Aqua Security’s Nautilus research team has uncovered a malware campaign. Dubbed Koske, this advanced Linux malware shows strong indicators of being partially crafted by artificial intelligence, possibly with the help of large language models (LLMs), and designed with modular payloads, stealthy rootkits, and dynamic adaptability.
The infection chain begins with the exploitation of a misconfigured JupyterLab instance, reportedly accessed from a Serbian IP address (178.220.112.53). From there, Koske downloads two JPEG polyglot files—legitimate images with appended shellcode payloads.
These dual-use files aren’t steganographic in the traditional sense but rather abuse polyglot techniques:
“This technique uses a valid JPG file with malicious shellcode hidden at the end… making it a sneaky form of polyglot abuse.”
Once delivered, the malware executes directly from memory, bypassing disk-based antivirus detection.
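A defender-side check for the polyglot technique just described, added here as an example (it is not code from the Koske report or from Aqua Nautilus). A polyglot of this kind keeps the image fully valid and simply appends the payload after the End-Of-Image marker (0xFFD9), so a viewer never complains. Rather than searching for the last 0xFFD9, which the payload itself may also contain, the parser walks the marker segments, skips the entropy-coded scan data correctly (stuffed 0xFF00 bytes and RSTn markers are not segment boundaries) and returns whatever follows the real EOI. SAMPLE and PAYLOAD are constructed test bytes, not the campaign's files.

```python
"""Report bytes appended after a JPEG's End-Of-Image marker (polyglot check)."""


def jpeg_eoi_offset(data):
    """Offset just past the EOI marker that closes the image, or None if the
    bytes are not a well-formed JPEG."""
    if data[:2] != b"\xff\xd8":                      # must start with SOI
        return None
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return None                              # lost sync: not at a marker
        marker = data[pos + 1]
        if marker == 0xFF:                           # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:                           # EOI: the image ends here
            return pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD8: # TEM, RSTn, SOI carry no length
            continue
        if pos + 2 > n:
            return None
        pos += int.from_bytes(data[pos:pos + 2], "big")  # segment length includes itself
        if marker == 0xDA:                           # SOS: entropy-coded data follows
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                            # a real marker, not stuffing or RSTn
                pos += 1
    return None


def appended_payload(data):
    """Bytes trailing the image (b'' for a clean file), or None if not a parseable JPEG."""
    end = jpeg_eoi_offset(data)
    return None if end is None else data[end:]


def scan_file(path):
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return appended_payload(fh.read())


# Constructed minimal JPEG: SOI, APP0/JFIF, a tiny SOS containing a stuffed
# 0xFF00 and an RST0 marker, then EOI. It is a test vector, not a real image.
SAMPLE = (b"\xff\xd8"
          + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
          + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
          + b"\x12\xff\x00\x34\xff\xd0\x56"
          + b"\xff\xd9")
# Constructed placeholder for the appended part; the campaign appends shellcode here.
PAYLOAD = b"#!/bin/sh\n# placeholder appended payload\nexit 0\n"

if __name__ == "__main__":
    clean = appended_payload(SAMPLE)
    tainted = appended_payload(SAMPLE + PAYLOAD)
    print("clean image trailing bytes:", len(clean))
    print("polyglot trailing bytes:", len(tainted), tainted[:24])
```

Any non-empty result from `scan_file` on an image pulled from a suspect host is worth a look; legitimate files occasionally carry a few padding bytes, but a trailing shell script or ELF header is not padding.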

Koske’s resilience is engineered through multiple layers of persistence:
- Shell Configuration Hijacking: Modifies .bashrc and .bash_logout to ensure continued communication with C2 infrastructure.
- Boot Persistence: Edits /etc/rc.local and binds to a custom systemd service for automatic execution at startup.
- Scheduled Cron Jobs: Runs every 30 minutes and at reboot to reestablish infection.
- Custom Services: A dedicated shellkoske.service manages payload download and execution.
The malware’s secondary payload is particularly devious — a rootkit hidden inside an image of a panda bear. Using LD_PRELOAD, the rootkit hijacks the readdir() function to hide specific files, processes, and directories:
“The hidden elements include any entry containing the strings koske, hideproc, or hideproc.so… effectively making them invisible to the system user.”
Combined with storage in /dev/shm and targeting the /proc filesystem, this makes forensic analysis extremely difficult.
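The readdir() hook described above lives in user space, so a defender can sidestep it by asking the kernel directly. The following is an added example, not code from the report or from Aqua Nautilus: `preload_sources()` reports where a preload library could be coming from (the LD_PRELOAD variable and /etc/ld.so.preload), and `hidden_entries()` lists a directory with the getdents64 system call, invoked through libc's `syscall()` entry point instead of `readdir()`, then reports names the raw listing has but `os.listdir()` (which goes through `readdir()`) does not. Run against /proc this exposes hidden PIDs; against /dev/shm or /tmp it exposes hidden files. It assumes Linux on x86_64 or aarch64 (the syscall numbers below); other hosts get None rather than a wrong answer.

```python
"""Spot directory entries that a user-space readdir() hook is hiding."""
import ctypes
import os
import platform
import struct
import sys

# getdents64 numbers for the two architectures handled here (assumption: Linux only).
SYS_GETDENTS64 = {"x86_64": 217, "aarch64": 61}.get(platform.machine())
if not sys.platform.startswith("linux"):
    SYS_GETDENTS64 = None


def preload_sources():
    """Return (source, value) pairs for every configured preload library."""
    found = []
    env = os.environ.get("LD_PRELOAD")
    if env:
        found.append(("LD_PRELOAD", env))
    try:
        with open("/etc/ld.so.preload") as fh:
            for line in fh:
                line = line.strip()
                if line and not line.startswith("#"):
                    found.append(("/etc/ld.so.preload", line))
    except OSError:
        pass                        # absent file is the normal, clean state
    return found


def raw_listdir(path):
    """Directory entries as the kernel reports them, bypassing libc's readdir()."""
    if SYS_GETDENTS64 is None:
        return None
    libc = ctypes.CDLL(None, use_errno=True)    # the running process's own libc
    libc.syscall.restype = ctypes.c_long
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    buf = ctypes.create_string_buffer(64 * 1024)
    names = []
    try:
        while True:
            n = libc.syscall(SYS_GETDENTS64, fd, buf, ctypes.sizeof(buf))
            if n < 0:
                raise OSError(ctypes.get_errno(), "getdents64 failed on " + path)
            if n == 0:
                break
            data, off = buf.raw, 0
            while off < n:
                # struct linux_dirent64 { u64 d_ino; s64 d_off; u16 d_reclen;
                #                        u8 d_type; char d_name[]; }
                reclen = struct.unpack_from("<H", data, off + 16)[0]
                name = data[off + 19:off + reclen].split(b"\0", 1)[0]
                names.append(name.decode("utf-8", "surrogateescape"))
                off += reclen
    finally:
        os.close(fd)
    return [n for n in names if n not in (".", "..")]


def hidden_entries(path):
    """Names present in the raw kernel listing but missing from readdir()'s view."""
    raw = raw_listdir(path)
    if raw is None:
        return None
    return sorted(set(raw) - set(os.listdir(path)))


if __name__ == "__main__":
    for src, val in preload_sources():
        print(f"preload configured via {src}: {val}")
    for d in ("/proc", "/dev/shm", "/tmp"):
        hidden = hidden_entries(d)
        if hidden:
            print(f"{d}: entries hidden from readdir(): {hidden}")
```

Because Python itself is dynamically linked, a preloaded library is loaded into this process too; that is exactly why the raw syscall path, not a second call into libc, is what makes the comparison meaningful. A non-empty difference on /proc is a strong rootkit signal; on a busy /tmp a short-lived file can appear in one listing and not the other, so re-run before escalating.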
Koske takes aggressive steps to ensure network connectivity:
- Flushes iptables rules
- Resets proxy environment variables
- Locks DNS configuration using chattr +i to enforce Cloudflare and Google DNS
Its connectivity module, get_working_proxy, checks access to GitHub via curl, wget, and raw TCP, then remediates if needed. It even brute-forces proxy discovery using GitHub-hosted proxy lists.
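A host-hunting script that covers both the persistence artefacts listed earlier and the DNS lock just described, added here as an example (not code from the report or from Aqua Nautilus). `scan_host()` walks the locations the report names (shell profiles, /etc/rc.local, cron files, systemd units) for the indicator strings it gives ("koske", "hideproc", "shellkoske") and for references to /dev/shm, and checks whether /etc/resolv.conf carries the immutable attribute that `chattr +i` sets. Every path is relative to a root directory, so the same scan runs on a live host ("/"), a mounted forensic image, or the constructed demo tree that `build_demo_tree()` creates; the demo file names and contents are invented for the dry run. FS_IOC_GETFLAGS is the 64-bit Linux value (32-bit hosts use 0x80046601).

```python
"""Hunt for Koske-style persistence artefacts and an immutable resolv.conf."""
import array
import fcntl
import glob
import os
import tempfile

INDICATORS = ("koske", "hideproc", "shellkoske", "/dev/shm")
# Locations named in the report, relative to the filesystem root being examined.
LOCATIONS = (
    "root/.bashrc", "root/.bash_logout", "home/*/.bashrc", "home/*/.bash_logout",
    "etc/rc.local",
    "etc/crontab", "etc/cron.d/*", "var/spool/cron/*", "var/spool/cron/crontabs/*",
    "etc/systemd/system/*.service", "usr/lib/systemd/system/*.service",
    "lib/systemd/system/*.service",
)
FS_IOC_GETFLAGS = 0x80086601   # linux/fs.h, 64-bit ABI
FS_IMMUTABLE_FL = 0x00000010


def is_immutable(path):
    """True if chattr +i is set, False if not, None if the query is unsupported."""
    try:
        fd = os.open(path, os.O_RDONLY)
    except OSError:
        return None
    try:
        flags = array.array("l", [0])
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, flags, True)
        return bool(flags[0] & FS_IMMUTABLE_FL)
    except OSError:
        return None                 # e.g. ENOTTY on filesystems without attrs
    finally:
        os.close(fd)


def indicator_hits(path, root):
    """(relative path, indicator, evidence) for a suspicious name or matching line."""
    rel = os.path.relpath(path, root)
    hits = []
    name = os.path.basename(path).lower()
    for ind in INDICATORS:
        if ind in name:             # a unit called shellkoske.service is a hit on its own
            hits.append((rel, ind, "filename"))
            break
    try:
        with open(path, errors="replace") as fh:
            for line in fh:
                low = line.lower()
                for ind in INDICATORS:
                    if ind in low:
                        hits.append((rel, ind, line.rstrip("\n")))
                        break
    except OSError:
        pass
    return hits


def scan_host(root="/"):
    """Collect every indicator hit under root plus the resolv.conf immutability check."""
    findings = []
    for pattern in LOCATIONS:
        for path in sorted(glob.glob(os.path.join(root, pattern))):
            if os.path.isfile(path):
                findings.extend(indicator_hits(path, root))
    if is_immutable(os.path.join(root, "etc/resolv.conf")):
        findings.append(("etc/resolv.conf", "immutable", "chattr +i set on resolver config"))
    return findings


def build_demo_tree():
    """Constructed sample tree (invented contents, not real Koske artefacts)."""
    root = tempfile.mkdtemp(prefix="koske-hunt-")
    files = {
        "root/.bashrc": "export PATH=$PATH:/usr/local/bin\n"
                        "nohup /dev/shm/.k/koske_loader >/dev/null 2>&1 &\n",
        "etc/systemd/system/shellkoske.service": "[Service]\nExecStart=/bin/true\n",
        "etc/cron.d/apt-refresh": "0 3 * * * root /usr/bin/apt-get update\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, ind, evidence in scan_host(build_demo_tree()):
        print(f"{rel}: [{ind}] {evidence}")
```

On a live host run it as root so cron spools and root's profile are readable; on an image, point `scan_host()` at the mount point. An immutable resolv.conf is unusual enough outside of deliberately hardened builds that it deserves a ticket even when no string indicator fires.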
Koske isn’t mining a single coin—it’s built for diversity:
- Supports 18 different cryptocurrencies
- Detects CPU and GPU specs to deploy optimized miners
- Automatically switches to different coins or mining pools based on success rates
It even downloads ccminer binaries from a GitHub account (vozstanica, meaning “train station” in Slovak) created solely for cryptomining infrastructure.
The report flags indicators of AI-generated code, including:
- Best-practice modularity and defensive scripting logic
- Obfuscated authorship using Serbian phrases
- Generic, comment-rich structures designed to frustrate attribution
“AI-washed code neutralizes linguistic and structural fingerprints and may even help to display the code as a specific group wrote it,” the report states.
While defenders are turning to AI for detection, this case shows adversaries are doing the same—for creation.