Koske Malware: AI-Crafted Linux Threat Hides in Panda Images to Mine Cryptocurrency


AquaSec researchers have identified a new, highly advanced Linux malware strain dubbed Koske, which leverages AI-driven techniques and clever obfuscation tactics to hijack computing resources for cryptomining. What sets Koske apart is its use of panda-themed JPEG images embedded with malicious payloads, which are injected directly into system memory.

Koske’s Origins and Behavior

While precise attribution remains unclear, Koske’s code and infrastructure provide some clues. Analysts detected Serbian IP addresses, Slovak language strings in GitHub repositories, and scripts containing localized phrases. These findings point to Eastern Europe, but without definitive proof, the actor remains unknown.

Koske’s design is adaptive—a key indicator that AI, possibly large language models (LLMs) or automation frameworks, played a role in its development. This malware evaluates the host’s capabilities before deployment, dynamically selecting between 18 different cryptocurrencies for mining, including:

  • Monero

  • Ravencoin

  • Zano

  • Nexa

  • Tari

Both CPU and GPU optimizations are leveraged, maximizing profit while remaining stealthy.

How Koske Infects Systems

Initial access is typically achieved by exploiting misconfigured JupyterLab environments, which allow command execution. Once inside, Koske operators upload two panda-themed .JPEG images to the system. These aren’t ordinary pictures—they’re polyglot files.

What Are Polyglot Files?

Polyglot files are constructed so that the same bytes are valid in more than one format. In Koske’s case, the JPEG carries valid image headers, so an image viewer shows only a harmless panda. But the same file also contains:

  • Shell scripts

  • C-based payloads

Depending on how the file is accessed—image viewer vs. command line interpreter—the embedded code is executed. This dual-use nature allows the malware to fly under the radar of many security tools.
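As an added defensive check, not code from the AquaSec write-up or from the malware itself, the following Python walks a JPEG’s marker structure to find where the image really ends and flags any bytes appended after the EOI marker, which is where a shell script or C source would sit in a polyglot like the one described. The sample JPEG bytes and the harmless appended script are constructed for this example.

```python
# Added detection example (not AquaSec's or Koske's code): parse a JPEG's
# segments to locate the real EOI marker, then classify whatever follows it.

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, SOI} | set(range(0xD0, 0xD8))     # TEM, SOI, RST0..7: no length field
ENTROPY_ESCAPES = {0x00} | set(range(0xD0, 0xD8))     # FF00 stuffing and RSTn inside scan data
SCRIPT_MARKERS = (b"#!/", b"#include", b"int main")   # cheap hints of shell or C source

def jpeg_end_offset(data: bytes):
    """Return the offset just past the EOI marker, or None if the JPEG is malformed."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte, keep scanning
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == SOS:                       # skip entropy-coded data up to the next real marker
            while pos + 1 < len(data) and not (
                    data[pos] == 0xFF and data[pos + 1] not in ENTROPY_ESCAPES):
                pos += 1
    return None

def inspect_jpeg(data: bytes) -> str:
    """Classify as 'malformed', 'clean', 'trailing-data' or 'script-trailer'."""
    end = jpeg_end_offset(data)
    if end is None:
        return "malformed"
    trailer = data[end:].strip(b"\x00\r\n\t ")
    if not trailer:
        return "clean"
    # Trailing bytes alone are not proof of malice (some cameras append metadata),
    # so an obvious script/C trailer is reported separately for triage.
    return "script-trailer" if any(m in trailer for m in SCRIPT_MARKERS) else "trailing-data"

# Constructed samples: a minimal JPEG (SOI, JFIF APP0, one-component SOS with an
# FF00-stuffed byte, EOI) and the same bytes with a harmless script appended.
CLEAN_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" b"\x12\xff\x00\x34" b"\xff\xd9")
POLYGLOT_JPEG = CLEAN_JPEG + b"\n#!/bin/sh\necho constructed-sample-trailer\n"
```

Running `inspect_jpeg` over an upload directory or a JupyterLab workspace gives a quick triage signal; anything reported as `script-trailer` deserves a look at the appended bytes.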

Advanced Persistence and Evasion Tactics

Koske ensures long-term access and operational resilience by:

  • Rewriting /etc/resolv.conf to use Cloudflare and Google DNS

  • Locking the file using chattr +i

  • Resetting iptables rules

  • Deleting proxy-related system variables

  • Deploying custom scripts that force network access via curl, wget, and raw TCP requests

These steps help it bypass firewalls and proxies, making it extremely hard to detect or block.

Moreover, its in-memory execution approach ensures minimal traces are left behind. The malware drops:

  • A shared object (.so) rootkit-like payload compiled from C code

  • A shell script that runs standard Linux utilities for stealth and persistence

Implications and Cybersecurity Concerns

Koske is more than just another cryptojacking threat. Its AI-like adaptability, memory-based execution, and multi-layered evasion mechanisms make it a sophisticated piece of malware. Unlike traditional threats, Koske doesn’t just run a static script—it thinks, adapts, and hides intelligently.

The use of polyglot files and cloud-hosted images from services like OVH, FreeImage, and PostImage further blurs the line between legitimate traffic and malicious activity.

Koske represents a growing trend in cybercrime: the integration of AI tools and automation frameworks into malware development. As threats become more dynamic and intelligent, defenders must evolve their strategies as well. Vigilance, regular updates, and tight configurations—especially for tools like JupyterLab—are essential in this new era of cyber threats.
