Koske, a new Linux malware family that was likely built with the help of an LLM or an automated code-generation framework, hides in seemingly harmless panda images hosted on legitimate image-hosting services. The malware runs directly from memory, installs a rootkit, and mines any of 18 cryptocurrencies, including Monero and Ravencoin, on the infected host's CPU and GPU.

AquaSec analysts found that Koske gains its initial foothold through misconfigured, internet-exposed JupyterLab instances and then downloads two JPEG files of cute pandas. Each looks like an ordinary image, but is in fact a polyglot file: an image viewer renders it as a picture, while the malware's loader treats the same bytes as code. Rather than steganography (hiding data inside the pixel data), the attack relies on a dual format, in which a valid JPEG is followed by malicious code appended at the tail of the file, past the point where image viewers stop reading.
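An added example of how to check an image for this kind of appended payload. This is not AquaSec's tooling and not code from the Koske samples: the program walks the JPEG marker structure to find where the image really ends (the EOI marker, FF D9) and reports whatever follows it. The sample bytes, the classification labels and the command-line handling are my own; the sample is a constructed minimal JPEG with a shell script glued to it, not a real Koske file.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return the offset of the first byte after the EOI marker (FF D9): everything
 * from there on is invisible to an image viewer. Returns len for a clean file
 * and -1 for anything that is not a well-formed JPEG (no SOI, truncated, no EOI). */
long jpeg_payload_offset(const unsigned char *buf, size_t len) {
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8) return -1;   /* SOI */
    size_t pos = 2;
    while (pos + 1 < len) {
        if (buf[pos] != 0xFF) return -1;                          /* every segment starts with FF */
        unsigned char m = buf[pos + 1];
        if (m == 0xFF) { pos++; continue; }                       /* fill byte before a marker */
        if (m == 0xD9) return (long)(pos + 2);                    /* EOI: the image ends here */
        if (m == 0xD8 || m == 0x01 || (m >= 0xD0 && m <= 0xD7)) { pos += 2; continue; } /* no length field */
        if (pos + 3 >= len) return -1;
        size_t seglen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3]; /* big-endian, includes itself */
        if (seglen < 2 || pos + 2 + seglen > len) return -1;
        pos += 2 + seglen;
        if (m == 0xDA) {
            /* SOS: entropy-coded scan data with no length field follows. Skip to the next real
             * marker; FF 00 is a stuffed byte and FF D0..D7 are restart markers, both part of
             * the scan, so neither may be mistaken for the end of the image. */
            while (pos + 1 < len) {
                unsigned char n = buf[pos + 1];
                if (buf[pos] == 0xFF && n != 0x00 && n != 0xFF && !(n >= 0xD0 && n <= 0xD7)) break;
                pos++;
            }
        }
    }
    return -1;                                                    /* ran out of data before EOI */
}

/* Byte-string search; the trailer is raw bytes, not a NUL-terminated string. */
static int contains(const unsigned char *hay, size_t hlen, const char *needle) {
    size_t nlen = strlen(needle);
    for (size_t i = 0; nlen <= hlen && i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Heuristic label for whatever follows the image. Trailing data is a strong indicator,
 * not proof: some camera firmware appends proprietary blobs, so treat this as triage. */
const char *classify_trailer(const unsigned char *buf, size_t len) {
    long off = jpeg_payload_offset(buf, len);
    if (off < 0) return "malformed-jpeg";
    if ((size_t)off == len) return "clean";
    const unsigned char *t = buf + off;
    size_t tlen = len - (size_t)off;
    if (tlen >= 2 && t[0] == '#' && t[1] == '!') return "shell-script";
    if (contains(t, tlen, "#include") || contains(t, tlen, "int main(")) return "c-source";
    return "unknown-trailer";
}

/* Constructed sample (not a real Koske file): a minimal valid JPEG with a shell script
 * appended. The scan data contains a stuffed FF 00 and a RST0 marker on purpose. */
const unsigned char SAMPLE_POLYGLOT[] = {
    0xFF, 0xD8,                                                 /* SOI */
    0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00, 0x01, 0x01,
    0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00,                   /* APP0/JFIF, length 16 */
    0xFF, 0xDA, 0x00, 0x08, 0x01, 0x01, 0x00, 0x00, 0x3F, 0x00, /* SOS header, length 8 */
    0x12, 0xFF, 0x00, 0x34, 0xFF, 0xD0, 0x56,                   /* scan data */
    0xFF, 0xD9,                                                 /* EOI: image ends at offset 39 */
    '#', '!', '/', 'b', 'i', 'n', '/', 'b', 'a', 's', 'h', '\n',
    'e', 'c', 'h', 'o', ' ', 'p', 'w', 'n', 'e', 'd', '\n'      /* appended payload, 23 bytes */
};
const size_t SAMPLE_POLYGLOT_LEN = sizeof SAMPLE_POLYGLOT;

int main(int argc, char **argv) {
    const unsigned char *data = SAMPLE_POLYGLOT;
    size_t len = SAMPLE_POLYGLOT_LEN;
    unsigned char *filebuf = NULL;
    if (argc > 1) {                                              /* scan a file named on the command line */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        fseek(f, 0, SEEK_END);
        long sz = ftell(f);
        rewind(f);
        if (sz <= 0 || !(filebuf = malloc((size_t)sz)) || fread(filebuf, 1, (size_t)sz, f) != (size_t)sz) {
            fclose(f); free(filebuf); return 1;
        }
        fclose(f);
        data = filebuf; len = (size_t)sz;
    }
    printf("image ends at byte %ld of %zu; trailer: %s\n",
           jpeg_payload_offset(data, len), len, classify_trailer(data, len));
    free(filebuf);
    return 0;
}
```

Two caveats when using this for triage. First, the check only catches data appended after EOI; a payload stored inside an oversized COM or APPn segment would pass it, so pair it with a sanity check on segment sizes. Second, the fact that a file "opens fine" in a viewer proves nothing, which is precisely the property the attack relies on.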
One file carries C source that is compiled in memory into a shared object (.so) and loaded as a userland rootkit that hides the malware's processes and files. The other carries a bash script that likewise executes from memory and establishes persistence through cron jobs and systemd services. The script then reshapes the host's networking to suit the attacker: it rewrites the network configuration, locks the DNS settings so they cannot be changed back, flushes the iptables rules, bypasses any proxy the host was configured to use, and brute-forces a list of proxies to find ones that work.
Once established on the host, the script profiles the available hardware (CPU and GPU), downloads the matching miner from GitHub, and runs it with settings tuned to that hardware. If a mining pool or coin becomes unavailable, Koske automatically falls back to the alternatives it has configured.
Attribution remains unclear: the attack infrastructure used Serbian IP addresses, the scripts contain Serbian phrases, and the GitHub repositories contain comments in Slovak, but the researchers could not identify the author with confidence. The way the code is written, together with its adaptive behavior, automatic coin selection, and stealth, suggests that an LLM or a sophisticated code-generation system was used to produce it. For stealth, the rootkit is loaded via LD_PRELOAD and hooks the readdir() function, so that tools which list directories through libc (ls, ps reading /proc, and the like) never see the malware's files or processes, hiding the traces of its operation.
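The readdir() hook just described, and the process and file hiding attributed to the rootkit earlier, work because almost every tool lists directories through libc. An added example (not code from the Koske samples or from AquaSec) that detects this class of hook from the other direction: it lists a directory once through libc's readdir() and once through the raw getdents64 syscall, which a preloaded library cannot wrap, and reports every name that only the kernel returned. It also counts the entries in /etc/ld.so.preload, the system-wide LD_PRELOAD list that a rootkit uses to get itself loaded into every process. The default directory list in main() is my choice; the rest uses only standard glibc and Linux interfaces.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define MAX_ENTRIES 65536

/* Record layout the kernel writes for getdents64; glibc does not export it under a public name. */
struct raw_dirent64 { unsigned long long d_ino; long long d_off; unsigned short d_reclen;
                      unsigned char d_type; char d_name[]; };

static int add_name(char **names, size_t *n, const char *name) {
    if (*n >= MAX_ENTRIES || !(names[*n] = strdup(name))) return -1;
    (*n)++;
    return 0;
}

static void free_names(char **names, size_t n) {
    for (size_t i = 0; i < n; i++) free(names[i]);
    free(names);
}

/* The directory as libc's readdir() reports it: the call a preloaded library wraps. */
static char **names_via_readdir(const char *path, size_t *n) {
    DIR *d = opendir(path);
    if (!d) return NULL;
    char **names = calloc(MAX_ENTRIES, sizeof *names);
    struct dirent *e;
    *n = 0;
    while (names && (e = readdir(d)) != NULL)
        if (add_name(names, n, e->d_name) < 0) break;
    closedir(d);
    return names;
}

/* The same directory straight from the kernel via the raw getdents64 syscall, bypassing readdir(). */
static char **names_via_getdents(const char *path, size_t *n) {
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return NULL;
    char **names = calloc(MAX_ENTRIES, sizeof *names);
    char buf[32768] __attribute__((aligned(8)));
    *n = 0;
    for (int full = 0; names && !full; ) {
        long got = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (got <= 0) break;
        for (long off = 0; off < got && !full; ) {
            struct raw_dirent64 *d = (struct raw_dirent64 *)(buf + off);
            full = add_name(names, n, d->d_name) < 0;
            off += d->d_reclen;
        }
    }
    close(fd);
    return names;
}

/* Entries the kernel lists that readdir() omitted (printed as found), or -1 if the path
 * cannot be listed. A directory that changes between the two listings, e.g. /proc on a
 * busy host, can give a transient false positive, so confirm a hit by rerunning. */
int count_hidden_entries(const char *path) {
    size_t nr = 0, nk = 0;
    char **libc = names_via_readdir(path, &nr);
    char **kern = libc ? names_via_getdents(path, &nk) : NULL;
    int hidden = kern ? 0 : -1;
    for (size_t i = 0; kern && i < nk; i++) {            /* O(n*m); fine for /proc-sized listings */
        size_t j = 0;
        while (j < nr && strcmp(kern[i], libc[j]) != 0) j++;
        if (j == nr) { hidden++; printf("hidden from readdir(): %s/%s\n", path, kern[i]); }
    }
    if (libc) free_names(libc, nr);
    if (kern) free_names(kern, nk);
    return hidden;
}

/* Library lines in an ld.so.preload-style file; 0 when the file does not exist. */
int preload_entries(const char *path) {
    FILE *f = fopen(path, "r");
    int n = 0;
    char line[4096];
    while (f && fgets(line, sizeof line, f)) {
        char *p = line + strspn(line, " \t");
        if (*p && *p != '\n' && *p != '#') n++;           /* skip blank and comment lines */
    }
    if (f) fclose(f);
    return n;
}

int main(int argc, char **argv) {
    const char *defaults[] = { "/proc", "/tmp", "/dev/shm", "/etc" };   /* assumed starting points */
    for (int i = 1; i < (argc > 1 ? argc : 5); i++) {
        const char *p = argc > 1 ? argv[i] : defaults[i - 1];
        printf("%s: %d entries hidden from readdir()\n", p, count_hidden_entries(p));
    }
    printf("/etc/ld.so.preload lists %d libraries\n", preload_entries("/etc/ld.so.preload"));
    return 0;
}
```

The limits are worth knowing. A hook that also wraps fopen() or stat() on /etc/ld.so.preload can hide the file from the second check, and a thorough one can wrap libc's syscall() wrapper as well; if that is a concern, issue the syscall with inline assembly or run the check from a statically linked binary copied onto the host, and compare its output with ps and ls from a known-good live-response toolkit rather than the host's own binaries.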
Koske is a striking example of a new generation of malware that hides in seemingly harmless files, shows signs of AI-assisted development, and runs entirely in memory. Its adaptability, stealth, and layered design are a challenge for conventional defenses. Future versions are expected to be more dangerous still, with real-time adaptation and self-updating capabilities.