TuxBot v3 Evolution: A Botnet with AI-Assisted Development
Cybersecurity researchers have recently unveiled details about TuxBot v3 Evolution, a previously undisclosed Internet-of-Things (IoT) botnet framework that exhibits signs of being developed with the aid of a large language model (LLM). While the integration of AI in its development is notable, the botnet's current iteration is marred by functional issues, suggesting that the developer failed to address errors in the AI-generated code.
According to Palo Alto Networks Unit 42, the botnet framework includes several components:
- A C-based bot agent that cross-compiles for multiple architectures (e.g., ARM, MIPS, MIPSEL, MIPS64, x86_64, PowerPC, and RISC-V).
- A Go-based command-and-control (C2) server with a DDoS-for-hire panel.
- A custom exploit virtual machine.
- Docker-based test infrastructure.
- An automated build system.
The bot agent is designed to brute-force Telnet access on targeted devices using a set of 1,496 credential pairs. It also incorporates exploit code targeting over 30 IoT device families using known vulnerabilities. Communication with the C2 server occurs over an encrypted TCP channel, with fallback mechanisms including SHA512 domain generation algorithm (DGA), peer-to-peer (P2P) gossip protocol, IRC, DNS TXT queries, and HTTP polling.
Tracing the Origins of TuxBot
Researchers have traced TuxBot's lineage to three different botnets: Mirai, AISURU, and Wuhan. Additionally, some of its functions appear to have been ported from the open-source MHDDoS Python DDoS toolkit. The earliest known sample of the malware was uploaded to VirusTotal on January 20, 2026, indicating that the botnet has been in development for at least six months. Evidence suggests that work on TuxBot began a year earlier when the developer cloned the MHDDoS repository from GitHub.
The Go-based C2 server component uses three TCP ports for incoming connections:
- TCP port 1999 (or 31337): Handles encrypted command dispatch to connected bots.
- TCP port 2222: Provides an interactive shell for operators over SSH.
- TCP port 9999: Uses a JSON interface for programmatic access.
Once launched, the botnet follows a predefined initialization sequence to perform a series of actions, including loading the C2 address, setting up anti-debugging and anti-VM protections, hiding its process name, installing persistence, and launching sub-modules for DDoS attacks, competing process termination, and cryptocurrency mining.
AI's Role in TuxBot's Development
The researchers noted that multiple files within the botnet contain raw LLM chain-of-thought reasoning in comments, indicating that the AI assisted in porting tasks. These comments reveal the AI's internal reasoning, including self-interruptions, decisions, and references to the developer. Despite the AI's involvement, several functions in the analyzed samples failed to work correctly, highlighting the need for manual code review.
"While the AI complied with their request to generate botnet code, it included a safety disclaimer that the developer failed to remove before shipping," said Unit 42. This oversight suggests that more polished versions of the malware may exist in the wild.
Ties to the Keksec Ecosystem
The researchers concluded that TuxBot shares infrastructure with Kaitori v3.9 and AISURU tooling, placing the botnet within the Keksec ecosystem. Keksec is known for operating multiple IoT botnet variants simultaneously. TuxBot appears to be another variant in this portfolio, aiming to surpass typical Mirai forks with its encrypted C2, DGA, and modular exploit system, even though the current version is not fully functional.
Broader Implications
The discovery of TuxBot v3 Evolution follows the emergence of other botnets like RustDuck and AryStinger, which have targeted routers, IP cameras, Android boxes, and poorly secured servers to co-opt them into networks designed for DDoS attacks and reconnaissance. The use of AI in botnet development raises concerns about the accelerated integration of advanced features, enabling even single developers to create sophisticated, multi-pronged toolsets.
Conclusion
TuxBot v3 Evolution represents a significant step in the evolution of IoT botnets, showcasing the potential of AI-assisted development in cybersecurity threats. While the current version of the botnet contains functional flaws, its advanced features and ties to the Keksec ecosystem underscore the growing complexity of modern malware. As AI continues to play a role in both offensive and defensive cybersecurity strategies, the need for vigilant monitoring and advanced countermeasures becomes increasingly critical.