Cybersecurity researchers have detailed a newly identified Internet-of-Things (IoT) botnet framework, dubbed TuxBot v3 Evolution. This sophisticated framework exhibits early signs of development aided by a large language model (LLM), though its implementation appears to have been partially unsuccessful, according to a report by Palo Alto Networks Unit 42.
The discovery, which also highlights the potential for AI-assisted malware creation, was made public recently by the cybersecurity firm. Unit 42 noted that while an LLM assisted in generating botnet code, the developer failed to remove a crucial safety disclaimer, revealing the AI’s involvement. Despite the apparent AI assistance, several core functions within the analyzed samples of TuxBot were reportedly non-operational, suggesting a need for manual code refinement.
TuxBot v3 Evolution: A Modular IoT Botnet Framework
The TuxBot framework is a multi-component system designed for widespread network compromise. Its core consists of a C-based bot agent that is engineered for cross-compilation across a diverse range of architectures, including ARM, MIPS, MIPSEL, MIPS64, x86_64, PowerPC, and RISC-V. This broad compatibility allows it to infect a vast array of IoT devices. Complementing the bot agent is a Go-based command-and-control (C2) server, which features a distributed denial-of-service (DDoS)-for-hire panel, a custom exploit virtual machine, Docker-based testing infrastructure, and an automated build system.
The bot agent’s primary method of infiltration involves brute-forcing Telnet credentials, utilizing a database of 1,496 credential pairs. Additionally, it incorporates exploit code targeting over 30 distinct IoT device families by leveraging known vulnerabilities. Communication with the C2 server is secured via an encrypted TCP channel. As a fallback, the botnet employs a SHA512 domain generation algorithm (DGA) for C2 discovery, a peer-to-peer (P2P) gossip protocol with Ed25519-signed commands, Internet Relay Chat (IRC), DNS TXT queries, and HTTP polling.
Researchers have traced the modular lineage of TuxBot v3 Evolution back to at least three other known botnets: Mirai, AISURU, and Wuhan. The framework also appears to have partially ported functionalities from the open-source MHDDoS Python DDoS toolkit. Evidence suggests that development on TuxBot began around January 2025, with the author cloning the MHDDoS repository from GitHub over a year prior to a sample being uploaded to VirusTotal on January 20, 2026, indicating it has been active for at least six months.
According to the analysis by researchers Chris Navarrete, Asher Davila, and Doel Santos, the developer of TuxBot aimed to create a “professional-grade C2 framework platform.” This platform was intended to include a multi-user administration panel, automated deployment capabilities, and modular attack functionalities, facilitating a wide range of malicious activities.
Command and Control Infrastructure
The Go-based C2 server of TuxBot utilizes three distinct TCP ports for incoming connections. TCP port 1999 (or 31337) serves for dispatching commands to connected bots over an encrypted channel. TCP port 2222 provides operators with an interactive shell connection via SSH, offering direct remote access. A third port, TCP port 9999, is configured with a JSON interface, enabling programmatic access and automation for managing the botnet.
Upon activation, the TuxBot botnet initiates a predefined sequence of actions. It begins by loading the C2 address from a multi-tiered architecture featuring a primary communication channel and five alternative mechanisms. Subsequently, it establishes anti-debugging and anti-virtual machine protections to evade analysis tools. The bot then proceeds to disguise its process name, installs itself for persistence on the compromised device, and activates various sub-modules. These modules are designed to launch DDoS attacks, terminate rival processes, establish redundant C2 channels through IRC, HTTP, DNS, and P2P networks, scan for vulnerable services like Telnet, SSH, HTTP, and Android Debug Bridge (ADB), create a SOCKS5 proxy, and deploy a placeholder for cryptocurrency mining.
The HTTP scanner component is particularly noteworthy, capable of managing up to 128 concurrent connections to discover vulnerable web interfaces. Persistence on infected machines is achieved through multiple methods, including systemd services, cron job entries, and a watchdog keepalive process, ensuring the botnet remains operational and resilient to system reboots.
LLM Influence and Potential
Palo Alto Networks Unit 42 researchers uncovered direct evidence of LLM involvement, stating, “Multiple files contain raw LLM chain-of-thought reasoning left verbatim in comments.” These comments reveal the AI’s internal decision-making processes and thought patterns as it assisted the developer with porting tasks, including instances of self-interruption and direct references to “the user” who prompted the LLM. This provides a rare, unfiltered look into the code generation process.
Although TuxBot v3 Evolution is still in its developmental stages, its foundational working components, combined with the reported AI assistance, suggest a potential for accelerated feature integration. This AI influence could enable a single developer to construct a comprehensive toolset that includes multiple C2 channels, a custom exploit virtual machine, and a sophisticated Go-based DDoS-for-hire panel.
Furthermore, Unit 42 concluded that shared infrastructure with Kaitori v3.9 and AISURU tooling places the TuxBot operator within the Keksec ecosystem. This group is known for concurrently operating multiple IoT botnet variants, with TuxBot appearing to be another addition to their portfolio. It distinguishes itself from typical Mirai forks by incorporating encrypted C2, DGA capabilities, and a modular exploit system, even though the latter was not fully functional in the recovered version.
The emergence of TuxBot v3 Evolution follows recent reports of other botnets like RustDuck and AryStinger, which have targeted routers, IP cameras, Android boxes, and unsecured servers. These botnets aim to co-opt compromised devices into large networks for disruptive online service takedowns and reconnaissance activities. The ongoing development and potential for more polished, AI-assisted malware like TuxBot signal a concerning trend in the evolution of IoT threats, underscoring the constant need for enhanced IoT security measures and vigilance against emerging attack vectors.

