Koske AI generated malware hides in panda images to mine cryptocurrency
Koske AI generated malware hides in panda images to mine cryptocurrency
Threat actor: Unknown – opportunistic attackers exploiting misconfigured JupyterLab servers
Threat type: AI‑assisted Linux malware for cryptomining
Exploited weakness: Unauthenticated and misconfigured JupyterLab server exposure
Malware used: Koske (rootkit and shell script), with associated miners such as ccminer
Last observed: July 26 2025
Threat score: 🔴 High (8 / 10) – due to novel AI‑generated code, stealthy persistence and potential to infect any misconfigured server.
Overview
Koske is a sophisticated Linux malware campaign uncovered by Aqua Security’s Nautilus research team. Attackers exploit misconfigured JupyterLab instances to download two panda‑picture files from short URLs. These images are polyglot JPEGs – legitimate pictures with appended malicious code. When executed on a compromised server, the images unpack a shell script and a compiled C rootkit directly in memory. The shell script edits system configurations (such as .bashrc, .bash_logout and /etc/rc.local) and installs a custom shellkoske.service to ensure persistence. The rootkit hijacks the readdir() system call via the LD_PRELOAD mechanism, hiding files and processes named koske, hideproc and related strings. Once established, the malware downloads and executes cryptomining software, selecting from up to 18 different cryptocurrencies based on the host’s hardware. Koske’s code exhibits adaptive behaviour such as proxy‑checking and DNS resetting, indicating AI or automation assistance.
Key details
- Targeted systems and sectors – Servers running JupyterLab or similar web‑based development environments across all industries. The campaign is opportunistic rather than sector‑specific, affecting any misconfigured system exposed to the internet.
- Initial delivery mechanism – Attackers exploit misconfigured JupyterLab servers and download two pandas from shortened URLs (hosted on short[.]gy and tiny[.]cc) and free image hosting services. These polyglot JPEGs contain appended shell script and C code.
- Persistence and execution – The malware modifies
.bashrc,.bash_logoutand/etc/rc.local, registers a customshellkoske.service, and creates cron jobs to execute every 30 minutes and at boot. It compiles the downloaded C code into a rootkit in memory and loads it usingLD_PRELOAD, hijacking thereaddir()call to hide evidence. - Evasion capabilities – Koske uses a user‑mode rootkit to hide files and processes, stores temporary data in
/dev/shm, and rewrites/etc/resolv.confto lock Cloudflare/Google DNS viachattr +i, preventing detection or blocking. The polyglot images bypass traditional antivirus because the malicious payload lies at the end of a legitimate image. - Network communication – The shell script resets proxy variables, flushes iptables rules and performs connectivity checks using
curl,wgetand raw TCP. It attempts to brute‑force working SOCKS5 and HTTP proxies from GitHub lists to reach its C2 and mining infrastructure. - Final objective – Deploy cryptominers for at least 18 different cryptocurrencies, adjusting selection based on CPU/GPU availability. The downloaded miner is hosted on a GitHub account named vozstanica.
- Attribution – No direct attribution. The use of Serbian IP infrastructure, free image‑hosting services and a Slovak‑named GitHub account suggests a possible Eastern European actor, but AI‑generated code obscures linguistic fingerprints.
Attack vectors
| Vector | Mechanism | Detail |
|---|---|---|
| Exploitation of misconfiguration | Remote access | Attackers scan for unauthenticated JupyterLab servers. They use a Serbian IP (178[.]220[.]112[.]53) to exploit misconfigured instances and issue commands to download malicious images. |
| Initial execution | Polyglot file abuse | The victim server downloads JPEG files from tiny[.]cc/panda-v14 and k0ske[.]short[.]gy/panda_v14, which contain appended shell scripts and C code. When executed, these payloads run in memory, compile the rootkit and start a shell script. |
| Persistence | Configuration hijack | The shell script edits .bashrc, .bash_logout and /etc/rc.local, registers a shellkoske.service, and schedules cron tasks every 30 minutes. |
| Rootkit deployment | Process hiding | The C rootkit uses LD_PRELOAD to hijack the readdir() function, hiding files and processes containing koske, hideproc or hideproc.so. |
| Network evasion | DNS and proxy manipulation | Koske resets proxy variables, flushes iptables rules, rewrites DNS settings with Cloudflare/Google addresses and locks them with chattr +i. It brute‑forces working proxies via GitHub lists. |
| Post‑exploitation | Cryptomining | Downloads a cryptominer from the GitHub account vozstanica and mines up to 18 cryptocurrencies. It monitors hardware and dynamically switches to an alternate coin or pool if needed. |
Known indicators of compromise (IoCs)
IP address
- 178[.]220[.]112[.]53 – Attackers’ Serbian IP used for initial exploitation.
URLs hosting malicious images
- hxxps://iili[.]io/FhFK3Eg.jpg
- hxxps://k0ske[.]short[.]gy/panda_v14
- hxxp://tiny[.]cc/panda-v14
- hxxps://i[.]imgs[.]ovh/2025/07/17/DmvmA.jpeg
- hxxps://i[.]imgs[.]ovh/2025/07/17/DGlLc.jpeg
Malicious files and hashes
| File (purpose) | MD5 hash | Comment |
|---|---|---|
hideproc.so (rootkit binary) | 63e613cab023c023d74e9dc8e0168e54 | User‑land rootkit loaded via LD_PRELOAD to hide processes and files. |
ccTltpHf.o (object file) | 2ed2e0e3d1ccfc20de48fa6bf49e6c89 | Compiled object used by the rootkit. |
hideproc.c (source code) | 76c5d978d6ef48af4350a12f238e48c4 | Source code of the rootkit. |
ccminer (cryptominer) | 6e9929b127afc5b4351ba3318e2178dc | CPU/GPU mining program downloaded from GitHub. |
cpuMinerTermux.koske | 305264d95d5056bc5de3a0b683bcd7eb | Termux variant of the miner. |
Other indicators
- Malicious GitHub account:
vozstanica– hosts compiled cryptominers. - Service names / files:
.bashrc.koske,shellkoske.service,/etc/rc.localmodifications and cron jobs at 30‑minute intervals. - Hidden strings: Files or processes named
koske,hideproc, orhideproc.somay indicate rootkit presence.
Mitigation and prevention
- Lock down exposed JupyterLab and development services – Restrict access to JupyterLab via authentication, VPN or IP allow‑lists. Regularly update to fix vulnerabilities such as CVE‑2025‑30370, and disable unauthenticated git extensions.
- Monitor system configuration files – Regularly audit
.bashrc,.bash_logout,/etc/rc.localand systemd service definitions for unauthorised modifications. Look for unusual entries like.bashrc.koskeorshellkoske.service. - Inspect LD_PRELOAD settings – Check
/etc/ld.so.preloadand environment variables for unknown shared libraries. Investigate any references tohideproc.soor similar names. - Block known IoCs – Add the malicious IP (
178[.]220[.]112[.]53) and domains (tiny[.]cc, short[.]gy, i[.]imgs[.]ovh) to firewall and DNS blocklists. Use URL filtering to prevent downloads of polyglot images listed above. - Deploy endpoint detection and response (EDR) – Use EDR tools capable of detecting user‑mode rootkits and unusual process hiding behaviours. Monitor for modifications to
readdir()and unusual use ofLD_PRELOAD. - Network segmentation and proxy enforcement – Block unnecessary outbound connections from servers and enforce the use of monitored proxies. Regularly audit iptables rules and DNS configurations to detect unauthorised changes.
- Educate administrators – Train DevOps and data‑science teams on the risks of exposing development tools like JupyterLab to the internet. Encourage strong authentication, key‑based SSH, and least‑privilege principles.
Risk assessment
Koske represents a notable shift in the malware landscape due to its AI‑assisted development and multiple evasion techniques. Its opportunistic targeting of misconfigured JupyterLab servers means any organisation deploying these tools without proper security controls could become a victim. The use of polyglot image files, in‑memory payload execution and a user‑mode rootkit severely complicate detection. By automatically switching between 18 cryptocurrencies and employing adaptive proxy logic, Koske maximises profitability while remaining persistent. Given these factors, Koske’s threat level is high. However, its dependence on misconfiguration exploitation limits the scope; organisations that follow secure deployment practices can significantly reduce risk.
Conclusion
The Koske malware campaign demonstrates how adversaries are blending AI‑generated code with creative delivery techniques to build persistent cryptomining bots. By exploiting unauthenticated JupyterLab instances, attackers deliver polyglot panda images that unpack a stealthy rootkit and shell scripts directly in memory. The malware then hijacks system configuration files and systemd services to survive reboots, hides its processes via LD_PRELOAD hooks, manipulates DNS and proxy settings, and mines numerous cryptocurrencies using adaptive logic. Defenders must proactively lock down development tools exposed to the internet, monitor for the specific IoCs and system modifications listed above, and deploy detection solutions capable of identifying rootkit behaviour. The emergence of AI‑assisted malware like Koske underscores the need for behavioural detection and timely patching to stay ahead in the evolving cyber threat landscape.
Sources
- Dark Reading - AI-Generated Linux Miner 'Koske' Beats Human Malware
- Security Affairs - Koske, a new AI-Generated Linux malware appears in the threat landscape
- Aqua - AI-Generated Malware in Panda Image Hides Persistent Linux Threat
- The Hacker News - Soco404 and Koske Malware Target Cloud Services with Cross-Platform Cryptomining Attacks