TuxBot v3: Inside an IoT Botnet Framework With LLM-Assisted Development

TuxBot v3: Inside an IoT Botnet Framework With LLM-Assisted Development

Researchers uncovered TuxBot v3 Evolution, a modular IoT botnet framework whose developers used an LLM to help generate code, leaving behind safety disclaimers, reasoning comments, and several broken features. The framework includes a Go-based C2 panel, encrypted bot communications, DDoS capabilities, multi-architecture binaries, and infrastructure linked to the Keksec/Kaitori and AISURU ecosystems. #TuxBot #Akiru #Keksec #Kaitori #AISURU

Keypoints

  • TuxBot v3 Evolution is a previously undocumented modular IoT botnet framework recovered from internal telemetry and source archives.
  • The malware developers used an LLM heavily during development, which helped generate botnet code but also introduced bugs, hallucinated cryptography, and leftover safety disclaimers.
  • The framework includes a C-based bot agent, a Go-based C2 server with a DDoS-for-hire panel, a custom exploit VM, Docker/QEMU test infrastructure, and an automated build system.
  • Core functions such as Telnet brute-forcing, encrypted primary C2, DDoS execution, persistence, stealth, and multi-architecture compilation work, while several exploit and fallback C2 components are broken.
  • The bot uses 1,496 Telnet credential pairs, supports scanners for Telnet, SSH, HTTP, PHP-based apps, and ADB, and shows the console banner “Infected By Akiru.”
  • Infrastructure and code artifacts connect the operation to 209.182.237[.]133, 185.10.68[.]127, digikalas[.]online, jetross[.]com, and broader Keksec/Kaitori/AISURU ecosystems.
  • The recovered samples show active development into 2026, including benchmark testing, VirusTotal appearances, and multiple architecture-specific binaries.

MITRE Techniques

  • [T1078 ] Valid Accounts – The bot brute-forces Telnet access using 1,496 credential pairs against targeted devices (‘The bot agent brute-forces Telnet access on targeted devices with 1,496 credential pairs’).
  • [T1110.001 ] Brute Force: Password Guessing – It attempts large-scale login guessing over Telnet, SSH, HTTP, and ADB scanners (‘scanners (Telnet, SSH, HTTP, PHP-based application, ADB)’).
  • [T1071.001 ] Application Layer Protocol: Web Protocols – The bot uses HTTP polling and HTTP-based exploit/scanning traffic (‘HTTP polling’, ‘the HTTP scanner operates as an isolated child process’).
  • [T1071.003 ] Application Layer Protocol: Mail Protocols – It uses IRC as a fall-back C2 channel for commands (‘IRC’, ‘joins a channel (default #tuxbot)’).
  • [T1095 ] Non-Application Layer Protocol – The primary C2 uses encrypted TCP communications with custom packet framing (‘The bot connects to the C2 server on TCP port 1999 … Each encrypted packet has the following format’).
  • [T1027 ] Obfuscated Files or Information – Sensitive strings are XOR-encrypted and decrypted at runtime (‘TuxBot stores sensitive strings … in an XOR-encrypted table that it decrypts at runtime’).
  • [T1562.001 ] Impair Defenses: Disable or Modify Tools – The competitor killer scans for rival malware and kills matches (‘Scans of /proc for memory signatures of Mirai, QBOT, Vamp, Anime and dvrHelper’).
  • [T1014 ] Rootkit – The bot hides its process name and uses stealth mechanisms to evade notice (‘Hiding its process name’, ‘Stealth (process mimicry/relocation/anti-VM)’).
  • [T1112 ] Modify Registry – Not mentioned.
  • [T1090 ] Proxy – The bot includes a SOCKS5 proxy as part of its subsystem set (‘A SOCKS5 proxy’).
  • [T1496 ] Resource Hijacking – The framework includes a mining placeholder (‘The mining placeholder’).
  • [T1498 ] Network Denial of Service – It implements multiple flood-based attack handlers and DDoS-for-hire functions (‘attack_udp_generic_optimized’, ‘attack_tcp_syn_optimized’, ‘DDoS-for-hire panel’).
  • [T1059 ] Command and Scripting Interpreter – The C2 panel accepts operator commands like !method target duration (‘issue attack commands in the format !method target duration’).
  • [T1021.004 ] Remote Services: SSH – The C2 server exposes an SSH admin shell on TCP 2222 (‘The second listener is an SSH server on TCP port 2222 that presents an interactive shell for operators’).
  • [T1204 ] User Execution – Not mentioned.
  • [T1211 ] Exploitation for Defense Evasion – The bot includes exploit code targeting more than 30 IoT device families (‘contains exploit code targeting more than 30 IoT device families’).
  • [T1021.001 ] Remote Services: Telnet – Telnet is used as the primary infection vector (‘brute-forces Telnet access’).
  • [T1027.004 ] File and Directory Discovery – The anti-VM logic checks DMI, MAC prefixes, and tools in the environment (‘DMI file checks for VMware/VirtualBox/QEMU’, ‘Checks for running analysis tools’).
  • [T1046 ] Network Service Scanning – The bot includes scanners and brute-force web probing against services (‘Telnet, SSH, HTTP, PHP-based application, ADB’).

Indicators of Compromise

  • [SHA256 hash ] Malicious TuxBot binaries and samples – 71dfbb171eca4ef9d02ff630b56e5283bbef7b375d4dbe9e8c9531bef312fa8d, 6b7a8e0c96c2318e747f074f9a99d26738700769ac01bba692d19fc884847737
  • [File names ] Compiled binaries and samples – tuxbot.x86_64, .bot_x86_64, tuxbot.arm64, and other architecture-specific builds
  • [IP addresses ] C2 and dropper infrastructure – 209.182.237[.]133, 185.10.68[.]127, and 154.6.197[.]43
  • [Ports ] C2 and service listeners – 1999, 2222, 31337, and 9999
  • [Domains ] Framework and infrastructure domains – c2.tuxbot.local, digikalas[.]online, jetross[.]com
  • [URL paths ] Payload and dead-code download paths – /bins/bot., hxxp[:]//188.166.2[.]226/OwO/Tsunami.x86, hxxp[:]//127.0.0[.]1/cmd
  • [User-Agent strings ] Network beacons and inherited artifacts – TuxBot, r00ts3c-owned-you
  • [Host artifacts ] Infection and persistence markers – Infected By Akiru, sd-pam.service, /tmp/.%08x.lock
  • [Protocol markers ] C2 and packet formats – 0xDEADBE01, 0xDEADBEEF, SSH-2.0-CNC-Control-Server
  • [Additional hashes ] Other recovered binaries – and 15 more SHA256 hashes from multi-architecture samples


Read more: https://unit42.paloaltonetworks.com/tuxbot-v3-evolution-iot-botnet/