New TuxBot v3 IoT Botnet Uses LLM-Generated Code to Hijack Devices and Launch DDoS Attacks

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

A newly identified IoT botnet framework, TuxBot v3 Evolution, is targeting internet-connected devices and turning compromised systems into tools for distributed denial-of-service attacks.

The malware can run across a wide range of device architectures, creating a broad risk for routers, cameras, and other exposed Linux-based equipment.

TuxBot uses several paths to gain access, including Telnet password guessing, SSH scanning, HTTP-based probing, Android Debug Bridge scanning, and attempts to exploit vulnerable devices.

Its Telnet module alone carries 1,496 username and password combinations, many of them default or vendor-specific credentials that remain common on poorly secured devices.

Analysts at Unit 42 said in a report shared with Cyber Security News (CSN) that they identified the malware as a previously undocumented, modular botnet framework with an encrypted command channel, a custom exploit system, and infrastructure intended to support DDoS-for-hire operations.

The discovery is notable because the developers appear to have used a large language model to build substantial parts of the framework.

The recovered source code includes unremoved AI safety comments and internal-style reasoning, showing that generated code was incorporated with limited manual review.

New TuxBot v3 IoT Botnet Uses LLM-Generated Code

The framework combines a C-based bot client with a Go-based command-and-control server that can build payloads for at least 17 processor architectures.

This allows operators to prepare malware for devices running ARM, MIPS, PowerPC, RISC-V, x86-64, and other platforms from a single development environment.

Once installed, the bot attempts to remain on a device through a disguised system service, cron jobs, shell-profile changes, hidden backup copies, watchdog activity, and repeated relocation of its binary.

It can also disguise its process name and search for rival malware, removing competing botnet infections from the same device.

The authors borrowed code and design elements from several known botnet families and the open-source MHDDoS toolkit.

That reuse follows a familiar pattern in the IoT threat landscape, where Mirai-derived DDoS botnets continue to give attackers a quick foundation for building new attack tools.

Researchers found an encryption-key mismatch that broke multiple functions, a custom exploit virtual machine that could not load its own packages, and an authentication component labelled as Argon2id that did not actually implement Argon2id password hashing.

TuxBot interactive setup wizard screens (Source – Unit42)

These defects do not remove the danger. TuxBot’s core functions, including credential attacks, encrypted primary communications, persistence, scanning, and UDP, TCP, and DNS flooding, were operational in the analyzed samples.

Researchers also warned that the operator could correct the defects quickly because the complete source code is already available to them.

DDoS Infrastructure and Defense

TuxBot connects to its main server using encrypted TCP communications and can fall back on domain-generation and peer-to-peer mechanisms if the primary server becomes unavailable.

The operator’s server included an SSH-accessible panel where users could view connected bots and issue attack commands, pointing to a service designed for managed DDoS activity.

TuxBot C2 botmaster panel command reference (Source – Unit42)

The malware’s developers tested attack performance through a Docker-based environment and generated 254 automated benchmark reports before samples began appearing publicly.

While the framework advertises dozens of attack options, many web-focused methods in the analyzed build were incorrectly routed to simpler TCP SYN floods, leaving some advertised capabilities inactive.

Still, defenders should treat the active features as a practical threat. Organizations should remove default passwords, restrict Telnet and remote administration access, apply firmware updates, and segment IoT devices from critical systems.

Monitoring repeated authentication attempts and unusual outbound traffic can also expose devices being recruited into a botnet, as seen in other IoT botnet attacks.

C2 protocols and the client – server relationships (Source – Unit42)

The researchers linked TuxBot infrastructure to broader Keksec, Kaitori, and AISURU-related activity through shared hosting and certificate artifacts. The connection does not mean the tool is identical to those families, but it shows how operators can reuse infrastructure while maintaining separate malware codebases and campaigns.

TuxBot also illustrates a wider shift in criminal development practices. AI assistance can speed up code writing and porting across platforms, even when the output is unreliable, echoing concerns raised by earlier reporting on LLM-enabled malware.

Indicators of Compromise (IoCs):-

Type Indicator Description
IPv4 address 209.182.237.133 TuxBot command-and-control server
IPv4 address 185.10.68.127 TuxBot payload dropper
IPv4 address 154.6.197.43 Scan-server address in bot source code
IPv4 address 45.145.185.229 Keksec dropper, not directly attributed to TuxBot
IPv4 address 107.174.133.119 Keksec dropper, Huawei exploit payload
IPv4 address 194.46.59.169 AISURU-related infrastructure
IPv4 address 188.166.2.226 Tsunami dropper in inactive RCE code
IPv4 address 37.32.24.195 IP address resolving for digikalas.online
Domain binsbot.arch TuxBot payload hosting domain/path
Domain c2.tuxbot.local Hard-coded DNS fallback C2 domain
Domain digikalas.online Developer-associated domain
Domain newtuxdev.sevielw.digikalas.online Developer hostname leaked in Git data
Domain jetross.com TLS certificate artifact linking C2 and dropper
Domain cfcybernews.eu Test domain leaked by CF bypass module
Domain captcha.kanfetka.site Test domain leaked by CAPTCHA bypass module
Domain vrunabo.su Historical domain associated with dropper infrastructure
Domain rezy1337.ted.ge Historical domain associated with dropper infrastructure
Domain high.cpu.co.ua Historical domain associated with dropper infrastructure
Filename tuxbot.alpha TuxBot compiled binary for Alpha architecture
Filename tuxbot.arm TuxBot compiled binary for ARM
Filename tuxbot.arm64 TuxBot compiled binary for ARM64
Filename tuxbot.arm7 TuxBot compiled binary for ARM7
Filename tuxbot.hppa TuxBot compiled binary for PA-RISC
Filename tuxbot.m68k TuxBot compiled binary for Motorola m68k
Filename tuxbot.mips TuxBot compiled binary for MIPS
Filename tuxbot.mips64 TuxBot compiled binary for MIPS64
Filename tuxbot.mips64el TuxBot compiled binary for MIPS64 little-endian
Filename tuxbot.mipsel TuxBot compiled binary for MIPS little-endian
Filename tuxbot.ppc TuxBot compiled binary for PowerPC
Filename tuxbot.ppc64le TuxBot compiled binary for PowerPC 64 little-endian
Filename tuxbot.riscv64 TuxBot compiled binary for RISC-V
Filename tuxbot.s390x TuxBot compiled binary for IBM S390x
Filename tuxbot.sh4 TuxBot compiled binary for Renesas SH
Filename tuxbot.sparc64 TuxBot compiled binary for SPARC64
Filename tuxbot.x8664 TuxBot compiled binary for x86-64
Filename .botx8664 Debug TuxBot x86-64 build
SHA-256 6b7a8e0c96c2318e747f074f9a99d26738700769ac01bba692d19fc884847737 tuxbot.alpha
SHA-256 146f6010f6ee082aab13e0148d39baefa77eaba4ff65817b511b08c2092bdfd2 tuxbot.arm
SHA-256 bd6431fb06e4689142ef597cf00382e38ae20a5393a4d9277e45a3f5b3cbcff9 tuxbot.arm64
SHA-256 a03b0d41f5ef03328150331ffa0ed970998883f7e0343d79b2d3b95330d8e7c1 tuxbot.arm7
SHA-256 eb2fa179fde2f097c18d5d700ad87d660fc238ee14cbe5477032e60856859621 tuxbot.hppa
SHA-256 a8d70d16509e227d8306be361bc37a3dc9fe34bf476f51e361e55e6d293c2b3f tuxbot.m68k
SHA-256 0f8bcca3ed65e980da2a1f90a767b7d543be32eeea3e9338d09d4d635a497988 tuxbot.mips
SHA-256 96b1f96efca3b9df2dea85678d60da27e3265b4a00e39e20e64b27bb985e1561 tuxbot.mips64
SHA-256 c7a36d6b8128c41f93a32413675401a10a2b5769b221bbaa8c5c309585b73ceb tuxbot.mips64el
SHA-256 246c97957651de568e61eba1abe572f0b0f960456209995d43d53a0d7cc494a1 tuxbot.mipsel
SHA-256 3ec016d637e4c9cd331edd2580a229621ad638e924a4aa29ac0342e9144ace19 tuxbot.ppc
SHA-256 2f2c3551762c03da126e45dca6fc2f997c63f0f1bfc21fd0ceed680ac6f083ce tuxbot.ppc64le
SHA-256 9cd5e7e3c8bad321ef6c3d47fe25b3b56e9487f703a7eeee52db4067e6bafe61 tuxbot.riscv64
SHA-256 e3a5296e762e9ee16010399666441d663beeea956382e97cca032a6a5ad06811 tuxbot.s390x
SHA-256 f1efb78887bb8783d7781c07cd13b53c9c79ebe5baa81f335838d0a6e73dec7e tuxbot.sh4
SHA-256 f324a45fcd2a9db4e542c09486c21b08bc42d6bf76fbd5f17871090361b10815 tuxbot.sparc64
SHA-256 15c17dce89deccd5172285b2650de957918aa1157cde8e4633ae15dfe31f2711 tuxbot.x8664
SHA-256 71dfbb171eca4ef9d02ff630b56e5283bbef7b375d4dbe9e8c9531bef312fa8d .botx8664 debug build
SHA-256 511d3ffb4091cbcc94571d9fb3102e8cb424c6e187d01d53ff12078d54929bda Confirmed external TuxBot sample
SHA-256 6aa4034dc7a2858094ff4dc59af07d6fe31119591e41599bcc0f3d0b516ee734 Confirmed internal TuxBot sample
Host artifact Infected By Akiru Console output after successful execution
Host artifact sd-pam.service Disguised systemd persistence service
Host artifact tmp.08x.lock Lock-file format for single-instance control
User-Agent TuxBot HTTP requests generated by bot
User-Agent r00ts3c-owned-you Inactive RCE payload inherited from MHDDoS
SSH banner SSH-2.0-CNC-Control-Server C2 SSH service fingerprint
Network port 209.182.237.133:1999 Encrypted bot protocol
Network port 209.182.237.133:31337 Alternate encrypted bot protocol
Network port 209.182.237.133:2222 C2 SSH administration panel
Network port 209.182.237.133:9999 JSON machine API

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.