A recent report by Aqua Security sheds light on Koske, an advanced Linux-based malware that marks a new chapter in cyber threats — one where artificial intelligence actively assists attackers in building more sophisticated and evasive payloads.
Koske targets vulnerable Linux systems to hijack their resources for cryptocurrency mining, adapting its strategy based on the host’s hardware. Whether CPU or GPU power is available, the malware switches accordingly to mine coins such as Monero, Ravencoin, Nexa, Tari, and Zano, among others.
Aqua researchers observed Koske spreading through poorly secured JupyterLab instances. Once inside a system, it installs a backdoor and deploys two inconspicuous JPEG images. These files, while showing an innocent panda photo, are in fact polyglots: they include embedded shellcode capable of pulling additional malware components like a rootkit.
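A defender-side check for the polyglot images described above, added here as an example (not code from Aqua Security or the original article): it walks the JPEG segment structure and returns any bytes that follow the end-of-image marker. It assumes the extra content is appended after the image data, which the article does not specify; the function name and the sample bytes are constructed for illustration.

```python
import struct

# Markers with no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))

def jpeg_trailing_data(data: bytes) -> bytes:
    """Return whatever follows the JPEG end-of-image (EOI) marker.

    Walks the segment structure rather than searching for the last FF D9,
    so an FF D9 inside a metadata segment or inside appended data cannot
    hide the trailer. Raises ValueError if the input is not a JPEG stream.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # skip fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker, pos = data[pos], pos + 1
        if marker == 0xD9:  # true EOI: everything after is not image data
            return data[pos:]
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            raise ValueError("invalid segment length")
        pos += length
        if marker == 0xDA:  # SOS: entropy-coded scan data follows the header
            # Advance to the next real marker, ignoring stuffed FF 00,
            # fill FF FF and restart markers FF D0..D7.
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF
                and data[pos + 1] not in (0x00, 0xFF)
                and not 0xD0 <= data[pos + 1] <= 0xD7
            ):
                pos += 1
    raise ValueError("no EOI marker found")

# Constructed sample: a structurally valid marker stream, not a decodable photo.
APP1 = b"\xff\xe1" + struct.pack(">H", 12) + b"thumb\xff\xd9pad"
SCAN = b"\xff\xda" + struct.pack(">H", 3) + b"\x00" + b"\x12\xff\x00\x34\xff\xd0\x56"
CLEAN = b"\xff\xd8" + APP1 + SCAN + b"\xff\xd9"
TRAILER = b"#!/bin/sh\n# constructed placeholder\xff\xd9\n"
POLYGLOT = CLEAN + TRAILER
```

A non-empty result on a file served as an image is a triage lead rather than a verdict, since some cameras and editors append benign trailers of their own.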
What makes Koske stand out is its suspected use of AI in its creation. Aqua believes that large language models (LLMs) were used to craft its modular payloads, design low-profile persistence mechanisms, and enhance its ability to adapt automatically to varied system environments.
For example, Koske checks its access to a GitHub account where it retrieves payloads using three different methods. If blocked, it self-corrects by altering proxy settings, removing iptables rules, and modifying DNS configurations — even locating functional proxies on its own to maintain C2 communication.
Researchers point out AI’s fingerprints in the code’s structure, comments, and logic flow, noting that such patterns make attribution harder and the malware itself more resilient.
Aqua Security warns that AI-assisted malware is just the beginning. The real concern lies ahead: malware that dynamically interacts with AI in real time to adjust behavior based on live feedback. This evolution could lead to threats that are not only stealthier but also exponentially more dangerous for defenders to detect and contain.
Source: https://www.securityweek.com/sophisticated-koske-linux-malware-developed-with-ai-aid