Koske Malware Detection: New AI-Generated Linux Threat in the Wild

Attackers are increasingly leveraging AI to compromise critical business assets, signaling a dangerous evolution in the threat landscape. Check Point Research’s AI Security Report 2025 highlights how threat actors are using AI for deepfake impersonation, automated malware creation, jailbroken LLMs, and generative disinformation campaigns. Following the campaigns involving AI lures to disseminate CyberLock, Lucky_Gh0$t, and Numero malware, cybersecurity experts have now identified a new AI-based threat. Dubbed Koske, this sophisticated malware appears to have been significantly aided by artificial intelligence during its development, underscoring the growing weaponization of AI in modern cyberattacks.

Detect Koske Malware Attacks

According to Netacea research, 93% of businesses believe they will face daily AI-driven attacks within the next year. The Splunk State of Security 2025 Report further reveals that security leaders see generative AI being used by threat actors to enhance the effectiveness of existing attacks (32%), increase their volume (28%), create entirely new attack methods (23%), and conduct reconnaissance (17%). These insights highlight the growing threat potential of AI as an offensive tool, with more malicious strains like Koske malware expected to pop up.

Register for the SOC Prime Platform to benefit from the defensive capabilities of AI and detect Koske malware attacks at the earliest stages of development. The Platform delivers timely threat intelligence and actionable detection content, backed by a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection. Click the Explore Detections button below to access a curated stack of detection rules specifically designed to help identify and respond to Koske malware activity, or use the “Koske” tag in the Threat Detection Marketplace.


All detections are compatible with multiple SIEM, EDR, and Data Lake solutions and mapped to the MITRE ATT&CK® framework. Additionally, each rule is packed with detailed metadata, including threat intel references, attack timelines, triage recommendations, and more.

Additionally, security teams can streamline threat investigation using Uncoder AI, a private IDE & co-pilot for threat-informed detection engineering. Generate detection algorithms from raw threat reports, enable fast IOC sweeps, predict ATT&CK tags, optimize query code with AI tips, and translate it across multiple SIEM, EDR, and Data Lake languages. For instance, security professionals can use the Aqua Nautilus research details to generate an Attack Flow v3 with the recently upgraded Uncoder AI functionality, leveraging RAG-powered MITRE ATT&CK® v17.1.

Use Uncoder AI to visualize the attack flow related to the Koske Linux malware campaign.

Koske Linux Malware Analysis

AI is ushering in a new wave of cyber threats, as attackers harness it to refine and massively scale their tactics. At the same time, AI is becoming a cornerstone of modern defense strategies. The future of cybersecurity will be shaped by how effectively AI integrates with other emerging technologies. Yet, threat actors continue to innovate, finding new ways to exploit AI for their own gain.

Aqua Nautilus researchers have recently uncovered a novel adversary campaign using an advanced Linux threat with sophisticated detection evasion techniques, signaling this troubling evolution. Koske is new AI-generated Linux malware designed for cryptocurrency mining operations. More specifically, the malware’s adaptive capabilities suggest it was developed with LLMs or automation frameworks. Koske installs cryptocurrency miners optimized for both CPU and GPU, exploiting infected systems to mine more than 18 different coins. Featuring modular payloads, stealthy rootkits, and distribution via weaponized image files, Koske exemplifies a new generation of persistent, highly adaptable malware. Researchers observed the malware being delivered through improperly configured JupyterLab web-based development environments.

The infection chain starts with abusing a misconfigured JupyterLab server, enabling adversaries to install backdoors and download two JPEG images from shortened URLs. These are polyglot files containing appended malicious payloads that execute directly in memory, bypassing antivirus detection. One payload is C code compiled into a rootkit, while the other is a shell script that runs stealthily using system utilities to maintain persistence.

Initial access stems from a Serbian IP (178.220.112.53). Once inside, attackers employ AI-boosted evasion and persistence techniques, including hijacking shell configurations by modifying .bashrc and .bash_logout to call a custom script, manipulating system boot via /etc/rc.local and custom systemd services, and scheduling cron jobs. Payloads are hidden in dual-use images hosted on legitimate platforms. The polyglot files weaponize seemingly harmless JPEGs of panda bears as lures, with malicious shellcode appended to the image data, making them extremely challenging to detect.
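As an added example (not code from the original post or from Aqua Nautilus), here is a small scanner that locates data appended after a JPEG's End-Of-Image marker by walking the file's marker segments, which is the structural check that distinguishes a polyglot lure from a clean image. The JPEG skeleton and the payload used for testing are constructed here and are not Koske samples.

```python
import struct

EOI, SOS = 0xD9, 0xDA
NO_LENGTH = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0-7 markers carry no length field


def jpeg_trailing_bytes(data: bytes) -> bytes:
    """Return everything after the JPEG End-Of-Image marker (b'' if clean).

    Walks marker segments instead of searching for FF D9, so an FF D9 pair
    inside an appended payload is not mistaken for the real EOI.
    """
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:              # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == EOI:
            return data[pos:]
        if marker in NO_LENGTH:
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        (seg_len,) = struct.unpack(">H", data[pos:pos + 2])
        pos += seg_len                  # length field includes itself
        if marker == SOS:               # skip entropy-coded scan data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break               # real marker, not a stuffed byte or RSTn
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker")


def looks_like_source(trailer: bytes) -> bool:
    """Heuristic: appended data that starts with a shebang or is mostly text."""
    if not trailer:
        return False
    printable = sum(32 <= b < 127 or b in b"\t\r\n" for b in trailer[:512])
    return trailer.lstrip()[:2] == b"#!" or printable / len(trailer[:512]) > 0.9


def build_sample_polyglot(payload: bytes) -> bytes:
    """Constructed test input: a minimal JPEG skeleton with `payload` appended."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"   # stuffed FF 00 and an RST0 marker in the scan
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + payload
```

A few legitimate encoders leave a handful of trailing bytes, so treat the size of the trailer together with `looks_like_source` as the signal rather than any non-empty trailer alone.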

A secondary payload, extracted from a panda bear image, contains raw C code for a userland rootkit that hijacks the readdir() function via the LD_PRELOAD mechanism. This rootkit hides files, directories, and processes by filtering entries based on specific names and on a PID stored in /dev/shm/.hiddenpid. By intercepting directory listings from tools like ls, ps, or top, it renders malicious components invisible. Loaded through LD_PRELOAD or /etc/ld.so.preload, it ensures stealthy persistence while evading forensic detection.

Koske manipulates network settings by resetting proxy variables, flushing iptables rules, forcing Cloudflare/Google DNS, and locking the changes with chattr +i, ensuring uninterrupted C2 communication and bypassing DNS defenses. Koske malware supports 18 cryptocurrencies, deploying CPU/GPU-optimized miners based on hardware detection and auto-switching to alternate coins or pools if one fails.

The script’s verbose comments, modular best-practice logic, and obfuscated Serbian-based syntax suggest LLM-assisted development designed to appear generic and hinder attribution or analysis. As potential Koske mitigation measures, defenders recommend monitoring for unauthorized bash configuration modifications, DNS rewrites, new systemd services, and abnormal GPU/CPU usage. In addition, implementing container protection to block polyglot payloads, preventing rootkit injection, and strengthening network security can help safeguard the organization’s infrastructure against Koske malware attacks. Finally, security teams should apply AI-driven anomaly detection to identify scripts with LLM-like characteristics, such as verbose comments and modular structures.
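A host-side check for the rootkit loader, shell-configuration hijack and DNS rewrite described above, as an added example rather than SOC Prime or Aqua Nautilus code. The file paths come from the report; the scratch-directory heuristic, the expected-nameserver allowlist and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Locations named in the Aqua Nautilus write-up of Koske.
PRELOAD_FILE = "etc/ld.so.preload"
HIDDEN_PID_FILE = "dev/shm/.hiddenpid"
SHELL_RC_FILES = (".bashrc", ".bash_logout")
# Heuristic (assumption): rc files should not execute code from scratch dirs.
SCRATCH_DIR_RE = re.compile(r"/(dev/shm|tmp|var/tmp)/")


def koske_indicators(root: str, expected_dns: set) -> list:
    """Return findings for a filesystem rooted at `root` ("/" on a live host)."""
    r = Path(root)
    findings = []
    preload = r / PRELOAD_FILE
    if preload.is_file() and preload.read_text(errors="replace").strip():
        findings.append(f"{PRELOAD_FILE}: non-empty (library preloaded into every process)")
    if (r / HIDDEN_PID_FILE).exists():
        findings.append(f"{HIDDEN_PID_FILE}: PID file consumed by the readdir() hook")
    homes = [r / "root"] + (sorted((r / "home").iterdir()) if (r / "home").is_dir() else [])
    for home in homes:
        for rc in (home / n for n in SHELL_RC_FILES if (home / n).is_file()):
            for line in rc.read_text(errors="replace").splitlines():
                if SCRATCH_DIR_RE.search(line) and not line.lstrip().startswith("#"):
                    findings.append(f"{rc.relative_to(r)}: runs code from scratch dir: {line.strip()}")
    resolv = r / "etc/resolv.conf"
    if resolv.is_file():
        for line in resolv.read_text(errors="replace").splitlines():
            parts = line.split()
            if len(parts) >= 2 and parts[0] == "nameserver" and parts[1] not in expected_dns:
                findings.append(f"etc/resolv.conf: unexpected nameserver {parts[1]}")
    return findings


def build_sample_tree() -> str:
    """Constructed fake root showing every indicator; not a real infected host."""
    root = tempfile.mkdtemp()
    files = {
        "etc/ld.so.preload": "/dev/shm/.x/libhide.so\n",
        "dev/shm/.hiddenpid": "4242\n",
        "home/alice/.bashrc": "alias ll='ls -l'\n# /tmp/ in a comment is fine\nbash /dev/shm/.k/run.sh &\n",
        "etc/resolv.conf": "nameserver 10.0.0.2\nnameserver 8.8.8.8\n",
    }
    for rel, text in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return root
```

On a live host, pair these file checks with the immutable-attribute check (`lsattr /etc/resolv.conf`) and a diff of enabled systemd units against a known-good baseline, which this offline example does not cover.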

Koske marks a troubling milestone in malware evolution as an automated, stealthy, persistent, and AI-powered threat. To keep pace with this escalating arms race, organizations need to adopt behavioral, context-driven security measures to protect modern Linux environments. SOC Prime curates a complete product suite that fuses AI expertise, automation, real-time threat intelligence, and more advanced capabilities to help organizations stay ahead of sophisticated cyber attacks.

The post Koske Malware Detection: New AI-Generated Linux Threat in the Wild appeared first on SOC Prime.