from cm0002@lemmy.world to cybersecurity@infosec.pub on 25 Jul 14:07
https://lemmy.world/post/33457177
A sophisticated Linux malware called Koske, discovered in July 2025, hides malicious code within innocent-looking panda bear JPEG images to deploy cryptocurrency miners and establish persistent system access[^1]. Security researchers at AquaSec believe Koske was developed using artificial intelligence, based on its adaptive behaviors and code structure[^2].
The malware exploits misconfigured JupyterLab instances to gain initial access, then downloads two panda images containing separate payloads - a C-based rootkit and a shell script[^3]. Rather than using steganography, Koske employs polyglot files that function as both valid images and executable scripts[^1].
Once executed, the malware:
- Deploys CPU- and GPU-optimized miners for 18 different cryptocurrencies
- Establishes persistence through cron jobs and systemd services
- Uses LD_PRELOAD to hide malicious processes and files
- Manipulates DNS settings and network configurations
- Automatically switches mining pools if one becomes unavailable[^1]
“Impersonation and psychological warfare will be a big thing in the coming years,” warns Rem Dudas from Palo Alto Networks, noting how AI enables malware to mimic other threat actors’ techniques[^4].
[^1]: BleepingComputer - New Koske Linux malware hides in cute panda images
[^2]: The420 - How Is A “Panda” Becoming a Persistent Threat?
[^3]: Securitricks - AI-Generated Malware in Panda Image Hides Persistent Linux Threat
[^4]: BetaNews - Hackers are using AI and panda images to infect Linux machines
What the fuck are polyglot files and whoever the fuck thought it was a good idea to invent stuff like that?
It’s just a consequence of independent file formats. There’s bound to be overlap in what counts as technically a valid X and also technically a valid Y. It’s pretty much unavoidable. The tricky part is figuring out what fits in that sliver of the Venn diagram but is also useful as malware. If you haven’t heard of polyglots, you might enjoy every talk by Ange Albertini. Start here (they are all awesome): Funky File Formats
…and this is where sanitizing inputs becomes even more important…
Is it just me, or is this not a very convincing rationale?
Not whatsoever.
Practically any mining software would allow you to change a pool whenever you felt like it, and making a script that just goes "oh, x.x.x.x isn't responding anymore, I should point my hashrate to y.y.y.y now" is... not hard, to say the least.
damn Chinese
Might be <%your country%>?