AI-Generated Malware in Panda Image Hides Persistent Linux Threat (www.aquasec.com)
from Zerush@lemmy.ml to security@lemmy.ml on 25 Jul 2025 11:34
https://lemmy.ml/post/33645035

A sophisticated Linux malware called Koske, discovered in July 2025, hides malicious code within innocent-looking panda bear JPEG images to deploy cryptocurrency miners and establish persistent system access[^1]. Security researchers at AquaSec believe Koske was developed using artificial intelligence, based on its adaptive behaviors and code structure[^2].

The malware exploits misconfigured JupyterLab instances to gain initial access, then downloads two panda images containing separate payloads - a C-based rootkit and a shell script[^3]. Rather than using steganography, Koske employs polyglot files that function as both valid images and executable scripts[^1].

Once executed, the malware:

“Impersonation and psychological warfare will be a big thing in the coming years,” warns Rem Dudas from Palo Alto Networks, noting how AI enables malware to mimic other threat actors’ techniques[^4].

[^1]: BleepingComputer - New Koske Linux malware hides in cute panda images
[^2]: The420 - How Is A “Panda” Becoming a Persistent Threat?
[^3]: Securitricks - AI-Generated Malware in Panda Image Hides Persistent Linux Threat
[^4]: BetaNews - Hackers are using AI and panda images to infect Linux machines

#security


krolden@lemmy.ml on 25 Jul 2025 14:33

The image is AI-generated, obviously. Are they saying the code is as well? Seems really weird.

Also, it looks like they would have already had to have access to the server and are just using the image as a payload.

grrgyle@slrpnk.net on 25 Jul 2025 15:24

Hiding code in an image is one of my favourite tricks