TuxBot v3 IoT Botnet Uses LLMs for Code Generation

TuxBot v3: New IoT Botnet Framework Developed with LLM Assistance

HIGH
July 15, 2026
23m read
MalwareThreat IntelligenceIoT Security

Related Entities

Threat Actors

Products & Tech

Other

TuxBot v3 EvolutionAISURU Wuhan botnetMHDDoSKaitori Mirai Gafgyt Arvan CloudChris NavarreteAsher DavilaDoel Santos

Full Report

Executive Summary

Security researchers have identified a new modular Internet of Things (IoT) botnet framework named TuxBot v3 Evolution. This malware is notable for its development process, which leveraged a large language model (LLM) to generate code. While this approach introduced several functional bugs that were not corrected by the developer, the core components of the botnet remain viable. Unit 42 analysis reveals that the framework is designed to compromise IoT devices through Telnet brute-force attacks and incorporate them into a network capable of launching Distributed Denial of Service (DDoS) attacks. The botnet's source code suggests origins with an Iranian developer and shows lineage from other known botnets like AISURU and the previously unknown Wuhan botnet. The potential for adversaries to easily fix the existing bugs and deploy a fully functional version makes TuxBot v3 a significant threat to insecure IoT devices globally.


Threat Overview

TuxBot v3 Evolution is a multi-component botnet framework designed to infect a wide range of IoT devices. Its primary objective is to build a network of compromised devices (a botnet) to perform DDoS attacks. The framework was discovered through internal telemetry which yielded its full source code, compiled binaries for 17 different architectures, and performance testing reports.

The malware's development is a key point of interest. The author utilized an LLM for code generation, which, while successful in creating the botnet's structure, also introduced significant flaws. The developer failed to remove an AI-generated safety disclaimer and shipped code with non-functional cryptographic implementations and broken exploit modules. This indicates a reliance on automated tooling without proper manual validation.

The primary infection vector is a Telnet scanner that brute-forces access using a list of 1,496 hard-coded credential pairs. While the framework includes exploit code for over 30 IoT device families, these modules were found to be non-functional in the analyzed version. The bot communicates with a Command and Control (C2) server over an encrypted TCP channel and includes fallback mechanisms such as a Domain Generation Algorithm (DGA), Pastebin, and Telegram.

Attribution evidence within the code, including a Git log, points to a developer using an Iranian-hosted workstation. A developer domain, newtuxdev.sevielw.digikalas[.]online, resolves to a parent domain hosted on Iran's Arvan Cloud CDN. Furthermore, a hard-coded IP address links the botnet's infrastructure to the Keksec/Kaitori malware ecosystem.


Technical Analysis

The TuxBot v3 Evolution framework is approximately 70% functional in its recovered state. The core infection and attack flow is operational, posing a tangible threat.

Components and Architecture

  • Bot Agent: A cross-compiled binary that infects target devices. It contains modules for scanning, brute-forcing (Telnet, SSH, HTTP, ADB), persistence, and C2 communication. Upon successful infection, it displays the console banner “Infected By Akiru.”
  • C2 Server: Written in the Go programming language, the C2 server uses multiple TCP listeners for bot communication (TCP/1999 or TCP/31337), an admin panel, and other services.
  • Development Environment: The source code includes a Docker configuration for automated deployment and a QEMU test directory, indicating a structured development process.

Infection and Propagation

The bot's primary propagation method relies on T1110.001 - Password Guessing against Telnet services on exposed IoT devices. The large list of 1,496 default and weak credential pairs makes this a potent threat against misconfigured devices. While the framework contains code for T1190 - Exploit Public-Facing Application, the exploit modules themselves are currently broken.

Command and Control (C2)

  • Primary C2: The bot communicates with its C2 server over an encrypted TCP channel, typically on port 1999.
  • Fallback Mechanisms: To ensure resilience, TuxBot v3 can use several fallback methods if the primary C2 is unavailable:
    1. T1568.002 - Dynamic Resolution: A Domain Generation Algorithm (DGA) to find new C2 servers.
    2. T1132.002 - Web Service: The bot can retrieve C2 information from public web services like Pastebin and Telegram.

Payload

The ultimate goal of the botnet is to launch T1498 - Network Denial of Service attacks. The framework is partially ported from the open-source MHDDoS Python DDoS toolkit, giving it a range of attack methods.

MITRE ATT&CK Mapping


Impact Assessment

Despite its developmental flaws, TuxBot v3 Evolution poses a high potential threat. The core functionality for infection via Telnet brute-force and conducting DDoS attacks is operational. Given that the full source code is available, it is highly probable that the developer or other threat actors could easily fix the bugs and create a more polished, fully functional version. The use of an LLM in its creation demonstrates a low barrier to entry for developing complex malware, a trend that will likely continue. Organizations deploying IoT devices are at risk, especially if they fail to change default credentials. A successful infection could lead to the devices being used in large-scale DDoS attacks, potentially causing service disruptions for targeted victims and consuming significant network bandwidth for the device owner.


IOCs — Directly from Articles

Type
IP Address
Value
185.10.68.127
Description
Shared infrastructure linked to Keksec/Kaitori ecosystems.
Type
Domain
Value
newtuxdev.sevielw.digikalas[.]online
Description
Developer domain found in source code (inactive).
Type
Domain
Value
digikalas[.]online
Description
Active parent domain resolving to Arvan Cloud CDN in Iran.
Type
String
Value
Infected By Akiru
Description
Console banner displayed on infected devices.
Type
Port
Value
31337
Description
C2 port used in the development build.
Type
Port
Value
1999
Description
Default bot protocol C2 port.

Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns, which could indicate related activity:

Type
Network Traffic
Value/Pattern
High-volume outbound connection attempts on TCP/23 (Telnet)
Context for Detection
Network flow data or firewall logs, indicating brute-force scanning.
Type
Network Traffic
Value/Pattern
Outbound connections to 185.10.68.127
Context for Detection
Firewall or proxy logs, indicating communication with known malicious infrastructure.
Type
DNS Queries
Value/Pattern
DNS lookups for digikalas.online or subdomains
Context for Detection
DNS logs, indicating potential C2 activity.
Type
Network Traffic
Value/Pattern
Outbound TCP connections on ports 1999 or 31337 from IoT devices
Context for Detection
Network traffic analysis, indicating primary C2 communication.
Type
API Calls
Value/Pattern
Connections from IoT devices to api.telegram.org or pastebin.com
Context for Detection
Egress traffic filtering logs, indicating C2 fallback activity.
Type
File System
Value/Pattern
Presence of new, unexpected executable files in /tmp on IoT devices
Context for Detection
File integrity monitoring or manual inspection on devices.

Detection & Response

Detecting TuxBot v3 requires monitoring network traffic and device behavior.

  1. Network Monitoring:

    • Implement rules to detect and alert on a high rate of failed or successful Telnet logins from a single source or to multiple devices on your network. This is a strong indicator of the initial brute-force scan.
    • Monitor egress traffic from IoT devices for connections to known malicious IPs like 185.10.68.127 or unusual destinations like Pastebin and Telegram.
    • Use Network Traffic Analysis to baseline normal traffic from IoT devices and alert on anomalies, such as connections on non-standard ports (1999, 31337) or sudden spikes in outbound bandwidth indicative of a DDoS attack.
  2. Endpoint/Device Level:

    • Where possible, enable logging on IoT devices and forward logs to a central SIEM for correlation. Look for unexpected processes or shell commands.
    • Use File Analysis on suspicious binaries found on devices. The VirusTotal submission of a development build shows that components may be identifiable through hash lookups.
  3. Incident Response:

    • If a device is suspected to be compromised, immediately isolate it from the network to prevent lateral movement and its participation in DDoS attacks.
    • Perform a forensic analysis to identify the infection vector and IOCs. Since the bot achieves persistence, a simple reboot may not be sufficient.
    • Re-flash the device with a factory firmware image to ensure complete removal of the malware.
    • Immediately change the default credentials and apply other mitigation steps before reconnecting the device to the network.

Mitigation

Preventing TuxBot v3 infection relies on fundamental security hygiene for IoT devices.

  1. Credential Hardening:

    • The most critical step is to change default usernames and passwords on all IoT devices. Implement a Strong Password Policy for all device accounts.
    • Disable or remove any unused default accounts.
  2. Network Controls:

    • Implement Network Isolation. Place IoT devices on a separate network segment that is isolated from critical corporate or personal networks.
    • Apply Outbound Traffic Filtering on the IoT network segment. Deny all outbound connections by default and only allow traffic necessary for the device's function. This can block C2 communication.
    • Disable Telnet (TCP/23) completely. If remote management is required, use SSH (TCP/22) with key-based authentication instead of passwords.
  3. Device Hardening:

    • Regularly check for and apply firmware updates (Software Update). While the analyzed TuxBot exploits were broken, future versions will likely have functional exploits.
    • Disable any unnecessary services on the device to reduce the attack surface. This includes ADB, SSH, and web interfaces if they are not needed.

Timeline of Events

1
January 1, 2026
Developer conducts 254 benchmark tests, indicating a late-stage development push.
2
January 20, 2026
A compiled development build of the TuxBot bot binary is submitted to VirusTotal.
3
July 14, 2026
Unit 42 publishes its in-depth analysis of the TuxBot v3 Evolution framework.
4
July 15, 2026
This article was published

MITRE ATT&CK Mitigations

Counteracts the Telnet brute-force vector by replacing default or weak credentials with strong, unique passwords.

Mapped D3FEND Techniques:

Isolates IoT devices onto their own network segment to prevent compromised devices from accessing critical systems and to simplify traffic monitoring.

Mapped D3FEND Techniques:

Apply strict egress filtering rules to the IoT network segment to block outbound connections to C2 servers, Pastebin, and Telegram.

Mapped D3FEND Techniques:

Disable the Telnet service on all IoT devices to completely remove the primary attack vector used by TuxBot.

Mapped D3FEND Techniques:

Regularly patch device firmware to mitigate vulnerabilities that could be targeted by future, more functional versions of TuxBot.

Mapped D3FEND Techniques:

Timeline of Events

1
January 1, 2026

Developer conducts 254 benchmark tests, indicating a late-stage development push.

2
January 20, 2026

A compiled development build of the TuxBot bot binary is submitted to VirusTotal.

3
July 14, 2026

Unit 42 publishes its in-depth analysis of the TuxBot v3 Evolution framework.

Sources & References

TuxBot v3: Inside an IoT Botnet Framework With LLM-Assisted Development
Unit 42 (unit42.paloaltonetworks.com) July 14, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Editorial Standards & Analyst Review

CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.

Tags

IoTBotnetDDoSLLMMalware AnalysisTelnetBrute ForceC2

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.