cybersecurity

6133 readers

8 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Be kind
Limit promotional activities
Non-cybersecurity posts should be redirected to other communities within infosec.pub.

Enjoy!

founded 2 years ago

MODERATORS

shellsharks@infosec.pub

tweedge@infosec.pub

AI-Generated Malware in Panda Image Hides Persistent Linux Threat (www.aquasec.com)

submitted 9 months ago by cm0002@lemmy.world to c/cybersecurity@infosec.pub

7 comments fedilink hide all child comments

A sophisticated Linux malware called Koske, discovered in July 2025, hides malicious code within innocent-looking panda bear JPEG images to deploy cryptocurrency miners and establish persistent system access[^1]. Security researchers at AquaSec believe Koske was developed using artificial intelligence, based on its adaptive behaviors and code structure[^2].

The malware exploits misconfigured JupyterLab instances to gain initial access, then downloads two panda images containing separate payloads - a C-based rootkit and a shell script[^3]. Rather than using steganography, Koske employs polyglot files that function as both valid images and executable scripts[^1].

Once executed, the malware:

Deploys CPU and GPU-optimized miners for 18 different cryptocurrencies

Establishes persistence through cron jobs and systemd services

Uses LD_PRELOAD to hide malicious processes and files

Manipulates DNS settings and network configurations

Automatically switches mining pools if one becomes unavailable[^1]

"Impersonation and psychological warfare will be a big thing in the coming years," warns Rem Dudas from Palo Alto Networks, noting how AI enables malware to mimic other threat actors' techniques[^4].

[^1]: BleepingComputer - New Koske Linux malware hides in cute panda images

[^2]: The420 - How Is A "Panda" Becoming a Persistent Threat?

[^3]: Securitricks - AI-Generated Malware in Panda Image Hides Persistent Linux Threat

[^4]: BetaNews - Hackers are using AI and panda images to infect Linux machines

top 7 comments

sorted by: hot top controversial new old

[–] Diplomjodler3@lemmy.world 0 points 9 months ago (2 children)

What the fuck are polyglot files and whoever the fuck thought it was a good idea to invent stuff like that?

[–] baod_rate@programming.dev 0 points 9 months ago

It's just a consequence of independent file formats. There's bound to be overlap in what counts as technically a valid X and also technically a valid Y. It's pretty much unavoidable. The tricky part is figuring out what fits in that sliver of the venn diagram but is also useful as malware.

[–] tribut@infosec.pub 0 points 9 months ago* (last edited 9 months ago)

If you haven't heard of polyglots, you might enjoy every talk by Ange Albertini. Start here (they are all awesome): Funky File Formats

[–] Blaster_M@lemmy.world 0 points 9 months ago

...and this is where sanitizing inputs becomes even more important...

[–] baod_rate@programming.dev 0 points 9 months ago (1 children)

Researchers from AquaSec have noted its ability to automatically switch to backup mining pools if a primary one becomes unavailable, ensuring continuous operation. This level of sophistication has led security experts to believe that large language models or other automation frameworks may have played a role in its development.

Is it just me or is this not a very convincing rationale.

[–] AmbitiousProcess@piefed.social 0 points 9 months ago

Not whatsoever.

Practically any mining software would allow you to change a pool whenever you felt like it, and making a script that just goes "oh, x.x.x.x isn't responding anymore, I should point my hashrate to y.y.y.y now" is... not hard, to say the least.

[–] Goten@piefed.social 0 points 9 months ago

damn chinese