Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Showing posts with label AI-generated malware. Show all posts

AI-Assisted TuxBot v3 Evolution Botnet Targets IoT Devices With Modular Multi-Channel Attack Framework


Cybersecurity researchers have uncovered a previously undocumented Internet of Things (IoT) botnet framework named TuxBot v3 Evolution, which appears to have been partially developed with the help of a large language model (LLM). However, researchers found that the AI-assisted code contained multiple implementation flaws, indicating the malware is still under development.

"While the AI complied with their request to generate botnet code, it included a safety disclaimer that the developer failed to remove before shipping," Palo Alto Networks Unit 42 said. "Although the LLM clearly aided in constructing the botnet, several functions in the analyzed samples failed to work correctly."

According to Palo Alto Networks' Unit 42 researchers, a manual review of the code could have easily corrected many of these issues, suggesting that more refined versions of the malware may already exist in the wild.

The TuxBot v3 Evolution framework is built using several interconnected components, including a C-based bot agent capable of cross-compiling across architectures such as ARM, MIPS, MIPSEL, MIPS64, x86_64, PowerPC, and RISC-V. It also features a Go-based command-and-control (C2) server equipped with a DDoS-for-hire management panel, a custom exploit virtual machine, Docker-based testing infrastructure, and an automated build system.

The bot agent is designed to brute-force Telnet credentials using a database of 1,496 username-password combinations while exploiting known vulnerabilities affecting more than 30 IoT device families. For communication, the malware relies on an encrypted TCP channel and incorporates multiple fallback mechanisms, including a SHA512-based domain generation algorithm (DGA), peer-to-peer (P2P) gossip protocol secured with Ed25519 signatures, Internet Relay Chat (IRC), DNS TXT queries, and HTTP polling.

Researchers traced the botnet's origins to code borrowed from multiple malware families, including Mirai, AISURU, and Wuhan, while also identifying portions adapted from the open-source MHDDoS Python DDoS toolkit. One malware sample was uploaded to VirusTotal on January 20, 2026, indicating the framework has existed for at least six months. Evidence also suggests development began approximately a year earlier after the threat actor cloned the MHDDoS repository from GitHub.

"According to the framework's description, the TuxBot developer built what they called a professional-grade C2 framework platform with a multi-user admin panel, automated deployment, and modular attack capabilities," researchers Chris Navarrete, Asher Davila, and Doel Santos said.

The Go-based C2 server listens on three separate TCP ports to perform different functions. Port 1999 (or 31337) handles encrypted communication with infected bots, port 2222 provides operators with an interactive SSH shell, and port 9999 offers a JSON-based interface for programmatic management.

After infecting a device, TuxBot executes a structured initialization process. This includes retrieving the C2 address through a multi-layered communication system, activating anti-debugging and anti-virtual machine protections, concealing its process name, establishing persistence, and launching several attack modules.

These modules support distributed denial-of-service (DDoS) attacks, terminate competing malware, establish communications through IRC, HTTP, DNS, and P2P channels, scan services including Telnet, SSH, HTTP, and Android Debug Bridge (ADB), deploy a SOCKS5 proxy, and reserve functionality for cryptocurrency mining.

Researchers also found that the malware's HTTP scanner is capable of maintaining up to 128 concurrent connections to identify vulnerable web interfaces. Persistence mechanisms include systemd services, cron jobs, and watchdog processes that ensure the malware remains active even after system reboots.

"Multiple files contain raw LLM chain-of-thought reasoning left verbatim in comments," Unit42 said. "These comments are the LLM's internal reasoning as it worked through porting tasks. This reasoning is complete with self-interruptions, decisions, and references to 'the user' (meaning the developer who prompted the LLM)."

Although TuxBot v3 Evolution remains an unfinished project, researchers believe its modular architecture and AI-assisted development demonstrate how threat actors can rapidly build sophisticated malware with limited resources. The framework combines multiple C2 communication channels, a custom exploit virtual machine, and a Go-based DDoS-for-hire panel into a single platform.

"Shared infrastructure with Kaitori v3.9 and AISURU tooling places the TuxBot operator within the Keksec ecosystem," Unit 42 concluded. "This group is known for running multiple IoT botnet variants in parallel. TuxBot appears to be another variant in that portfolio. It's one that aims to go beyond the usual Mirai fork with its encrypted C2, its DGA, and a modular exploit system, even though that system does not work yet in the version we recovered."

The findings come shortly after researchers identified two additional botnets, RustDuck and AryStinger, which have been targeting routers, IP cameras, Android TV boxes, and inadequately secured servers to build networks capable of launching DDoS attacks and conducting reconnaissance activities.