A new Linux malware known as Koske is drawing attention for its unconventional approach: it hides within JPEG images of panda bears that appear completely harmless. But behind that adorable appearance lies a real threat that runs directly in the system's memory.
According to recent research, Koske is a fairly sophisticated piece of malware that appears to have been developed with the help of artificial intelligence. Due to its highly adaptive behavior, all signs suggest that its creators may be using advanced language models or automated tools to program and tailor it to different environments.
The primary goal of this malware isn't to steal data directly, but something more silent yet equally damaging: cryptocurrency mining. Once Koske is installed on a Linux system, it begins deploying cryptocurrency miners optimized for both CPU and GPU, using the infected machine’s resources without the user's knowledge.
It’s estimated that it can mine more than 18 different types of cryptocurrencies, which puts significant strain on the hardware and can seriously impact the performance of affected servers.
During analysis, researchers also uncovered curious details that may offer clues about its origin. For instance, IP addresses based in Serbia were detected, along with code fragments containing Serbian phrases and some elements written in Slovak within the GitHub repositories hosting the miners.
However, despite these hints, it’s still not possible to definitively attribute the attack to any specific group.
Behind a cute image, a serious threat may be hiding. That’s the idea behind one of the techniques used by the Koske malware, where the initial entry point of the attack is achieved by exploiting misconfigured JupyterLab instances exposed to the internet. Once inside, the attackers can execute commands directly on the compromised system.
After gaining access, the next step is surprising: they download a couple of JPEG images of panda bears. At first glance, they seem harmless and are hosted on legitimate services like OVH Images, FreeImage, or PostImage. But don’t be fooled—these images come with a hidden payload.
What makes this case particularly interesting is that traditional steganography (the technique of hiding code within an image) wasn't used. Instead, the attackers used what are called polyglot files. These are files that are valid in more than one format, meaning they can behave both as an image and as a script.
In other words, if a user opens the file in an image viewer, they'll just see an adorable panda. But if the appended portion of the same file is fed to a command-line interpreter (such as Bash), what gets executed is a hidden malicious script sitting after the end of the image data, which includes shell code and fragments written in C.
This technique allows the malware to slip past many security solutions: the file headers are fully valid JPEG, and only inspection of what follows the JPEG end-of-image marker reveals the embedded malicious code.
It’s a clever and rather crafty approach that shows just how far attackers are willing to go to outsmart traditional defenses. And yes, while the pandas may look cute, in this case, they’re doing the dirty work.
Seemingly Harmless Panda Image (Top), File Contents (Bottom) (Source: AquaSec)
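The check that catches this class of file is simple: walk the JPEG marker segments to the End-Of-Image marker and look at whatever comes after it. The following is an added example written for this page, not code from AquaSec or from Koske; MINIMAL_JPEG and the appended script are constructed by hand, and the byte patterns in SCRIPT_HINTS are an illustrative heuristic rather than Koske signatures.

```python
"""Added example, not code from the AquaSec write-up: walk a JPEG's marker
segments to the End-Of-Image (EOI) marker and report anything appended after
it. MINIMAL_JPEG and the appended script below are constructed by hand for
this example, not bytes from a real Koske image."""
import struct
from typing import Dict, Optional

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
# Markers that carry no length field (SOI, TEM, RST0..RST7).
STANDALONE = {0xD8, 0x01} | set(range(0xD0, 0xD8))
# Illustrative strings that make an appended blob look like a shell payload.
SCRIPT_HINTS = (b"#!/bin/", b"#!/usr/bin/env", b"/bin/sh", b"bash", b"base64 -d", b"eval ")


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Return the offset just past the EOI marker, or None if the marker walk fails."""
    if not data.startswith(SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:          # EOI: the image proper ends here
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:
            return None
        pos += 2 + seg_len
        if marker == 0xDA:          # SOS: skip entropy-coded data to the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None


def looks_like_script(blob: bytes) -> bool:
    """Cheap heuristic: does the start of the trailer contain shell-like strings?"""
    head = blob.lstrip(b"\r\n\t ")[:512]
    return any(hint in head for hint in SCRIPT_HINTS)


def analyze(data: bytes) -> Dict[str, object]:
    """Classify a file as malformed, clean, trailing-data, or polyglot (script after EOI)."""
    end = jpeg_end_offset(data)
    if end is None:
        return {"verdict": "malformed", "trailer_bytes": 0}
    tail = data[end:]
    if not tail:
        return {"verdict": "clean", "trailer_bytes": 0}
    verdict = "polyglot" if looks_like_script(tail) else "trailing-data"
    return {"verdict": verdict, "trailer_bytes": len(tail), "eoi_offset": end}


# Constructed sample: a syntactically valid (if meaningless) JPEG, and the same
# bytes with a script appended after EOI, as the article describes.
MINIMAL_JPEG = (
    SOI
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56\x78"  # entropy data with one stuffed 0xFF00
    + EOI
)
APPENDED_SCRIPT = b"\n#!/bin/bash\necho 'appended script would run here'\n"
POLYGLOT = MINIMAL_JPEG + APPENDED_SCRIPT

if __name__ == "__main__":
    for label, blob in (("plain", MINIMAL_JPEG), ("panda", POLYGLOT)):
        print(label, analyze(blob))
```

Two caveats when running this over real images: some legitimate files carry a few bytes of junk after EOI (camera firmware, editors), so "trailing-data" is a triage signal rather than a verdict, and a JPEG that fails the marker walk is reported as malformed rather than clean so it is not silently waved through.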
Behind each panda image used in Koske attacks lies not just one, but two payloads that execute in parallel and directly from system memory, without ever touching the disk.
First, there's the initial component: C code that is loaded into memory and compiled on the fly as a .so (shared object) file. This file acts as a rootkit, a piece of software designed to hide the malware's presence from the operating system and any monitoring tools.
It hooks into the system using techniques like LD_PRELOAD, intercepting functions such as readdir() to conceal files, processes, or directories related to the attack. Essentially, if you don't know it's there, it's highly unlikely you'll notice it.
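A userland readdir() hook only fools programs that go through libc. A practical check is therefore to list a directory with the getdents64 syscall directly and compare it with what readdir() returns, and to look for the two places an LD_PRELOAD rootkit has to leave a trace: /etc/ld.so.preload and the LD_PRELOAD variable in process environments. The code below is an added example for this page, not code from AquaSec or from Koske; the library path /dev/shm/.hidden/libhide.so and the environ blobs in the sample data are constructed for illustration, and the syscall numbers cover only x86_64 and aarch64 Linux.

```python
"""Added example, not code from the AquaSec report or from Koske itself:
two checks for an LD_PRELOAD-style readdir() hook. The /dev/shm path and
the environ blobs in the sample data are constructed for illustration."""
import ctypes
import os
import platform
import struct
import tempfile
from typing import Dict, List, Optional, Set

# Linux getdents64 syscall numbers for the two common architectures.
GETDENTS64_NR = {"x86_64": 217, "aarch64": 61}
DIRENT64_HEADER = struct.Struct("<QqHB")  # d_ino, d_off, d_reclen, d_type; d_name follows


def raw_dir_entries(path: str) -> Optional[Set[str]]:
    """List a directory with the getdents64 syscall, bypassing libc's readdir().
    Returns None on platforms this example does not cover."""
    if platform.system() != "Linux":
        return None
    nr = GETDENTS64_NR.get(platform.machine())
    if nr is None:
        return None
    libc = ctypes.CDLL(None, use_errno=True)
    libc.syscall.restype = ctypes.c_long
    buf = ctypes.create_string_buffer(64 * 1024)
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    names: Set[str] = set()
    try:
        while True:
            n = libc.syscall(ctypes.c_long(nr), ctypes.c_int(fd), buf, ctypes.c_size_t(len(buf)))
            if n < 0:
                raise OSError(ctypes.get_errno(), "getdents64 failed")
            if n == 0:
                break
            raw = buf.raw[:n]
            off = 0
            while off < n:
                _ino, _doff, reclen, _dtype = DIRENT64_HEADER.unpack_from(raw, off)
                name_bytes = raw[off + DIRENT64_HEADER.size:off + reclen].split(b"\x00", 1)[0]
                name = name_bytes.decode("utf-8", "surrogateescape")
                if name not in (".", ".."):
                    names.add(name)
                off += reclen
    finally:
        os.close(fd)
    return names


def hidden_entries(path: str) -> Set[str]:
    """Names the kernel reports that readdir() (os.listdir) does not.
    A hooked readdir() that filters entries leaves this set non-empty."""
    raw = raw_dir_entries(path)
    if raw is None:
        return set()
    return raw - set(os.listdir(path))


def preload_indicators(ld_so_preload: Optional[bytes], environs: Dict[str, bytes]) -> List[str]:
    """Report libraries named in /etc/ld.so.preload and LD_PRELOAD in /proc/<pid>/environ blobs."""
    findings: List[str] = []
    if ld_so_preload:
        for line in ld_so_preload.splitlines():
            line = line.strip()
            if line and not line.startswith(b"#"):
                findings.append(f"/etc/ld.so.preload loads {line.decode('utf-8', 'replace')}")
    for pid, env in environs.items():
        for var in env.split(b"\x00"):
            if var.startswith(b"LD_PRELOAD="):
                findings.append(f"pid {pid} has {var.decode('utf-8', 'replace')}")
    return findings


def scan_live_system() -> List[str]:
    """Collect the real /etc/ld.so.preload and every readable /proc/<pid>/environ."""
    preload = None
    try:
        with open("/etc/ld.so.preload", "rb") as f:
            preload = f.read()
    except OSError:
        pass
    environs: Dict[str, bytes] = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/environ", "rb") as f:
                environs[pid] = f.read()
        except OSError:
            continue
    return preload_indicators(preload, environs)


def check_fresh_directory() -> Dict[str, object]:
    """Create a scratch directory with known names and compare both views of it."""
    expected = {"a.txt", ".hidden", "b"}
    with tempfile.TemporaryDirectory() as d:
        for n in expected:
            open(os.path.join(d, n), "w").close()
        raw = raw_dir_entries(d)
        hidden = hidden_entries(d)
    return {"raw_matches": raw is None or raw == expected, "hidden": hidden}


# Constructed sample input (hypothetical path, not a Koske artifact).
SAMPLE_PRELOAD = b"# comment\n/dev/shm/.hidden/libhide.so\n"
SAMPLE_ENVIRONS = {
    "1234": b"PATH=/usr/bin\x00LD_PRELOAD=/dev/shm/.hidden/libhide.so\x00",
    "1": b"PATH=/usr/bin\x00",
}

if __name__ == "__main__":
    print(check_fresh_directory())
    print(preload_indicators(SAMPLE_PRELOAD, SAMPLE_ENVIRONS))
    print(scan_live_system())
```

The comparison relies on the hook covering readdir() but not the libc syscall() wrapper; a rootkit that also hooks syscall() or getdents64, or one that lives in the kernel, will not show up this way, which is why running the check from a statically linked binary or from a known-clean rescue image is the stronger move. Run hidden_entries() over /proc to catch hidden processes as well as hidden files.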
The second component is a shell script that also runs directly in memory, leaving no visible files on the system. This script leverages standard Linux tools and utilities to operate with complete stealth.
Among its key functions is maintaining persistence, by creating cron jobs that run every 30 minutes and configuring custom services in systemd.
But that's not all. The script also performs a range of adjustments to evade network controls and ensure smooth external communication:
- Modifies /etc/resolv.conf to use only public DNS servers like Cloudflare and Google.
- Uses chattr +i to protect that file and prevent changes.
- Clears iptables rules, effectively disabling the system's firewall.
- Deletes or redefines proxy environment variables and applies the new settings through curl, wget, and custom TCP checks.
All this logic is designed to keep the malware running, communicating without interference, and staying under the radar. This level of sophisticated adaptation is one of the reasons researchers suspect its development may have involved advanced language models or automation platforms capable of generating custom code for each environment.
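Each of those changes leaves an artifact that can be checked from a host or a forensic image. The script below is an added example for this page, not code from AquaSec or from Koske: it runs four checks over constructed sample artifacts (a crontab, /etc/resolv.conf, lsattr output, and iptables-save output) and a second, clean baseline set. The /dev/shm/.x/run.sh path in the sample crontab is hypothetical.

```python
"""Added example, not code from the AquaSec write-up: triage checks for the
host changes described above, run over constructed sample artifacts rather
than the live system. Paths in the samples are hypothetical."""
from typing import Dict, List

PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}  # Cloudflare and Google


def cron_every_30(crontab: str) -> List[str]:
    """Return crontab lines that fire on a 30-minute cadence."""
    hits = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        if fields[0] in ("*/30", "0,30", "30,0"):
            hits.append(line)
    return hits


def resolv_only_public(resolv_conf: str) -> bool:
    """True when every nameserver entry points at a well-known public resolver."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return bool(servers) and all(ip in PUBLIC_RESOLVERS for ip in servers)


def immutable_paths(lsattr_output: str) -> List[str]:
    """Parse `lsattr` output and return paths carrying the immutable (i) flag."""
    found = []
    for line in lsattr_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and "i" in parts[0]:
            found.append(parts[1].strip())
    return found


def iptables_rule_count(iptables_save: str) -> int:
    """Count rule lines (-A ...) in `iptables-save` output; zero means the tables were flushed or never populated."""
    return sum(1 for line in iptables_save.splitlines() if line.startswith("-A "))


def triage(artifacts: Dict[str, str]) -> List[str]:
    """Run all four checks over a dict of artifact texts and return human-readable findings."""
    findings: List[str] = []
    for line in cron_every_30(artifacts.get("crontab", "")):
        findings.append(f"cron: 30-minute job: {line}")
    if resolv_only_public(artifacts.get("resolv.conf", "")):
        findings.append("dns: /etc/resolv.conf points only at public resolvers")
    for path in immutable_paths(artifacts.get("lsattr", "")):
        findings.append(f"attr: immutable flag set on {path}")
    if iptables_rule_count(artifacts.get("iptables-save", "")) == 0:
        findings.append("fw: no iptables rules loaded")
    return findings


# Constructed samples: one set shaped like the post-infection state described
# in the article, one clean baseline. Neither is captured from a real host.
SAMPLE = {
    "crontab": "# m h dom mon dow command\n*/30 * * * * /dev/shm/.x/run.sh\n0 3 * * * /usr/bin/logrotate\n",
    "resolv.conf": "nameserver 1.1.1.1\nnameserver 8.8.8.8\n",
    "lsattr": "----i---------e------- /etc/resolv.conf\n--------------e------- /etc/hosts\n",
    "iptables-save": "*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n",
}
BASELINE = {
    "crontab": "0 3 * * * /usr/bin/logrotate\n",
    "resolv.conf": "nameserver 10.0.0.2\n",
    "lsattr": "--------------e------- /etc/resolv.conf\n",
    "iptables-save": "*filter\n:INPUT DROP [0:0]\n-A INPUT -i lo -j ACCEPT\n-A INPUT -p tcp --dport 22 -j ACCEPT\nCOMMIT\n",
}

if __name__ == "__main__":
    for name, arts in (("sample", SAMPLE), ("baseline", BASELINE)):
        print(name, triage(arts) or ["no findings"])
```

None of these findings is conclusive on its own: plenty of hosts legitimately use public resolvers or run with an empty filter table, and a 30-minute cron job can be perfectly ordinary. The value comes from the combination and from comparing against the host's known baseline, which is why triage() reports every hit rather than scoring them.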
Once Koske has taken control of the system and established its foothold, the shell script downloads cryptocurrency miners directly from GitHub repositories. These miners begin to use system resources (both CPU and GPU) to generate cryptocurrencies, degrading overall performance and, of course, enriching the attackers.
In short, Koske is much more than just malware—it's a full-fledged toolkit designed to infiltrate, remain hidden, bypass security measures, and exploit system resources with remarkable efficiency. All while the user sees nothing more than an image of a panda bear.
Full Attack Chain (Source: AquaSec)
Before getting to work, the Koske malware carefully analyzes the resources of the infected system. It evaluates both the available CPU and GPU to decide which type of miner is best to deploy. In other words, it picks the miner that will extract the most mining throughput from whatever hardware is present.
Koske supports mining at least 18 different cryptocurrencies, several of which are designed to be difficult to trace. Its repertoire includes privacy-focused coins such as Monero, Zano, and Tari, alongside others like Ravencoin and Nexa.
What’s most concerning is that if the malware detects that any of these coins or their mining pools are offline or unavailable, it automatically switches to another backup option within its internal configuration. This reveals a high level of automation, intelligence, and adaptability that makes it much harder to stop.
And while the current version of Koske already poses a serious threat, this might just be the beginning. As attackers integrate real-time artificial intelligence capabilities, we could be facing a new generation of malware that is far more autonomous, unpredictable, and dangerous.