TuxBot v3 Evolution IoT botnet framework with brute-force and exploit modules
Malware Activity
Summary
Hide ▲
Show ▼
The newly disclosed TuxBot v3 Evolution IoT botnet framework expands attacker control with DDoS, proxy, and persistence capabilities, increasing the risk to compromised devices and downstream networks. The framework combines a C-based bot agent with a Go-based C2 server and multiple fallback channels, including encrypted TCP, DGA, P2P gossip, IRC, DNS TXT, and HTTP polling. It is designed to brute-force Telnet with 1,496 credential pairs and to use exploit code against more than 30 IoT device families. The toolset also adds scanning for Telnet, SSH, HTTP, and ADB, reinforcing its use as a broad compromise and abuse platform.
Related Happenings
Red Menshen telecom espionage campaign
Campaign
H score33
First: 26.03.2026 19:40
Last: 26.03.2026 19:40
Sources 1
About this happening:
A China-nexus Red Menshen operation has sustained covert access in telecom networks across the Middle East and Asia, increasing the risk of government espion...
Red Menshen telecom espionage campaign
CampaignAbout this happening: A China-nexus Red Menshen operation has sustained covert access in telecom networks across the Middle East and Asia, increasing the risk of government espion...
AI as a C2 proxy abuse of Microsoft Copilot and xAI Grok browsing channels
Technical Analysis
H score24
First: 17.02.2026 20:08
Last: 17.02.2026 20:08
Sources 1
About this happening:
Researchers disclosed AI as a C2 proxy, a technique that can turn Microsoft Copilot and xAI Grok browsing features into stealthy command-and-control relays, increa...
AI as a C2 proxy abuse of Microsoft Copilot and xAI Grok browsing channels
Technical AnalysisAbout this happening: Researchers disclosed AI as a C2 proxy, a technique that can turn Microsoft Copilot and xAI Grok browsing features into stealthy command-and-control relays, increa...
Timeline
-
15.07.2026 21:43 2 articles · 13h ago
Unit 42 discloses TuxBot v3 Evolution IoT botnet framework
Initial DisclosurePalo Alto Networks Unit 42 disclosed TuxBot v3 Evolution, a previously unreported IoT botnet framework that appears to have been built with LLM assistance and contains a leaked safety disclaimer left in the code. The recovered framework includes a C-based bot agent, a Go-based command-and-control server, a custom exploit virtual machine, Docker-based test infrastructure, and an automated build system, while also using encrypted TCP control, a SHA512 DGA, P2P gossip with Ed25519-signed commands, IRC, DNS TXT queries, and HTTP polling fallback. The bot agent is designed to brute-force Telnet access with 1,496 credential pairs and to run exploit code against more than 30 IoT device families, and the analyzed samples also contained raw LLM chain-of-thought reasoning left in comments.
Show sources
- TuxBot v3 Evolution Shows Signs of LLM-Assisted IoT Botnet Development — thehackernews.com — 15.07.2026 21:43
- TuxBot v3 Evolution Shows Signs of LLM-Assisted IoT Botnet Development — thehackernews.com — 15.07.2026 21:43