Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Alerts

Koske Malware Hides in Panda Images

July 25, 2025
Reading Time: 3 mins read
in Alerts
Infostealer Hidden in Steam Game

A sophisticated Linux malware, dubbed Koske, is raising alarms in the cybersecurity community due to its advanced techniques and the strong possibility of its development using artificial intelligence. Researchers from AquaSec describe it as a significant threat that leverages seemingly benign JPEG images of panda bears to deploy malicious payloads. The malware’s ultimate goal is to hijack a system’s computational power to mine over 18 different cryptocurrencies, showcasing a high degree of automation and adaptability that points toward the use of large language models (LLMs) or other automation frameworks in its creation.

Koske gains initial access by exploiting misconfigured JupyterLab instances that are exposed to the internet. Once inside, the attacker uses a clever technique involving polyglot files. It downloads two .JPEG images of pandas which are, in fact, valid image files that a user could open and view normally. However, appended to the image data is malicious shell script and C code. Unlike steganography, where data is hidden within an image, these files are valid as both JPEGs and executable scripts, allowing them to be interpreted differently depending on the application that opens them. This method allows the malware to be hosted on legitimate image services, evading simple detection.

Upon execution by a script interpreter, the two panda “images” launch their payloads in parallel directly into the system’s memory, a technique that minimizes traces on the disk.

One payload is a C-based rootkit that is compiled and executed in memory, while the second is a shell script. The rootkit uses the LD_PRELOAD technique to hide malware-related processes and files from monitoring tools. Meanwhile, the shell script establishes persistence through cron jobs and custom systemd services, hardens the network by overwriting DNS settings to use Cloudflare and Google, and actively finds working proxies to maintain its connection.

After establishing a persistent and stealthy presence, Koske’s primary function begins. The shell script evaluates the infected host’s CPU and GPU to determine the most efficient cryptocurrency miner to deploy from a selection hosted on GitHub. This intelligent profiling allows it to maximize its mining output. The malware is equipped to mine 18 different cryptocurrencies, including privacy-focused coins like Monero, Ravencoin, and Zano. Furthermore, if a mining pool or a specific coin becomes unavailable, Koske automatically switches to a backup, demonstrating a high level of autonomous operation.

The adaptive behavior, complex evasion techniques, and automated decision-making observed in Koske are what led researchers to suspect AI involvement in its development. While attribution is difficult—with clues pointing to Serbian and Slovak origins—the focus remains on the malware’s capabilities. AquaSec warns that Koske is likely just the beginning. Future malware variants could leverage real-time adaptability powered by AI, allowing them to evolve their tactics dynamically in response to defenses, heralding a new and far more dangerous class of cyber threats.

Reference:

  • New Koske Linux Malware Uses Innocent-Looking Panda Images to Evade Detection and Spread
Tags: Cyber AlertsCyber Alerts 2025CyberattackCybersecurityJuly 2025
ADVERTISEMENT

Related Posts

GenAI Used by Hackers for Phishing

GenAI Used by Hackers for Phishing

August 21, 2025
GenAI Used by Hackers for Phishing

QuirkyLoader Spreads RATs, Keyloggers

August 21, 2025
GenAI Used by Hackers for Phishing

Malicious Chrome VPN Steals Data

August 21, 2025
Mozilla Security Advisory AV25-529

RingReaper Malware Hits Linux Servers

August 20, 2025
Mozilla Security Advisory AV25-529

Mozilla Security Advisory AV25-529

August 20, 2025
Mozilla Security Advisory AV25-529

Microsoft Issues Windows Fix Update

August 20, 2025

Latest Alerts

QuirkyLoader Spreads RATs, Keyloggers

GenAI Used by Hackers for Phishing

Malicious Chrome VPN Steals Data

RingReaper Malware Hits Linux Servers

Mozilla Security Advisory AV25-529

Microsoft Issues Windows Fix Update

Subscribe to our newsletter

    Latest Incidents

    Comet AI Browser Duped by Fake Shops

    China Briefly Cuts Off Global Internet

    Orange Belgium Data Breach Hits 850K

    NY Business Council Data Breach Hits 47K

    Ransomware Gang Hacks Inotiv Firm

    Intel Employee Data Exposure Flaw

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial