AI Turns Panda Image Into ‘New Breed of Persistent Malware’

AI Turns Panda Image Into ‘New Breed of Persistent Malware’

AI Turns Panda Image Into ‘New Breed of Persistent Malware’

Source: Aqua Security

AI-assisted malware named Koske is hidden inside panda images, silently hijacking Linux machines for crypto mining while evading detection.

Écrit par
Liz Ticong
Liz Ticong
Jul 28, 2025

Hackers are embedding AI-generated malware hidden inside seemingly benign panda images to covertly hijack Linux machines for cryptomining, according to Aqua Security. The stealthy code evades antivirus software and leaves almost no trace.

The campaign uses a “new breed of persistent malware,” combining image-based payload delivery, AI-assisted scripting, and stealth techniques such as rootkit modules to maintain long-term control over infected systems.

Malware inside innocent-looking panda images

Assaf Morag, Director of Threat Intelligence at Aqua Nautilus, identified the malware as Koske — a modular threat designed to run quietly in the background. It is capable of mining multiple cryptocurrencies, adapting its behavior based on the infected system’s configuration.

The malware is embedded in panda images hosted on public image-sharing platforms. These images, though seemingly harmless, contain embedded code that infects Linux systems without triggering traditional antivirus defences.

Aqua researchers traced the command-and-control infrastructure to a Serbian IP address. The attackers initially gained access through an exposed JupyterLab instance — a common web-based interface used in data science and development workflows.

A warning of what is to come

Once inside a system, Koske executes entirely in memory, compiling code on the fly rather than writing to disk. This in-memory execution helps it evade many common detection mechanisms.

A second payload includes software that hides processes and files from view, or a rootkit. In this case, it uses LD_PRELOAD to hijack system functions and make the malware invisible to basic monitoring tools.

Parts of the code show patterns typical of AI-generated scripting. Aqua researchers noted clean structure, modular logic, and neutralized syntax — which are hallmarks of large language model (LLM) involvement.

The malware is built to adapt. If one connection fails or a mining pool goes down, it switches to another, using public proxy lists and diagnostic tools to keep itself running without interruption. According to Morag, “It is a warning of what is to come.”

Advertisement

Must-read security coverage

AI’s growing role in cyber attacks

Koske is part of a broader trend involving AI-assisted cyber threats. Recent cases include deepfake scams targeting company executives and chatbots being used to generate malicious code. According to Check Point, cyber attacks surged by 47% in the first quarter of 2025, driven in part by automated toolkits and AI-generated malware that lower the barrier of entry for less-skilled attackers.

Cryptocurrency remains a top target. Chainalysis’ mid-year update revealed that more than $2.17 billion in crypto has been stolen so far in 2025, with nearly a quarter of that tied to personal wallet compromises. Experts point to the accessibility of AI tools as a key enabler of more targeted attacks on individual users.

Detecting malware that hides in plain sight

Aqua Nautilus urges users to remain vigilant for subtle system changes that may indicate hidden threats. These include unauthorized changes to .bashrc files and unexpected background tasks added through cron or systemd.

Locked changes to DNS settings, such as a modified /etc/resolv.conf, can signal attempts to control outbound traffic. Sudden spikes in CPU or GPU use may also suggest cryptomining in progress.

Image files or binaries compiled during runtime should be treated with caution as these may carry hidden payloads disguised as legitimate files, per the Aqua team.

The researchers emphasized that scripting patterns with clean structure, modular logic, and generic comments may indicate AI-assisted malware. Additionally, network activity involving tools like curl or wget may reveal communication with remote attacker infrastructure.

These seemingly minor signs, when viewed together, point to a threat designed to stay hidden in plain sight.

Attackers are increasingly using AI to impersonate trusted platforms and bypass human defenses. Read our coverage on AI-generated phishing sites mimicking Okta and Microsoft 365 to learn more.

Liz Ticong

Liz Ticong is a technology writer specializing in artificial intelligence, cybersecurity, software reviews, and emerging business technologies. With more than a decade of professional writing experience and over five years contributing technology content for TechnologyAdvice, she helps readers understand complex technologies and evaluate the tools that best fit their needs. Liz has extensive experience researching, testing, and analyzing software platforms, AI tools, and technology solutions. Her work includes in-depth software reviews, buyer’s guides, product comparisons, and technology news coverage designed to help businesses make informed purchasing and implementation decisions. She regularly evaluates AI applications, automation tools, cybersecurity solutions, and business software, providing practical insights based on hands-on testing and research. In addition to her work with TechnologyAdvice, Liz has contributed technology content to leading industry publications, including eWeek and TechRepublic. Her background in technical writing and software analysis enables her to translate complex technical concepts into clear, actionable guidance for both business and technology audiences. Liz holds a bachelor's degree in Broadcast Communication from the Polytechnic University of the Philippines and continues to expand her expertise through ongoing education in artificial intelligence and emerging technologies. Through her writing, she helps readers navigate a rapidly evolving technology landscape with practical, research-driven insights and real-world product analysis.