TuxBot v3: Inside an IoT Botnet Framework With LLM-Assisted Development Palo Alto Networks Unit 42 researchers identified a new IoT botnet framework named TuxBot v3 Evolution, whose developers used a large language model to assist in writing its code. The malware targets devices via Telnet brute-force and exploits for over 30 device families, communicating with a command-and-control server through encrypted channels and multiple fallback mechanisms. The framework includes a C-based bot agent, a Go-based C2 server, and automated build and test infrastructure, posing a significant threat despite some coding errors. Executive Summary We identified a previously undocumented modular internet-of-things IoT botnet framework named TuxBot v3 Evolution. The malware authors leveraged an LLM to assist in their code development, yielding mixed results. While the AI complied with their request to generate botnet code, it included a safety disclaimer that the developer failed to remove before shipping. Although the LLM clearly aided in constructing the botnet, several functions in the analyzed samples failed to work correctly. While a manual code review could have easily resolved these errors, the authors neglected this step. However, it is highly likely that corrected, more polished iterations exist, which significantly elevates the potential threat posed by this malware. We initially reported this information https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-05-28-TuxBot-v3-Evolution-Framework-Analysis.txt through our Timely Threat Intelligence program, and this article provides further in-depth analysis of the TuxBot v3 Evolution botnet. We recovered detailed information on the framework from internal telemetry. The data includes the full source code, compiled binaries for 17 architectures and automated distributed denial of service DDoS performance testing reports. The bot programs infected devices to display the console banner “Infected By Akiru.” The TuxBot v3 Evolution framework consists of: - A C-based bot agent that cross-compiles for architectures from ARM and MIPS to x86 64, PowerPC, RISC-V, etc. - A Go-based command-and-control C2 server with a DDoS-for-hire panel - A custom exploit virtual machine - Docker-based test infrastructure - An automated build system The bot agent brute-forces Telnet access on targeted devices with 1,496 credential pairs, contains exploit code targeting more than 30 IoT device families and communicates with a C2 server over an encrypted TCP channel. Fall-back C2 mechanisms include: - A SHA512 domain generation algorithm DGA - Peer-to-peer P2P gossip with Ed25519-signed commands - IRC - DNS TXT queries - HTTP polling Palo Alto Networks customers are better protected from the threats discussed above through the following products: If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team https://start.paloaltonetworks.com/contact-unit42.html . Related Unit 42 Topics | | TuxBot Framework Details TuxBot is a modular IoT botnet framework derived from various known IoT botnet codebases. Based on our analysis of the samples, TuxBot includes features borrowed from the known botnet AISURU https://www.cloudflare.com/learning/ddos/glossary/aisuru-kimwolf-botnet/ and the publicly unknown Wuhan botnet lineages. We infer the Wuhan botnet lineage based on references in the TuxBot samples. It is also partially ported from the open-source MHDDoS Python DDoS https://github.com/MatrixTM/MHDDoS toolkit. Figure 1 shows screenshots of the TuxBot v3 Evolution installer. According to the system configuration, the framework maintains dual versioning: 3.5.2 for the Installer version and 3.0.0-EVOLUTION-FINAL within the Docker configuration file. We discovered two important sources of TuxBot data from the wild. Our first discovery was an archive containing the complete source code of the framework. This archive consists of: - 61 C++ source files - 58 headers - Its own compiler and virtual machine - Docker Compose configurations for test environments - Quick Emulator QEMU setups for multi-architecture testing - 254 automated DDoS benchmark reports Our second discovery was a compiled bot binary https://www.virustotal.com/gui/file/71dfbb171eca4ef9d02ff630b56e5283bbef7b375d4dbe9e8c9531bef312fa8d that was also bundled in the source tree under the QEMU test directory and hidden with a dot-prefix to the filename. This sample was submitted to VirusTotal on Jan. 20, 2026. Comparing this binary with the source code reveals that it is a development build. This binary was compiled with its C2 IP address set to the loopback IP address 127.0.0.1 and the bot protocol port set to 31337. Because this information can be modified during the botnet setup process, the operator could have production builds with a real C2 IP address and with the bugs we document here already fixed. The TuxBot framework we recovered and analyzed is approximately 70% functional. The core infection flow scanning, credential brute-forcing, persistence, primary C2 setup and DDoS execution works. The Telnet, SSH, HTTP and Android Debug Bridge ADB scanners all operate correctly. Furthermore, with its 1,496 credential pairs, the Telnet scanner remains a viable infection vector. Exploitation beyond brute-forcing is limited. All three exploit systems are non-functional for different reasons that we detail later in this analysis. An additional scanner fires, but its hard-coded dropper IP address is no longer active. Several other features are broken due to a handful of bugs, most of which trace back to large language model LLM -assisted development. The developer relied on an LLM to generate C modules, port exploits and write C2 server code. Raw chain-of-thought reasoning from the LLM was left verbatim in source files, and the LLM hallucinated cryptographic implementations that the developer shipped without verifying. During our analysis, we could fix several of these broken features with a few targeted prompts to an LLM. This means an adversary with access to the same source code could produce a more complete version with minimal effort. Development Timeline The archive containing the source code also contains a Git log. This Git log allowed us to build a timeline that shows the development progress of this botnet, noted in Table 1. Date | Event | Evidence | | Jan. 3, 2025 | Developer clones MHDDoS DDoS attack script from GitHub | Git log in the MHDDoS/ subdirectory leaks the workstation hostname newtuxdev.sevielw.digikalas . online | | Aug. 6, 2025 | Developer domain digikalas . online registered | Namecheap registration with Icelandic privacy protection | 71dfbb171eca4ef9d02ff630b56e5283bbef7b375d4dbe9e8c9531bef312fa8d, x86 64 debug build with symbols Table 1. TuxBot Framework development timeline. The source code and publicly available data provide a rough development chronology. The developer's hostname, captured in the included Git log, indicates an Iranian-hosted workstation. The developer domain newtuxdev.sevielw.digikalas . online was no longer live, but the parent domain digikalas . online has remained active and resolved to an IP address on Iran's Arvan Cloud content delivery network CDN during our research. The 254 benchmark reports from the archive from January 2026 reveal: - Active testing of 12 attack methods across three Docker-based botnet hosts - Measuring packet rates, throughput and error rates This testing occurred just weeks before the first sample appeared on VirusTotal, consistent with a late-stage development push before deployment. The source code contains an IP address of 185.10.68 . 127, which we pivoted on to link TuxBot to Keksec/Kaitori a Tsunami/Mirai/Gafgyt variant ecosystems to a shared infrastructure. Framework Overview According to the framework’s description, the TuxBot developer built what they called a professional-grade C2 framework platform with a multi-user admin panel, automated deployment and modular attack capabilities. Figure 2 shows the botnet panel reference. The C2 server is written in Go and uses three listeners that use different TCP ports for incoming connections. The first listener serves the bot protocol on TCP port 1999 or 31337, depending on the build , handling encrypted command dispatch to connected bots. The same port is multiplexed with an admin binary protocol identified by a magic byte header. The second listener is an SSH server on TCP port 2222 that presents an interactive shell for operators. This is the DDoS-for-hire interface shown in Figure 3. Operators log in, see a count of connected bots and issue attack commands in the format method target duration. As Figure 4 shows, the C2 server enforces per-user quotas on concurrent attacks, maximum duration and bot allocation. This is all backed by a MariaDB database that stores user accounts, attack logs and permissions. The third listener is a machine API on TCP port 9999 that uses a JSON interface intended for programmatic access. The integrated build system automates the entire deployment: - Installing dependencies Go, MariaDB, cross-compilation toolchains - Initializing the database schema - Generating a configuration - Compiling the C2 - Cross-compiling the bot for 17 target architectures, as noted in Figure 5 These target architectures include: - x86 64 - ARM - ARM64 - MIPS - MIPSEL - MIPS64 - PowerPC The compiled binaries are placed in a directory served over HTTP, so exploited devices can download the appropriate binary for their architecture. The framework includes Docker Compose https://docs.docker.com/compose/gettingstarted/ configurations for several test scenarios. A “battle arena” configuration spins up a C2 server, five bot replicas and a target host running nginx and socat listeners on game server ports Minecraft, TeamSpeak, FiveM, Xbox Live . This allowed the developer to test DDoS methods against real protocol listeners in a controlled environment. Additional configurations test P2P gossip recovery, full integration with all scanners active and production-like deployments with stealth and persistence enabled. An interesting design note is that the source code configures the SSH banner as SSH-2.0-CNC, but the live C2 server on Xpanse at 209.182.237 . 133 presents the banner as SSH-2.0-CNC-Control-Server. This discrepancy suggests that the production deployment uses a modified version of the source code we discovered, providing further evidence that the operator has a separate, potentially more complete build. Bot Overview Analysis Details The bot is a C program that compiles into a single statically linked binary. It links against glibc https://tldp.org/LDP/lfs/5.0/html/appendixa/glibc.html and libsodium https://libsodium.gitbook.io/doc for X25519, ChaCha20, Poly1305, SHA512 and Ed25519 algorithms. The original binary submitted to VirusTotal https://www.virustotal.com/gui/file/71dfbb171eca4ef9d02ff630b56e5283bbef7b375d4dbe9e8c9531bef312fa8d was an earlier debug build with symbols intact, compiled with GCC 11.4.0 instead of the production GCC 14.2.0. The bot programs infected devices to display the console banner Infected By Akiru, as shown in Figure 6. On execution, the bot follows a fixed initialization sequence. After seeding the pseudo-random number generator and initializing libsodium, it performs the following activities: - Loading the C2 address - Setting up anti-debugging protections - Hiding its process name - Installing persistence - Launching a cascade of subsystems consisting of: - The attack dispatcher - A competitor killer feature - An exploit VM - Self-replication servers - Multiple C2 channels IRC, HTTP, DNS, P2P - Scanners Telnet, SSH, HTTP, PHP-based application, ADB - A SOCKS5 proxy - The mining placeholder The main process then enters a loop that receives encrypted commands from the C2 server and dispatches attacks. String Table and the XOR Key Bug TuxBot stores sensitive strings C2 addresses, scanner calls, exploit payloads in an XOR-encrypted table that it decrypts at runtime. The table key is previously defined as 0xDEDEFB4F. The toggle obf function splits this 32-bit key into its four component bytes 0x4F, 0xFB, 0xDE, 0xDE and XORs each byte of each table entry with all four in sequence. Because XOR is associative, these four operations collapse into a single effective key. The two 0xDE bytes cancel each other out any byte XORed with itself yields zero , leaving 0x4F XOR 0xFB = 0xB4. The table contains 58 entries. Forty-nine of them decrypt correctly with key 0xB4 and include: - The C2 port 1999 - Scanner strings shell, enable, system - The Infected By Akiru post-infection console banner - Busybox probe strings - Various process names used for stealth Nine entries produce garbage when decrypted with 0xB4. These entries were encrypted using a separate offline tool, which uses a key of 0xDEDEFBAF, yielding an effective byte of 0x54. The developer introduced this bug by changing the least significant byte of the key in the table from 0xAF to 0x4F. The offline encryption tool was never updated to match, and the nine entries that had already been processed with the old key were never re-encrypted. As a result, these entries are encrypted in the binary with key 0x54, while the runtime applies key 0xB4, producing corrupted output. Decrypting them with the correct key 0x54 reveals the intended values shown in Table 2. Entry | Intended Value | | TABLE IRC SERVER | 127.0.0 . 1 | | TABLE IRC PORT | 6667 | | TABLE IRC CHANNEL | tuxbot | | TABLE IRC NICK PREFIX | tux | | TABLE HTTP C2 URL | hxxp : //127.0.0 . 1/cmd | | TABLE THINKPHP PAYLOAD | Full HTTP GET request 312 bytes targeting ThinkPHP invokefunction | | TABLE GPON PAYLOAD | Full HTTP POST request 316 bytes targeting GPON diag Form | | TABLE REALTEK PAYLOAD1 | Full SOAP request 988 bytes targeting Realtek UPnP /picdesc.xml | | TABLE REALTEK PAYLOAD2 | Full SOAP request 988 bytes targeting Realtek UPnP /wanipcn.xml | Table 2. String table decrypted values. All four exploit payloads hard code the dropper IP address 185.10.68 . 127 inside them, an IP address that is flagged as malicious on VirusTotal in early May 2026. The consequences of this bug are significant. The IRC C2 fall-back channel, the HTTP C2 polling channel and the four table-stored exploit payloads are all non-functional at runtime. The bot attempts to use them, but it silently fails due to the corrupted string values. For example, the IRC channel tries to inet addr on garbage bytes, gets INADDR NONE and retries the connection every 10 seconds. We were able to fix this to call the add entry plaintext function correctly, by taking the raw string and XORing it with the runtime key 0xB4 at initialization, guaranteeing the keys always match. With that fix applied, the IRC C2 channel connects, joins tuxbot and accepts attack commands as noted in Figure 7. Credential Table The bot ships with 1,496 username/password pairs for Telnet brute-forcing. The file header explicitly says // START IMPORTED FROM DDOS-ROOTSEC pass file. Each entry is XORed with key 0xB4 matching the runtime key, so these work correctly . The list of 1,495 login credentials includes standard and vendor-specific defaults. C2 Protocol TuxBot implements a layered C2 architecture with one primary channel and five fall-back mechanisms. Only the primary channel and three of the five fall-back mechanisms were functional in the version we analyzed. Figure 8 shows the diagram. Primary Channel: Encrypted TCP The bot connects to the C2 server on TCP port 1999 or 31337, depending on build configuration . The handshake begins with the bot sending 4 bytes: 0xDEADBE01. It then generates and sends its 32-byte public key. The C2 server responds with its own 32-byte public key. Each encrypted packet has the following format: - 4-byte magic 0xDEADBEEF - 12-byte nonce from /dev/urandom - Ciphertext - 16-byte Poly1305 tag Fall-Back Channels The framework defines five additional C2 channels, summarized in Table 3. Channel | Implementation | Status | | DNS TXT | Queries c2.tuxbot.local via 8.8.8 . 8 | Functional | | DGA | Seed format