28

A sophisticated Linux malware called Koske, discovered in July 2025, hides malicious code within innocent-looking panda bear JPEG images to deploy cryptocurrency miners and establish persistent system access[^1]. Security researchers at AquaSec believe Koske was developed using artificial intelligence, based on its adaptive behaviors and code structure[^2].

The malware exploits misconfigured JupyterLab instances to gain initial access, then downloads two panda images containing separate payloads - a C-based rootkit and a shell script[^3]. Rather than using steganography, Koske employs polyglot files that function as both valid images and executable scripts[^1].

Once executed, the malware:

  • Deploys CPU and GPU-optimized miners for 18 different cryptocurrencies
  • Establishes persistence through cron jobs and systemd services
  • Uses LD_PRELOAD to hide malicious processes and files
  • Manipulates DNS settings and network configurations
  • Automatically switches mining pools if one becomes unavailable[^1]

"Impersonation and psychological warfare will be a big thing in the coming years," warns Rem Dudas from Palo Alto Networks, noting how AI enables malware to mimic other threat actors' techniques[^4].

[^1]: BleepingComputer - New Koske Linux malware hides in cute panda images

[^2]: The420 - How Is A "Panda" Becoming a Persistent Threat?

[^3]: Securitricks - AI-Generated Malware in Panda Image Hides Persistent Linux Threat

[^4]: BetaNews - Hackers are using AI and panda images to infect Linux machines

you are viewing a single comment's thread
view the rest of the comments
[-] AmbitiousProcess@piefed.social 4 points 6 days ago

Not whatsoever.

Practically any mining software would allow you to change a pool whenever you felt like it, and making a script that just goes "oh, x.x.x.x isn't responding anymore, I should point my hashrate to y.y.y.y now" is... not hard, to say the least.

this post was submitted on 25 Jul 2025
28 points (100.0% liked)

cybersecurity

4701 readers
3 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Enjoy!

founded 2 years ago
MODERATORS