Koske, a new AI-Generated Linux malware appears in the threat landscape
Koske is a new Linux malware designed for cryptomining, likely developed with the help of artificial intelligence.
Koske is a new AI-generated Linux malware developed for cryptomining. Aquasec researchers reported that the malicious code uses rootkits and polyglot image file abuse to evade detection.
Attackers exploit a misconfigured server to drop backdoors and download two JPEG polyglot files via shortened URLs. The images are polyglot files that hide malicious code appended at the end; the appended code is executed directly in memory to evade antivirus detection. One payload is C code compiled into a rootkit shared object (.so); the other is a stealthy shell script that uses standard system tools to persist without leaving visible traces.
“Main and secondary payloads are delivered via dual-use image files. The threat actors append malicious shell scripts to legitimate image files (e.g., panda bear pictures), which are hidden inside images and kept on legitimate and free image storage platforms (freeimage, postimage and OVH images),” reads the report published by Aquasec. “This technique isn’t steganography but rather polyglot file abuse or malicious file embedding. This technique uses a valid JPG file with malicious shellcode hidden at the end. Only the last bytes are downloaded and executed, making it a sneaky form of polyglot abuse. It’s a dual-use file that evades detection by blending image data with executable payloads. As you can see in the image below, the initial X bytes are the image itself, while the last part of the file is a shell code aimed to be executed after the main payload is delivered to the targeted system.”
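As an added defensive example (not code from the Aquasec report or from the malware), the following Python checker looks for the trailing-data technique described above: it walks the JPEG marker structure to find the real end of the image (the EOI marker) and reports whether anything appended after it looks like a shell script. The sample bytes are constructed for the demo, not taken from a real Koske file.

```python
import re

# Tokens that commonly appear in an appended shell payload (heuristic, not exhaustive).
SHELL_HINT = re.compile(rb"^#!|\b(bash|curl|wget|chmod|nohup|eval|crontab)\b")


def jpeg_end_offset(data: bytes) -> int:
    """Offset just past the EOI marker of the JPEG that starts at data[0].

    Walks the marker segments; inside entropy-coded scan data it skips 0xFF00
    byte stuffing and RSTn markers so a stray 0xFF does not end the image early.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                               # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                               # EOI: the image ends here
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:     # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > n:
            break
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")   # skip segment
        if marker == 0xDA:                               # SOS: scan data until a real marker
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("EOI not found: truncated file or not a JPEG")


def analyze_polyglot(data: bytes) -> dict:
    """Report how many bytes follow the image and whether they look like a script."""
    end = jpeg_end_offset(data)
    trailer = data[end:]
    return {"image_bytes": end, "trailer_bytes": len(trailer),
            "script_like": bool(trailer) and SHELL_HINT.search(trailer) is not None}


# Constructed sample: valid marker structure (not a decodable picture) with byte
# stuffing and an RST marker in the scan, followed by an appended shell script.
SAMPLE_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"
               + b"\xff\xd9")
SAMPLE_TRAILER = b"#!/bin/bash\n# stand-in for an appended payload\necho polyglot-demo\n"

if __name__ == "__main__":
    print(analyze_polyglot(SAMPLE_JPEG + SAMPLE_TRAILER))   # trailer flagged as script-like
    print(analyze_polyglot(SAMPLE_JPEG))                    # clean image: no trailer
```

Run over an image directory, a non-zero `trailer_bytes` is the signal to investigate; the `script_like` flag only ranks the hits.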

Attackers gained access via a misconfigured JupyterLab instance, then ensured persistence by hijacking shell configs and boot processes to run stealthy scripts.
Koske shows AI-like behavior in its connectivity module, using multiple methods to test GitHub access, fixing issues by resetting DNS and proxies, and dynamically brute-forcing working proxies. This adaptive, automated strategy suggests AI-assisted development.
“Several script components suggest LLM involvement:
- Verbose, well-structured comments and modularity
- Best-practice logic flow with defensive scripting habits
- Obfuscated authorship using Serbian phrases and neutralized syntax
Such code may have been designed to appear “generic”, frustrating attribution and analysis.” continues the report.
Koske malware supports mining 18 cryptocurrencies, selecting CPU- or GPU-optimized miners based on the hardware of the infected host. It automatically switches coins or pools if one fails, targeting assets like Monero, Ravencoin, Zano, Nexa, and Tari.
Aquasec found Serbian IP addresses, Serbian phrases in the scripts, and Slovak-language text in the miners’ GitHub repository, but could not confidently attribute the attacks.
“While using AI to generate better code already poses a challenge for defenders, it’s only the beginning. The real game-changer is AI-powered malware, which is malicious software that dynamically interacts with AI models to adapt its behavior in real-time.” concludes the report. “This kind of capability could mark a meteoric leap in adversaries’ tactics, putting countless systems at serious risk.”
Pierluigi Paganini
(SecurityAffairs – hacking, Koske malware)