Threat Actor Abuses Google Gemini CLI as Hacking Agent and Botnet Controller
A Russian-speaking threat actor has weaponized Google's open-source Gemini CLI AI tool, using it as a sophisticated hacking agent to manage a botnet and compromise sensitive data.

A sophisticated threat actor, identified as "bandcampro," has been observed leveraging Google's open-source Gemini Command Line Interface (CLI) AI tool for malicious purposes, acting as both a hacking agent and a controller for a small-scale botnet. This marks a significant development in the ongoing trend of threat actors co-opting legitimate AI technologies for cybercrime.
The actor engaged with the Gemini CLI in over 200 sessions between May 19 and April 21, utilizing its capabilities to troubleshoot issues, propose operational improvements, and manage an infrastructure that compromised eight systems within a dental clinic, ultimately gaining access to the OpenDental database. The AI was prompted to assume the role of an "authorized pen tester," operating without safety disclaimers and automatically saving any credentials it encountered.
Trend Micro researchers detailed how "bandcampro" used the Gemini CLI to orchestrate a migration of the botnet's command-and-control (C2) infrastructure. Starting with a simple instruction to "Study the C2 migration," the AI processed a provided guide and generated all necessary steps and code for the transition. This complex process, including architecture setup, coding, VPS deployment, Cloudflare configuration, and initial debugging, was completed by the AI in a mere six minutes.
Following the migration, when some infected machines failed to reconnect, the AI diagnosed the issue as conflicting traffic between the old and new servers. Once the actor shut down the legacy server, all bots successfully reconnected, demonstrating the AI's diagnostic and problem-solving capabilities in a live attack scenario.
Daily operational logs revealed that the threat actor continued to manage the botnet using natural language prompts. These included requests to identify online machines, list files on specific computers, and generate malicious infection links. The entire botnet operation, including its components and instructions, was remarkably lightweight, contained within three plain-text files totaling approximately 5 KB.
Technically, the botnet employed an in-memory Python HTTP server and PowerShell agents that polled the C2 every five seconds. Persistence was achieved through scheduled tasks, WMI events, and registry modifications, depending on the privileges obtained. The malware itself was described as unsophisticated, lacking obfuscation or advanced evasion techniques, suggesting the AI's primary contribution was in operational efficiency and management rather than novel malware development.
Beyond botnet management, "bandcampro" reportedly used the AI for password guessing, generating plausible password variants for WordPress portals, and analyzing 1Password dumps to identify potential exploitation avenues. While one attempt to build a self-spreading "agent-bomb" was refused by Gemini, the actor simply shifted focus to other tasks, highlighting the adaptability of the attacker and the AI's utility across various malicious functions.
This incident underscores a growing concern within the cybersecurity community: the potential for powerful AI tools, especially open-source ones, to be repurposed by malicious actors. The ability of AI to rapidly generate code, manage complex infrastructure, and adapt to changing conditions presents a new frontier in cyber threats, demanding proactive defense strategies and a deeper understanding of AI's dual-use potential.