AI-Generated Malware in Panda Image Hides Persistent Linux Threat

A sophisticated Linux malware called Koske, discovered in July 2025, hides malicious code within innocent-looking panda bear JPEG images to deploy cryptocurrency miners and establish persistent system access[1]. Security researchers at AquaSec believe Koske was developed using artificial intelligence, based on its adaptive behaviors and code structure[2].

The malware exploits misconfigured JupyterLab instances to gain initial access, then downloads two panda images that each carry a separate payload: a C-based rootkit and a shell script[3]. Rather than using steganography, Koske employs polyglot files that function both as valid images and as executable scripts[1].
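A polyglot of the kind described above is an image that still parses as a JPEG while carrying script text outside the image structure. The following defender-side checker is an added example, not code from the article or from the AquaSec research: it reads a JPEG, locates the last end-of-image (EOI) marker, and classifies any bytes that follow it. The sample byte strings, the trailer classification names and the keyword list used as script indicators are constructed assumptions for illustration, not indicators published for Koske.

```python
"""Triage JPEG files for appended script content (polyglot check).

Added example for detection; the indicator patterns and sample inputs are
constructed for illustration and are not Koske-specific signatures.
"""
import re
from typing import Optional

JPEG_SOI = b"\xff\xd8"  # start-of-image marker every JPEG begins with
JPEG_EOI = b"\xff\xd9"  # end-of-image marker; image data should stop here

# Constructed heuristic indicators of shell content in a trailer.
SCRIPT_PATTERNS = [
    re.compile(rb"#!\s*/(usr/)?bin/(ba)?sh"),  # shebang line
    re.compile(rb"\b(curl|wget)\b"),           # download helper
    re.compile(rb"\bcrontab\b"),               # cron persistence
    re.compile(rb"LD_PRELOAD"),                # preload-based hiding
]


def trailing_bytes_after_eoi(data: bytes) -> Optional[bytes]:
    """Return bytes that follow the last EOI marker, or None if not a JPEG.

    rfind() is used because embedded EXIF thumbnails carry their own EOI;
    the last marker is the one that closes the outer image.
    """
    if not data.startswith(JPEG_SOI):
        return None
    idx = data.rfind(JPEG_EOI)
    if idx == -1:
        return None
    return data[idx + len(JPEG_EOI):]


def classify_jpeg(data: bytes) -> str:
    """Classify a file as not-jpeg, clean, trailing-data or script-trailer."""
    trailer = trailing_bytes_after_eoi(data)
    if trailer is None:
        return "not-jpeg"
    # Some encoders pad with NULs or a newline after EOI; treat that as clean.
    if len(trailer.strip(b"\x00\r\n ")) == 0:
        return "clean"
    if any(p.search(trailer) for p in SCRIPT_PATTERNS):
        return "script-trailer"
    return "trailing-data"


def classify_file(path: str, max_bytes: int = 64 * 1024 * 1024) -> str:
    """Read a file (bounded in size) and classify it."""
    with open(path, "rb") as fh:
        return classify_jpeg(fh.read(max_bytes))


# Constructed minimal JPEG-like byte strings: real markers, dummy image body.
CLEAN_SAMPLE = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + JPEG_EOI
POLYGLOT_SAMPLE = CLEAN_SAMPLE + b"\n#!/bin/bash\necho constructed-sample\n"

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("polyglot", POLYGLOT_SAMPLE)):
        print(f"{name}: {classify_jpeg(sample)}")
```

Run it over an upload directory or a JupyterLab working tree with `classify_file`; anything reported as `script-trailer` deserves a manual look, and `trailing-data` on files that should be plain photos is worth a second check too, since a trailer can be encoded or compressed rather than plain shell text.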

Once executed, the malware:

  • Deploys CPU and GPU-optimized miners for 18 different cryptocurrencies
  • Establishes persistence through cron jobs and systemd services
  • Uses LD_PRELOAD to hide malicious processes and files
  • Manipulates DNS settings and network configurations
  • Automatically switches mining pools if one becomes unavailable[1]

"Impersonation and psychological warfare will be a big thing in the coming years," warns Rem Dudas from Palo Alto Networks, noting how AI enables malware to mimic other threat actors' techniques[4].

[1]: [BleepingComputer - New Koske Linux malware hides in cute panda images](https://www.bleepingcomputer.com/news/security/new-koske-linux-malware-hides-in-cute-panda-images/)
[2]: The420 - How Is A "Panda" Becoming a Persistent Threat?
[3]: [Securitricks - AI-Generated Malware in Panda Image Hides Persistent Linux Threat](https://securitricks.com/attackreports/ai-generated-malware-in-panda-image-hides-persistent-linux-threat)
[4]: BetaNews - Hackers are using AI and panda images to infect Linux machines
