Analysts from AquaSec discovered new malware for Linux. The malware, named Koske, is believed to have been developed using AI. To execute directly into memory, the malware uses JPEG images of pandas.
Researchers describe Koske as a “sophisticated Linux threat,” whose adaptive behavior suggests that the malware is being developed using large language models (LLMs) or automation frameworks.
The main goal of Koske is to deploy CPU- and GPU-optimized miners that utilize the host’s computing resources to mine various cryptocurrencies.
As Serbian IP addresses and phrases were discovered in the scripts during the study of the malware, along with the Slovak language in the GitHub repository where the miners were hosted, experts were unable to determine a precise attribution.
Initial access is gained by attackers exploiting misconfigurations in JupyterLab, which allow for command execution. After this, the attackers download two .JPEG images of pandas into the victim’s system, hosted on legitimate services such as OVH images, freeimage, and postimage. The malicious payload is hidden within these images.
It is emphasized that the hackers do not use steganography to hide malware inside the images. Instead, they rely on polyglot files, which can be read and interpreted as several different formats. In Koske attacks, the same file can be interpreted as an image or a script, depending on the application that opens or processes it.
Images of pandas contain not only the picture itself, with correct JPEG format headers, but also malicious shell scripts and code written in C, allowing for both formats to be interpreted separately. That is, when opening such a file, the user will only see a cute panda, while the script interpreter will execute the code added at the end of the file.
Researchers report that each image hides one payload, with both being executed in parallel.
“One payload consists of C code, which is directly written into memory, compiled, and executed as a shared object (.so file), functioning as a rootkit,” explain the experts. “The second payload is a shell script, which is also executed from memory. It uses standard Linux system utilities for stealth and persistence, leaving minimal traces.”
The script also ensures connection stability and bypasses network restrictions: it rewrites /etc/resolv.conf to use DNS from Cloudflare and Google, and protects this file with chattr +i. Additionally, the malware resets iptables rules, clears system variables related to proxies, and runs a custom module for brute-forcing working proxies using curl, wget, and direct TCP requests.
Due to this adaptability and behavior, researchers suggest that the malware may have been developed either with the help of large language models (LLM) or using automation platforms.
Before deploying on the victim’s machine, the malware assesses the host’s capabilities (CPU and GPU) to select the most suitable miner: Koske supports mining 18 different cryptocurrencies, including Monero, Ravencoin, Zano, Nexa, and Tari.
If a certain currency or pool becomes unavailable, the malware automatically switches to a backup option from an internal list, which also indicates a high degree of automation and flexibility.
2025.03.12 — Mass exploitation of PHP-CGI vulnerability in attacks targeting Japanese companies
GreyNoise and Cisco Talos experts warn that hackers are actively exploiting CVE-2024-4577, a critical PHP-CGI vulnerability that was discovered and fixed in early June 2024. CVE-2024-457…
Full article →
2025.02.10 — Failed attempt to block phishing link results in massive Cloudflare outage
According to the incident report released by Cloudflare, an attempt to block a phishing URL on the R2 platform accidentally caused a massive outage; as a result, many Cloudflare…
Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider
Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…
Full article →
2025.03.18 — Black Basta ransomware group developed its own automated brute-forcing framework
According to EclecticIQ, Black Basta Ransomware-as-a-Service (RaaS) group has developed its own automated brute-forcing framework dubbed BRUTED. It's used to hack edge network devices…
Full article →
2025.04.01 — Hackers abuse MU plugins to inject malicious payloads to WordPress
According to Sucuri, hackers store malicious code in the MU-plugins (Must-Use Plugins) directory in WordPress and execute it while remaining undetected. The technique was first discovered…
Full article →
2025.02.07 — 768 vulnerabilities were exploited by hackers in 2024
According to VulnCheck, 768 CVEs were registered as exploited in real-life attacks in 2024. This is 20% greater compared to 2023 when hackers exploited 639 vulnerabilities. Interestingly,…
Full article →
2025.02.18 — Chrome Enhanced Protection mode is now powered by AI
The Enhanced Protection mode in Google Chrome has been updated. Now it uses AI to protect users from dangerous sites, downloads, and extensions in real time.…
Full article →
2025.02.28 — Qualcomm extends support for Android devices to 8 years
Qualcomm Technologies announced its collaboration with Google with the purpose to provide extended support for OEM devices running on company's flagship chipsets. This partnership will…
Full article →
2025.04.22 — Scammers pose as FBI IC3 specialists, offer 'assistance' to fraud victims
According to the FBI, scammers impersonating employees of the FBI Internet Fraud Complaint Center (IC3) contact fraud victims offering them 'assistance' in getting their money…
Full article →
2025.04.12 — Hackers compromised a bureau within the U.S. Department of the Treasury and spent months in hacked systems
The Office of the Comptroller of the Currency (OCC), an independent bureau within the United States Department of the Treasury, reported a major cybersecurity incident. Unknown attackers had…
Full article →