TuxBot v3 Evolution Shows Signs of LLM-Assisted IoT Botnet Development

TuxBot v3 Evolution Shows Signs of LLM-Assisted IoT Botnet Development

TuxBot v3 Evolution Shows Signs of LLM-Assisted IoT Botnet Development

https://thehackernews.com/2026/07/tuxbot-v3-evolution-shows-signs-of-llm.html

Publish Date: 2026-07-15 14:43:00

Source Domain: thehackernews.com

Cybersecurity researchers have disclosed details of a previously unreported Internet-of-Things (IoT) botnet framework dubbed TuxBot v3 Evolution that shows signs of being developed with assistance from a large language model (LLM), albeit with not so successful results.

“While the AI complied with their request to generate botnet code, it included a safety disclaimer that the developer failed to remove before shipping,” Palo Alto Networks Unit 42 said. “Although the LLM clearly aided in constructing the botnet, several functions in the analyzed samples failed to work correctly.”

The cybersecurity company said a manual code review would have resolved these errors and that it’s possible more polished iterations of the malware exist out there in the wild.

The botnet framework consists of multiple components: a C-based bot agent that cross-compiles for multiple architectures (e.g., ARM, MIPS, MIPSEL, MIPS64, x86_64, PowerPC, and RISC-V), a Go-based command-and-control (C2) server with a DDoS-for-hire panel, a custom exploit virtual machine, Docker-based test infrastructure, and an automated build system.

The bot agent is designed to brute-force Telnet access on targeted devices with a set of 1,496 credential pairs, as well as incorporate exploit code targeting more than 30 IoT device families using known vulnerabilities. It communicates with the C2 server over an encrypted TCP channel, while resorting to a SHA512 domain generation algorithm (DGA), peer-to-peer (P2P) gossip protocol with Ed25519-signed commands, Internet Relay Chat (IRC), DNS TXT queries, and HTTP polling as a fallback mechanism.

The modular framework’s lineage has been traced back to three different botnets, like Mirai, AISURU, and Wuhan, in addition to partially porting some of its functions from the open-source MHDDoS Python DDoS toolkit. At least one sample of the malware was uploaded to the VirusTotal platform on January 20, 2026, indicating it has been around for over six months. Evidence…

Source