New Koske Linux malware hides in cute panda images

A new Linux malware named Koske may have been developed with artificial intelligence and is using seemingly benign JPEG images of panda bears to deploy malware directly into system memory.

Researchers from cybersecurity company AquaSec analyzed Koske and described it as “a sophhisticated Linux threat.” Based on the observed adaptive behavior, the researchers believe that the malware was developed using large language models (LLMs) or automation frameworks.

Koske’s purpose is to deploy CPU and GPU-optimized cryptocurrency miners that use the host’s computational resources to mine over 18 distinct coins.

AquaSec identified Serbia-based IP addresses used in the attacks, Serbian phrases in the scripts, and Slovak language in the GitHub repository hosting the miners, but it could make no confident attribution.

Pandas attack

Initial access is achieved by leveraging misconfigurations of JupyterLab instances exposed online to achieve command execution.

After gaining a foothold, the attacker downloads two .JPEG images of panda bears hosted on legitimate services like OVH images, freeimage, and postimage. However, the pictures hide malicious payloads.

AquaSec underlines that the threat actor did not use steganography to hide the malware inside images but relied on polyglot files, which are valid in multiple formats.

In Koske attacks, the same file can be interpreted as both an image and a script, depending on the application that opens or processes it.

While the panda pics feature valid image headers for the JPEG format, they also include malicious shell scripts and C code at the end, allowing both formats to be interepreted separately.

A user opening them will see a cute panda bear but a script interpreter will execute the shell code appended at the end of the file.

The attacks AquaSec discovered hide one payload in each image, both launched in parallel.

“One payload is C code written directly to memory, compiled, and executed as a shared object .so file that functions as a rootkit,” explains AquaSec.

“The second is a shell script, also executed from memory, which uses standard system utilities to run stealthily and maintain persistence while leaving few visible traces.”

The shell script is executed directly in memory by abusing native Linux utilities, establishing persistence via cron jobs that run every 30 minutes, and custom systemd services.

It also performs network hardening and proxy evasion, overwriting /etc/resolv.conf to use Cloudflare and Google DNS, locking it using the chattr +i command, flushing iptables, resetting proxy variables, and using a custom module to brute-force working proxies via curl, wget, and raw TCP checks.

This type of adaptability and behavior is what led AquaSec researchers to suspect that the threat actor developed the malware either with the help of a LLM or an automation platform.

The C-based rootkit is compiled in memory and uses LD_PRELOAD to override the readdir() function, hiding malware-related processes, files, and directories from user-space monitoring tools.

The rootkit filters entries based on strings like koske, hideproc, or by reading hidden PIDs from /dev/shm/.hiddenpid.

After establishing network access and setting up persistence, the shell script downloads cryptominers from GitHub.

Before deployment, the host’s CPU and GPU are evaluated to determine which miner would be the most efficient choice.

Koske supports mining for 18 different coins, including the hard-to-trace Monero, Ravencoin, Zano, Nexa, and Tari.

If a coin or mining pool becomes unavailable, the malware automatically switches to a backup from its internal list, indicating a high degree of automation and adaptability.

AquaSec warns that while AI-powered malware like Koske is already concerning, future variants may leverage real-time adaptability, evolving into a far more dangerous class of threats.