
Hackers Use Panda Photos to Spread AI Malware
Security researchers have identified a powerful Linux malware called Koske, which they say may have been developed with artificial intelligence
In a rush? Here are the quick facts:
- Koske malware spreads via panda JPEGs containing hidden rootkits.
- Researchers suspect Koske’s code was generated with artificial intelligence.
- It bypasses antivirus tools and hides processes using system manipulation.
Aqua Nautilus discovered this sophisticated, persistent cryptomining tool, which spreads through weaponized image files, specifically JPEGs of pandas.
“The line between human and machine-generated threats is starting to blur,” Aqua’s Assaf Morag warned. Koske exploits misconfigured servers, particularly JupyterLab instances, and uses dual-purpose image files to hide its payload.
The files open as normal images, yet they also carry code that loads rootkits and shell scripts directly into a system’s memory, bypassing traditional antivirus tools.
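One defensive check for the dual-purpose images described above, added here as an example and not code from the article or from Aqua's research: it assumes the common polyglot layout in which the script is appended after the JPEG end-of-image marker (the article does not say exactly how Koske embeds its payload), walks the JPEG segment structure to find the real end of the image, and flags any trailer that reads like a shell script. The `SCRIPT_HINTS` token list and the sample file are constructed for the demonstration.

```python
import re

JPEG_SOI = b"\xff\xd8"
SCRIPT_HINTS = re.compile(rb"^#!|\bbash\b|\bcurl\b|\bwget\b|\bchmod\b|\beval\b|LD_PRELOAD")

def jpeg_end_offset(data: bytes) -> int:
    """Offset just past EOI, found by walking segments: a plain FFD9 search is
    fooled by an EXIF thumbnail's own EOI or by FFD9 inside a binary trailer."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while True:
        if pos + 2 > len(data) or data[pos] != 0xFF:
            raise ValueError(f"malformed or truncated segment at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI reached
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # no length field
            pos += 2
            continue
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == 0xDA:                      # SOS: skip entropy-coded data
            while True:
                nxt = data.find(b"\xff", pos)
                if nxt < 0 or nxt + 1 >= len(data):
                    raise ValueError("unterminated scan data")
                if data[nxt + 1] == 0x00 or 0xD0 <= data[nxt + 1] <= 0xD7:
                    pos = nxt + 2               # stuffed FF00 or RSTn: still scan data
                    continue
                pos = nxt                       # a real marker: back to segment loop
                break

def trailing_payload(data: bytes) -> bytes:
    return data[jpeg_end_offset(data):]        # bytes an image decoder never reads

def is_dual_purpose(data: bytes) -> bool:
    tail = trailing_payload(data)
    return bool(tail.strip(b"\x00\r\n\t ")) and SCRIPT_HINTS.search(tail) is not None

def build_sample(trailer: bytes) -> bytes:
    """Constructed JPEG skeleton (not a viewable picture): SOI, APP1 holding a
    thumbnail-style FFD8..FFD9, SOS with stuffed FF00 and RST, EOI, trailer."""
    app1_body = b"Exif\x00\x00" + b"\xff\xd8\x00\x01\xff\xd9"
    app1 = b"\xff\xe1" + (len(app1_body) + 2).to_bytes(2, "big") + app1_body
    sos_hdr = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + (len(sos_hdr) + 2).to_bytes(2, "big") + sos_hdr
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return JPEG_SOI + app1 + sos + scan + b"\xff\xd9" + trailer
```

A few bytes of padding after EOI are common in legitimate files, so only a trailer that also matches script tokens is flagged; a real scanner would run this over uploaded or on-disk images and quarantine hits for analysis.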
Rahjerdi and the team found that the malware modifies system files such as ‘.bashrc’ and installs malicious cron jobs and systemd services so that it keeps running after a system restart. The attackers also alter network configuration, DNS settings, and security rules to keep their access open while evading detection.
The malware includes a rootkit, embedded within a panda image, that uses ‘LD_PRELOAD’ to hijack the Linux ‘readdir()’ function, so the infected files and the malware’s processes become invisible to users. The malware retrieves its cryptomining tools from a GitHub repository created solely for this purpose.
Koske’s behavior suggests it was likely built with the help of large language models (LLMs). Its well-structured, modular code, detailed comments, and advanced evasive logic are “indicators of AI-generated code,” according to the researchers.
The malware can even adapt in real time by testing proxies and switching mining targets based on the host’s hardware capabilities.
“Koske represents a chilling benchmark in the evolution of malware,” Morag said. “It signals a future where malware authors harness AI to outpace traditional defenses.”