- Cybersecurity researchers at Palo Alto Networks Unit 42 discovered a new IoT botnet framework called TuxBot v3 Evolution that shows signs of being developed with assistance from a large language model (LLM).
- The botnet includes a cryptocurrency mining placeholder module, encrypted command-and-control channels, and a modular exploit system targeting over 30 IoT device families.
- Despite the LLM’s help, several functions in the analyzed samples fail to work correctly, and the developer left the AI’s safety disclaimer and chain-of-thought reasoning in the code.
- The botnet shares infrastructure with the Keksec ecosystem, which is known for running multiple IoT botnet variants in parallel.
Cybersecurity researchers at Palo Alto Networks Unit 42 have disclosed details of a previously unreported Internet-of-Things (IoT) botnet framework dubbed TuxBot v3 Evolution that shows signs of being developed with assistance from a large language model (LLM), albeit with not so successful results. “While the AI complied with their request to generate botnet code, it included a safety disclaimer that the developer failed to remove before shipping,” the researchers said.
The botnet framework consists of a C-based bot agent cross-compiling for multiple architectures, a Go-based command-and-control (C2) server with a DDoS-for-hire panel, a custom exploit virtual machine, and an automated build system. The bot agent brute-forces Telnet access on targeted devices with 1,496 credential pairs and incorporates exploit code targeting more than 30 IoT device families using known vulnerabilities.
Among its many sub-modules, the botnet includes a cryptocurrency mining placeholder, along with encrypted C2 communication, a SHA512 domain generation algorithm, and a peer-to-peer gossip protocol. The modular framework’s lineage has been traced back to botnets like Mirai, AISURU, and Wuhan, with some functions partially ported from the open-source MHDDoS Python DDoS toolkit.
Multiple files contain raw LLM chain-of-thought reasoning left verbatim in comments, which include self-interruptions and references to “the user.” Unit 42 concluded that shared infrastructure with Kaitori v3.9 and AISURU tooling places the TuxBot operator within the Keksec ecosystem, a group known for running multiple IoT botnet variants in parallel.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
