TuxBot v3 Evolution: An AI-Assisted IoT Botnet With Unresolved Flaws
Cybersecurity researchers have unveiled details of **TuxBot v3 Evolution**, a new Internet-of-Things (IoT) botnet framework that appears to have been developed with the assistance of a large language model (LLM). While showing ambition with advanced features, the botnet exhibits critical functional flaws, including unremoved LLM safety disclaimers and non-operational components.

Cybersecurity researchers have disclosed details of a previously unreported Internet-of-Things (IoT) botnet framework dubbed **TuxBot v3 Evolution**. This new threat shows signs of being developed with assistance from a large language model (LLM), albeit with not-so-successful results.
"While the AI complied with their request to generate botnet code, it included a safety disclaimer that the developer failed to remove before shipping," **Palo Alto Networks Unit 42** said. "Although the LLM clearly aided in constructing the botnet, several functions in the analyzed samples failed to work correctly."
The cybersecurity company noted that a manual code review would have resolved these errors, suggesting that more polished iterations of the malware might exist in the wild.
### Architectural Overview of TuxBot
The botnet framework comprises multiple sophisticated components:
* A C-based bot agent that cross-compiles for various architectures (e.g., ARM, MIPS, MIPSEL, MIPS64, x86_64, PowerPC, and RISC-V).
* A Go-based command-and-control (C2) server featuring a DDoS-for-hire panel.
* A custom exploit virtual machine.
* Docker-based test infrastructure.
* An automated build system.
### Bot Agent Capabilities
The bot agent is designed to brute-force Telnet access on targeted devices using a set of 1,496 credential pairs. It also incorporates exploit code targeting over 30 IoT device families leveraging known vulnerabilities. Communication with the C2 server occurs over an encrypted TCP channel, with fallback mechanisms including a **SHA512** domain generation algorithm (DGA), a peer-to-peer (P2P) gossip protocol with **Ed25519**-signed commands, Internet Relay Chat (IRC), DNS TXT queries, and HTTP polling.
### Tracing the Botnet's Lineage
The modular framework's lineage has been traced back to three distinct botnets: **Mirai**, **AISURU**, and **Wuhan**. It also partially ports functions from the open-source **MHDDoS** Python DDoS toolkit. At least one sample of the malware was uploaded to the **VirusTotal** platform on January 20, 2026, indicating its presence for over six months. Evidence suggests development commenced a year prior, when the author cloned the **MHDDoS** repository from **GitHub**.
"According to the framework's description, the **TuxBot** developer built what they called a professional-grade C2 framework platform with a multi-user admin panel, automated deployment, and modular attack capabilities," stated researchers Chris Navarrete, Asher Davila, and Doel Santos.
### Command-and-Control Server Details
The Go-based C2 server component utilizes three distinct TCP ports for incoming connections:
* **TCP port 1999** (or 31337): Used for handling encrypted command dispatch to connected bots.
* **TCP port 2222**: Presents an interactive shell for operators over SSH.
* **TCP port 9999**: Employs a JSON interface for programmatic access.

### Botnet Initialization and Functionality
Upon launch, the botnet executes a pre-defined initialization sequence to perform a series of actions:
* Loading the C2 address from a multi-tiered architecture with a primary channel and five alternate mechanisms.
* Setting up anti-debugging and anti-VM protections to detect analysis tools.
* Hiding its process name.
* Installing persistence.
* Launching various sub-modules to mount DDoS attacks, terminate competing processes, establish C2 channels over IRC, HTTP, DNS, and P2P, run scanners for Telnet, SSH, HTTP, and Android Debug Bridge (**ADB**), spawn a SOCKS5 proxy, and execute a cryptocurrency mining placeholder.
The dedicated HTTP scanner can manage up to 128 concurrent connections, aiming to discover vulnerable web interfaces. Persistence is achieved via a systemd service, cron entries, and a watchdog keepalive process, ensuring **TuxBot** remains operational on compromised machines.
### The LLM's Footprint
"Multiple files contain raw LLM chain-of-thought reasoning left verbatim in comments," **Unit 42** reported. "These comments are the LLM's internal reasoning as it worked through porting tasks. This reasoning is complete with self-interruptions, decisions, and references to 'the user' (meaning the developer who prompted the LLM)."
While **TuxBot v3 Evolution** is still under development, its core functions, coupled with its reliance on AI, indicate an accelerated integration of features. This approach enables what appears to be a single developer to create a multi-pronged toolset with multiple C2 channels, a custom exploit VM, and a Go-based DDoS-for-hire panel.
### Association with the Keksec Ecosystem
"Shared infrastructure with **Kaitori v3.9** and **AISURU** tooling places the **TuxBot** operator within the **Keksec** ecosystem," **Unit 42** concluded. "This group is known for running multiple IoT botnet variants in parallel. **TuxBot** appears to be another variant in that portfolio. It's one that aims to go beyond the usual **Mirai** fork with its encrypted C2, its DGA, and a modular exploit system, even though that system does not work yet in the version we recovered."
This disclosure follows the emergence of other botnets like **RustDuck** and **AryStinger**, which have targeted routers, IP cameras, Android boxes, and poorly secured servers for DDoS attacks and reconnaissance.