A new wave of cryptojacking attacks is exploiting the humble 404 error page to sneak malicious binaries past defenders. Dubbed “Soco404,” the campaign embeds base64-encoded payloads inside seemingly innocuous error screens hosted on Google Sites and on compromised Tomcat servers, then detonates them on both Linux and Windows hosts.

On Linux, the dropper script generates a random filename, kills competing miners, wipes /var/log/wtmp and, if running as root, enables hugepages and tweaks model-specific registers on Ryzen and Intel CPUs to squeeze every hash from the silicon.

Windows hosts follow a parallel path: certutil, Invoke-WebRequest, or curl drops ok.exe into C:\Users\Public\, spawns conhost.exe, injects the main miner, and silently deletes the original file after a three-second delay implemented with the choice command.

Each branch of the malware family disguises itself as a legitimate process (sd-pam or kworker/R-rcu_p on Linux, a randomly named eight-character service on Windows) and persists undetected by scheduling cron jobs and shell-init hooks on Linux or by disabling the Windows Event Log on Windows. Both branches chatter over local sockets for resilience and keep watchdog threads ready to respawn if killed, ensuring the fake error page keeps harvesting coins long after the 404 message fades from view.
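The embedded-payload trick is straightforward to hunt for once you have the error page body in hand. The following is an added example (not code from the Soco404 campaign or from the article's authors) that pulls every long base64 run out of a page, decodes it, and flags anything whose first bytes are an ELF, PE, or shebang header. The 404 page it scans is a constructed stand-in for a poisoned Google Sites or Tomcat error page, the fake ELF and PE blobs inside it are just headers plus zero padding, and the 64-character minimum run length is an assumption you should tune to your own traffic:

```python
"""Hunt for Soco404-style payloads hidden in an HTTP error page.

Added example; this is not code from the campaign or from the article's
authors. It assumes the payload is one contiguous base64 run in the page
body and that the constructed page below is representative.
"""
import base64
import binascii
import hashlib
import re
from typing import Optional

# Shortest base64 run worth decoding. Chosen by assumption: anything
# shorter is usually a token or a tiny inline image, not a dropped binary.
MIN_B64_LEN = 64

# Standard (not URL-safe) alphabet with optional "=" padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_LEN)

# Magic bytes that identify an executable no matter what the page calls it.
MAGIC = (
    (b"\x7fELF", "ELF (Linux)"),
    (b"MZ", "PE (Windows)"),
    (b"#!", "script with shebang"),
)


def classify(blob: bytes) -> Optional[str]:
    """Return a label for *blob* if it starts with a known executable magic."""
    for magic, label in MAGIC:
        if blob.startswith(magic):
            return label
    return None


def find_embedded_binaries(page: str) -> list:
    """Decode every long base64 run in *page* and keep those that are executables."""
    hits = []
    for match in B64_RUN.finditer(page):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like base64 but was not (bad padding, etc.)
        label = classify(blob)
        if label is None:
            continue  # decodable, but not an executable: text, image, JSON ...
        hits.append({
            "offset": match.start(),
            "kind": label,
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),
        })
    return hits


# Constructed stand-ins: a 64-byte blob with an ELF header, one with a PE
# header, and a harmless 48-byte text decoy. None of these is a real binary.
FAKE_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 57
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
DECOY = b"A" * 48

SAMPLE_404 = (
    "<html><head><title>404 Not Found</title></head>\n"
    "<body><h1>Not Found</h1>\n"
    "<p>The requested URL was not found on this server.</p>\n"
    f"<!-- {base64.b64encode(FAKE_ELF).decode()} -->\n"
    f'<div style="display:none">{base64.b64encode(FAKE_PE).decode()}</div>\n'
    f"<p>{base64.b64encode(DECOY).decode()}</p>\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    for hit in find_embedded_binaries(SAMPLE_404):
        print(f"offset={hit['offset']:>5} {hit['kind']:<20} "
              f"{hit['size']} bytes sha256={hit['sha256'][:16]}...")
```

Run it against a page fetched with curl and the two hidden blobs are reported with their hashes while the text decoy is ignored; in practice the decoded blobs are what you submit to your sandbox, and the hash is what you pivot on across other hosts that fetched the same page.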
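The process-name masquerade described above is the easiest host-side artefact to check, but the name alone proves nothing: kworker/R-rcu_p mirrors a real kernel thread name, and sd-pam is a real systemd helper. What gives a miner away is the backing it cannot fake. The following is an added example (not code from the malware or the article) that flags kernel-thread-named processes that have an executable on disk or a parent other than kthreadd, sd-pam lookalikes not backed by the systemd binary, and anything running from a scratch directory. It assumes a genuine Linux kernel thread has PID 2 as its parent and no readable /proc/<pid>/exe target, that the legitimate sd-pam's exe resolves to a file named systemd, and the sample process table is constructed for the demonstration:

```python
"""Flag user-space processes masquerading as kernel threads or systemd helpers.

Added example, not from the Soco404 malware or the article. Assumptions:
a genuine Linux kernel thread has kthreadd (PID 2) as its parent and no
/proc/<pid>/exe target; the legitimate sd-pam helper is spawned by systemd
and its exe resolves to the systemd binary. Run as root on a live host,
otherwise unreadable exe links of other users' processes cause false hits.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

KTHREADD_PID = 2

# Kernel-thread naming pattern, covering the kworker/R-rcu_p name from the article.
KERNEL_THREAD_NAME = re.compile(r"^(kworker/|ksoftirqd/|rcu_|migration/|kthreadd$)")
SYSTEMD_EXE = re.compile(r"(^|/)systemd$")
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str            # Name: field from /proc/<pid>/status
    exe: Optional[str]   # readlink of /proc/<pid>/exe, None for kernel threads


def why_suspicious(p: Proc) -> Optional[str]:
    """Return a reason if *p* looks like a masquerading process, else None."""
    if KERNEL_THREAD_NAME.match(p.comm):
        if p.exe is not None:
            return f"{p.comm!r} has an executable on disk ({p.exe}); kernel threads do not"
        if p.ppid != KTHREADD_PID and p.pid != KTHREADD_PID:
            return f"{p.comm!r} parent is PID {p.ppid}, not kthreadd"
    if p.comm.strip("()") == "sd-pam" and (p.exe is None or not SYSTEMD_EXE.search(p.exe)):
        return f"{p.comm!r} is not backed by the systemd binary (exe={p.exe})"
    if p.exe and p.exe.startswith(SCRATCH_DIRS):
        return f"{p.comm!r} runs from a scratch directory ({p.exe})"
    return None


def scan(procs: List[Proc]) -> List[Proc]:
    """Return the subset of *procs* that trips one of the rules above."""
    return [p for p in procs if why_suspicious(p)]


def read_proc() -> List[Proc]:
    """Collect the live process table from /proc (Linux only)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/status") as fh:
                fields = dict(line.split(":", 1) for line in fh if ":" in line)
            comm = fields["Name"].strip()
            ppid = int(fields["PPid"].strip())
        except (OSError, KeyError, ValueError):
            continue  # process exited mid-scan or status unreadable
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None  # kernel thread, zombie, or permission denied
        procs.append(Proc(pid, ppid, comm, exe))
    return procs


# Constructed sample: three genuine entries and two masquerades.
SAMPLE_PROCS = [
    Proc(2, 0, "kthreadd", None),
    Proc(17, 2, "kworker/0:1", None),
    Proc(1203, 1, "(sd-pam)", "/usr/lib/systemd/systemd"),
    Proc(4410, 1, "kworker/R-rcu_p", "/tmp/.x/aB3dE9fQ"),   # miner with a kernel-thread name
    Proc(4411, 4410, "sd-pam", "/var/tmp/.cache/sd-pam"),  # miner with a systemd helper name
]

if __name__ == "__main__":
    table = read_proc() if os.path.isdir("/proc") else SAMPLE_PROCS
    for p in scan(table):
        print(f"PID {p.pid:>6}: {why_suspicious(p)}")
```

On the constructed table only the two miners are reported, each with the rule that caught it; on a live host the same three questions (who is the parent, is there a file behind it, where does that file live) survive any amount of process renaming.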
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 25 Jul 2025 12:35:15 +0000