Threat Intelligence

New TuxBot v3 Evolution IoT botnet framework shows signs of AI development

As detailed in The Hacker News, cybersecurity researchers have uncovered a new Internet-of-Things (IoT) botnet framework named TuxBot v3 Evolution. This framework exhibits characteristics suggesting it was developed with the assistance of a large language model (LLM), though the AI's contributions appear to have had mixed success.

Palo Alto Networks Unit 42 reported that while the LLM generated botnet code, it included an unremoved safety disclaimer. Several functions in the analyzed samples failed to operate correctly, indicating potential flaws in the AI-assisted development process. The botnet framework is modular, featuring a C-based bot agent supporting multiple architectures, a Go-based command-and-control (C2) server with a DDoS-for-hire panel, and an exploit virtual machine. The bot agent attempts to brute-force Telnet access using a large set of credentials and exploits over 30 IoT device families. Communication with the C2 server is encrypted, with fallback mechanisms including a SHA512 domain generation algorithm and a peer-to-peer protocol.

Tracing its lineage to botnets like Mirai and AISURU, TuxBot v3 Evolution also incorporates code from the MHDDoS Python toolkit. Evidence suggests development began around January 2025. The C2 server uses specific TCP ports for command dispatch, an interactive SSH shell, and programmatic access via a JSON interface. The botnet's initialization sequence includes anti-debugging measures, persistence installation, and launching of various attack modules. The framework's reliance on AI, despite its current flaws, signals a potential acceleration in feature integration for botnet development, enabling single developers to create complex toolsets. TuxBot is believed to be part of the Keksec ecosystem, known for operating multiple parallel IoT botnets.

Source: The Hacker News

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds