Find notable cyber news and cases, enriched with sources, timelines, and signals.

TuxBot v3 Evolution IoT botnet framework with brute-force and exploit modules

Malware Activity
First reported
Last updated
Happening score
H score 28
1 unique sources, 1 articles

Summary

Hide ▲

The newly disclosed TuxBot v3 Evolution IoT botnet framework expands attacker control with DDoS, proxy, and persistence capabilities, increasing the risk to compromised devices and downstream networks. The framework combines a C-based bot agent with a Go-based C2 server and multiple fallback channels, including encrypted TCP, DGA, P2P gossip, IRC, DNS TXT, and HTTP polling. It is designed to brute-force Telnet with 1,496 credential pairs and to use exploit code against more than 30 IoT device families. The toolset also adds scanning for Telnet, SSH, HTTP, and ADB, reinforcing its use as a broad compromise and abuse platform.

Related Happenings

Red Menshen telecom espionage campaign

Campaign
H score33 First: 26.03.2026 19:40 Last: 26.03.2026 19:40 Sources 1

About this happening: A China-nexus Red Menshen operation has sustained covert access in telecom networks across the Middle East and Asia, increasing the risk of government espion...

AI as a C2 proxy abuse of Microsoft Copilot and xAI Grok browsing channels

Technical Analysis
H score24 First: 17.02.2026 20:08 Last: 17.02.2026 20:08 Sources 1

About this happening: Researchers disclosed AI as a C2 proxy, a technique that can turn Microsoft Copilot and xAI Grok browsing features into stealthy command-and-control relays, increa...

Timeline

  1. 15.07.2026 21:43 2 articles · 13h ago

    Unit 42 discloses TuxBot v3 Evolution IoT botnet framework

    Initial Disclosure

    Palo Alto Networks Unit 42 disclosed TuxBot v3 Evolution, a previously unreported IoT botnet framework that appears to have been built with LLM assistance and contains a leaked safety disclaimer left in the code. The recovered framework includes a C-based bot agent, a Go-based command-and-control server, a custom exploit virtual machine, Docker-based test infrastructure, and an automated build system, while also using encrypted TCP control, a SHA512 DGA, P2P gossip with Ed25519-signed commands, IRC, DNS TXT queries, and HTTP polling fallback. The bot agent is designed to brute-force Telnet access with 1,496 credential pairs and to run exploit code against more than 30 IoT device families, and the analyzed samples also contained raw LLM chain-of-thought reasoning left in comments.

    Show sources