Soco404 and Koske Malware Target Cloud Services with Cross-Platform Cryptomining Attacks
Jul 25, 2025
Malware / Cloud Security
Threat hunters have disclosed two different malware campaigns that have targeted vulnerabilities and misconfigurations across cloud environments to deliver cryptocurrency miners. The threat activity clusters have been codenamed Soco404 and Koske by cloud security firms Wiz and Aqua, respectively. Soco404 "targets both Linux and Windows systems, deploying platform-specific malware," Wiz researchers Maor Dokhanian, Shahar Dorfman, and Avigayil Mechtinger said . "They use process masquerading to disguise malicious activity as legitimate system processes." The activity is a reference to the fact that payloads are embedded in fake 404 HTML pages hosted on websites built using Google Sites. The bogus sites have since been taken down by Google. Wiz posited that the campaign, which has been previously observed going after Apache Tomcat services with weak credentials, as well as susceptible Apache Struts and Atlassian Confluence servers using the Sysrv botnet, is p...
