Source: www.techrepublic.com – Author: Liz Ticong

Hackers are embedding AI-generated malware hidden inside seemingly benign panda images to covertly hijack Linux machines for cryptomining, according to Aqua Security. The stealthy code evades antivirus software and leaves almost no trace.
The campaign uses a “new breed of persistent malware,” combining image-based payload delivery, AI-assisted scripting, and stealth techniques such as rootkit modules to maintain long-term control over infected systems.
Malware inside innocent-looking panda images
Assaf Morag, Director of Threat Intelligence at Aqua Nautilus, identified the malware as Koske — a modular threat designed to run quietly in the background. It is capable of mining multiple cryptocurrencies, adapting its behavior based on the infected system’s configuration.
The malware is embedded in panda images hosted on public image-sharing platforms. These images, though seemingly harmless, contain embedded code that infects Linux systems without triggering traditional antivirus defenses.
Aqua researchers traced the command-and-control infrastructure to a Serbian IP address. The attackers initially gained access through an exposed JupyterLab instance — a common web-based interface used in data science and development workflows.
A warning of what is to come
Once inside a system, Koske executes entirely in memory, compiling code on the fly rather than writing to disk. This in-memory execution helps it evade many common detection mechanisms.
A second payload is a rootkit, software that hides processes and files from view. In this case, it uses LD_PRELOAD to hijack system functions and make the malware invisible to basic monitoring tools.
Parts of the code show patterns typical of AI-generated scripting. Aqua researchers noted clean structure, modular logic, and neutralized syntax — which are hallmarks of large language model (LLM) involvement.
The malware is built to adapt. If one connection fails or a mining pool goes down, it switches to another, using public proxy lists and diagnostic tools to keep itself running without interruption. According to Morag, “It is a warning of what is to come.”
AI’s growing role in cyber attacks
Koske is part of a broader trend involving AI-assisted cyber threats. Recent cases include deepfake scams targeting company executives and chatbots being used to generate malicious code. According to Check Point, cyber attacks surged by 47% in the first quarter of 2025, driven in part by automated toolkits and AI-generated malware that lower the barrier of entry for less-skilled attackers.
Cryptocurrency remains a top target. Chainalysis’ mid-year update revealed that more than $2.17 billion in crypto has been stolen so far in 2025, with nearly a quarter of that tied to personal wallet compromises. Experts point to the accessibility of AI tools as a key enabler of more targeted attacks on individual users.
Detecting malware that hides in plain sight
Aqua Nautilus urges users to remain vigilant for subtle system changes that may indicate hidden threats. These include unauthorized changes to .bashrc files and unexpected background tasks added through cron or systemd.
Locked changes to DNS settings, such as a modified /etc/resolv.conf, can signal attempts to control outbound traffic. Sudden spikes in CPU or GPU use may also suggest cryptomining in progress.
Image files or binaries compiled during runtime should be treated with caution as these may carry hidden payloads disguised as legitimate files, per the Aqua team.
The researchers emphasized that scripting patterns with clean structure, modular logic, and generic comments may indicate AI-assisted malware. Additionally, network activity involving tools like curl or wget may reveal communication with remote attacker infrastructure.
These seemingly minor signs, when viewed together, point to a threat designed to stay hidden in plain sight.
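The indicators above translate directly into host checks. The script below is an added example, not Aqua's tooling or code from the article: a POSIX shell triage that inspects a live root or an offline mounted image for a populated ld.so.preload, an immutable resolv.conf, recently changed startup and scheduler files, curl/wget or LD_PRELOAD in shell startup files, and mining-grade load. The 7-day window, the 90% load threshold, the file paths and the `--run` flag are assumptions.

```shell
#!/bin/sh
# Hypothetical Koske-style host triage (added example, not Aqua's tooling).
# Each check takes the path it inspects so it works on a live root or an
# offline mounted image, and returns 0 when the indicator is present.

# Userland rootkit hook: a populated /etc/ld.so.preload (or LD_PRELOAD) loads a
# shared object into every dynamically linked process; hooked readdir()/stat()
# are how files and processes disappear from ls, ps and top.
check_preload() {           # check_preload [PRELOAD_FILE]
    f="${1:-/etc/ld.so.preload}"
    [ -s "$f" ] && grep -v '^[[:space:]]*$' "$f" | grep -qv '^[[:space:]]*#'
}

# "Locked" DNS settings: the immutable bit (chattr +i) on /etc/resolv.conf
# stops DHCP or an admin from undoing an attacker-chosen resolver.
check_immutable() {         # check_immutable [FILE]
    lsattr -d -- "${1:-/etc/resolv.conf}" 2>/dev/null | awk '{print $1}' | grep -q i
}

# Persistence: a file or directory (cron, systemd units, .bashrc) modified
# within the last DAYS days.
check_recent() {            # check_recent PATH DAYS
    [ -n "$(find "$1" -mtime -"$2" 2>/dev/null | head -n 1)" ]
}

# Startup files that fetch tooling or inject a preload library.
check_startup_hooks() {     # check_startup_hooks FILE
    grep -Eq '(curl|wget|LD_PRELOAD)' "$1" 2>/dev/null
}

# Cryptomining load: 1-minute load average above 90% of the core count.
# Takes the /proc/loadavg line and core count as arguments so it is testable.
high_load() {               # high_load LOADAVG_LINE NCPU
    echo "$1" | awk -v n="$2" '{ exit !($1 > n * 0.9) }'
}

run_all() {                 # live-host sweep; one line per hit
    check_preload   && echo "HIT: /etc/ld.so.preload is populated"
    check_immutable && echo "HIT: /etc/resolv.conf is immutable"
    for d in /etc/cron.d /var/spool/cron /etc/systemd/system; do
        check_recent "$d" 7 && echo "HIT: $d changed in the last 7 days"
    done
    for rc in /root/.bashrc /root/.profile /home/*/.bashrc /home/*/.profile; do
        check_startup_hooks "$rc" && echo "HIT: $rc sets LD_PRELOAD or calls curl/wget"
    done
    high_load "$(cat /proc/loadavg)" "$(getconf _NPROCESSORS_ONLN)" \
        && echo "HIT: 1-minute load above 90% of core count"
}

case "${1:-}" in --run) run_all ;; esac
```

Run it as `sh triage.sh --run` on the host; a hit is a lead for further investigation, not proof of compromise, since legitimate admins also pin resolv.conf and edit cron.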
Attackers are increasingly using AI to impersonate trusted platforms and bypass human defenses. Read our coverage on AI-generated phishing sites mimicking Okta and Microsoft 365 to learn more.
Original Post URL: https://www.techrepublic.com/article/news-ai-malware-linux-panda-images/