Cybersecurity researchers have disclosed details of a previously unreported Internet-of-Things (IoT) botnet framework dubbed TuxBot v3 Evolution that shows signs of being developed with assistance from a large language model (LLM), albeit with not so successful results.
“While the AI complied with their request to generate botnet code, it included a safety disclaimer that the developer failed to remove before shipping,” Palo Alto Networks Unit 42 said. “Although the LLM clearly aided in constructing the botnet, several functions in the analyzed samples failed to work correctly.”
The cybersecurity company said a manual code review would have resolved these errors and that it’s possible more polished iterations of the malware exist out there in the wild.
The botnet framework consists of multiple components: a C-based bot agent that cross-compiles for multiple architectures (e.g., ARM, MIPS, MIPSEL, MIPS64, x86_64, PowerPC, and RISC-V), a Go-based command-and-control (C2) server with a DDoS-for-hire panel, a custom exploit virtual machine, Docker-based test infrastructure, and an automated build system.
The bot agent is designed to brute-force Telnet access on targeted devices with a set of 1,496 credential pairs, as well as incorporate exploit code targeting more than 30 IoT device families using known vulnerabilities. It communicates with the C2 server over an encrypted TCP channel, while resorting to a SHA512 domain generation algorithm (DGA), peer-to-peer (P2P) gossip protocol with Ed25519-signed commands, Internet Relay Chat (IRC), DNS TXT queries, and HTTP polling as a fallback mechanism.
The modular framework’s lineage has been traced back to three different botnets, like Mirai, AISURU, and Wuhan, in addition to partially porting some of its functions from the open-source MHDDoS Python DDoS toolkit. At least one sample of the malware was uploaded to the VirusTotal platform on January 20, 2026, indicating it has been around for over six months. Evidence suggests that work on the botnet commenced one year before that, when the author cloned the MHDDoS repository from GitHub.
“According to the framework’s description, the TuxBot developer built what they called a professional-grade C2 framework platform with a multi-user admin panel, automated deployment, and modular attack capabilities,” researchers Chris Navarrete, Asher Davila, and Doel Santos said.
The Go-based C2 server component uses three different TCP ports for incoming connections –
- TCP port 1999 (or 31337), which is used for handling encrypted command dispatch to connected bots
- TCP port 2222, which presents an interactive shell for operators over SSH
- TCP port 9999, which uses a JSON interface for programmatic access
Once launched, the botnet follows a pre-defined initialization sequence to perform a series of actions –
- Loading the C2 address from a multi-tiered architecture with one primary channel and five alternate mechanisms
- Setting up anti-debugging and anti-VM protections that check for running analysis tools
- Hiding its process name
- Installing persistence
- Launching various sub-modules to mount DDoS attacks, terminate competing processes, establish C2 channels over IRC, HTTP, DNS, and P2P, run scanners for Telnet, SSH, HTTP, and Android Debug Bridge (ADB), spawn a SOCKS5 proxy, and execute a cryptocurrency mining placeholder
The dedicated HTTP scanner, in particular, can manage up to 128 concurrent connections at any given point in time, operating with the goal of discovering vulnerable web interfaces. Persistence, on the other hand, is accomplished by means of a systemd service, cron entries, and a watchdog keepalive process to ensure TuxBot remains operational on the compromised machine.
“Multiple files contain raw LLM chain-of-thought reasoning left verbatim in comments,” Unit42 said. “These comments are the LLM’s internal reasoning as it worked through porting tasks. This reasoning is complete with self-interruptions, decisions, and references to ‘the user’ (meaning the developer who prompted the LLM).”
Although TuxBot v3 Evolution is a botnet under development, the core working functions, coupled with its reliance on AI, signal accelerated integration of features, at the same time enabling what looks to be single developer to come up with a multi-pronged toolset with multiple C2 channels, a custom exploit VM, and a Go-based DDoS-for-hire panel.
“Shared infrastructure with Kaitori v3.9 and AISURU tooling places the TuxBot operator within the Keksec ecosystem,” Unit 42 concluded. “This group is known for running multiple IoT botnet variants in parallel. TuxBot appears to be another variant in that portfolio. It’s one that aims to go beyond the usual Mirai fork with its encrypted C2, its DGA, and a modular exploit system, even though that system does not work yet in the version we recovered.”
The disclosure follows the emergence of two other botnets named RustDuck and AryStinger, which have targeted routers, IP cameras, Android boxes, and poorly secured servers to co-opt them into a network built to render online services offline and conduct reconnaissance.