TuxBot v3 Evolution Shows Signs of LLM-Assisted IoT Botnet Development
TuxBot v3 Evolution IoT botnet framework shows signs of LLM-assisted development.
Summary
Cybersecurity researchers have identified TuxBot v3 Evolution, a new IoT botnet framework that appears to have been developed with the assistance of a large language model (LLM). While the LLM helped in code generation, several functions failed to work correctly due to a safety disclaimer being left in the code. The botnet framework includes a C-based bot agent, a Go-based C2 server, and targets IoT devices by brute-forcing Telnet access and exploiting known vulnerabilities.
Full text
TuxBot v3 Evolution Shows Signs of LLM-Assisted IoT Botnet Development Ravie LakshmananJul 15, 2026IoT Security / Network Security Cybersecurity researchers have disclosed details of a previously unreported Internet-of-Things (IoT) botnet framework dubbed TuxBot v3 Evolution that shows signs of being developed with assistance from a large language model (LLM), albeit with not so successful results. "While the AI complied with their request to generate botnet code, it included a safety disclaimer that the developer failed to remove before shipping," Palo Alto Networks Unit 42 said. "Although the LLM clearly aided in constructing the botnet, several functions in the analyzed samples failed to work correctly." The cybersecurity company said a manual code review would have resolved these errors and that it's possible more polished iterations of the malware exist out there in the wild. The botnet framework consists of multiple components: a C-based bot agent that cross-compiles for multiple architectures (e.g., ARM, MIPS, MIPSEL, MIPS64, x86_64, PowerPC, and RISC-V), a Go-based command-and-control (C2) server with a DDoS-for-hire panel, a custom exploit virtual machine, Docker-based test infrastructure, and an automated build system. The bot agent is designed to brute-force Telnet access on targeted devices with a set of 1,496 credential pairs, as well as incorporate exploit code targeting more than 30 IoT device families using known vulnerabilities. It communicates with the C2 server over an encrypted TCP channel, while resorting to a SHA512 domain generation algorithm (DGA), peer-to-peer (P2P) gossip protocol with Ed25519-signed commands, Internet Relay Chat (IRC), DNS TXT queries, and HTTP polling as a fallback mechanism. The modular framework's lineage has been traced back to three different botnets, like Mirai, AISURU, and Wuhan, in addition to partially porting some of its functions from the open-source MHDDoS Python DDoS toolkit. At least one sample of the malware was uploaded to the VirusTotal platform on January 20, 2026, indicating it has been around for over six months. Evidence suggests that work on the botnet commenced one year before that, when the author cloned the MHDDoS repository from GitHub. "According to the framework's description, the TuxBot developer built what they called a professional-grade C2 framework platform with a multi-user admin panel, automated deployment, and modular attack capabilities," researchers Chris Navarrete, Asher Davila, and Doel Santos said. The Go-based C2 server component uses three different TCP ports for incoming connections - TCP port 1999 (or 31337), which is used for handling encrypted command dispatch to connected bots TCP port 2222, which presents an interactive shell for operators over SSH TCP port 9999, which uses a JSON interface for programmatic access Once launched, the botnet follows a pre-defined initialization sequence to perform a series of actions - Loading the C2 address from a multi-tiered architecture with one primary channel and five alternate mechanisms Setting up anti-debugging and anti-VM protections that check for running analysis tools Hiding its process name Installing persistence Launching various sub-modules to mount DDoS attacks, terminate competing processes, establish C2 channels over IRC, HTTP, DNS, and P2P, run scanners for Telnet, SSH, HTTP, and Android Debug Bridge (ADB), spawn a SOCKS5 proxy, and execute a cryptocurrency mining placeholder The dedicated HTTP scanner, in particular, can manage up to 128 concurrent connections at any given point in time, operating with the goal of discovering vulnerable web interfaces. Persistence, on the other hand, is accomplished by means of a systemd service, cron entries, and a watchdog keepalive process to ensure TuxBot remains operational on the compromised machine. "Multiple files contain raw LLM chain-of-thought reasoning left verbatim in comments," Unit42 said. "These comments are the LLM's internal reasoning as it worked through porting tasks. This reasoning is complete with self-interruptions, decisions, and references to 'the user' (meaning the developer who prompted the LLM)." Although TuxBot v3 Evolution is a botnet under development, the core working functions, coupled with its reliance on AI, signal accelerated integration of features, at the same time enabling what looks to be single developer to come up with a multi-pronged toolset with multiple C2 channels, a custom exploit VM, and a Go-based DDoS-for-hire panel. "Shared infrastructure with Kaitori v3.9 and AISURU tooling places the TuxBot operator within the Keksec ecosystem," Unit 42 concluded. "This group is known for running multiple IoT botnet variants in parallel. TuxBot appears to be another variant in that portfolio. It's one that aims to go beyond the usual Mirai fork with its encrypted C2, its DGA, and a modular exploit system, even though that system does not work yet in the version we recovered." The disclosure follows the emergence of two other botnets named RustDuck and AryStinger, which have targeted routers, IP cameras, Android boxes, and poorly secured servers to co-opt them into a network built to render online services offline and conduct reconnaissance. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE Tweet Share Share Share SHARE artificial intelligence, botnet, brute force attack, Command and Control, Cybercrime, ddos attack, iot security, Malware, network security, Vulnerability ⚡ Top Stories This Week 16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service 15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It Meta's New AI Image Tool Lets Others Use Your Public Instagram Photos in AI Images ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices European Parliament Member Investigating Spyware Was Hacked With Pegasus ⭐ Featured Resources What 200+ Security Teams Reveal About Using IP Intelligence in 2026 Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges See What’s Really Exposed Across Your IT, OT, IoT, Cloud, and Mobile Assets Get Gartner’s Guide to AI Agent Supervision and Runtime Controls
Indicators of Compromise
- malware — TuxBot v3 Evolution
- malware — Mirai
- malware — AISURU
- malware — Wuhan
- url — https://github.com/MHDDoS/MHDDoS