Multiplatform Cryptomining Campaign Uses Fake Error Pages to Hide Payload
Essential information
- Published: 24/07/2025 08:26
- Modified: 24/07/2025 09:34
- Tags: 2025-07-24, CVE-2025-24813, compromised-servers, crypto-scam, cryptomining, fake-404-pages, multiplatform, persistence, postgresql, process-masquerading, soco404
- Related entities: 1 malware, 2 others
Description
A new iteration of a broad cryptomining campaign, dubbed Soco404, has been identified. The attackers exploit vulnerabilities in cloud environments, particularly targeting PostgreSQL misconfigurations, to deploy cryptominers on both Linux and Windows systems. They use process masquerading, achieve persistence via cron jobs and shell initialization files, and rely on compromised legitimate servers for malware hosting. The malware communicates via local sockets and embeds payloads in fake 404 HTML pages on Google Sites. The campaign is part of a larger crypto-scam infrastructure, demonstrating a versatile and opportunistic operation. The attackers use multiple ingress tools and target various entry points, showing a flexible approach to maximize reach and persistence across diverse targets.