Cyber Security

TuxBot v3 Evolution Shows Signs of IoT Botnet Development Assisted by LLM

Cybersecurity researchers have revealed details of a previously unreported Internet-of-Things (IoT) botnet framework called. TuxBot v3 Evolution showing signs of improvement with the help of the large language model (LLM), although without successful results.

“While the AI ​​complied with their request to generate the botnet code, it included a security statement that the developer failed to remove before deployment,” said Palo Alto Networks Unit 42. “Although the LLM clearly assisted in the creation of the botnet, several functions in the analyzed samples failed to function properly.”

The cybersecurity company said manual code reviews would have resolved these flaws and it is possible that polished replications of the malware existed in the wild.

The botnet framework consists of many components: a C-based bot agent that integrates multiple architectures (e.g., ARM, MIPS, MIPSEL, MIPS64, x86_64, PowerPC, and RISC-V), a Go-based command-and-control (C2) server with a DDoS panel, a custom-based inspection engine, Docucker-explocker. automated build system.

The bot agent is designed to brute force Telnet access to targeted devices with a set of 1,496 authentication pairs, as well as including exploit code that targets more than 30 families of IoT devices that use known vulnerabilities. It communicates with the C2 server via an encrypted TCP channel, while using the SHA512 domain algorithm (DGA), a peer-to-peer (P2P) gossip protocol with Ed25519 signed commands, Internet Relay Chat (IRC), DNS TXT queries, and HTTP polling as a fallback mechanism.

The modular framework is traced back to three different botnets, such as Mirai, AISURU, and Wuhan, in addition to porting some of its operations from the open MHDDoS Python DDoS toolkit. At least one sample of the malware was uploaded to the VirusTotal platform on January 20, 2026, indicating that it has been around for more than six months. Evidence suggests that work on the botnet began one year earlier, when the author created an MHDDoS repository from GitHub.

“According to the framework definition, the TuxBot developer has built what they call a professional-level C2 framework platform with a multi-user management panel, automatic deployment, and general attack capabilities,” said researchers Chris Navarrete, Asher Davila, and Doel Santos.

The Go-based C2 server component uses three different TCP ports for incoming connections –

  • TCP port 1999 (or 31337), used to handle sending encrypted command to connected bots
  • TCP port 2222, which launches an interactive shell for operators via SSH
  • TCP port 9999, which uses the JSON interface for structured access

Once launched, the botnet follows a pre-defined activation sequence to perform a series of actions –

  • It loads the C2 address in a multi-phase design with one main channel and five channels
  • Setting up debugging protection and testing VM protection using analysis tools
  • It hides the name of its process
  • It involves persistence
  • Various sub-modules are introduced to install DDoS attacks, stop competing processes, establish C2 channels over IRC, HTTP, DNS, and P2P, use Telnet, SSH, HTTP, and Android Debug Bridge (ADB) scanners, expose a SOCKS5 proxy, and use a proxy for cryptocurrency mining.

A dedicated HTTP scanner, in particular, can handle up to 128 simultaneous connections at any given time, working to detect vulnerable web links. Persistence, on the other hand, is done through the systemd service, cron entries, and the watchdog keepalive process to ensure that TuxBot is always running on the vulnerable machine.

“Many files contain raw LLM ideas left verbatim in comments,” Unit42 said. “These comments are the internal thinking of LLM as he worked on logistics operations. This thinking is complete with self-interference, decisions, and references to the ‘user’ (meaning the engineer informing LLM).

Although TuxBot v3 Evolution is a botnet still under development, the core functionality, coupled with its reliance on AI, is a signal that accelerates the integration of features, while at the same time allowing what appears to be a single developer to come up with a diverse set of tools with multiple C2 channels, a custom exploit VM, and a Go-based DDoS-for-hire panel.

“The shared infrastructure with Kaitori v3.9 and AISURU tools places the TuxBot operator within the Keksec ecosystem,” concludes Unit 42. “This group is known for using many IoT botnet variants in parallel. TuxBot seems to be another option in that portfolio. It is one that aims to bypass the standard Mirai fork with its encrypted C2, its DGA, and system modular exploit, although that system is not yet operational in the version we received.”

This disclosure follows the emergence of two other botnets called RustDuck and AryStinger, which target poorly secured routers, IP cameras, Android boxes, and servers to connect them to a network designed to provide offline Internet services and conduct surveillance.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button