A criminal developer built a new botnet with heavy help from an AI chatbot, and did such a rushed job that the assistant's own safety disclaimer was left sitting inside the shipped malware. Researchers at Palo Alto Networks Unit 42 recovered the framework, which they call TuxBot v3 Evolution, along with its full source code, and found the fingerprints of large language model assistance throughout it.
Why this matters
The AI angle cuts both ways. The chatbot complied with a request to generate botnet code, but it also left behind tells that betrayed the shortcut. Unit 42 found the model's raw chain-of-thought reasoning pasted verbatim into source files, hallucinated cryptographic routines the developer shipped without checking, and a leftover safety warning the author never removed. Roughly 30 percent of the framework simply does not work as a result. The concerning part, the researchers note, is that they were able to repair several of the broken features with a few targeted AI prompts, meaning a slightly more careful operator could turn this into a far more capable weapon with minimal effort.
What TuxBot can do
TuxBot is a modular framework for assembling an army of hacked Internet-of-Things devices. Its bot agent cross-compiles for 17 processor architectures, from ARM and MIPS to x86_64, PowerPC, and RISC-V, brute-forces Telnet logins using a list of 1,496 credential pairs, and carries exploit code aimed at more than 30 families of IoT devices. A Go-based command-and-control server ships with a distributed denial-of-service (DDoS) for-hire panel, and the malware falls back across several resilient channels, including a domain-generation algorithm, peer-to-peer gossip, IRC, and DNS queries, if its primary server is lost. Infected devices display the banner "Infected By Akiru," and Unit 42 links the operation to the established Keksec botnet ecosystem, with development artifacts pointing to an Iranian-hosted workstation.
What you should do
Old-school hygiene still works against it: change default Telnet and SSH passwords on routers, cameras, and other connected devices, apply firmware updates that fix long-known IoT bugs such as CVE-2022-1388, and isolate IoT gear from sensitive parts of your network. TuxBot is the latest sign that attackers are folding AI into their toolchains, following cases like a lone operator who ran a live botnet through Google's AI and a DDoS botnet that rewrote itself in Rust.
Indicators of compromise (defanged)
- C2 server: 209[.]182[.]237[.]133 (SSH banner CNC-Control-Server)
- Linked infrastructure: 185[.]10[.]68[.]127
- Developer domain: digikalas[.]online
- Early sample (SHA256): 71dfbb171eca4ef9d02ff630b56e5283bbef7b375d4dbe9e8c9531bef312fa8d
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.