Bivash Nayak
26 Jul

Published on: July 26, 2025

By: CyberDudeBivash Editorial Team

Category: Malware Analysis • AI‑Generated Threats • Cloud Native Security


🔎 Overview: Malware Masquerading as Panda Pictures

Researchers from Aqua Security's Nautilus team have uncovered a novel Linux malware strain, Koske, that delivers AI-designed cryptominers and rootkits hidden within innocent-looking panda JPEG images. The malware abuses polyglot files: shell scripts and C code appended to valid images are executed entirely in memory, evading traditional antivirus and disk-based detection.


🛠 Technical Attack Chain

1. 🧩 Initial Compromise via JupyterLab Misconfiguration

The attackers gain remote code execution through unsecured JupyterLab instances. Once inside, they download two panda JPEG files hosted on legitimate image platforms (e.g. OVH, Postimage, FreeImage). These files are polyglots: valid JPEGs with malicious code tacked onto the end.

2. 🧠 In-Memory Code Execution

These images are processed in memory:

  • Shell script payload: Maintains persistence via edits to .bashrc, .bash_logout, /etc/rc.local, systemd service units, and cron jobs running every 30 minutes or at reboot.
  • C rootkit payload: Compiled and executed in-memory as a shared object (.so), it uses LD_PRELOAD to intercept readdir() and hide processes, files, and directories whose names contain strings like "koske" or "hideproc".

3. 🔐 Stealth and Network Control

Koske hardens itself by:

  • Resetting DNS /etc/resolv.conf to use Google/Cloudflare resolvers and locking it with chattr +i
  • Flushing iptables, resetting proxy variables, and brute-forcing working proxy connectivity using embedded modules
  • Running from shared memory (/dev/shm), minimizing its on-disk footprint.

4. 💰 Adaptive Crypto-Mining

Koske evaluates host capabilities (CPU/GPU) and selects from 18 cryptocurrencies (including Monero, Ravencoin, Nexa, Tari), deploying optimized miners accordingly. If a pool fails, it automatically switches to an alternative without human intervention.

5. 🧠 Evidence of AI-Assisted Development

AquaSec notes hallmarks of LLM use: modular, well-documented code, clean error-handling logic, adaptive proxy troubleshooting, and multilingual script comments (Serbian / Slovak) designed to confuse attribution.


🌐 Why It Matters

  • Memory-only execution using polyglot files bypasses antivirus and typical file scanning.
  • Rootkit-based stealth via LD_PRELOAD hides activity from standard tools.
  • Automated cryptomining drains cloud resources, drives costs, and degrades performance.
  • AI-influenced design reduces human error and fingerprints, accelerating attacker sophistication.

🛡️ Defense Recommendations

✅ Harden Public-Facing Jupyter Instances

  • Require authentication and patch known JupyterLab RCE vulnerabilities.
  • Restrict notebook server exposure to internal or VPN-only networks.

✅ Block Execution of Polyglot-Style Deliveries

  • Disallow execution of JPEGs from untrusted sources, and mount /tmp and upload directories with the noexec option.
  • Reject image attachments that carry data after the JPEG end-of-image marker, such as an embedded shell shebang or an appended script.
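A way to implement that last check, written here as an added example rather than code from Aqua or the blog: walk the JPEG segment structure to find the real end-of-image marker (a naive search for the last FF D9 can be fooled by bytes in the appended payload), then inspect whatever trails it. The sample JPEG skeleton below is constructed and not decodable as a picture; it only exercises the segment walker.

```python
"""Flag JPEG polyglots: a valid image followed by an appended script or ELF."""
import re
import struct
from typing import Optional

SOI, EOI = b"\xff\xd8", b"\xff\xd9"

# Patterns a defender would not expect after the end of a picture.
SUSPICIOUS_TRAILER = (
    re.compile(rb"#!\s*/"),        # shell shebang, e.g. #!/bin/sh
    re.compile(rb"\x7fELF"),       # ELF header
    re.compile(rb"#include\s*<"),  # C source (the rootkit is shipped as source)
    re.compile(rb"LD_PRELOAD"),
)

def jpeg_end(data: bytes) -> Optional[int]:
    """Return the offset just past the EOI marker, or None if not a well-formed JPEG."""
    if not data.startswith(SOI):
        return None
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI: the image really ends here
            return pos + 2
        if marker == 0xFF:                       # fill byte
            pos += 1
            continue
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:  # RSTn / TEM carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                       # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None

def classify(data: bytes) -> dict:
    end = jpeg_end(data)
    if end is None:
        return {"jpeg": False, "trailer_len": 0, "suspicious": False}
    trailer = data[end:]
    return {"jpeg": True, "trailer_len": len(trailer),
            "suspicious": any(p.search(trailer) for p in SUSPICIOUS_TRAILER)}

# Constructed skeleton: SOI, APP0, SOS with a stuffed FF 00 inside the scan data, EOI.
MINIMAL_JPEG = (SOI + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
                + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56" + EOI)
POLYGLOT_SH = MINIMAL_JPEG + b"\n#!/bin/sh\necho appended payload\n"   # constructed sample
```

A non-zero trailer on its own is only a weak signal (some cameras and editors append data), so alert on the content match and treat bare trailing bytes as worth a look rather than a block.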

✅ Monitor for Persistence Artefacts

  • Alert on modifications to .bashrc, /etc/rc.local, new systemd services, or regular cron jobs from unexpected users.

✅ Detect Kernel-Level Evasion

  • Monitor LD_PRELOAD use (process environments and /etc/ld.so.preload), unusual system services, and processes or directories that are hidden from normal listings.
  • Use runtime anomaly detection tools (Falco, Aqua Runtime) to detect hidden rootkits or TLS over unrecognized proxies.
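An added example (not Aqua's or the blog's code) of the hidden-process check implied above: a readdir() hook filters what ps and ls /proc return, but opening /proc/<pid>/status directly does not go through readdir(), so a PID that can be opened yet is not listed is being hidden. The same pass looks for LD_PRELOAD in process environments, shared objects mapped from /dev/shm (the in-memory rootkit described earlier), and /etc/ld.so.preload entries; reading other users' environ and maps needs root.

```python
"""Detect an LD_PRELOAD readdir() rootkit from userland."""
import os

def listed_pids(proc="/proc"):
    """PIDs as readdir() reports them; this is what ps sees, hook included."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}

def probed_pids(pid_max, proc="/proc"):
    """PIDs found by opening /proc/<pid>/status directly, which bypasses a readdir() hook."""
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            with open(f"{proc}/{pid}/status", "rb"):
                found.add(pid)
        except OSError:
            pass
    return found

def hidden_pids(listed, probed):
    """Pure set comparison: present when probed, absent from the listing."""
    return sorted(probed - listed)

def indicators_from(env: bytes, maps: bytes):
    """Pure check on raw environ and maps contents (NUL-separated env, one mapping per line)."""
    hits = [kv.decode(errors="replace") for kv in env.split(b"\0") if kv.startswith(b"LD_PRELOAD=")]
    hits += [m.decode(errors="replace") for m in maps.splitlines() if b"/dev/shm/" in m and b".so" in m]
    return hits

def per_process_indicators(pids, proc="/proc"):
    hits = []
    for pid in pids:
        try:
            with open(f"{proc}/{pid}/environ", "rb") as e, open(f"{proc}/{pid}/maps", "rb") as m:
                hits += [(pid, h) for h in indicators_from(e.read(), m.read())]
        except OSError:       # process exited, or not permitted to read it
            continue
    return hits

def ld_so_preload_entries(path="/etc/ld.so.preload"):
    try:
        with open(path) as f:
            return [line.strip() for line in f if line.strip()]
    except OSError:
        return []

if __name__ == "__main__":
    pid_max = int(open("/proc/sys/kernel/pid_max").read())
    listed, probed = listed_pids(), probed_pids(pid_max)
    print("hidden pids:", hidden_pids(listed, probed))
    print("ld.so.preload entries:", ld_so_preload_entries())
    for pid, what in per_process_indicators(probed):
        print(f"pid {pid}: {what}")
```

If the preloaded library also hooks open() or stat(), this check will be blinded too; run it from a statically linked binary or from the host or another namespace the library is not loaded into.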

✅ Audit Network Modifications

  • Flag DNS configuration changes (including /etc/resolv.conf being made immutable with chattr +i), persistent iptables clearing, or proxy overrides.
  • Monitor outbound traffic to unrecognized APIs or proxy lists.

✅ Restrict Cloud Usage for Developers

  • Limit resource creation privileges and enforce budget controls to detect cryptomining misuse.

✅ Behavioral Integrity Checks

  • Monitor CPU/GPU metric spikes unrelated to user tasks.
  • Alert when new binaries are executed in-memory without corresponding disk footprints.

📌 Summary

Koske exemplifies the next wave of cyber threats: AI-generated, stealthy, adaptive Linux malware delivered through innocuous-looking images. Its combination of in-memory execution, rootkit persistence, and resource-intensive cryptomining makes it extremely dangerous, especially in cloud or shared environments. Defenders must shift to behavioral detection, memory-level scanning, and execution hygiene enforcement to keep pace with emerging AI-powered malware.


🔗 Stay Secure with CyberDudeBivash

Subscribe to our CyberMagazine at cyberdudebivash.com for weekly deep dives into AI threats, malware analysis, and actionable defense strategies.


Tags: #Koske #LinuxMalware #Cryptomining #PolyglotFiles #Rootkit #AIMalware #MemoryAttack #CloudSecurity #CyberDudeBivash
