Koske Linux Malware: An Emerging AI-Assisted Cryptomining Threat

---

Koske is a novel Linux malware campaign leveraging AI-generated modular payloads and polyglot files to stealthily deploy CPU- and GPU-optimized cryptocurrency miners, illustrating the growing fusion of artificial intelligence and malware development.

Overview

Koske is a sophisticated Linux threat discovered in mid-2025. Its hallmark features include:

• AI-Assisted Development: Researchers attribute its modular design, adaptive persistence techniques, and payload versatility to assistance from large language models or automation frameworks.
• Polyglot Image Delivery: Two seemingly benign JPEGs of pandas conceal shell scripts and C code, executable in memory without touching disk.
• Cryptomining Focus: Once installed, Koske deploys optimized miners for at least 18 cryptocurrencies—including Monero, Ravencoin, Zano, Nexa, and Tari—automatically switching pools if needed.

Attack Chain

Technical Highlights

1. Polyglot Files vs. Steganography
   Koske uses valid JPEG headers followed by shell and C code. Unlike steganography, no data is hidden in image pixels; instead, the file is both a valid image and executable script.
2. Rootkit Implementation
   The C payload is compiled in memory into a shared object (.so) and injected using LD_PRELOAD. It hooks functions such as readdir() to hide processes, files, and directories containing keywords like “koske” or stored hidden PIDs under /dev/shm/.hiddenpid.
3. AI-Driven Code Generation
   The malware’s modular, evasive, and adaptive scripts exhibit patterns consistent with AI-generated code, suggesting the use of LLMs to produce varied persistence and reconnaissance modules with little human trace.

Indicators of Compromise

• Downloads from free image hosting domains (e.g., OVH Images, Freeimage, Postimage)
• Cron entries scheduling every 30 minutes for unknown scripts
• Custom systemd units named with “koske” or “shellkoske”
• Immutable /etc/resolv.conf locked by chattr +i
• Hidden libraries loaded via LD_PRELOAD revealing rootkit hooks

Mitigation Strategies

• Harden JupyterLab Instances: Disable anonymous access and enforce strong authentication and network restrictions.
• File Execution Policies: Mount upload directories with noexec flags and validate full byte streams, not just file extensions or signatures.
• Memory-Based Threat Monitoring: Deploy EDR solutions capable of detecting in-memory execution and polyglot file abuse.
• Proxy and DNS Hygiene: Monitor and restrict unauthorized changes to DNS settings and outbound proxy configurations.
• Routine Auditing: Regularly inspect cron jobs, systemd services, shell startup files, and loaded libraries for anomalies.

Koske exemplifies the next wave of AI-powered malware: dynamically adaptive, stealthy, and built for resource exploitation. Proactive defenses—especially around misconfigured services and in-memory monitoring—are critical to disrupting such advanced cryptomining threats.