Security researchers have identified a new modular Internet of Things (IoT) botnet framework named TuxBot v3 Evolution. This malware is notable for its development process, which leveraged a large language model (LLM) to generate code. While this approach introduced several functional bugs that were not corrected by the developer, the core components of the botnet remain viable. Unit 42 analysis reveals that the framework is designed to compromise IoT devices through Telnet brute-force attacks and incorporate them into a network capable of launching Distributed Denial of Service (DDoS) attacks. The botnet's source code suggests origins with an Iranian developer and shows lineage from other known botnets like AISURU and the previously unknown Wuhan botnet. The potential for adversaries to easily fix the existing bugs and deploy a fully functional version makes TuxBot v3 a significant threat to insecure IoT devices globally.
TuxBot v3 Evolution is a multi-component botnet framework designed to infect a wide range of IoT devices. Its primary objective is to build a network of compromised devices (a botnet) to perform DDoS attacks. The framework was discovered through internal telemetry which yielded its full source code, compiled binaries for 17 different architectures, and performance testing reports.
The malware's development is a key point of interest. The author utilized an LLM for code generation, which, while successful in creating the botnet's structure, also introduced significant flaws. The developer failed to remove an AI-generated safety disclaimer and shipped code with non-functional cryptographic implementations and broken exploit modules. This indicates a reliance on automated tooling without proper manual validation.
The primary infection vector is a Telnet scanner that brute-forces access using a list of 1,496 hard-coded credential pairs. While the framework includes exploit code for over 30 IoT device families, these modules were found to be non-functional in the analyzed version. The bot communicates with a Command and Control (C2) server over an encrypted TCP channel and includes fallback mechanisms such as a Domain Generation Algorithm (DGA), Pastebin, and Telegram.
Attribution evidence within the code, including a Git log, points to a developer using an Iranian-hosted workstation. A developer domain, newtuxdev.sevielw.digikalas[.]online, resolves to a parent domain hosted on Iran's Arvan Cloud CDN. Furthermore, a hard-coded IP address links the botnet's infrastructure to the Keksec/Kaitori malware ecosystem.
The TuxBot v3 Evolution framework is approximately 70% functional in its recovered state. The core infection and attack flow is operational, posing a tangible threat.
TCP/1999 or TCP/31337), an admin panel, and other services.The bot's primary propagation method relies on T1110.001 - Password Guessing against Telnet services on exposed IoT devices. The large list of 1,496 default and weak credential pairs makes this a potent threat against misconfigured devices. While the framework contains code for T1190 - Exploit Public-Facing Application, the exploit modules themselves are currently broken.
1999.T1568.002 - Dynamic Resolution: A Domain Generation Algorithm (DGA) to find new C2 servers.T1132.002 - Web Service: The bot can retrieve C2 information from public web services like Pastebin and Telegram.The ultimate goal of the botnet is to launch T1498 - Network Denial of Service attacks. The framework is partially ported from the open-source MHDDoS Python DDoS toolkit, giving it a range of attack methods.
Despite its developmental flaws, TuxBot v3 Evolution poses a high potential threat. The core functionality for infection via Telnet brute-force and conducting DDoS attacks is operational. Given that the full source code is available, it is highly probable that the developer or other threat actors could easily fix the bugs and create a more polished, fully functional version. The use of an LLM in its creation demonstrates a low barrier to entry for developing complex malware, a trend that will likely continue. Organizations deploying IoT devices are at risk, especially if they fail to change default credentials. A successful infection could lead to the devices being used in large-scale DDoS attacks, potentially causing service disruptions for targeted victims and consuming significant network bandwidth for the device owner.
185.10.68.127newtuxdev.sevielw.digikalas[.]onlinedigikalas[.]onlineInfected By Akiru313371999Security teams may want to hunt for the following patterns, which could indicate related activity:
TCP/23 (Telnet)185.10.68.127digikalas.online or subdomains1999 or 31337 from IoT devicesapi.telegram.org or pastebin.com/tmp on IoT devicesDetecting TuxBot v3 requires monitoring network traffic and device behavior.
Network Monitoring:
185.10.68.127 or unusual destinations like Pastebin and Telegram.1999, 31337) or sudden spikes in outbound bandwidth indicative of a DDoS attack.Endpoint/Device Level:
Incident Response:
Preventing TuxBot v3 infection relies on fundamental security hygiene for IoT devices.
Credential Hardening:
Network Controls:
TCP/23) completely. If remote management is required, use SSH (TCP/22) with key-based authentication instead of passwords.Device Hardening:
Counteracts the Telnet brute-force vector by replacing default or weak credentials with strong, unique passwords.
Isolates IoT devices onto their own network segment to prevent compromised devices from accessing critical systems and to simplify traffic monitoring.
Apply strict egress filtering rules to the IoT network segment to block outbound connections to C2 servers, Pastebin, and Telegram.
Mapped D3FEND Techniques:
Disable the Telnet service on all IoT devices to completely remove the primary attack vector used by TuxBot.
Regularly patch device firmware to mitigate vulnerabilities that could be targeted by future, more functional versions of TuxBot.
Mapped D3FEND Techniques:
Developer conducts 254 benchmark tests, indicating a late-stage development push.
A compiled development build of the TuxBot bot binary is submitted to VirusTotal.
Unit 42 publishes its in-depth analysis of the TuxBot v3 Evolution framework.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.