Cybersecurity researchers have revealed details of a previously unknown Internet-of-Things (IoT) botnet framework dubbed tuxbot v3 evolution It shows signs of being developed with the help of a large language model (LLM), although not with such successful results.
Palo Alto Networks Unit 42 said, “While the AI complied with their request to generate the botnet code, it included a security disclaimer that the developer failed to remove before shipping.” “Although LLM clearly aided in the creation of the botnet, several functions failed to function correctly in the samples analyzed.”
The cybersecurity company said that manual code review would resolve these errors and that it is possible that more sophisticated iterations of the malware exist in the wild.
The botnet framework consists of several components: a C-based bot agent that cross-compiles for multiple architectures (for example, ARM, MIPS, MIPSEL, MIPS64, x86_64, PowerPC, and RISC-V), a Go-based command-and-control (C2) server with a DDoS-for-hire panel, a custom exploit virtual machine, Docker-based test infrastructure, and An automated build system.
The bot agent is designed to brute-force Telnet access to targeted devices with a set of 1,496 credential pairs, as well as exploit code targeting over 30 IoT device families using known vulnerabilities. It communicates with the C2 server over an encrypted TCP channel, while resorting to the SHA512 domain generation algorithm (DGA), peer-to-peer (P2P) gossip protocol with Ed25519-signed commands, Internet Relay Chat (IRC), DNS TXT queries, and HTTP polling as a fallback mechanism.
The lineage of the modular framework has been traced to three different botnets such as Mirai, AISURU, and Wuhan, in addition to being partially ported from the open-source MHDDoS Python DDoS toolkit. At least one sample of the malware was uploaded to the VirusTotal platform on January 20, 2026, indicating it has been around for more than six months. Evidence suggests that work on the botnet began a year earlier, when the author cloned the MHDDoS repository from GitHub.
Researchers Chris Navarrete, Asher Davila and Doel Santos said, “According to the framework’s description, the Tuxbot developer has created a professional-grade C2 framework platform with a multi-user admin panel, automated deployment, and modular attack capabilities.”
The Go-based C2 server component uses three different TCP ports for incoming connections –
- TCP port 1999 (or 31337), used to handle encrypted command dispatch to connected bots
- TCP port 2222, which presents an interactive shell for operators over SSH
- TCP port 9999, which uses the JSON interface for programmatic access
Once launched, the botnet follows a pre-defined initialization sequence to execute a series of actions –
- Loading a C2 address from a multi-tier architecture with one primary channel and five alternative mechanisms
- Installing anti-debugging and anti-VM protection that checks running analysis tools
- The name of its process is being hidden
- establish firmness
- Launching various sub-modules to mount DDoS attacks, terminate competing processes, establish C2 channels on IRC, HTTP, DNS and P2P, run scanners for Telnet, SSH, HTTP and Android Debug Bridge (ADB), generate SOCKS5 proxies and execute a cryptocurrency mining placeholder.
The dedicated HTTP scanner, working with the goal of discovering vulnerable web interfaces, can handle up to 128 concurrent connections at any time. On the other hand, persistence is accomplished through a systemd service, cron entries, and a watchdog keepalive process to ensure that Tuxbot remains running on the compromised machine.
Unit42 said, “Many files contain raw LLM thought chain arguments that have been left verbatim in the comments.” “These comments are the internal logic of the LLM as it works through porting functions. This logic is complete with self-interruptions, decisions, and references to the ‘user’ (i.e. the developer invoking the LLM).”
Although TuxBot v3 Evolution is a botnet under development, the core working functions, coupled with its reliance on AI, indicate quick integration of features, with what appears to be a single developer able to come up with a multi-dimensional toolset with multiple C2 channels, a custom exploit VM, and a Go-based DDoS-for-hire panel.
Unit 42 concludes, “The shared infrastructure with Katori v3.9 and AISURU tooling keeps Tuxbot operators within the CakeSec ecosystem.” “This group is known to run multiple IoT botnet variants in parallel. Tuxbot appears to be another variant in that portfolio. It’s one that aims to go beyond the usual Mirai fork with its encrypted C2, its DGA, and a modular exploit system, even if that system doesn’t work yet in the version we recovered.”
The disclosure follows the emergence of two other botnets named RustDuck and AryStinger, which have targeted routers, IP cameras, Android boxes and poorly secured servers to incorporate them into networks designed to provide online services offline and conduct reconnaissance.