Cybersecurity experts have uncovered details about an emerging IoT botnet framework known as TuxBot v3 Evolution. This botnet appears to be developed with the aid of a large language model (LLM), although the results have been somewhat mixed. Researchers at Palo Alto Networks’ Unit 42 revealed that while the AI-generated code, it did so with a safety disclaimer that the developers neglected to remove, resulting in some non-functional features.
AI’s Role in Botnet Development
The assistance of AI in developing TuxBot v3 Evolution was clear, yet the execution was flawed. According to Unit 42, a manual review could have corrected these issues, suggesting that more refined versions of the malware might exist. The botnet framework includes a variety of components: a C-based bot agent that supports multiple architectures, a Go-based C2 server with DDoS-for-hire capabilities, and a Docker-based test infrastructure.
The bot agent is crafted to brute-force Telnet access on targeted devices using 1,496 credential pairs and exploits vulnerabilities across over 30 IoT device families. It communicates with its C2 server via an encrypted TCP channel, employing a SHA512 domain generation algorithm and other protocols as fallback mechanisms.
Technical Specifications and Lineage
TuxBot’s modular framework has roots in several botnets, including Mirai, AISURU, and Wuhan, with some functions adapted from the MHDDoS Python DDoS toolkit. A sample of this malware was uploaded to VirusTotal on January 20, 2026, indicating its presence for over six months. Evidence points to the botnet’s development beginning when its author cloned the MHDDoS repository from GitHub.
The Go-based C2 server uses three TCP ports for different purposes: handling encrypted commands, providing an interactive shell, and offering programmatic access. The botnet follows a specific sequence upon launch, loading C2 addresses, setting up anti-debugging measures, and launching various sub-modules for DDoS attacks and more.
Current Status and Future Implications
Despite being a work in progress, TuxBot v3 Evolution showcases the potential of AI-enhanced development, allowing a single developer to create a sophisticated toolset. It shares infrastructure with other botnets within the Keksec ecosystem, known for running multiple IoT botnet variants. TuxBot aims to extend beyond typical Mirai forks with its encrypted C2 and modular exploit system, even though the latter is not yet fully operational.
This discovery coincides with the recent appearance of two other botnets, RustDuck and AryStinger, targeting vulnerable devices to disrupt online services and perform reconnaissance. The ongoing development of TuxBot v3 highlights the evolving landscape of cybersecurity threats, underscoring the need for vigilant monitoring and innovative defense strategies.
