New AI-Generated Linux Malware ‘Koske’ Emerges in Threat Landscape

AquaSec researchers have uncovered Koske, a new Linux malware likely built with help from artificial intelligence, designed specifically for cryptomining operations. The malware uses advanced techniques like rootkits and polyglot image files to avoid detection. 

Attackers gain access through misconfigured servers, then drop backdoors and two JPEG-based polyglot files via shortened links. These image files, stored on free image-hosting platforms, contain hidden malicious code at the end. One file delivers a rootkit in C, while the other runs a stealthy shell script to maintain persistence. 

Instead of traditional steganography, Koske uses malicious file embedding. The files are valid images with code appended at the end, and only those final bytes are executed in memory, so image and executable content blend together and stay under the radar.
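For defenders, the appended-payload layout described above can be checked by walking the JPEG structure to its real end-of-image marker and inspecting whatever follows. The sketch below is an added example, not code from the AquaSec report; the function names and the sample bytes are constructed for illustration.

```python
import struct

def jpeg_trailer(data: bytes) -> bytes:
    """Return whatever follows the JPEG end-of-image (EOI) marker, b'' if nothing."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos, in_scan = 2, False
    while pos + 1 < len(data):
        nxt = data[pos + 1]
        if data[pos] != 0xFF:
            if not in_scan:
                raise ValueError(f"expected a marker at offset {pos}")
            pos += 1                      # ordinary entropy-coded byte
        elif nxt == 0xFF or (in_scan and (nxt == 0x00 or 0xD0 <= nxt <= 0xD7)):
            pos += 1                      # fill byte, stuffed byte or restart marker
        elif nxt == 0xD9:
            return data[pos + 2:]         # real EOI: the rest is the trailer
        else:
            # Length-prefixed segment. Skipping by length steps over EXIF
            # thumbnails, which carry their own embedded FF D9.
            if pos + 4 > len(data):
                break
            (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
            pos += 2 + length
            in_scan = nxt == 0xDA         # start of scan: compressed data follows
    raise ValueError("no EOI marker found")

def classify_trailer(trailer: bytes) -> str:
    """Label trailing data; zero or whitespace padding counts as clean."""
    body = trailer.lstrip(b"\x00\r\n\t ")
    if not body:
        return "clean"
    if body.startswith(b"#!"):
        return "script"
    if body.startswith(b"\x7fELF"):
        return "elf"
    return "unknown-data"

def _sample(trailer: bytes) -> bytes:
    # Constructed, structurally minimal JPEG (not a decodable picture).
    seg = lambda m, p: b"\xff" + bytes([m]) + struct.pack(">H", len(p) + 2) + p
    app1 = b"Exif\x00\x00" + b"\xff\xd8thumb\xff\xd9"   # thumbnail with its own EOI
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"              # stuffed byte + restart marker
    return (b"\xff\xd8" + seg(0xE1, app1) + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
            + scan + b"\xff\xd9" + trailer)

if __name__ == "__main__":
    for t in (b"", b"#!/bin/sh\necho constructed\n"):
        print(classify_trailer(jpeg_trailer(_sample(t))))
```

Anything other than "clean" on an image fetched by a server process is worth triage, since ordinary image tooling does not append scripts or binaries after the end-of-image marker.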

Entry was achieved through a misconfigured JupyterLab instance. Attackers secured long-term access by modifying shell configurations and startup processes to run hidden scripts. 

Koske’s connectivity module shows adaptive behavior, testing GitHub access in multiple ways, resetting DNS and proxy settings, and brute-forcing proxies dynamically. These features suggest AI-driven development. 

Researchers noted signs of large language model use, including clean code structure, defensive scripting, and comments with Serbian-language phrases. The malware appears to be designed to resist attribution.

Koske can mine 18 cryptocurrencies, choosing the most efficient miners based on system specs. It can switch between coins like Monero, Ravencoin, Zano, Nexa, and Tari depending on availability. 

Although AquaSec linked elements of the campaign to Serbia and Slovakia, they were unable to confirm the origin. The report warns that while AI-generated code is already a challenge, AI-powered malware that adapts in real time poses a much greater threat to cybersecurity. 
