
Spilling the Beans on Multiplatform Cryptominer Soco404

In “Soco404: Multiplatform Cryptomining Campaign Uses Fake Error Pages to Hide Payload,” Wiz analyzed a campaign exploiting cloud environment vulnerabilities and misconfigurations to deploy cryptominers. Soco404 payloads were embedded in fake 404 HTML pages hosted on websites built using Google Sites. Google has taken down the sites since their reporting.

The researchers identified nine domains as indicators of compromise (IoCs), which WhoisXML API further analyzed. Our deep dive led to these discoveries:

  • 1,516 unique client IPs communicated with four of the IoCs via 18,052 DNS requests made on 15-23 July 2025, based on Internet Abuse Signal Collective (IASC) data
  • Two domains were flagged upon registration as likely to turn malicious, 65-165 days before they were reported as IoCs
  • 9,459 email-connected domains, one of which turned out to be malicious
  • 17 IP addresses, 15 of which turned out to be malicious
  • One IP-connected domain
  • 45 string-connected domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

A Closer Look at the Soco404 IoCs

We began our investigation by looking more closely at the nine domains identified as IoCs. We queried them on Bulk WHOIS API and found out that:

  • Only eight had current WHOIS records.
  • Five of the eight domains were created in 2025. One domain each was created in 2017, 2021, and 2024. The oldest domain—moneroocean[.]stream—was created on 11 August 2017, while the newest—fastsoco[.]top—was created on 21 June 2025.
  • The eight domains were administered by five different registrars, led by Namecheap, NameSilo, and Reg.ru, which handled two domains each. One domain each was managed by Dynadot and OnlineNIC.
  • While two of the eight domains did not have registrant countries on record, the remaining six were registered in three different countries. The U.S. topped the list of registrant countries, accounting for three domains. Two domains were registered in Iceland, while one was registered in Russia.

Next, we queried the nine domains identified as IoCs on DNS Chronicle API and discovered that only eight had historical domain-to-IP resolutions. The domain arcticoins[.]com recorded 165 IP resolutions, the oldest posted on 7 July 2017. This was not consistent with the domain’s current WHOIS record creation date—19 February 2025—possibly indicating that it was recently re-registered specifically for use in Soco404. Take a look at the historical domain-to-IP resolutions of three other IoCs below.

DOMAIN IoC                  | NUMBER OF DOMAIN-TO-IP RESOLUTIONS | FIRST DOMAIN-TO-IP RESOLUTION DATE
moneroocean[.]stream        | 486                                | 19 August 2017
fastsoco[.]top              | 176                                | 21 June 2025
diamondcapitalcrypro[.]com  | 100                                | 22 January 2025

The DNS traffic data we obtained from IASC also showed that 1,516 unique client IP addresses tied to five unique autonomous system numbers (ASNs) communicated with four of the domains identified as IoCs via a total of 18,052 DNS requests made on 15-23 July 2025.

In addition, First Watch Malicious Domains Data Feed results revealed that two of the domains—dblikes[.]cyou and seeyoume[.]top—were considered likely to turn malicious 165 and 65 days, respectively, before they were reported as IoCs by Wiz on 23 July 2025.
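The two measurements above (client IPs and ASNs contacting IoC domains within a date window, and the number of days a domain was flagged before it was reported) are the kind of thing a defender reproduces against their own resolver logs. The following is an added example written for this post, not code from WhoisXML API or Wiz. It uses the IoC domains the report prints (refanged from their bracketed form), a constructed six-line DNS log in TEST-NET address space, and assumed flag dates chosen only to illustrate the day arithmetic; the log format and the ASN column are assumptions.

```python
from collections import defaultdict
from datetime import date, datetime
from typing import Optional

# IoC domains as printed in the report, in defanged form.
IOC_DOMAINS_DEFANGED = [
    "moneroocean[.]stream",
    "fastsoco[.]top",
    "arcticoins[.]com",
    "diamondcapitalcrypro[.]com",
    "dblikes[.]cyou",
    "seeyoume[.]top",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'evil[.]example' back into a hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip(".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def matching_ioc(qname: str) -> Optional[str]:
    """Return the IoC that qname equals or is a subdomain of, else None."""
    qname = qname.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if qname == ioc or qname.endswith("." + ioc):
            return ioc
    return None


# Constructed sample resolver log (assumed format):
# "<timestamp> <client_ip> <client_asn> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2025-07-15T08:12:01Z 203.0.113.5 AS64496 A fastsoco.top
2025-07-15T08:12:02Z 203.0.113.5 AS64496 A pool.moneroocean.stream
2025-07-16T11:40:17Z 198.51.100.9 AS64497 A fastsoco.top
2025-07-16T11:40:18Z 198.51.100.9 AS64497 A www.example.com
2025-07-20T23:59:59Z 192.0.2.77 AS64498 A seeyoume.top
2025-07-24T00:00:01Z 192.0.2.77 AS64498 A fastsoco.top
"""


def summarize_ioc_lookups(log_text: str, start: date, end: date) -> dict:
    """Count DNS requests for IoC domains made between start and end (inclusive),
    with unique client IPs and ASNs overall and per contacted IoC."""
    requests = 0
    clients, asns = set(), set()
    per_domain = defaultdict(lambda: {"requests": 0, "clients": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client_ip, asn, _qtype, qname = line.split()
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        if not (start <= day <= end):
            continue  # outside the observation window
        ioc = matching_ioc(qname)
        if ioc is None:
            continue  # not an IoC lookup
        requests += 1
        clients.add(client_ip)
        asns.add(asn)
        per_domain[ioc]["requests"] += 1
        per_domain[ioc]["clients"].add(client_ip)
    return {
        "requests": requests,
        "unique_clients": len(clients),
        "unique_asns": len(asns),
        "domains_contacted": sorted(per_domain),
        "per_domain": {
            d: {"requests": v["requests"], "unique_clients": len(v["clients"])}
            for d, v in per_domain.items()
        },
    }


def days_flagged_before_report(first_flagged: date, reported: date) -> int:
    """Days between the date a feed first flagged a domain and the IoC report date."""
    return (reported - first_flagged).days


if __name__ == "__main__":
    print(summarize_ioc_lookups(SAMPLE_DNS_LOG, date(2025, 7, 15), date(2025, 7, 23)))
    # Assumed flag date, chosen so the arithmetic reproduces a 165-day lead time.
    print(days_flagged_before_report(date(2025, 2, 8), date(2025, 7, 23)))
```

The subdomain match in matching_ioc matters for miner pools, where the queried name is often a host under the IoC domain rather than the apex; the 24 July line shows the window filter excluding traffic just past the report's observation period.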

Expanding the List of Soco404 IoCs

After gathering more information on the nine domains identified as IoCs, we then sought to uncover new artifacts.

First off, we queried the nine domains identified as IoCs on WHOIS History API and found out that four of them had email addresses in their historical WHOIS records, four addresses in total. Upon further scrutiny, we determined that three were public email addresses.

While none of the three public email addresses appeared in any other domain’s current WHOIS record, they were all present in other domains’ historical WHOIS records. Specifically, they appeared in the historical WHOIS records of 9,459 email-connected domains after duplicates and those already identified as IoCs were filtered out.

A Threat Intelligence API query for the 9,459 email-connected domains revealed that one—kapatoken[.]com—has already figured in malware distribution.

Next, we queried the nine domains identified as IoCs on DNS Lookup API and discovered that six of them actively resolved to 17 unique IP addresses.
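The pivots described in this section (historical WHOIS emails to email-connected domains, and current DNS resolutions to IP-connected domains) follow a mechanical pattern: collect the attribute from the IoCs, drop privacy-proxy or redacted values, find every other domain sharing the attribute, then deduplicate and remove the IoCs themselves. The following added example, written for this post and not code from WhoisXML API, implements both pivots over constructed in-memory data. Every domain, email address and IP in it is invented (example.* names and TEST-NET addresses), the record layout stands in for what a WHOIS history or DNS lookup service would return, and the privacy-address heuristic and PRIVACY_MAIL_DOMAINS list are assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed WHOIS history: domain -> historical records, oldest first.
# All names and addresses are invented; none are the report's artifacts.
WHOIS_HISTORY: Dict[str, List[dict]] = {
    "ioc-one.example": [
        {"date": "2021-03-01", "registrant_email": "ops@mail.example.net"},
        {"date": "2025-01-10", "registrant_email": "REDACTED FOR PRIVACY"},
    ],
    "ioc-two.example": [
        {"date": "2025-02-19", "registrant_email": "abc123@privacy-proxy.example.net"},
    ],
    "pivot-a.example": [
        {"date": "2019-05-05", "registrant_email": "ops@mail.example.net"},
    ],
    "pivot-b.example": [
        {"date": "2020-08-08", "registrant_email": "ops@mail.example.net"},
        {"date": "2024-08-08", "registrant_email": "ops@mail.example.net"},
    ],
    "unrelated.example": [
        {"date": "2018-01-01", "registrant_email": "someone@else.example.net"},
    ],
}

# Constructed current DNS resolutions: domain -> set of A-record IPs (TEST-NET ranges).
DNS_RESOLUTIONS: Dict[str, Set[str]] = {
    "ioc-one.example": {"192.0.2.10", "192.0.2.11"},
    "ioc-two.example": {"198.51.100.20"},
    "shared-host.example": {"192.0.2.10"},
    "unrelated.example": {"203.0.113.30"},
}

# Assumed list of privacy/proxy mail domains; a real one is maintained separately.
PRIVACY_MAIL_DOMAINS = {"privacy-proxy.example.net"}


def is_public_email(value: str) -> bool:
    """Heuristic (assumption): an address is 'public' when it is a real mailbox
    rather than a redaction marker or a privacy/proxy placeholder."""
    value = value.strip().lower()
    if "@" not in value or "redacted" in value:
        return False
    return value.rsplit("@", 1)[1] not in PRIVACY_MAIL_DOMAINS


def public_emails_in_history(domain: str, history=WHOIS_HISTORY) -> Set[str]:
    """Collect public registrant emails from one domain's historical WHOIS records."""
    return {
        rec["registrant_email"].lower()
        for rec in history.get(domain, [])
        if is_public_email(rec["registrant_email"])
    }


def email_connected_domains(iocs: Iterable[str], history=WHOIS_HISTORY) -> Dict[str, List[str]]:
    """Map each public email found in the IoCs' WHOIS history to the other domains
    whose history also contains it, deduplicated and with the IoCs removed."""
    iocs = set(iocs)
    pivot_emails = set().union(*(public_emails_in_history(d, history) for d in iocs))
    connected = defaultdict(set)
    for domain, records in history.items():
        if domain in iocs:
            continue  # never report an IoC as its own connected domain
        for rec in records:
            email = rec["registrant_email"].lower()
            if email in pivot_emails:
                connected[email].add(domain)  # set membership deduplicates repeats
    return {email: sorted(domains) for email, domains in connected.items()}


def ip_connected_domains(iocs: Iterable[str], resolutions=DNS_RESOLUTIONS) -> Dict[str, List[str]]:
    """Map each IP an IoC currently resolves to onto the non-IoC domains sharing it."""
    iocs = set(iocs)
    ioc_ips = set().union(*(resolutions.get(d, set()) for d in iocs))
    connected = defaultdict(set)
    for domain, ips in resolutions.items():
        if domain in iocs:
            continue
        for ip in ips & ioc_ips:
            connected[ip].add(domain)
    return {ip: sorted(domains) for ip, domains in connected.items()}


if __name__ == "__main__":
    iocs = ["ioc-one.example", "ioc-two.example"]
    print(email_connected_domains(iocs))
    print(ip_connected_domains(iocs))
```

Note that ioc-two.example contributes no pivot at all: its only historical address belongs to a proxy service, so pivoting on it would sweep in every customer of that service rather than domains tied to the same registrant. That exclusion is the step that keeps the email-connected set meaningful.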

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
