A new Linux malware named Koske may have been developed with artificial intelligence and uses seemingly benign JPEG images of panda bears to deploy malware directly into system memory.

Researchers from cybersecurity company AquaSec analyzed Koske and described it as "a sophisticated Linux threat." Based on the observed adaptive behavior, the researchers believe that the malware was developed using large language models (LLMs) or automation frameworks.

AquaSec underlines that the threat actor did not use steganography to hide the malware inside images but relied on polyglot files, which are valid in multiple formats. While the panda pics feature valid image headers for the JPEG format, they also include malicious shell scripts and C code at the end, allowing both formats to be interpreted separately.

The shell script is executed directly in memory by abusing native Linux utilities, establishing persistence via cron jobs that run every 30 minutes and custom systemd services.

“One payload is C code written directly to memory, compiled, and executed as a shared object .so file that functions as a rootkit,” explains AquaSec.

The malware also performs network hardening and proxy evasion, overwriting /etc/resolv.conf to use Cloudflare and Google DNS, locking it using the chattr +i command, flushing iptables, resetting proxy variables, and using a custom module to brute-force working proxies via curl, wget, and raw TCP checks.

This type of adaptability and behavior is what led AquaSec researchers to suspect that the threat actor developed the malware either with the help of an LLM or an automation platform. AquaSec warns that while AI-powered malware like Koske is already concerning, future variants may leverage real-time adaptability, evolving into a far more dangerous class of threats.

AquaSec identified Serbia-based IP addresses used in the attacks, Serbian phrases in the scripts, and Slovak language in the GitHub repository hosting the miners, but it could not make a confident attribution.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
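As an added defensive example (not from the article, AquaSec, or the Koske samples), the following Python walks a JPEG's marker structure to find where the image genuinely ends and reports any bytes appended after the End-of-Image marker, which is exactly what distinguishes a polyglot of this kind (valid JPEG header, script or C source glued on at the tail) from steganography. The minimal JPEG, the appended script, and the keyword list are all constructed assumptions for the demonstration.

```python
import struct
from typing import Optional
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
NO_LENGTH = {0x01, *range(0xD0, 0xD8)}    # TEM and RST0..RST7 carry no length field
IN_SCAN = {0x00, *range(0xD0, 0xD8)}      # stuffed 0xFF00 and RSTn are data, not markers
# Assumed keywords hinting at an appended shell script or C source (not from the article).
SCRIPT_HINTS = (b"#!/", b"#include", b"/etc/resolv.conf", b"chattr", b"crontab", b"systemctl")

def jpeg_image_end(data: bytes) -> Optional[int]:
    """Offset just past the EOI marker, found by walking the segment table; None if not a JPEG."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None                    # a marker must start here
        marker = data[pos + 1]
        if marker == EOI:
            return pos + 2
        if marker == 0xFF:                 # fill byte before a marker
            pos += 1
        elif marker == SOI or marker in NO_LENGTH:
            pos += 2
        elif pos + 4 > len(data):
            return None
        else:
            pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
            if marker == SOS:              # skip entropy-coded scan data to the next real marker
                while True:
                    nxt = data.find(b"\xff", pos)
                    if nxt == -1 or nxt + 1 >= len(data):
                        return None
                    if data[nxt + 1] not in IN_SCAN:
                        pos = nxt
                        break
                    pos = nxt + 2
    return None

def classify(data: bytes) -> dict:
    """Report bytes appended after the image and any script-like keywords found in them."""
    end = jpeg_image_end(data)
    tail = b"" if end is None else data[end:]
    hits = [h.decode() for h in SCRIPT_HINTS if h in tail]
    return {"is_jpeg": end is not None, "trailing_bytes": len(tail), "hints": hits, "suspicious": bool(hits)}

# Constructed minimal JPEG: SOI, APP0/JFIF, one SOS whose scan data holds a stuffed 0xFF00 and RST0, EOI.
CLEAN_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\xff\x00\x34\xff\xd0\x56\xff\xd9")
# Constructed polyglot: the same image with a shell script appended after EOI.
POLYGLOT = CLEAN_JPEG + b"\n#!/bin/bash\n# constructed sample\nchattr +i /etc/resolv.conf\n"
```

Because the walker parses segment lengths rather than searching for the first 0xFFD9, an EOI inside an embedded EXIF thumbnail does not produce a false trailer.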
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 24 Jul 2025 20:55:17 +0000