BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Soco404, Koske Malware Exploits Cloud Flaws for Crypto Mining

Cloud Malware Campaigns Exploit Server Weaknesses to Install Cryptocurrency Miners Across Linux and Windows Systems

  • Two Malware campaigns target cloud systems with cryptocurrency miners.
  • Soco404 and Koske attack both Linux and Windows using tailored malware.
  • Attackers exploit weak passwords, known software flaws, and misconfigured servers.
  • The campaigns use disguised files and fake websites to avoid detection.
  • Attackers aim to maximize mining profits by removing competitors and hiding evidence.

Threat researchers reported on July 25, 2025, that two different malware campaigns are currently targeting cloud systems to secretly install cryptocurrency mining software. The groups behind these attacks, identified as Soco404 and Koske, focus on finding and using weak spots in publicly accessible cloud servers and services.

- Advertisement -

Researchers from Wiz and Aqua explained that Soco404 uses malware that targets both Linux and Windows systems. Soco404 disguises its malicious programs as normal system processes and hides its harmful files on 404 error pages created with Google Sites. Google removed these websites after discovery.

According to Wiz, the attackers have previously targeted poorly secured Apache Tomcat, Apache Struts, and Atlassian Confluence servers. They use automated tools to scan for exposed systems and known vulnerabilities. After breaking in, they exploit features like PostgreSQL’s COPY … FROM PROGRAM SQL command to run code remotely on the server.

On Linux, the malware runs scripts in memory, terminates rival mining programs, and deletes logs to hide its traces. On Windows, a similar loader runs along with a driver that gives the attacker system-level control. The malware also tries to stop logging services and deletes itself to reduce the chance of being spotted. “Rather than relying on a single method or operating system, the attacker casts a wide net, deploying whichever tool or technique is available in the environment to deliver their payload,” Wiz stated.

The Koske attack mainly focuses on Linux systems. Researchers suspect it was partly created with help from a large language model (LLM). In this scheme, attackers use JPEG images of pandas as containers for hidden malware. These images, called polyglot files, contain both regular image data and a malicious segment at the end. When the server downloads the image, the malware code is extracted and run directly in memory.

- Advertisement -

A Koske infection starts by exploiting a misconfigured server, such as JupyterLab, and installs rootkits and mining programs. The main aim is to use the server’s resources to mine up to 18 cryptocurrencies, including Monero and Ravencoin. Aqua researcher Assaf Morag described the polyglot technique, saying, “This technique isn’t steganography but rather polyglot file abuse or malicious file embedding.” Learn more in the detailed publication.

Attackers in both campaigns remove traces of their activities, kill competing mining programs, and use creative methods to keep their operations hidden and persistent.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

FatFs Flaws Let Malicious Media Hijack Millions of Devices

Seven vulnerabilities (CVE-2026-6682 to CVE-2026- 6688) were found in the widely used FatFs filesystem library,...

Saylor Rage-Quits Channel 4 Over Bitcoin Grilling

Michael Saylor ended a Channel 4 interview by accusing the reporter of being offensive...

Linux ‘Bad Epoll’ Bug Grants Any User Root Access

A critical Linux kernel flaw, Bad Epoll (CVE-2026-46242), allows a standard user to gain...

Crypto Bill Fails to Meet White House July 4 Deadline

The White House will miss its July 4 deadline for passing a cryptocurrency market...

Alphabet Undervalued Despite Record Growth, AI Push

Alphabet (GOOGL) stock is deemed undervalued despite record revenue and strong AI positioning, trading...

Must Read

The Best Bitcoin Casinos of 2025: An Expert’s Data-Driven Guide

Key TakeawaysA Deep Dive into the Top Bitcoin Casinos of 2025Bitcoin Casino Comparison Table1. Stake.com: Best for Variety & Integrated Sports Betting2. BC.Game: Best...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading