Red Hot Cyber


Koske: Linux Malware Developed with Artificial Intelligence

Redazione RHC : 26 July 2025 16:32

AquaSec analysts have discovered a new Linux malware strain. The malware is called Koske and is believed to have been developed with the help of artificial intelligence. It is delivered inside panda JPEG images and loads itself directly into memory. Researchers describe Koske as a “sophisticated Linux threat” whose adaptive behavior suggests that it was developed using large language models (LLMs) or automation frameworks.

Koske’s main goal is to deploy CPU- and GPU-optimized miners that use the host’s processing resources to mine various cryptocurrencies. Because analysis of the malware turned up Serbian IP addresses and Serbian phrases in the scripts, but Slovak in the GitHub repository hosting the miners, the experts were unable to establish a definitive attribution.

Attackers gain initial access by exploiting misconfigured JupyterLab instances that allow commands to be executed. They then download two panda images in .JPEG format to the victim’s system; the images are hosted on legitimate services such as OVH Images, FreeImage, and PostImage and contain the malicious payload.

It’s important to note that the attackers do not use steganography to hide the malware within the images. Instead, they rely on polyglot files, which can be read and interpreted in different formats. In Koske attacks, the same file can be interpreted as either an image or a script, depending on the application that opens or processes it.

The panda images contain not only the image itself, with the correct headers for the JPEG format, but also malicious shell scripts and code written in C, so that each format can be interpreted independently. In other words, when opening such a file, a user will only see a cute panda, but a script interpreter will execute the code appended to the end of the file.
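The polyglot technique described above leaves a structural trace a defender can check for: a JPEG decoder stops at the End-Of-Image marker (FFD9), so anything appended after it is invisible to the viewer but present in the file. The following is an added example (not code from the AquaSec report or the Koske samples) that walks the JPEG segment structure to locate the real EOI marker, returns whatever follows it, and looks for script or C-source indicators in that trailer. The sample JPEG and the marker list are constructed here for illustration.

```python
"""Detect JPEG files that carry trailing data after the End-Of-Image marker.

Added example (not code from the Koske report or AquaSec). Walks the JPEG
segment structure so that an FFD9 byte pair inside a comment segment or the
entropy-coded scan is not mistaken for the real EOI, then inspects whatever
follows the image for appended interpreter payloads.
"""

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"

# Indicators of an appended script or source payload (constructed list; extend as needed).
SCRIPT_MARKERS = (b"#!/bin/sh", b"#!/bin/bash", b"#!/usr/bin/env", b"#include <")


def jpeg_trailing_data(data: bytes) -> bytes:
    """Return the bytes appended after the JPEG image ends, or b'' if there are none."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            raise ValueError(f"marker expected at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                      # EOI: everything after it is trailing data
            return data[pos + 2:]
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7:   # standalone markers carry no length
            pos += 2
            continue
        if pos + 4 > n:
            break
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == 0xDA:                      # SOS: skip entropy-coded data to the next real marker
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break                       # not a stuffed 0xFF00 and not a restart marker
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker found")


def classify_trailing(trailer: bytes) -> dict:
    """Summarise the trailing data: its size and any script/source markers it contains."""
    found = [m.decode() for m in SCRIPT_MARKERS if m in trailer]
    return {"trailing_bytes": len(trailer), "script_markers": found, "suspicious": bool(found)}


def minimal_jpeg() -> bytes:
    """Build a tiny, structurally valid JPEG (constructed sample, not a real photo)."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    # A comment segment that deliberately contains the EOI byte pair, to show the walker is not fooled.
    com_body = b"comment with \xff\xd9 inside"
    com = b"\xff\xfe" + (len(com_body) + 2).to_bytes(2, "big") + com_body
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"             # entropy data containing a stuffed 0xFF00
    return SOI + app0 + com + sos + scan + EOI


if __name__ == "__main__":
    # Constructed polyglot: a valid image followed by a shell script.
    polyglot = minimal_jpeg() + b"\n#!/bin/bash\necho constructed payload\n"
    print(classify_trailing(jpeg_trailing_data(minimal_jpeg())))   # clean image
    print(classify_trailing(jpeg_trailing_data(polyglot)))         # flagged
```

Trailing bytes after EOI are not by themselves proof of malice (some cameras and editors pad files), which is why the verdict keys on recognisable interpreter markers; in a real pipeline the trailer would also be hashed and fed to further scanning rather than judged on markers alone.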

The researchers write that each image contains a payload, and both are launched in parallel. “A payload is C code that is written directly into memory, compiled, and executed as a shared object (.so file), and functions like a rootkit,” the experts explain. “The second payload is a shell script that also runs from memory. It uses standard Linux system utilities to remain invisible and persistent, leaving a minimal trace.”

The script also ensures connection stability and bypasses network restrictions: it rewrites /etc/resolv.conf to use Cloudflare and Google DNS, and protects this file with chattr +i. The malware also resets iptables rules, deletes proxy-related system variables, and runs a custom module to force the startup of working proxies via curl, wget, and direct TCP requests.
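The resolver changes described above are a cheap thing to check for on a fleet: a host whose /etc/resolv.conf points at public resolvers it is not configured to use, and whose file has been made immutable with chattr +i, matches this pattern. The following is an added example (not code from the Koske report) that applies that detection rule to the file contents and to the flag string printed by lsattr; the baseline of expected nameservers and the sample artefacts are constructed for illustration.

```python
"""Flag resolver tampering: unexpected nameservers plus an immutable resolv.conf.

Added example, not code from the Koske report. The checks take text so they
can run over captured artefacts; check_live_host() shows the same logic
against the running system.
"""
import subprocess

# Resolvers this organisation's hosts are expected to use (constructed baseline).
EXPECTED_NAMESERVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed sample artefacts.
TAMPERED_RESOLV = "# generated\nnameserver 1.1.1.1\nnameserver 8.8.8.8\noptions timeout:1\n"
TAMPERED_LSATTR = "----i---------e------- /etc/resolv.conf"
CLEAN_RESOLV = "nameserver 10.0.0.53\nsearch corp.example\n"
CLEAN_LSATTR = "--------------e------- /etc/resolv.conf"


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses in resolv.conf order, ignoring comments."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def is_immutable(lsattr_line: str) -> bool:
    """lsattr prints a flag string (e.g. '----i---------e-------') followed by the path;
    the letter 'i' in that string is the immutable attribute set by chattr +i."""
    return "i" in lsattr_line.split()[0]


def check_resolver(resolv_conf: str, lsattr_line: str, expected=EXPECTED_NAMESERVERS) -> list[str]:
    """Return a list of findings; an empty list means nothing matched the pattern."""
    findings = []
    unexpected = [s for s in parse_nameservers(resolv_conf) if s not in expected]
    immutable = is_immutable(lsattr_line)
    if unexpected:
        findings.append("unexpected nameservers: " + ", ".join(unexpected))
    if immutable:
        findings.append("immutable attribute set on /etc/resolv.conf")
    if unexpected and immutable:
        findings.append("both indicators present: matches resolver hijack pattern")
    return findings


def check_live_host() -> list[str]:
    """Run the same checks against the local system (requires lsattr from e2fsprogs)."""
    with open("/etc/resolv.conf", encoding="utf-8") as fh:
        resolv = fh.read()
    out = subprocess.run(["lsattr", "/etc/resolv.conf"], capture_output=True, text=True, check=True)
    return check_resolver(resolv, out.stdout.strip())


if __name__ == "__main__":
    for f in check_resolver(TAMPERED_RESOLV, TAMPERED_LSATTR):
        print("FINDING:", f)
    print("clean host findings:", check_resolver(CLEAN_RESOLV, CLEAN_LSATTR))
```

Either indicator alone can be legitimate (some administrators pin resolv.conf to stop DHCP clients rewriting it), so the rule reports the combination as the strong signal and the individual findings as context.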

It is precisely this adaptability that leads the researchers to suggest the malware may have been developed using LLMs or automation platforms. Before deploying to the victim’s computer, the malware evaluates the host’s capabilities (CPU and GPU) to select the most suitable miner: Koske supports mining 18 different cryptocurrencies, including Monero, Ravencoin, Zano, Nexa, and Tari.

If a currency or pool is unavailable, the malware automatically switches to a backup option from its internal list, which also indicates a high degree of automation and flexibility.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
