Ethical Hacking News
TuxBot v3 is an AI-built IoT botnet with numerous critical security flaws, including a failure to import password hashing algorithms correctly and bugs caused by its large language model (LLM) code generator. The botnet was designed to exploit vulnerabilities in IoT devices, but it has 70% functionality, making it a potential threat to device owners.
TuxBot v3 is a functional AI-built IoT botnet with numerous critical security flaws. The botnet was built using a large language model (LLM) and has 70% functionality. The framework uses a Go-based command-and-control server, DDoS-for-hire panel, and custom exploit virtual machine. Security flaws include bugs in LLM code, such as incorrect password hashing algorithms and XOR key mismatches. The developer spent over a year building the framework, involving several malicious actors.
TuxBot v3 is an AI-built Internet of Things (IoT) botnet designed to exploit a wide range of vulnerabilities in IoT devices. The botnet was built using a large language model (LLM), which was also used to generate significant portions of the code for TuxBot v3 Evolution, a modular framework for building botnets.
A recent report from Unit 42, a cybersecurity firm affiliated with Palo Alto Networks, revealed that TuxBot v3 is not only functional but has numerous critical security flaws. The botnet uses a Go-based command-and-control server with a DDoS-for-hire panel and includes a custom exploit virtual machine, Docker-based test infrastructure, and an automated build system.
According to the report, the developer of TuxBot v3 used LLM to write most of the code, but failed to remove safety disclaimers in every compiled binary. The LLM was also used to generate botnet code that included a safety disclaimer that the developer never removed before shipping. The framework has 70% functionality and works for Telnet access with 1,496 credential pairs.
However, TuxBot v3 has numerous critical security flaws. The core infection flow works, but the parts that don't work are mostly due to bugs introduced by LLM. For example, the C2 authentication module fails because it uses a password hashing algorithm called Argon2id, which was not imported correctly. Furthermore, an XOR key mismatch breaks the IRC fallback channel.
In addition, 16 exploit functions were compiled as dead code that never get called. Seventy-eight attack vectors mapped to six handlers all HTTP application-layer methods silently redirected to TCP SYN floods.
The developer of TuxBot v3 started building this framework in January 2025 and spent a year on it. The development timeline reveals the involvement of several malicious actors, including Iran's Keksec ecosystem, AISURU tooling, and Kaitori v3.9.
In conclusion, TuxBot v3 is an AI-built IoT botnet that has numerous critical security flaws. It was built using LLM to generate significant portions of its code, but failed to remove safety disclaimers in every compiled binary. Despite these flaws, the framework remains functional and has potential for malicious use.
Related Information:
https://www.ethicalhackingnews.com/articles/TuxBot-v3-A-Lethal-IoT-Botnet-Built-With-AI-Exposing-Critical-Security-Flaws-ehn.shtml
https://securityaffairs.com/195486/ai/tuxbot-v3-the-iot-botnet-built-with-ai-bugs-disclaimers-and-all.html
Published: Thu Jul 16 08:19:45 2026 by llama3.2 3B Q4_K_M