🤖 AI Summary
Researchers uncovered a modular cryptomining campaign that hides a miner (Koske / k0ske) and a tiny rootkit inside seemingly innocuous AI-generated panda JPEGs. Attackers gained initial access via a misconfigured JupyterLab, then used curl/wget with HTTP Range headers and URL shorteners to fetch only the appended malicious payloads from images. The miner installer is a ~2,000-line, nicely formatted shell script (comments in Serbian) that appears AI-generated; it probes platform/CPU/GPU, picks from ~20 supported coins and multiple miners per architecture (x86, aarch64, GPU), and pulls third‑party miners from GitHub. Persistence is achieved via .bashrc/.bash_logout edits, cron, systemd and /etc/rc.local; artifacts are masked by bind‑mounting the miner into /dev/shm/.k0ske and recording the PID in /dev/shm/.hiddenpid.
Technical and defensive implications: the companion hideproc rootkit is a 74‑line C shared object that hooks readdir() (via LD_PRELOAD or /etc/ld.so.preload) to hide filenames, directories and the miner process ID from ls/ps. The campaign mixes steganography‑style payload carriage, Range‑based extraction, public GitHub binaries, and simple but effective stealth/persistence—while remaining largely undetected on VirusTotal. For AI/ML practitioners, this is a cautionary example of LLMs producing polished, multilingual malware scaffolding (including repeatable logic errors and platform assumptions) that lowers the bar for attackers; defenders should monitor for appended JPEG payloads, range requests, unusual /dev/shm usage, LD_PRELOAD tampering and the listed operational indicators.
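Two of the indicators the summary tells defenders to watch for can be checked with very little code: a JPEG whose real EOI marker is followed by trailing bytes (the appended-payload carriage described above), and /etc/ld.so.preload entries that point into scratch directories such as /dev/shm. The following Python is an added example written for this page, not code from the researchers or from the malware; the sample JPEG bytes, the preload file text and the path names it probes are constructed stand-ins, and the `exists` parameter is a hypothetical injection point so the probe can be exercised offline. It walks JPEG segments by their declared length, so an EOI inside an embedded EXIF thumbnail is not mistaken for the end of the image.

```python
"""Defender-side checks for indicators named in the Koske write-up:
(1) a JPEG with bytes appended after its real EOI marker,
(2) suspicious /etc/ld.so.preload entries (LD_PRELOAD-style tampering),
(3) direct by-name probing of paths a readdir() hook would hide from ls.
All sample inputs below are constructed for this example, not real samples."""
import os
from typing import Callable, Iterable, List, Optional

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}   # TEM and RST0-7 carry no length field


def find_appended_payload(data: bytes) -> Optional[bytes]:
    """Return any bytes that follow the JPEG's true EOI marker, else None."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"malformed segment at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker: skip it
            pos += 1
            continue
        if marker == EOI:                  # EOI with no scan data: still the end
            end = pos + 2
            break
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")  # includes itself
        pos += 2 + seg_len
        if marker == SOS:
            # Entropy-coded data follows. Byte stuffing guarantees 0xFF inside
            # the scan is only followed by 0x00 or RSTn, so the first FF D9 is EOI.
            idx = data.find(b"\xff\xd9", pos)
            if idx < 0:
                raise ValueError("no EOI marker after scan data")
            end = idx + 2
            break
    else:
        raise ValueError("ran off end of file without EOI")
    trailer = data[end:]
    return trailer if trailer else None


SUSPICIOUS_DIRS = ("/dev/shm", "/tmp", "/var/tmp")


def suspicious_preload_entries(preload_text: str) -> List[str]:
    """Parse ld.so.preload content (whitespace-separated paths, '#' comments)
    and return entries in scratch dirs or with a hidden (dot) path component."""
    hits = []
    for line in preload_text.splitlines():
        for entry in line.split("#", 1)[0].split():
            hidden = any(part.startswith(".") for part in entry.split("/"))
            if entry.startswith(SUSPICIOUS_DIRS) or hidden:
                hits.append(entry)
    return hits


def probe_hidden_paths(paths: Iterable[str],
                       exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """A readdir()-only hook hides names from directory listings, but stat()
    by exact name is unaffected, so probing known paths directly exposes them.
    `exists` is injectable (hypothetical parameter) for offline testing."""
    return [p for p in paths if exists(p)]


# Constructed sample: SOI, a JFIF APP0 segment, a minimal SOS header, a few
# bytes of fake scan data (with a stuffed FF 00), then EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    b"\x12\x34\xff\x00\x56"
    b"\xff\xd9"
)
PAYLOAD = b"#!/bin/bash\n# constructed stand-in for an appended installer\n"
SAMPLE_PRELOAD = "# constructed file\n/usr/lib/libfoo.so\n/dev/shm/.k0ske/hideproc.so\n"
KNOWN_PATHS = ("/dev/shm/.k0ske", "/dev/shm/.hiddenpid")   # from the write-up

if __name__ == "__main__":
    print("trailer:", find_appended_payload(SAMPLE_JPEG + PAYLOAD))
    print("preload hits:", suspicious_preload_entries(SAMPLE_PRELOAD))
    print("present on this host:", probe_hidden_paths(KNOWN_PATHS))
```

The by-name probe relies on the summary's description of hideproc as a readdir() hook only; a rootkit that also hooks stat() or open() would defeat it, so treat a clean probe as weak evidence and pair it with the ld.so.preload check and a look for unexplained bind mounts over /dev/shm.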