VYPR
researchPublished Jul 15, 2026· 1 source

TuxBot v3 IoT Botnet Leverages LLM for Development, Exposing Flaws

A new iteration of the TuxBot IoT botnet framework, dubbed TuxBot v3 Evolution, has been discovered incorporating Large Language Model (LLM) assistance in its development, leading to both enhanced capabilities and notable bugs.

Security researchers at Unit 42 have detailed the emergence of TuxBot v3 Evolution, a modular internet-of-things (IoT) botnet framework that showcases the growing influence of AI in malware development. The analysis reveals that the malware authors utilized an LLM to aid in generating code, a process that, while accelerating development, resulted in the inclusion of an unremoved AI safety disclaimer and several functional errors within the compiled samples.

The TuxBot framework itself is a composite, drawing features from known botnets like AISURU and the Wuhan lineage, alongside elements ported from the open-source MHDDoS Python DDoS toolkit. The recovered source code, compiled binaries for 17 different architectures, and extensive DDoS performance testing reports paint a picture of a sophisticated and adaptable threat. The bot agent is written in C and is designed to cross-compile for a wide array of architectures, including ARM, MIPS, x86_64, and RISC-V, enabling broad device compatibility.

Infection vectors for TuxBot v3 Evolution primarily rely on brute-forcing Telnet access using a substantial list of 1,496 credential pairs. Beyond brute-force methods, the framework also includes exploit code targeting over 30 different IoT device families. Once compromised, infected devices display the console banner "Infected By Akiru." Communication with the command-and-control (C2) server is secured via an encrypted TCP channel, but the botnet employs multiple fallback mechanisms to maintain connectivity, including a SHA512 domain generation algorithm (DGA), peer-to-peer (P2P) gossip with Ed25519-signed commands, IRC, DNS TXT queries, and HTTP polling.

The C2 infrastructure is built using Go and features a DDoS-for-hire panel, a custom exploit virtual machine, and a Docker-based test environment. This modular design allows for flexibility and scalability in its operations. The framework's automated build system further streamlines the deployment and management of botnet components.

Despite the advancements, the LLM-assisted development has introduced significant flaws. Approximately 70% of the framework's analyzed components are functional, with core infection and DDoS execution working as intended. However, exploit systems and other features are broken due to bugs that can be traced back to the AI-generated code. The LLM's raw reasoning logs were found verbatim in source files, and the developer failed to properly vet cryptographic implementations generated by the AI. These issues suggest that while the current iteration has limitations, more polished and dangerous versions are likely to emerge.

The development timeline, pieced together from Git logs within the source code archive, indicates a development period starting as early as January 2025, with significant activity in August 2025 and January 2026. This timeline suggests a sustained effort to build and refine the botnet, with the LLM integration appearing to be a more recent addition to the development process.

The implications of LLM-assisted malware development are significant. While it can lower the barrier to entry and accelerate the creation of complex tools, it also introduces new avenues for error and potential discovery. The fact that Unit 42 researchers could fix some of the broken features with simple LLM prompts highlights the double-edged sword of AI in cybersecurity. Adversaries can leverage these tools for rapid development, while defenders must contend with the evolving capabilities and potential vulnerabilities introduced by AI-generated code.

Palo Alto Networks customers are protected by products such as Advanced WildFire, Advanced URL Filtering, Advanced DNS Security, and Advanced Threat Prevention. The discovery of TuxBot v3 Evolution underscores the dynamic nature of IoT threats and the increasing sophistication of malware development, driven in part by the accessibility of advanced AI tools.

Synthesized by Vypr AI