Koske Linux Malware Hides in Panda Images to Evade Detection

A new Linux malware named Koske hides its payloads in panda-themed image files. Its operators deliver them as polyglot files: valid JPEGs with executable code appended after the image data. The malware gains its initial foothold on poorly secured JupyterLab servers and then installs a rootkit and cryptocurrency miners.

Security researchers at Aqua Security discovered the campaign and say Koske is “one of the stealthiest Linux threats seen this year.”

How the Attack Works

The initial compromise occurs through misconfigured JupyterLab servers that lack proper authentication. Once inside, the attacker downloads two panda image files. The files open as ordinary bear photos, but each carries malicious code appended after the image data. One image contains a compiled C-based rootkit, and the other holds a shell script.

These payloads aren't hidden with steganography, which would alter the pixel data. Instead, they're appended after the valid image, creating polyglot files that still render as images while carrying a payload that is extracted and executed on the host. Image viewers and many scanners stop reading at the JPEG end-of-image marker, so the tail goes unnoticed.
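The check a practitioner wants here is whether a JPEG has anything after its end-of-image marker. The example below is added for this article and is not Aqua's or Koske's code: it walks the JPEG segment structure (SOI, length-prefixed segments, the entropy-coded scan data, EOI) and returns whatever follows. It also shows why a quick search for the last FF D9 is not enough: an appended binary can contain those two bytes by chance. The JPEG skeleton and both payloads are constructed inline for the demo.

```python
import struct

# JPEG markers needed to walk the file (ITU T.81 Annex B).
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers with no length field: TEM, SOI, EOI, RST0-RST7.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def jpeg_end_offset(data: bytes) -> int:
    """Walk the JPEG segment structure and return the offset just past the EOI marker.

    Unlike searching for the last FF D9, this cannot be fooled by an appended
    payload that happens to contain those two bytes.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker, skip it
            pos += 1
            continue
        pos += 2
        if marker == EOI:
            return pos
        if marker in STANDALONE:
            continue
        (length,) = struct.unpack(">H", data[pos:pos + 2])  # length counts its own 2 bytes
        pos += length
        if marker == SOS:
            # Entropy-coded data follows the SOS header. It ends at the first FF that is
            # neither a stuffed FF 00 nor a restart marker FF D0..D7.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker")


def trailing_payload(data: bytes) -> bytes:
    """Bytes after the image proper: empty for a clean JPEG, the hidden payload for a polyglot."""
    return data[jpeg_end_offset(data):]


def naive_trailing_payload(data: bytes) -> bytes:
    """The quick check many one-liners use (last FF D9); kept to show its failure mode."""
    return data[data.rfind(b"\xff\xd9") + 2:]


def build_sample_jpeg() -> bytes:
    """A minimal, constructed JPEG skeleton (not a real photo): SOI, an APP0/JFIF segment,
    an SOS header, a few bytes of scan data containing a stuffed FF 00 and an RST0 marker,
    then EOI. Decoders would reject it as an image, but the marker structure is valid."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


# Constructed stand-ins for the appended shell script and rootkit; not Koske's actual payloads.
SCRIPT_PAYLOAD = b"#!/bin/bash\n# constructed placeholder for the appended script\necho hidden\n"
BINARY_PAYLOAD = b"\x7fELF\x02\x01\x01" + b"\xff\xd9" + b"\x00" * 8  # happens to contain FF D9

CLEAN_JPEG = build_sample_jpeg()
SCRIPT_POLYGLOT = CLEAN_JPEG + SCRIPT_PAYLOAD
BINARY_POLYGLOT = CLEAN_JPEG + BINARY_PAYLOAD

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("script", SCRIPT_POLYGLOT), ("binary", BINARY_POLYGLOT)):
        extra = trailing_payload(blob)
        print(f"{name}: image ends at byte {jpeg_end_offset(blob)} of {len(blob)}, "
              f"{len(extra)} trailing bytes")
```

Run it over the images in a suspect download directory and treat any non-empty trailing payload as worth a closer look; a few trailing bytes of padding from a camera or editor are common, a shebang or an ELF header is not.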

What Koske Does After Infection

Once the script runs, it establishes persistence through several mechanisms at once, so removing one does not clear the infection:

  • systemd services
  • cron jobs (every 30 minutes and at reboot)
  • .bashrc and .bash_logout modifications
  • /etc/rc.local edits

The rootkit is a shared object loaded through LD_PRELOAD. It hooks libc functions to hide files and processes, particularly anything whose name contains "koske" or "hideproc," so standard tools such as ls and ps, which go through the hooked library, no longer show them.

Koske also flushes firewall rules, rewrites the DNS configuration, and sets the immutable attribute on the changed files with chattr (+i) so the system cannot revert them, ensuring its command-and-control traffic is not blocked.
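The persistence list above and the LD_PRELOAD rootkit together suggest a single triage check: grep each location the article names, plus /etc/ld.so.preload, for the strings the rootkit hides. The example below is added for this article, not code from Aqua or the malware. It takes a filesystem root as an argument so it can run against a mounted disk image or snapshot, which matters because on the live host the hooked libc can hide exactly these files from the tools you would use to look. The sample root, file names and paths it plants are constructed for the demo.

```python
import pathlib
import re
import tempfile

# Strings the report says the rootkit uses to choose what to hide. Extend with your own indicators.
SUSPECT_TOKENS = ("koske", "hideproc")

_SUSPECT = [re.compile(t, re.IGNORECASE) for t in SUSPECT_TOKENS]
_PRELOAD = [re.compile(r"LD_PRELOAD|ld\.so\.preload", re.IGNORECASE)]
_CRON_TIMING = [re.compile(r"^\s*@reboot\b|^\s*\*/30\b")]  # the two schedules the report describes


def _grep(findings, root, path, patterns):
    """Append (relative path, line) for every line of `path` matching any pattern."""
    try:
        text = path.read_text(errors="replace")
    except (FileNotFoundError, IsADirectoryError, PermissionError, NotADirectoryError):
        return
    for line in text.splitlines():
        if any(p.search(line) for p in patterns):
            findings.append((path.relative_to(root).as_posix(), line.strip()))


def audit_persistence(root) -> list:
    """Check the persistence points the article lists under a filesystem root."""
    root = pathlib.Path(root)
    findings = []

    # 1. systemd units
    for unit_dir in ("etc/systemd/system", "usr/lib/systemd/system", "lib/systemd/system"):
        d = root / unit_dir
        if d.is_dir():
            for unit in sorted(d.glob("*.service")):
                _grep(findings, root, unit, _SUSPECT + _PRELOAD)

    # 2. cron: system crontab, drop-ins and per-user spools
    cron_files = [root / "etc/crontab"]
    for spool in ("etc/cron.d", "var/spool/cron/crontabs", "var/spool/cron"):
        d = root / spool
        if d.is_dir():
            cron_files += sorted(p for p in d.iterdir() if p.is_file())
    for f in cron_files:
        _grep(findings, root, f, _SUSPECT + _PRELOAD + _CRON_TIMING)

    # 3. shell startup/teardown files and rc.local
    homes = [root / "root"]
    if (root / "home").is_dir():
        homes += sorted(p for p in (root / "home").iterdir() if p.is_dir())
    for home in homes:
        for name in (".bashrc", ".bash_logout"):
            _grep(findings, root, home / name, _SUSPECT + _PRELOAD)
    _grep(findings, root, root / "etc/rc.local", _SUSPECT + _PRELOAD)

    # 4. ld.so.preload: absent on most servers, so every non-blank entry is a finding
    preload = root / "etc/ld.so.preload"
    if preload.is_file():
        for line in preload.read_text(errors="replace").splitlines():
            if line.strip():
                findings.append(("etc/ld.so.preload", line.strip()))
    return findings


def build_sample_root() -> str:
    """Create a throwaway tree with constructed indicators in each location the article names.
    The paths and file names are made up for the demo, not taken from the report."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="koske-audit-"))
    files = {
        "etc/ld.so.preload": "/tmp/example-hideproc.so\n",
        "etc/crontab": "SHELL=/bin/sh\n*/30 * * * * root /tmp/example-koske.sh\n"
                       "@reboot root /tmp/example-koske.sh\n",
        "root/.bashrc": "alias ls='ls --color=auto'\nnohup /tmp/example-koske.sh >/dev/null 2>&1 &\n",
        "root/.bash_logout": "clear\n",
        "etc/rc.local": "#!/bin/sh\n/tmp/example-koske.sh &\nexit 0\n",
        "etc/systemd/system/example-miner.service": "[Service]\nExecStart=/tmp/example-koske.sh\n"
                                                    "Restart=always\n",
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return str(root)


if __name__ == "__main__":
    for where, evidence in audit_persistence(build_sample_root()):
        print(f"{where}: {evidence}")
```

The cron timing patterns will also flag legitimate @reboot jobs, which is intended: the output is a triage list, not a verdict. For the chattr step, lsattr -d /etc/resolv.conf shows the immutable flag (an "i" in the attribute column), and chattr -i clears it before you can restore the file.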

Cryptocurrency Mining and AI-Generated Behavior

Koske deploys a miner that selects a CPU or GPU variant based on the available hardware and supports more than 18 different coins. It can switch between coins and mining pools automatically to maximize yield. Researchers believe the scripts were likely written with help from large language models (LLMs), citing their structured logic, verbose comments, and human-readable formatting.

Why It’s Dangerous

Koske represents a growing trend: LLM-assisted malware delivered through non-traditional vectors. Unlike a basic file dropper, it:

  • Runs from memory
  • Hides processes and files
  • Survives reboots
  • Alters system settings
  • Uses polyglot tricks to bypass scanners

That combination makes detection difficult, especially on unmonitored Linux hosts used for research or DevOps, where a public JupyterLab instance and sustained CPU load attract little attention.

Final Thoughts

The Koske Linux malware is a wake-up call for system administrators. It uses cute panda images to smuggle in real threats, a rootkit and crypto miners that quietly hijack servers. Its stealth, persistence, and adaptability show how attackers now combine creativity with AI-assisted code to slip past traditional defenses. To stay safe, admins should require authentication on JupyterLab and keep it off the public internet, monitor systemd units, cron, shell startup files and /etc/ld.so.preload for unexpected changes, and investigate unexplained CPU or GPU load.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.