Fake 404 Pages and JPEG Polyglots Power New Cloud Intrusions
Threat actors abuse misconfigurations and living-off-the-land tools—using fake 404 pages and panda JPEG “polyglot” files—to drop miners on Linux and Windows at scale.
Twin campaigns dubbed Soco404 and Koske are compromising cloud workloads through exposed services and clever delivery tricks. Soco404 hides binaries behind fake 404 pages and abuses database features for code execution; Koske delivers in-memory payloads from panda-themed JPEG “polyglot” files. Researchers warn the activity reflects automation and AI-assisted development.
BRUSSELS/NEW YORK — Security teams are tracking two fast-moving cryptomining operations that turn small cloud mistakes into large-scale compromises. In reports published in late July, researchers described Soco404 and Koske as cross-platform threats that pivot from misconfigurations—open PostgreSQL, unauthenticated Jupyter, weak Tomcat—and then persist with minimal disk footprint while siphoning CPU and GPU cycles. “Targets both Linux and Windows systems, deploying platform-specific malware and disguising activity with process masquerading,” said researchers at Wiz, who tied Soco404 to payloads staged on fake Google Sites ‘404’ pages that were later removed.
Soco404 typically arrives after attackers discover an internet-exposed PostgreSQL instance. Using database features such as COPY … FROM PROGRAM, the actor spawns shell commands to curl a dropper into memory, kills competing miners, and installs a loader that phones home to infrastructure masquerading as benign error pages. The loader extracts a Base64-wrapped binary from within the HTML and writes persistence via cron and shell init files; on Windows, the chain leans on PowerShell and certutil, injects into system processes, and tunes the host for mining efficiency.
A separate wave labeled Koske focuses on Linux fleets and leans on unusual file “polyglots.” Rather than classic steganography, the actor appends executable content to JPEGs that remain valid images. Once fetched—often from shortened links on misconfigured Jupyter servers—the images’ trailing bytes are executed in memory to deploy a rootkit and a miner. “This isn’t steganography but rather polyglot file abuse—JPEGs that are both valid images and executables, allowing attackers to deliver rootkits directly in memory,” said Assaf Morag, lead threat researcher at Aqua Security. Aqua’s analysis notes modular scripts, verbose comments, and adaptive logic—hallmarks of LLM-assisted development—helping Koske profile hardware and switch coins or pools when blocked.
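As an added example (not code from Aqua's report), the check below walks a JPEG's segment structure and reports anything appended after the end-of-image marker, which is the trait that makes these panda images polyglots; the sample images are constructed, not real Koske files.

```python
"""Flag JPEGs that carry content after the end-of-image marker (added example,
not Aqua's code). A Koske-style polyglot is a valid JPEG whose bytes after EOI
(FF D9) hold a script or ELF binary. Marker segments are walked up to SOS first
so an EXIF thumbnail's own EOI (inside an APP1 segment) is not mistaken for the
end of the image. The sample images are constructed; no real Koske file is used."""
import struct
from typing import Optional

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
SUSPICIOUS_PREFIXES = {b"\x7fELF": "ELF binary", b"#!": "script with shebang"}

def jpeg_trailing_data(data: bytes) -> bytes:
    """Return the bytes after the first complete JPEG image (b"" if none)."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"marker expected at offset {pos}")
        if data[pos + 1] == 0xDA:
            # SOS: entropy-coded data follows. Inside it FF is always stuffed
            # (FF 00) or part of an RSTn marker, so the first FF D9 is the EOI.
            end = data.find(EOI, pos + 2)
            if end == -1:
                raise ValueError("truncated JPEG (no EOI)")
            return data[end + 2:]
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]  # skip segment
    raise ValueError("truncated JPEG (no SOS)")

def classify_polyglot(data: bytes) -> Optional[str]:
    """Describe suspicious appended content, or return None for a clean image."""
    tail = jpeg_trailing_data(data).lstrip(b"\x00\r\n")
    if not tail:
        return None
    for prefix, label in SUSPICIOUS_PREFIXES.items():
        if tail.startswith(prefix):
            return f"{label} appended after EOI ({len(tail)} bytes)"
    return f"unknown data appended after EOI ({len(tail)} bytes)"

# Constructed samples: a skeletal JPEG (APP0 segment, SOS, three bytes of scan
# data with a stuffed FF, EOI) that parses but is not a real picture, once clean
# and once with a shell script appended the way a polyglot would carry it.
_SKELETON = (SOI + b"\xff\xe0" + struct.pack(">H", 4) + b"JF"
             + b"\xff\xda" + struct.pack(">H", 2) + b"\x00\xff\x00" + EOI)
CLEAN_JPEG = _SKELETON
POLYGLOT_JPEG = _SKELETON + b"#!/bin/bash\necho constructed payload\n"
```

Run it over an image share or a download cache and treat any non-empty tail, not only the two signatures listed, as worth a look.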
Researchers and incident responders say the campaigns illustrate a shift from zero-days to zero-hygiene. Poorly segmented VPCs, permissive egress, and weak admin MFA let a miner incident evolve into persistent beachheads. “AI-assisted malware is no longer a curiosity; Koske demonstrates how criminals can leverage AI-generated code for persistence and modular cryptomining,” noted industry researchers cited by trade press. That speed of iteration, they warn, reduces defenders’ window to detect before costs spike.
For cloud operators, the mechanics are painfully familiar. One exposed service invites an automated scan; within minutes a one-liner pulls a dropper from a compromised site; persistence lands in systemd or cron while processes camouflage as sd-pam or [kworker/*]; logs are trimmed; miners connect to public pools and throttle to avoid alarms. If defenders only look for data theft, they miss the longer-term business risk: reliable remote execution on admin-adjacent hosts that could later deliver ransomware or scrape credentials.
El Mostafa Ouchen, cybersecurity author and educator, said the episodes mark “a pivot from finesse to industrialization.” In his words: “Soco404 and Koske weaponize cloud mistakes—open services, default creds, weak egress—then hide in plain sight. The fastest wins now are egress control, phishing-resistant MFA for admins, and runtime detection that flags shells spawning from databases or notebooks.”
What to do now: Lock down PostgreSQL (no public exposure; strong auth; disable or constrain COPY FROM PROGRAM), require SSO with phishing-resistant MFA on Jupyter and admin consoles, and filter egress so workloads can’t fetch binaries from URL shorteners or unknown CDNs. Hunt for shells spawned by DB/notebook processes, edits to .bashrc, .profile or /etc/rc.local, suspicious systemd units, and traffic to mining pools. On Windows, look for certutil/PowerShell chains, driver drops (e.g., WinRing0.sys), and unusual CPU affinity changes.
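Three of those hunts, shells under database or notebook processes and the sd-pam and [kworker/*] masquerades, written as rules over a process snapshot. This is an added example, not tooling from Wiz or Aqua; the record fields and the sample snapshot are constructed.

```python
"""Hunt rules for the process-level tradecraft described above (added example,
not from the Wiz or Aqua reports). Input is a process snapshot of the kind an
EDR or /proc collector yields; fields and sample records are constructed."""
from dataclasses import dataclass
from typing import Dict, List

SHELLS = {"sh", "bash", "dash", "zsh"}
SENSITIVE_PARENTS = {"postgres", "jupyter-lab", "jupyter-noteboo", "java", "tomcat"}  # comm is 15 chars max
SYSTEMD_DIRS = ("/usr/lib/systemd/", "/lib/systemd/")  # where a genuine sd-pam's exe lives

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str      # process name as ps displays it
    exe: str       # resolved /proc/<pid>/exe; "" for kernel threads
    cmdline: str   # "" for kernel threads

def hunt(procs: List[Proc]) -> Dict[int, str]:
    """Return {pid: finding} for every process that trips a rule."""
    by_pid = {p.pid: p for p in procs}
    findings: Dict[int, str] = {}
    for p in procs:
        parent = by_pid.get(p.ppid)
        if p.comm in SHELLS and parent and parent.comm in SENSITIVE_PARENTS:
            # Rule 1: shell child of a database, notebook or middleware process.
            findings[p.pid] = f"shell spawned by {parent.comm} (pid {parent.pid})"
        elif p.comm == "sd-pam" and not p.exe.startswith(SYSTEMD_DIRS):
            # Rule 2: the real sd-pam is a forked systemd, so its exe is systemd's binary.
            findings[p.pid] = f"sd-pam masquerade: exe is {p.exe or '<none>'}"
        elif p.comm.strip("[]").startswith("kworker/") and (p.ppid != 2 or p.exe or p.cmdline):
            # Rule 3: real kworkers are children of kthreadd (pid 2) with no exe or cmdline.
            findings[p.pid] = "kworker masquerade: user-space process with kernel-thread name"
    return findings

# Constructed snapshot: a genuine kernel thread and a genuine sd-pam alongside
# three records matching the Soco404/Koske patterns described in the article.
SAMPLE = [
    Proc(1, 0, "systemd", "/usr/lib/systemd/systemd", "/sbin/init"),
    Proc(2, 0, "kthreadd", "", ""),
    Proc(37, 2, "[kworker/0:1]", "", ""),
    Proc(900, 1, "postgres", "/usr/lib/postgresql/16/bin/postgres", "postgres: main"),
    Proc(941, 900, "sh", "/usr/bin/dash", "sh -c <dropper one-liner>"),
    Proc(1200, 1, "sd-pam", "/usr/lib/systemd/systemd", "(sd-pam)"),
    Proc(2210, 1, "sd-pam", "/tmp/.x/sd-pam", "./sd-pam"),
    Proc(2215, 2210, "[kworker/1:2]", "/tmp/.x/kw", "[kworker/1:2]"),
]
```

Rule 1 needs tuning per fleet (a Java app server may legitimately fork shells for maintenance scripts), but the two masquerade rules have essentially no benign matches.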
Wiz links Soco404 infrastructure to compromised legitimate domains and earlier brute-force activity against web middleware. Aqua traces Koske to misconfigured services and emphasizes in-memory execution and polyglot delivery. Both campaigns were disclosed in the last week of July, adding to a summer of cloud-targeted abuse where automation and AI help criminals scale faster than patch cycles.
Soco404 and Koske confirm that exposure + automation beats sophistication in today’s cloud threat model. Tightening identity, segmenting data paths, and refusing default outbound freedom for workloads will blunt most of this class—often before the first hash is computed. The rest is detection discipline: watch for weird shells from “not-shell” processes, then evict fast and rotate everything.
Indicators of Compromise (IoCs)
Soco404 (Wiz)
Hashes (samples): the Wiz report lists sample hashes for the soco.sh droppers, the ldr.sh loaders, the Linux ELF payloads, and the Windows loaders/payloads.
Payload/hosting infrastructure:
- Google Sites 404 payload pages: https[:]//sites[.]google[.]com/view/2025soco/, https[:]//sites[.]google[.]com/view/dblikes, https[:]//sites[.]google[.]com/view/sogoto, https[:]//sites[.]google[.]com/view/osk05
- Dedicated/fake 404 domains: www[.]fastsoco[.]top, dblikes[.]cyou, seeyoume[.]top
- Related crypto-scam domains: arcticoins[.]com, diamondcapitalcrypro[.]com, nordicicoins[.]com, hkcapitals[.]com
Mining infrastructure / wallets:
- Pools: auto.c3pool.org, gulf.moneroocean.stream
- Wallets: two payout addresses, listed in full in the Wiz report
Telltale artifacts:
- Linux process masquerading: sd-pam, [kworker/*]
- Windows chain: certutil/PowerShell → ok.exe → service creation with random name → conhost.exe injection; stops the eventlog service; drops WinRing0.sys.
Koske (Aqua Nautilus)
Network / delivery:
- Attacker IP: 178.220.112.53 (initial access to misconfigured JupyterLab)
- Shorteners & image hosts used to deliver “panda” JPEG polyglots: https[:]//k0ske.short.gy/panda_v14, http[:]//tiny.cc/panda-v14, https[:]//iili.io/FhFK3Eg.jpg, https[:]//i.imgs.ovh/2025/07/17/DmvmA.jpeg, https[:]//i.imgs.ovh/2025/07/17/DGlLc.jpeg
Malware components (MD5 examples):
- Rootkit hideproc.so: 63e613cab023c023d74e9dc8e0168e54
- Object ccTltpHf.o: 2ed2e0e3d1ccfc20de48fa6bf49e6c89
- Rootkit source hideproc.c: 76c5d978d6ef48af4350a12f238e48c4
- Miners: ccminer 6e9929b127afc5b4351ba3318e2178dc; cpuMinerTermux.koske 305264d95d5056bc5de3a0b683bcd7eb
Persistence & evasion artifacts:
- Linux persistence: edits to .bashrc, .bash_logout, /etc/rc.local; cron jobs; systemd unit shellkoske.service
- Evasion: rootkit hiding files/processes (LD_PRELOAD-style); in-memory execution of payloads appended to JPEGs (polyglot abuse, not stego).
MITRE ATT&CK® Mappings
Soco404 (per Wiz)
- Initial Access: Exploit Public-Facing Application (T1190); Brute Force: Password Spraying (T1110.003)
- Execution: Command & Scripting Interpreter—Unix Shell (T1059.004); Inter-Process Communication (T1559)
- Persistence: Scheduled Task/Job—Cron (T1053.003); Event-Triggered Execution—Unix Shell Config Mod (T1546.004); Create/Modify System Process—Windows Service (T1543.003)
- Defense Evasion: Masquerading (T1036.005); Obfuscated/Compressed Files (T1027/T1027.002); HTML Smuggling (T1027.006); Clear Logs (T1070.002); Delete Artifacts (T1070.004); Disable Security/Logging (T1562.002)
- Command & Control: Ingress Tool Transfer (T1105)
- Impact: Resource Hijacking (T1496)
Koske (from Aqua’s technique discussion)
- Initial Access: Exploit Public-Facing Application / Misconfiguration (JupyterLab) (T1190)
- Execution: Command & Scripting Interpreter—Unix Shell (T1059.004); User Execution of Malicious File (polyglot JPEG delivery) (T1204)
- Persistence: Create/Modify System Process—Systemd Service (T1543.002); Scheduled Task/Job—Cron (T1053.003); Event-Triggered Execution—Unix Shell Config Mod (T1546.004)
- Defense Evasion: Rootkit (T1014); Hide Artifacts (T1564); Obfuscated/Compressed Files & In-Memory Execution (T1027)
- Discovery/Resource: Query System/Hardware to pick CPU/GPU miner (T1082/T1496)
- Impact: Resource Hijacking (T1496)
Note: ATT&CK technique IDs reflect the current Enterprise matrix. Aqua’s post includes a “Mapping the Campaign to MITRE ATT&CK” section; where IDs weren’t explicitly printed, the mappings above follow Aqua’s descriptions of behaviors.
Quick defender tips (operationalizing these IoCs)
- Block/monitor egress to the specific Google Sites paths, fastsoco[.]top, dblikes[.]cyou, seeyoume[.]top, and the image-host/shortener combos used by Koske (e.g., iili.io, i.imgs.ovh, postimages.org, tiny.cc, short.gy).
- Alert on shells spawned by database or notebook processes; edits to .bashrc, .profile, /etc/rc.local; creation of systemd units like shellkoske.service; Windows eventlog stops; conhost.exe injection; and WinRing0.sys drops.
Sources: Wiz (Soco404 technical analysis), Aqua Security (Koske technical analysis), and The Hacker News’ summary linking both campaigns.