Double Threat: Soco404 and Koske Malware Campaigns Hijack Cloud Servers for Crypto Mining


Hidden Crypto Heists in the Cloud: Introduction

In the ever-evolving battlefield of cybersecurity, two sophisticated malware campaigns — Soco404 and Koske — have emerged as potent threats targeting cloud infrastructures. These campaigns are designed not just to infiltrate, but to persistently exploit misconfigured or vulnerable servers across both Linux and Windows systems. Their ultimate goal? Hijack computational power to mine cryptocurrency, all while flying under the radar of traditional security tools. Powered by evasive techniques and a wide range of attack vectors, these campaigns expose how modern cybercriminals use automation, polymorphic files, and advanced privilege escalation methods to profit in the shadows.

The Threat Landscape

Two separate yet equally dangerous malware operations — Soco404 (documented by Wiz) and Koske (documented by Aqua Security) — are targeting misconfigured cloud systems to deploy cryptocurrency mining payloads. Both campaigns exploit known weaknesses in cloud environments, notably in Apache Tomcat, Atlassian Confluence, Apache Struts, PostgreSQL, and JupyterLab servers.

Soco404 is highly adaptable, affecting both Linux and Windows systems. It masquerades malicious processes as legitimate ones, hosts its payloads on fake 404 error pages using Google Sites, and has previously exploited known services via the Sysrv botnet. Once initial access is gained, attackers use the PostgreSQL COPY ... FROM PROGRAM SQL command to execute remote shell commands, escalating access and deploying miners. These miners are dropped directly into system memory using tools like wget, curl, certutil, and PowerShell, and even attempt to eliminate rival miners and erase forensic evidence by overwriting key system logs.
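The COPY ... FROM PROGRAM abuse described above leaves a trace in PostgreSQL statement logging. The following is an added example, not code from the Wiz or Aqua reports, that flags such statements in constructed log lines; it assumes the server is configured with log_statement = 'all' and log_line_prefix = '%m [%p] %u@%d '.

```python
import re
from dataclasses import dataclass

# Assumed server settings: log_statement = 'all' and log_line_prefix = '%m [%p] %u@%d '
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$"
)
# FROM PROGRAM reads a shell command's output into a table; TO PROGRAM pipes rows into one.
# Either form runs the command as the postgres OS user, so both are worth alerting on.
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.+?\b(?:FROM|TO)\s+PROGRAM\b", re.IGNORECASE)

@dataclass
class Hit:
    ts: str
    pid: int
    user: str
    db: str
    sql: str

def find_copy_program(lines):
    """Return one Hit per logged statement that invokes COPY ... FROM/TO PROGRAM."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue            # continuation lines, ERROR/DETAIL entries, etc.
        if COPY_PROGRAM_RE.search(m["sql"]):
            hits.append(Hit(m["ts"], int(m["pid"]), m["user"], m["db"], m["sql"]))
    return hits

# Constructed sample log: ordinary queries, a normal COPY TO STDOUT, and two PROGRAM variants
SAMPLE_LOG = [
    "2025-07-25 10:12:01.123 UTC [4821] app@inventory LOG:  statement: SELECT id FROM items WHERE sku = 'A-1'",
    "2025-07-25 10:12:03.400 UTC [4821] app@inventory LOG:  statement: COPY items TO STDOUT WITH (FORMAT csv)",
    "2025-07-25 10:12:05.456 UTC [4822] postgres@postgres LOG:  statement: CREATE TABLE scratch(line text)",
    "2025-07-25 10:12:05.789 UTC [4822] postgres@postgres LOG:  statement: COPY scratch FROM PROGRAM 'echo constructed-sample'",
    "2025-07-25 10:12:06.001 UTC [4822] postgres@postgres ERROR:  permission denied for table items",
    "2025-07-25 10:12:08.250 UTC [4823] report@analytics LOG:  statement: copy report_q3 to program 'gzip > /tmp/report_q3.csv.gz'",
]

if __name__ == "__main__":
    for h in find_copy_program(SAMPLE_LOG):
        print(f"{h.ts} pid={h.pid} {h.user}@{h.db}: {h.sql}")
```

A hit does not have to come from a superuser: membership in the built-in pg_execute_server_program role grants the same capability, so role grants should be reviewed alongside the log.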

On Linux, the payload loader downloads from www.fastsoco[.]top, while on Windows, it drops a binary bundled with WinRing0.sys to gain NT\SYSTEM privileges, shut down event logs, and remove traces of itself post-execution.

Koske, on the other hand, uses a more creative approach — leveraging JPEG images embedded with malicious shellcode. These polyglot files are hosted on misconfigured JupyterLab servers and contain both a C-based rootkit and a shell script for cryptominer delivery. The malware is stealthy, executing everything in memory and avoiding disk writes to evade detection.

Koske’s main goal is to maximize mining output by using both the CPU and GPU to mine 18 different cryptocurrencies, including Monero, Ravencoin, Zano, Nexa, and Tari. This campaign is thought to have leveraged large language models (LLMs) in its development, enhancing its polymorphic behavior and evasion techniques.

Both threats use flexible, multi-platform, automated strategies to maintain persistence, achieve privilege escalation, and exploit every available vulnerability for long-term monetization through cryptomining.

What Undercode Say: 🔍 Deep Analysis & Strategic Breakdown

The Evolution of Cloud Exploits

Soco404 and Koske underscore threat actors’ move from simple botnets to cross-platform, automated, and polymorphic malware that weaponizes cloud misconfigurations and vulnerable services. These campaigns show a deep understanding of enterprise environments, exploiting PostgreSQL, Apache servers, and even legitimate sites like Google Sites and a Korean transportation website to deliver malware.

Use of Legitimate Tools for Malicious Purposes

These campaigns smartly use native system tools like certutil on Windows and curl/wget on Linux. These utilities are often overlooked by antivirus tools, allowing malicious downloads and execution to occur without raising alarms. Similarly, the abuse of PostgreSQL’s SQL features and event log tampering on Windows shows a clear focus on stealth and control.

In-Memory Execution: Avoiding Detection

A common thread is in-memory execution, ensuring a minimal footprint on disk. This makes traditional antivirus and EDR solutions less effective. On Linux, miners are downloaded and launched via shell scripts directly into memory. Windows systems see a similar treatment with self-deleting binaries and service disruption tactics.

Sophisticated File Abuse: Polyglots

Koske introduces a new level of stealth using polyglot JPG files — images that double as executable code. This method bypasses many antivirus engines and firewall rules, especially since the files appear as innocent image downloads but contain executable payloads at the end. This isn’t just a technical marvel — it’s a threat actor’s dream.
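A defender can check for the appended-payload polyglot described here (and in the Koske section above) by walking the JPEG segment structure and inspecting whatever follows the EOI marker. This is an added example, not the Aqua researchers' code; the sample image and trailers are constructed, and the prefix-to-verdict table is an assumption, not a complete signature set.

```python
import struct
# Markers with no length field: TEM, SOI and the restart markers RST0-RST7
STANDALONE_MARKERS = {0x01, 0xD8} | set(range(0xD0, 0xD8))
TRAILER_VERDICTS = {b"#!": "script-appended", b"\x7fELF": "elf-appended", b"MZ": "pe-appended"}

def jpeg_end_offset(data: bytes) -> int:
    """Walk the JPEG segment table and return the offset just past the EOI marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte ahead of a marker
            pos += 1
            continue
        if marker == 0xD9:          # EOI: the image proper ends here
            return pos + 2
        if marker in STANDALONE_MARKERS:
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes its own 2 bytes
        pos += 2 + length
        if marker == 0xDA:          # SOS: skip entropy-coded data to the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break           # 0xFF00 is byte stuffing; RSTn stay inside the scan
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker")

def classify_trailer(data: bytes) -> tuple[str, bytes]:
    """Return (verdict, bytes after EOI). Anything past EOI is not image data."""
    trailer = data[jpeg_end_offset(data):]
    if not trailer:
        return "clean", trailer
    for prefix, verdict in TRAILER_VERDICTS.items():
        if trailer.startswith(prefix):
            return verdict, trailer
    return "unknown-trailer", trailer   # e.g. vendor metadata: inspect before acting

def build_sample_jpeg(trailer: bytes = b"") -> bytes:
    """Constructed minimal JPEG (SOI, APP0, SOS with a stuffed 0xFF00 pair, EOI) plus a trailer."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos_header, scan_data = b"\x01\x01\x00\x00\x3f\x00", b"\x12\xff\x00\x34"
    return (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xda" + struct.pack(">H", len(sos_header) + 2) + sos_header
            + scan_data + b"\xff\xd9" + trailer)
```

Some cameras and editors legitimately append data after EOI, so an unknown-trailer result is a triage signal rather than a verdict; a shebang or ELF header immediately after EOI is the case worth escalating.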

Indicators of LLM Influence

Koske’s stealthy sophistication and pattern-masking indicate likely LLM involvement in malware development. Code that bypasses detection, adapts on the fly, and creatively embeds itself in file types shows intelligence-assisted code generation.

Impact on Cloud Infrastructure

These campaigns highlight a fundamental risk in modern cloud deployments: misconfiguration and weak credentialing. The use of legitimate services for payload delivery (like Google Sites and vulnerable PostgreSQL commands) reflects attackers’ strategy of hiding in plain sight. Organizations relying solely on perimeter defenses are especially vulnerable.

Economic Intent Meets Technical Sophistication

While the end goal — mining cryptocurrency — might seem simple, the technical road taken is anything but. From rootkits and memory-resident loaders to multi-stage delivery systems, these campaigns reflect industrial-level planning. The ability to mine 18 different currencies suggests the attackers are fine-tuning mining preferences based on system specs, maximizing ROI per infected machine.

✅ Fact Checker Results

Soco404 uses fake 404 HTML pages and Google Sites for delivery – ✅ Confirmed
Koske delivers malware using polyglot JPG files with shellcode – ✅ Verified
Campaigns leverage large language models in their development – ✅ Highly probable based on behavioral analysis

🔮 Prediction

These attacks are just the tip of the iceberg. As cybercriminals grow more sophisticated, expect to see widespread adoption of AI-assisted malware development, increased use of in-memory-only payloads, and further abuse of polyglot files. Security teams must shift focus toward behavioral detection, cloud hardening, and runtime memory monitoring to stay ahead. Also, expect attackers to expand beyond cryptomining into data exfiltration, ransomware, and supply chain attacks using similar stealthy delivery methods.

References:

Reported By: thehackernews.com