- Two Malware campaigns target cloud systems with cryptocurrency miners.
- Soco404 and Koske attack both Linux and Windows using tailored malware.
- Attackers exploit weak passwords, known software flaws, and misconfigured servers.
- The campaigns use disguised files and fake websites to avoid detection.
- Attackers aim to maximize mining profits by removing competitors and hiding evidence.
Threat researchers reported on July 25, 2025, that two different malware campaigns are currently targeting cloud systems to secretly install cryptocurrency mining software. The groups behind these attacks, identified as Soco404 and Koske, focus on finding and using weak spots in publicly accessible cloud servers and services.
Researchers from Wiz and Aqua explained that Soco404 uses malware that targets both Linux and Windows systems. Soco404 disguises its malicious programs as normal system processes and hides its harmful files on 404 error pages created with Google Sites. Google removed these websites after discovery.
According to Wiz, the attackers have previously targeted poorly secured Apache Tomcat, Apache Struts, and Atlassian Confluence servers. They use automated tools to scan for exposed systems and known vulnerabilities. After breaking in, they exploit features like PostgreSQL’s COPY … FROM PROGRAM SQL command to run code remotely on the server.
On Linux, the malware runs scripts in memory, terminates rival mining programs, and deletes logs to hide its traces. On Windows, a similar loader runs along with a driver that gives the attacker system-level control. The malware also tries to stop logging services and deletes itself to reduce the chance of being spotted. “Rather than relying on a single method or operating system, the attacker casts a wide net, deploying whichever tool or technique is available in the environment to deliver their payload,” Wiz stated.
The Koske attack mainly focuses on Linux systems. Researchers suspect it was partly created with help from a large language model (LLM). In this scheme, attackers use JPEG images of pandas as containers for hidden malware. These images, called polyglot files, contain both regular image data and a malicious segment at the end. When the server downloads the image, the malware code is extracted and run directly in memory.
A Koske infection starts by exploiting a misconfigured server, such as JupyterLab, and installs rootkits and mining programs. The main aim is to use the server’s resources to mine up to 18 cryptocurrencies, including Monero and Ravencoin. Aqua researcher Assaf Morag described the polyglot technique, saying, “This technique isn’t steganography but rather polyglot file abuse or malicious file embedding.” Learn more in the detailed publication.
Attackers in both campaigns remove traces of their activities, kill competing mining programs, and use creative methods to keep their operations hidden and persistent.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Chainlink Chromion Hackathon Winners Announced, $100K Awarded
- Bitcoin Whale Moves 14,273 BTC ($1.67B) to Exchanges as Price Dips
- OSL Secures $300M in Asia’s Largest Digital Asset Equity Raise
- Aptos (APT) Surges Amid Volatility, Finds Support at $4.59
- Brazil’s Pix Payment System Sparks US Worries Over De-Dollarization
