AI-Generated Malware in Panda Image Hides Persistent Linux Threat

The Attack Flow

The attack begins by exploiting a misconfigured server, which allows the threat actors to install backdoors and download two seemingly harmless JPEG images from shortened URLs. These images are polyglot files, with malicious payloads appended to the end. Once downloaded, the malware extracts and executes the malicious segments in memory, bypassing antivirus tools. One payload is C code written directly to memory, compiled, and executed as a shared object .so file that functions as a rootkit. The second is a shell script, also executed from memory, which uses standard system utilities to run stealthily and maintain persistence while leaving few visible traces.

Initial Access: Exploiting Jupyter Misconfigurations

The initial access is achieved by exploitation of a misconfiguration JupyterLab instance from a Serbian IP address178.220.112.53 origin. While it is important to cover your bases and dive into the vulnerabilities, misconfiguration or supply chain attack vectors, in this attack we wish to focus on the defense evasion and persistence techniques which are unusual and boosted by AI, and can be applied in any case of misconfiguration or vulnerability exploitation.

Persistence and Execution Chain

Once inside, the threat actors ensure resilience and continued execution via multiple techniques:

• Shell Configuration Hijacking: Edits.bashrc and .bash_logout to execute a custom .bashrc.koske script that maintains communication with command-and-control (C2) infrastructure.
• System Boot Manipulation: Modifies /etc/rc.local and attaches it to a custom systemd service for privileged execution at boot.

modification of /etc/rc.local linked to a custom systemd service

• Cron Jobs: Schedules tasks at 30-minute intervals and on reboot.
• Dedicated systemd Services: Establishes shellkoske.service, a resilient self-restarting downloader and execution manager.

Attacker establishes the shellkoske.service

Payload Delivery via Polyglot Abuse

Main and secondary payloads are delivered via dual-use image files. The threat actors append malicious shell scripts to legitimate image files (e.g., panda bear pictures), which are hidden inside images and kept on legitimate and free image storage platforms (freeimage, postimage and OVH images).

This technique isn’t steganography but rather polyglot file abuse or malicious file embedding. This technique uses a valid JPG file with malicious shellcode hidden at the end. Only the last bytes are downloaded and executed, making it a sneaky form of polyglot abuse. It’s a dual-use file that evades detection by blending image data with executable payloads. As you can see in image below, the initial X bytes are the image itself, while the last part of the file is a shell code aimed to be executed after the main payload is delivered to the targeted system.

Image file with initial bytes as JPEG, ending in executable shell code

Defense Evasion: Rootkit Deployment

A secondary payload is downloaded and extracted from an image of a panda bear. This is a raw C code of a simple userland rootkit that hijacks the standard readdir() function using the LD_PRELOAD mechanism. It is designed to hide files, directories, and processes from user-space monitoring tools by filtering entries based on specific names or a PID read from/dev/shm/.hiddenpid

A rootkit hijacks the standard readdir() function using LD_PRELOAD

The hidden elements include any entry containing the strings koske, hideproc, or hideproc.so based on the malware’s internal name and payload identifiers. When a process (e.g., top, ls, ps etc) attempts to list directories, this malicious readdir() implementation intercepts the call and removes matching entries from the results, effectively making them invisible to the system user.

When loaded via LD_PRELOAD or /etc/ld.so.preload, it enables stealthy persistence by concealing the rootkit’s presence on the system.

Attacker conceals the rootkit’s presence

The use of /dev/shm (shared memory) for temporary file storage and PID hiding, along with the targeting of the /proc filesystem, highlights a strong intent to evade forensic analysis and system administrators.

The script is downloading a ccminer binary from the GitHub account vozstanica, which translates to ‘train station’ in Slovak. This account was created about a year ago solely to host a couple of cryptominers; this looks like part of the infrastructure dedicated to this attack.

Network and DNS Evasion

The malware aggressively manipulates network settings:

• Resets environment proxy variables
• Flushes iptables rules
• Rewrites /etc/resolv.conf, setting Cloudflare and Google DNS and locking it with chattr +i

This enables C2 communication regardless of local restrictions and defeats DNS-level defenses.

AI-Like Adaptation and Behavior

Koske’s connectivity module get_working_proxy reveals sophisticated diagnostic and remediation:

• Tri-Layer Connectivity Checks: Uses curl, wget, and raw TCP to verify GitHub access
• Remediation: Flushes iptables, resets proxy settings, and modifies DNS config if connectivity fails
• Proxy Brute Force: Dynamically discovers working proxies via GitHub lists, testing SOCKS5 and HTTP proxies in parallel

Such adaptive behavior, precision diagnostics, and failover strategies point toward AI assistance or automation frameworks.

Mining Logic and Payload Diversity

Koske isn’t tied to a single coin. It supports 18 different cryptocurrencies, deploying CPU- and GPU-optimized miners based on host capabilities.

• Hardware Detection: Evaluates system CPU/GPU before deployment
• Auto-switching: If a coin or pool fails, it dynamically selects another from its list
• Mining Targets: Includes Monero, Ravencoin, Zano, Nexa, Tari (GPU/CPU), and others

Indicators of AI-Generated Code

Several script components suggest LLM involvement:

• Verbose, well-structured comments and modularity
• Best-practice logic flow with defensive scripting habits
• Obfuscated authorship using Serbian phrases and neutralized syntax

Such code may have been designed to appear “generic”, frustrating attribution and analysis.

AI’s Double-Edged Sword

Koske demonstrates the powerful dual-use nature of AI. While defenders use LLMs for detection, attackers now appear to leverage AI for:

• Creating modular, evasive payloads
• Automatically adapting to system conditions
• Designing flexible persistence with minimal indicators

Even attribution becomes foggy as AI-washed code neutralizes linguistic and structural fingerprints and may even help to display the code as a specific group wrote it.

While using AI to generate better code already poses a challenge for defenders, it’s only the beginning. The real game-changer is AI-powered malware, which is malicious software that dynamically interacts with AI models to adapt its behavior in real-time. This kind of capability could mark a meteoric leap in adversaries’ tactics, putting countless systems at serious risk.

Mapping the Campaign to the MITRE ATT&CK Framework

Our investigation revealed that the attackers employed common techniques throughout the attack. Here we map each component of the attack to the corresponding techniques of the MITRE ATT&CK framework:

Recommendations and Aqua Security Controls

Aqua Security is the pioneer in cloud native security, protecting applications from development to runtime across containers, VMs, and serverless functions. The Aqua Platform offers full lifecycle protection for cloud native workloads, with runtime defenses designed to detect and stop threats like Koske. As part of the platform, Aqua Secure AI extends these protections to AI-powered applications and infrastructure, helping teams monitor and mitigate emerging risks tied to large language models and AI-generated code. From traditional malware to AI-shaped attacks, Aqua provides the visibility and control needed to secure modern workloads. To defend against this new AI-shaped threat, Aqua recommends:

Runtime Detection & Telemetry

• Monitor unauthorized bash modifications (.bashrc, .bash_logout)
• Alert on unexpected DNS rewrites, systemd service additions, or crontab changes
• Leverage telemetry from runtime protection to spot anomalous shell behavior or GPU/CPU resource spikes

Container & Workload Protection

• Block execution of polyglot file payloads in image registries
• Use drift prevention to stop hidden rootkits like hideproc.so from being injected into containers

Network Security

• Audit for proxy abuse and mass egress testing from workloads
• Enforce egress restrictions on DNS and curl/wget use to external domains

AI Threat Detection

• Implement anomaly detection based on comment styles, script verbosity, and structure indicative of LLMs
• Use Aqua Trivy and runtime security policies to block suspicious binaries compiled at runtime

Final Thoughts

Koske represents a chilling benchmark in the evolution of malware: automated, persistent, evasive, and likely AI-enhanced.

Whether written by a novice LLM user or a sophisticated actor masking intent, it signals a future where malware authors harness AI to write code that outpaces traditional defenses. As this arms race accelerates, organizations must embrace behavioral, context-aware security solutions to defend modern Linux workloads.