Researchers uncovered TuxBot v3 Evolution, a modular IoT botnet framework whose developers used an LLM to help generate code, leaving behind safety disclaimers, reasoning comments, and several broken features. The framework includes a Go-based C2 panel, encrypted bot communications, DDoS capabilities, multi-architecture binaries, and infrastructure linked to the Keksec/Kaitori and AISURU ecosystems. #TuxBot #Akiru #Keksec #Kaitori #AISURU
Keypoints
- TuxBot v3 Evolution is a previously undocumented modular IoT botnet framework recovered from internal telemetry and source archives.
- The malware developers used an LLM heavily during development, which helped generate botnet code but also introduced bugs, hallucinated cryptography, and leftover safety disclaimers.
- The framework includes a C-based bot agent, a Go-based C2 server with a DDoS-for-hire panel, a custom exploit VM, Docker/QEMU test infrastructure, and an automated build system.
- Core functions such as Telnet brute-forcing, encrypted primary C2, DDoS execution, persistence, stealth, and multi-architecture compilation work, while several exploit and fallback C2 components are broken.
- The bot uses 1,496 Telnet credential pairs, supports scanners for Telnet, SSH, HTTP, PHP-based apps, and ADB, and shows the console banner âInfected By Akiru.â
- Infrastructure and code artifacts connect the operation to 209.182.237[.]133, 185.10.68[.]127, digikalas[.]online, jetross[.]com, and broader Keksec/Kaitori/AISURU ecosystems.
- The recovered samples show active development into 2026, including benchmark testing, VirusTotal appearances, and multiple architecture-specific binaries.
MITRE Techniques
- [T1078 ] Valid Accounts â The bot brute-forces Telnet access using 1,496 credential pairs against targeted devices (âThe bot agent brute-forces Telnet access on targeted devices with 1,496 credential pairsâ).
- [T1110.001 ] Brute Force: Password Guessing â It attempts large-scale login guessing over Telnet, SSH, HTTP, and ADB scanners (âscanners (Telnet, SSH, HTTP, PHP-based application, ADB)â).
- [T1071.001 ] Application Layer Protocol: Web Protocols â The bot uses HTTP polling and HTTP-based exploit/scanning traffic (âHTTP pollingâ, âthe HTTP scanner operates as an isolated child processâ).
- [T1071.003 ] Application Layer Protocol: Mail Protocols â It uses IRC as a fall-back C2 channel for commands (âIRCâ, âjoins a channel (default #tuxbot)â).
- [T1095 ] Non-Application Layer Protocol â The primary C2 uses encrypted TCP communications with custom packet framing (âThe bot connects to the C2 server on TCP port 1999 ⌠Each encrypted packet has the following formatâ).
- [T1027 ] Obfuscated Files or Information â Sensitive strings are XOR-encrypted and decrypted at runtime (âTuxBot stores sensitive strings ⌠in an XOR-encrypted table that it decrypts at runtimeâ).
- [T1562.001 ] Impair Defenses: Disable or Modify Tools â The competitor killer scans for rival malware and kills matches (âScans of /proc for memory signatures of Mirai, QBOT, Vamp, Anime and dvrHelperâ).
- [T1014 ] Rootkit â The bot hides its process name and uses stealth mechanisms to evade notice (âHiding its process nameâ, âStealth (process mimicry/relocation/anti-VM)â).
- [T1112 ] Modify Registry â Not mentioned.
- [T1090 ] Proxy â The bot includes a SOCKS5 proxy as part of its subsystem set (âA SOCKS5 proxyâ).
- [T1496 ] Resource Hijacking â The framework includes a mining placeholder (âThe mining placeholderâ).
- [T1498 ] Network Denial of Service â It implements multiple flood-based attack handlers and DDoS-for-hire functions (âattack_udp_generic_optimizedâ, âattack_tcp_syn_optimizedâ, âDDoS-for-hire panelâ).
- [T1059 ] Command and Scripting Interpreter â The C2 panel accepts operator commands like !method target duration (âissue attack commands in the format !method target durationâ).
- [T1021.004 ] Remote Services: SSH â The C2 server exposes an SSH admin shell on TCP 2222 (âThe second listener is an SSH server on TCP port 2222 that presents an interactive shell for operatorsâ).
- [T1204 ] User Execution â Not mentioned.
- [T1211 ] Exploitation for Defense Evasion â The bot includes exploit code targeting more than 30 IoT device families (âcontains exploit code targeting more than 30 IoT device familiesâ).
- [T1021.001 ] Remote Services: Telnet â Telnet is used as the primary infection vector (âbrute-forces Telnet accessâ).
- [T1027.004 ] File and Directory Discovery â The anti-VM logic checks DMI, MAC prefixes, and tools in the environment (âDMI file checks for VMware/VirtualBox/QEMUâ, âChecks for running analysis toolsâ).
- [T1046 ] Network Service Scanning â The bot includes scanners and brute-force web probing against services (âTelnet, SSH, HTTP, PHP-based application, ADBâ).
Indicators of Compromise
- [SHA256 hash ] Malicious TuxBot binaries and samples â 71dfbb171eca4ef9d02ff630b56e5283bbef7b375d4dbe9e8c9531bef312fa8d, 6b7a8e0c96c2318e747f074f9a99d26738700769ac01bba692d19fc884847737
- [File names ] Compiled binaries and samples â tuxbot.x86_64, .bot_x86_64, tuxbot.arm64, and other architecture-specific builds
- [IP addresses ] C2 and dropper infrastructure â 209.182.237[.]133, 185.10.68[.]127, and 154.6.197[.]43
- [Ports ] C2 and service listeners â 1999, 2222, 31337, and 9999
- [Domains ] Framework and infrastructure domains â c2.tuxbot.local, digikalas[.]online, jetross[.]com
- [URL paths ] Payload and dead-code download paths â /bins/bot., hxxp[:]//188.166.2[.]226/OwO/Tsunami.x86, hxxp[:]//127.0.0[.]1/cmd
- [User-Agent strings ] Network beacons and inherited artifacts â TuxBot, r00ts3c-owned-you
- [Host artifacts ] Infection and persistence markers â Infected By Akiru, sd-pam.service, /tmp/.%08x.lock
- [Protocol markers ] C2 and packet formats â 0xDEADBE01, 0xDEADBEEF, SSH-2.0-CNC-Control-Server
- [Additional hashes ] Other recovered binaries â and 15 more SHA256 hashes from multi-architecture samples
Read more: https://unit42.paloaltonetworks.com/tuxbot-v3-evolution-iot-botnet/