Beware of Fake Error Pages Deploying Platform-Specific Malware on Linux and Windows Systems
Wiz Research has uncovered an active cryptomining campaign, dubbed Soco404, that exploits misconfigurations in PostgreSQL databases and other cloud services to deploy platform-specific malware on both Linux and Windows systems.
This operation, part of a broader crypto-scam infrastructure, leverages opportunistic scanning for exposed services, abusing features like PostgreSQL’s COPY FROM PROGRAM for remote code execution (MITRE T1190).
Attackers target publicly accessible instances, which Wiz data indicates affect nearly one-third of self-hosted PostgreSQL deployments in cloud environments, representing a high-risk attack surface.
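The COPY FROM PROGRAM abuse described above leaves a clear trace in PostgreSQL's own statement log. The detector below is an added example, not code from the Wiz report or the gbhackers article: it scans log lines for `COPY ... FROM PROGRAM` and `COPY ... TO PROGRAM` statements (both directions execute a command on the database host), extracts the connecting role and the command, and tolerates mixed case, the `COPY (query) TO PROGRAM` form, and SQL-escaped quotes. The log format assumed is `log_statement = 'all'` with a `user=...,db=...` line prefix; the sample lines are constructed for the demonstration.

```python
"""Detect use of COPY ... FROM/TO PROGRAM in PostgreSQL statement logs.

Added detection example (not from the Wiz report). Assumes the server logs
statements (log_statement = 'all') with a log_line_prefix that includes
'user=%u,db=%d', producing lines like:
'2025-07-24 10:02:11 UTC [4120] user=app,db=app LOG:  statement: SELECT 1'
"""
import re
from dataclasses import dataclass
from typing import List

# COPY <table-or-(query)> FROM|TO PROGRAM '<command>'
# The command group accepts doubled single quotes, which is how SQL escapes
# a literal quote inside a string, so the full command is captured.
COPY_PROGRAM_RE = re.compile(
    r"\bCOPY\s+(?P<target>.+?)\s+(?P<direction>FROM|TO)\s+PROGRAM\s+"
    r"'(?P<command>(?:[^']|'')*)'",
    re.IGNORECASE,
)
USER_RE = re.compile(r"\buser=(?P<user>[^,\s]+)")


@dataclass
class Finding:
    line_no: int     # 1-based index into the scanned lines
    user: str        # PostgreSQL role that issued the statement
    direction: str   # FROM (command output loaded into a table) or TO
    command: str     # shell command the server would execute


def scan_postgres_log(lines: List[str]) -> List[Finding]:
    """Return one Finding per line that invokes COPY ... PROGRAM."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        m = COPY_PROGRAM_RE.search(line)
        if not m:
            continue
        u = USER_RE.search(line)
        findings.append(Finding(
            line_no=n,
            user=u.group("user") if u else "unknown",
            direction=m.group("direction").upper(),
            command=m.group("command").replace("''", "'"),
        ))
    return findings


# Constructed sample log: two benign statements, three server-side program
# executions (one lower-case, one with an escaped quote).
SAMPLE_LOG = [
    "2025-07-24 10:02:11 UTC [4120] user=app,db=app LOG:  statement: "
    "SELECT id FROM orders WHERE id = 42",
    "2025-07-24 10:02:15 UTC [4133] user=postgres,db=postgres LOG:  statement: "
    "COPY scratch FROM PROGRAM 'hostname'",
    "2025-07-24 10:02:16 UTC [4133] user=postgres,db=postgres LOG:  statement: "
    "copy (select 1) to program 'id'",
    "2025-07-24 10:02:18 UTC [4133] user=postgres,db=postgres LOG:  statement: "
    "COPY scratch FROM PROGRAM 'echo ''hello'''",
    "2025-07-24 10:02:20 UTC [4140] user=app,db=app LOG:  statement: "
    "COPY orders FROM '/tmp/orders.csv' CSV",
]


if __name__ == "__main__":
    for f in scan_postgres_log(SAMPLE_LOG):
        print(f"line {f.line_no}: role={f.user} COPY {f.direction} PROGRAM -> {f.command!r}")
```

Any hit on an instance that has no legitimate reason to run server-side programs is worth an alert on its own; on a hardened deployment the statement should fail anyway, since only superusers and members of the `pg_execute_server_program` role can use it, so the findings double as a check that the role grant is as tight as intended. Feed the function the output of `grep 'statement:' postgresql.log` or a log-shipping pipeline; the regex is line-oriented, so multi-line statements need to be joined first.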

Exploitation of Cloud Misconfigurations
By infiltrating via weak credentials or vulnerabilities such as CVE-2025-24813 in Apache Tomcat, the threat actors host payloads on compromised legitimate servers, including a notable Korean transportation website, to distribute malware while evading detection.
The campaign employs process masquerading (MITRE T1036.005), disguising malicious binaries as legitimate system processes like sd-pam or kernel workers, and ensures persistence through cron jobs (MITRE T1053 ...
Copyright of this story solely belongs to gbhackers.