A new IoT botnet framework called TuxBot v3 Evolution has been discovered by Palo Alto Networks Unit 42, and it shows clear signs of being developed with the help of a large language model (LLM). However, the LLM-generated code contains a safety disclaimer that the developer forgot to remove, and several functions in the analyzed samples do not work correctly. Unit 42 researchers noted that a manual code review would have caught these errors, suggesting that more polished versions may already exist.
Botnet Architecture and Capabilities
The TuxBot v3 framework is a multi-component system that includes a C-based bot agent cross-compiling for architectures like ARM, MIPS, x86_64, and RISC-V, a Go-based command-and-control (C2) server with a DDoS-for-hire panel, a custom exploit virtual machine, Docker-based test infrastructure, and an automated build system. The bot agent brute-forces Telnet access using 1,496 credential pairs and exploits over 30 IoT device families via known vulnerabilities. It communicates with the C2 server over an encrypted TCP channel, with fallback mechanisms including a SHA512 domain generation algorithm (DGA), a peer-to-peer gossip protocol with Ed25519-signed commands, Internet Relay Chat (IRC), DNS TXT queries, and HTTP polling.
The C2 server uses three TCP ports: port 1999 (or 31337) for encrypted command dispatch, port 2222 for an interactive SSH shell for operators, and port 9999 for a JSON-based programmatic interface. Once deployed, the botnet initializes by loading the C2 address from a multi-tiered architecture, setting up anti-debugging and anti-VM protections, hiding its process name, installing persistence via systemd service, cron entries, and a watchdog keepalive process, then launching sub-modules for DDoS attacks, terminating competing processes, establishing C2 channels, running scanners for Telnet, SSH, HTTP, and Android Debug Bridge (ADB), spawning a SOCKS5 proxy, and executing a cryptocurrency mining placeholder. The HTTP scanner can manage up to 128 concurrent connections to find vulnerable web interfaces.
LLM Traces and Ecosystem
Multiple files in the TuxBot v3 sample contain raw LLM chain-of-thought reasoning left verbatim in comments, showing self-interruptions and references to "the user." The malware's lineage traces back to three botnets—Mirai, AISURU, and Wuhan—and partially ports functions from the open-source MHDDoS Python DDoS toolkit. The earliest sample was uploaded to VirusTotal on January 20, 2026, and evidence suggests development started a year earlier when the author cloned the MHDDoS repository from GitHub. Unit 42 links the TuxBot operator to the Keksec ecosystem, which runs multiple IoT botnet variants, including Kaitori v3.9 and AISURU tooling. TuxBot v3 Evolution aims to go beyond typical Mirai forks with encrypted C2, DGA, and a modular exploit system, though the recovered version's exploit system does not yet work.
The disclosure follows the emergence of two other IoT botnets—RustDuck and AryStinger—that target routers, IP cameras, Android boxes, and poorly secured servers to build networks for DDoS attacks and reconnaissance.