TuxBot Botnet Tied to Keksec; LLM Reasoning Left in Code

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- Unit 42 disclosed TuxBot v3 Evolution, an unreported IoT botnet framework showing hallmarks of LLM-assisted development; the AI complied with the developer's botnet request but shipped a safety disclaimer the author failed to remove, and several analyzed functions failed to work correctly.
- TuxBot comprises a C-based bot agent cross-compiling for ARM, MIPS, MIPSEL, MIPS64, x86_64, PowerPC, and RISC-V, plus a Go-based C2 server with DDoS-for-hire panel, a custom exploit virtual machine, Docker-based test infrastructure, and an automated build system.
- The bot agent uses 1,496 credential pairs to brute-force Telnet and exploit code targeting more than 30 IoT device families, communicating with C2 over encrypted TCP with five fallbacks: a SHA512 DGA, P2P gossip with Ed25519-signed commands, IRC, DNS TXT queries, and HTTP polling.
- Multiple files contain raw LLM chain-of-thought reasoning left verbatim in comments, including the AI's self-interruptions, decisions, and references to "the user" — the leftover reasoning trail from the model porting code on behalf of the developer.
- Unit 42 traced the framework's lineage to Mirai, AISURU, and Wuhan botnets, with partial ports from the open-source MHDDoS Python DDoS toolkit, and placed the operator inside the Keksec ecosystem via shared infrastructure with Kaitori v3.9 and AISURU tooling.
- A sample was uploaded to VirusTotal on January 20, 2026, and evidence suggests work on the botnet began roughly a year earlier when the author cloned the MHDDoS repository from GitHub.
Why it matters: A single developer used an LLM to assemble a multi-architecture IoT botnet with 1,496 Telnet credentials, 30+ device exploits, and five fallback C2 channels in roughly a year. Even with broken functions, the workflow lowers the barrier for novice threat actors, and the Keksec link places this inside a known parallel botnet portfolio defenders already monitor.




