Researchers at Palo Alto Networks Unit 42 have uncovered TuxBot v3 Evolution, a modular IoT botnet framework that shows clear signs of LLM-assisted development. The malware author used an AI model to generate botnet code, and the AI complied — but left a safety disclaimer in the output that the developer never removed before shipping.
The botnet framework includes a C-based bot agent that cross-compiles for 17 architectures including ARM, MIPS, x86_64, and RISC-V, a Go-based command-and-control server with a DDoS-for-hire panel, and exploit code targeting more than 30 IoT device families. The bot agent brute-forces Telnet access using 1,496 credential pairs and communicates over an encrypted TCP channel.
Unit 42 found that several functions in the analyzed samples failed to work correctly due to AI-generated errors that a manual code review would have caught. Despite these flaws, the researchers warned that more polished iterations likely exist in the wild. The framework’s lineage traces back to three older botnets: Mirai, AISURU, and Wuhan.
The TuxBot v3 case represents a notable milestone in AI-assisted malware development, demonstrating that even imperfect AI-generated code can produce functional attack tools. The botnet targets exposed IoT devices through known vulnerabilities and weak credentials.
