Cloud Cryptominers Evolve: Koske & Soco404 Use Stealthy Tactics, AI-Generated Malware & Image Payloads
Researchers have uncovered two parallel malicious campaigns targeting vulnerable and misconfigured components of cloud infrastructure. Both operations involve the deployment of cryptominers and are attributed to groups designated as Soco404 and Koske—whose activities have been meticulously analyzed by teams from Wiz and Aqua Security.
Soco404 demonstrates a high degree of adaptability: attackers target both Linux and Windows systems, deploying platform-specific malware. According to Wiz analysts Maor Dahan, Shahar Dorfman, and Avigail Mechtinger, the malicious payloads masquerade as legitimate operating system processes, carefully mimicking normal activity. Particularly notable is their delivery method—fake 404 error pages hosted on Google Sites that secretly embed executable components. These resources were subsequently taken down following reports from the researchers.
Historically, Soco404 exploited vectors such as Apache Tomcat compromises, as well as vulnerabilities in Apache Struts and Atlassian Confluence, leveraging the Sysrv botnet. In the current wave of attacks, the focus has shifted toward exposed PostgreSQL instances. Previously compromised Apache Tomcat installations are now repurposed to host malware loaders compiled for both operating systems. Among the exploited hosts was a South Korean logistics firm’s website, temporarily used as an intermediary server for malware delivery.
Upon gaining access to PostgreSQL, the attackers employ the SQL command COPY ... FROM PROGRAM, enabling arbitrary shell command execution directly on the target machine. This facilitates deployment of an in-memory loader script that not only injects the malicious binary but also terminates competing miners and erases traces from cron and wtmp logs—hindering forensic analysis.
Regardless of platform, the malware reaches out to the domain www.fastsoco[.]top, hosted via Google Sites. On Windows systems, it further downloads the WinRing0.sys driver to escalate privileges to NT\SYSTEM, disables event logging services, and cleans up after itself to evade detection.
Wiz analysts emphasize the attackers’ versatile toolkit, which spans standard Linux utilities (such as wget and curl) and native Windows tools (certutil, PowerShell). This cross-platform adaptability and automation make the Soco404 campaign a formidable example of persistent, large-scale cryptomining operations.
Meanwhile, Aqua Labs has identified a concurrent campaign dubbed Koske, specifically targeting Linux servers. Its hallmark is an unusual infection vector: attacks begin by compromising JupyterLab instances, after which the malware is delivered through JPEG images embedded with executable code. These polyglot files retain a valid visual front, while the payload resides in the file’s tail—evading traditional signature-based antivirus detection.
Each image contains two components: a C library that implements a rootkit via LD_PRELOAD
to conceal processes and files, and a shell script that downloads and launches the miner. The entire payload is executed in memory, leaving no trace on disk, which significantly complicates detection. The goal is to install miners capable of handling up to 18 different cryptocurrencies, including Monero, Ravencoin, Zano, Nexa, and Tari—optimized for both CPU and GPU performance.
Aqua researcher Assaf Moraz notes the high degree of automation in Koske’s tooling and suggests that generative AI models may have been employed during development. The campaign is distinguished by its systematic execution and clean codebase, marking one of the earliest and most effective uses of polyglot media containers in attacks on cloud infrastructure.
Both campaigns—Soco404 and Koske—underscore the immense risks posed by vulnerable or poorly secured cloud services. Administrators are urged to rigorously audit configurations, restrict public exposure of critical endpoints, and maintain up-to-date software. Special attention should be paid to PostgreSQL and JupyterLab platforms, which often remain exposed post-deployment.
Soco404 highlights the importance of implementing rollback protection and integrity verification mechanisms, while Koske illustrates the need for filtering media files and expanding analysis capabilities for atypical file formats. Both campaigns send a clear message: securing cloud and DevOps infrastructure demands vigilant, continuous engagement.