership administration, benefits programs, and payments—rather than credential vaults. BCNYS has not publicly identified the initial access vector or threat actor.
Risk profile: The mix of PII + financial + medical records raises multi-vector fraud risks (new-account fraud, ACH fraud, tax refund fraud, and medical identity theft). Exposure of electronic signature information and taxpayer IDs further increases downstream abuse potential.
Mitigations in motion: BCNYS reports network containment, third-party forensics, and ongoing hardening of internal controls. Notices include credit monitoring and consumer protection steps consistent with state breach-notification guidance.
Impact & Response
Who is affected: 47,329 individuals across several states, including at least 17 Rhode Island residents, according to regulator notices.
What BCNYS is doing: Rolling notifications by mail, a dedicated call center, and free credit monitoring (IDX) for impacted individuals; continued cooperation with authorities and security enhancements.
What people should do now: Place fraud alerts or freezes, monitor bank and card statements, review Explanation of Benefits for suspicious medical claims, and consider IRS IP PINs to prevent tax-refund fraud.
The council advocates for business interests in Albany and runs programs—including group insurance—for members statewide. Recent months have seen a steady cadence of U.S. nonprofit and association breaches where membership, benefits, and payments data are centralized in limited internal systems—attractive targets for data-theft monetization.
The BCNYS breach underscores a persistent exposure for associations and nonprofits: high-value data concentration in small IT estates. With a short intrusion window but broad data impact, the incident highlights the need for continuous monitoring, segmented data stores, least-privilege vendor access, and rapid exfiltration detection—alongside consumer-grade remedies that blunt identity and medical fraud.
Sources:
- The Record: “Business Council of New York State says nearly 50,000 had data leaked in February cyberattack.” The Record from Recorded Future
- BCNYS “Notice of Data Security Incident” (updated Aug. 15, 2025). bcnys.org
- Massachusetts AG filing / notification letter (Aug. 15, 2025).
European Telecom Security Under Scrutiny After Orange Belgium Hack

Leaked SIM and PUK data heighten SIM-swapping risks as critics fault Orange’s response; company says no passwords, emails or banking data were taken.
Orange Belgium disclosed that a cyberattack in late July exposed personal data tied to about 850,000 customer accounts, including SIM card numbers and PUK codes—information that could aid SIM-swapping fraud. The carrier notified authorities and customers, tightened security, and stressed that no passwords, emails or financial data were compromised.
BRUSSELS — Orange Belgium said a July cyberattack compromised data for roughly 850,000 customer accounts, including SIM and PUK information, prompting warnings from security experts about elevated SIM-swapping risks across the country.
Orange Belgium detected the intrusion at the end of July, blocked access to the affected system, informed authorities, and filed an official complaint with judicial authorities. Exposed fields include name, phone number, SIM card number, PUK code and tariff plan. Orange emphasized that passwords, email addresses, and financial data were not accessed.
The operator said some services could be affected while it responds to the incident, but did not disclose the specific attack method. The disclosure follows a July cyber incident at Orange Group and a broader wave of attacks on European telecoms.
Security researchers warned that leaking SIM identifiers and PUK codes can facilitate social-engineering and account-takeover attempts. In a widely shared post, Inti De Ceukelaire, chief hacker at bug-bounty platform Intigriti, called Orange’s response “very disappointing,” accusing the company of following “the same old corporate PR playbook” that shifts risk to customers.
- Orange Belgium (statement): “At the end of July, Orange Belgium detected a cyberattack… resulting in unauthorized access to certain data from 850,000 customer accounts.”
- Inti De Ceukelaire (Intigriti): Orange’s handling was “very disappointing,” following “the same old corporate PR playbook,” and downplaying SIM-swapping and number-theft risks.
- Europol (on SIM-swap method): SIM-swap fraud occurs when criminals “dupe the victim’s mobile phone operator into porting the victim’s mobile number to a SIM” they control.
- “Leaking SIM and PUK data materially raises account-takeover risk. Carriers should enable port-out freezes by default, and customers should move off SMS codes to app-based or hardware-key MFA immediately.” — El Mostafa Ouchen, cybersecurity author & educator
What likely happened:
Orange has not disclosed the intrusion vector. Given the data types exposed (customer identifiers and SIM/PUK data), plausible avenues include compromise of a customer-care or provisioning system, exposed credentials to an internal CRM/API, or a third-party vendor with access to SIM management data. No evidence has been provided of ransomware or data-destroying activity. (Orange says it knows which system was accessed but has not named the attacker.)
Why SIM/PUK exposure matters:
- SIM number + PUK can support social-engineering against carriers, easing fraudulent number transfers or PIN resets. Once a number is taken over, attackers intercept SMS codes for banking and email resets.
- Europol has documented substantial losses from SIM-swap operations, which typically begin with identity data and end with account takeovers.
Mitigations (carrier & customer):
- Carrier: Enforce strict port-out verification; flag high-risk accounts; rate-limit SIM profile changes; require in-app or out-of-band confirmations; monitor for abnormal SIM-swap velocity.
- Customer: Add a SIM/account PIN and enable “number transfer protection”; switch from SMS to app-based or FIDO2 security keys; monitor bank/email for unusual activity; consider requesting a new SIM from the carrier.
Impact & Response
Who’s affected: Approximately 850,000 Orange Belgium customer accounts. Orange is notifying customers by SMS/email and coordinating with Belgian authorities.
Immediate actions: Isolation of the affected system, tightened security controls, customer communications, and law-enforcement engagement. The company cautioned potential service impacts during remediation.
Long-term implications:
Telecom data stores—especially SIM provisioning environments—remain attractive targets. Similar incidents across Europe and at Orange affiliates this year point to persistent attacker focus on telco identity footholds.
The disclosure comes amid repeated attacks on European telecoms and follows Orange Group’s separate July incident. Independent outlets and researchers this week echoed warnings that SIM-swapping risk rises when SIM/PUK data is exposed, even if passwords or bank details were not taken.
The Orange Belgium breach underscores a growing telecom security challenge: safeguarding identity-critical metadata that can unlock downstream fraud. Carriers will face pressure to harden SIM-management workflows, while consumers should immediately upgrade their authentication practices and request stronger port-out protections.
Source: Politico Europe — “Almost 1 million Belgian users hit in Orange cyberattack.”
Orange Belgium — Company statement/notices on July cyber incident and affected data fields.
Europol — Public guidance explaining SIM-swap fraud tactics and risks.