AI-forged panda images hide persistent cryptomining malware ‘Koske’


A new malware strain named ‘Koske’ is delivering crypto-mining payloads through dropper files posing as benign panda pictures.

According to Aqua Nautilus, the research team at Aqua Security, the malware was likely developed with AI assistance: its code shows the hallmarks of output from large language models (LLMs).

“Koske, a sophisticated Linux threat, shows clear signs of AI-assisted development, like with help from a large language model,” Aqua researcher Assaf Morag wrote in a blog post. “It represents a new breed of persistent and adaptable malware built for one purpose: cryptomining.”

The AI-assisted malware features advanced capabilities, including modular payloads, evasive rootkits, and delivery through weaponized image files.

Initial access and delivery via panda images

The campaign begins with attackers exploiting a misconfigured JupyterLab instance, which they use to download two images from a shortened URL. These files are polyglot JPEGs: regular pictures with a payload appended after the image data.

“The initial access is achieved by exploitation of a misconfigured JupyterLab instance from a Serbian IP address 178.220.112.53 origin,” Morag said. Aqua’s research did not cite a specific CVE or configuration flaw, noting that the focus is primarily on post-exploitation behavior and payload delivery.

Morag told CSO that misconfigurations involved unauthenticated JupyterLab instances exposed to the internet, a common but risky practice. He added that weak passwords and known RCE vulnerabilities also contribute to such compromises. “At the end of the day, we are trying to figure out what the attackers do post-intrusion and not how they got in because they always find ways to get in,” he said.

One such entry point may have been CVE-2025-30370, a recently disclosed high-severity vulnerability in the JupyterLab-git extension that allows command injection. A flaw of that kind could provide the initial foothold needed to execute the AI-generated payloads hidden within the panda images.

When executed, the panda images extract and run malicious C code and shell scripts in memory, bypassing file-based antivirus scanning and leaving no separate payload on disk.

“Only the last bytes are downloaded and executed, making it a sneaky form of polyglot abuse,” Morag added. “It’s a dual-use file that evades detection by blending image data with executable payloads. The initial X bytes are the image itself, while the last part of the file is a shell code aimed to be executed after the main payload is delivered to the targeted system.”
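The practical check for this kind of polyglot is to find where the JPEG actually ends and look at whatever follows. The script below is an added example written for this page, not code from Aqua's report or from the malware: it walks the JPEG segment structure to the End-Of-Image marker, splits off the appended bytes, and classifies them. The sample file is constructed inline (a minimal JFIF header, one scan, and an appended shell script). It also shows why searching for the last `FF D9` in the file is not good enough: an appended payload can contain those two bytes itself.

```python
from __future__ import annotations

# Added example (not Aqua's code): split a JPEG polyglot into the image and
# whatever was appended after the End-Of-Image marker, by walking the real
# JPEG segment structure instead of searching for the last FF D9 bytes.


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the EOI (FF D9) marker that ends the image.

    Walks marker segments from SOI. After each SOS header it skips the
    entropy-coded scan data, where FF is byte-stuffed as FF 00 and restart
    markers FF D0..D7 may appear. Raises ValueError on malformed input.
    """
    n = len(data)
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    i = 2
    while i < n:
        if data[i] != 0xFF:
            raise ValueError(f"expected marker at offset {i}")
        while i < n and data[i] == 0xFF:        # FF fill bytes are permitted
            i += 1
        if i >= n:
            raise ValueError("truncated before marker code")
        marker = data[i]
        i += 1
        if marker == 0xD9:                      # EOI: the image ends here
            return i
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            continue                            # standalone markers, no length
        if i + 2 > n:
            raise ValueError("truncated segment length")
        seglen = int.from_bytes(data[i:i + 2], "big")  # includes the 2 length bytes
        if seglen < 2 or i + seglen > n:
            raise ValueError("bad segment length")
        i += seglen
        if marker == 0xDA:                      # SOS: skip entropy-coded data
            while True:
                j = data.find(b"\xff", i)
                if j < 0 or j + 1 >= n:
                    raise ValueError("truncated scan data")
                nxt = data[j + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                    i = j + 2                   # stuffed FF or RSTn: still scan data
                elif nxt == 0xFF:
                    i = j + 1                   # fill byte, keep looking
                else:
                    i = j                       # a real marker: back to segments
                    break
    raise ValueError("no EOI marker found")


def split_polyglot(data: bytes) -> tuple[bytes, bytes]:
    """Return (image_bytes, appended_bytes); appended is b"" for a clean JPEG."""
    end = jpeg_end_offset(data)
    return data[:end], data[end:]


def describe_payload(payload: bytes) -> str:
    """Coarse classification of the trailing bytes, enough to decide on triage."""
    if not payload:
        return "none"
    if payload.startswith(b"#!"):
        return "shell script"
    if payload.startswith(b"\x7fELF"):
        return "ELF executable"
    return "unknown"


def naive_split(data: bytes) -> tuple[bytes, bytes]:
    """The shortcut a quick check might take: cut at the last FF D9 in the file.
    Wrong whenever the appended payload itself contains those two bytes."""
    end = data.rfind(b"\xff\xd9") + 2
    return data[:end], data[end:]


# Constructed sample (not a real Koske file): minimal JFIF header, one SOS
# segment with a few bytes of scan data (including a stuffed FF 00 and an RST0
# marker), EOI, then an appended shell script whose comment contains FF D9.
IMAGE = (
    b"\xff\xd8"                                                      # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0, 18 bytes
    b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                      # SOS header
    b"\x12\x34\xff\x00\x56\xff\xd0\x78"                              # scan data
    b"\xff\xd9"                                                      # EOI
)
PAYLOAD = (
    b"#!/bin/sh\n"
    b"# \xff\xd9 inside the payload fools a last-marker search\n"
    b"echo dropper-would-run-here\n"
)
SAMPLE_POLYGLOT = IMAGE + PAYLOAD

if __name__ == "__main__":
    image, payload = split_polyglot(SAMPLE_POLYGLOT)
    print(f"image ends at {len(image)} bytes; appended {len(payload)} bytes "
          f"({describe_payload(payload)})")
    _, wrong = naive_split(SAMPLE_POLYGLOT)
    print(f"naive last-marker split would report only {len(wrong)} bytes")
```

Run it over any downloaded image and treat a non-empty, non-zero-padded trailer as a finding; the dropper side of this technique needs nothing more than a byte offset and `tail -c` (or an HTTP range request), which is why the blog describes only the last bytes being fetched. The structural walk is also what makes the check robust: a payload that embeds `FF D9` (an ELF, a compressed blob, or the constructed script above) makes a last-marker search misreport both the boundary and the payload length.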

Modular payload for stealth and persistence

Koske employs multiple tactics to stay hidden and persistent. It hijacks the hidden configuration files the Bash shell reads at startup, so that new shell sessions launch a custom system script that maintains communication with the command-and-control (C2) infrastructure.

Additionally, the rootkit, written in C, hijacks readdir(), the C library function used to enumerate directory entries, to conceal processes and files named “Koske” or “hideproc.” Because the hook sits in user space rather than in the kernel, it only blinds tools that list directories through the C library.

The malware registers itself as a background service, sets up recurring scheduled tasks, and evades detection by concealing its processes from standard monitoring tools. Its adaptive logic, including proxy-checking routines, an intelligent selection among 18 cryptocurrency miners, and fallback behaviors, likely reflects AI-generated code, Morag noted in the blog.
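A readdir() hook hides a process from `ps` and from anything else that lists `/proc` through the C library, but it does not stop a direct `stat()` of `/proc/<pid>`. The script below, an added example not taken from Aqua's report, uses that gap the way tools such as unhide do: it enumerates `/proc` by directory listing, enumerates it again by probing every candidate PID directly, and reports the difference. It assumes a Linux `/proc` layout and a hook that filters only directory listings; the "hooked host" it demonstrates on is a fake `/proc` built in a temporary directory, with one entry removed from the listing to stand in for the rootkit.

```python
from __future__ import annotations

import os
import tempfile

# Added example (not Aqua's code): find processes hidden from directory
# listings by enumerating /proc two different ways and diffing the results.


def thread_group_id(proc: str, pid: int) -> int:
    """Tgid from /proc/<pid>/status. /proc/<tid> resolves for every thread,
    but only thread-group leaders are listed, so threads must not be counted
    as hidden. An unreadable status file keeps the pid rather than dropping it."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError, IndexError):
        pass
    return pid


def pids_via_readdir(proc: str = "/proc") -> set[int]:
    """PIDs as a directory listing reports them. On Linux os.listdir() goes
    through libc opendir/readdir, exactly the path a user-space hook filters."""
    try:
        names = os.listdir(proc)
    except OSError:
        return set()
    pids = {int(n) for n in names if n.isdigit()}
    return {p for p in pids if thread_group_id(proc, p) == p}


def pids_via_stat(proc: str = "/proc", max_pid: int | None = None) -> set[int]:
    """Probe /proc/<pid> directly for every candidate PID up to pid_max.
    A readdir()-only hook cannot filter this: stat() never reads the listing."""
    if max_pid is None:
        try:
            with open(os.path.join(proc, "sys", "kernel", "pid_max")) as fh:
                max_pid = int(fh.read())
        except (OSError, ValueError):
            max_pid = 32768
    found: set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.stat(os.path.join(proc, str(pid)))
        except OSError:
            continue
        if thread_group_id(proc, pid) == pid:
            found.add(pid)
    return found


def find_hidden_pids(listed: set[int], probed: set[int]) -> set[int]:
    """PIDs reachable by direct probe but absent from the listing."""
    return probed - listed


def simulate_hooked_host() -> set[int]:
    """Constructed scenario: a fake /proc with PIDs 1, 2 and 4242 plus a thread
    4243 belonging to 4242, and a 'hooked' listing that silently drops 4242."""
    with tempfile.TemporaryDirectory() as fake_proc:
        for pid, tgid in ((1, 1), (2, 2), (4242, 4242), (4243, 4242)):
            d = os.path.join(fake_proc, str(pid))
            os.mkdir(d)
            with open(os.path.join(d, "status"), "w") as fh:
                fh.write(f"Name:\tdemo\nPid:\t{pid}\nTgid:\t{tgid}\n")
        hidden_by_hook = {4242}                  # what the hooked readdir() removes
        listed = pids_via_readdir(fake_proc) - hidden_by_hook
        probed = pids_via_stat(fake_proc, max_pid=5000)
        return find_hidden_pids(listed, probed)


if __name__ == "__main__":
    print("simulated hidden PIDs:", sorted(simulate_hooked_host()))
    if os.path.isdir("/proc/self"):             # real check, Linux only
        live = find_hidden_pids(pids_via_readdir(), pids_via_stat())
        print("hidden PIDs on this host:", sorted(live) or "none")
```

Two caveats for real use. Processes that exit between the two enumerations show up as false positives, so re-check each reported PID (is `/proc/<pid>` still there, and is it still missing from a fresh listing?) before treating it as hidden. And the technique only beats a hook that filters `readdir()`; a rootkit that also hooks `stat()`, or one living in the kernel, needs a different vantage point such as a kernel-side agent or the runtime telemetry Aqua recommends. If the hook is installed through `LD_PRELOAD` (the usual way to override a libc function like `readdir()` from user space; an assumption here, since the blog does not name the loading mechanism), a non-empty `/etc/ld.so.preload` is worth examining as well.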

Aqua recommended monitoring unauthorized bash modifications, unexpected DNS rewrites, and using runtime protection telemetry to spot anomalous shell behavior. Additionally, blocking execution of polyglot file payloads and hidden rootkits (with drift prevention) was advised. The blog shared a few indicators of compromise (IOCs), including IP addresses, URLs, and filenames used in the attacks.
