216.73.216.86

Inside an IoT Botnet Framework With LLM-Assisted Development

· Published 15/07/2026 13:58

Export JSON

Essential information

Published
15/07/2026 13:58
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
aisuru ddos-for-hire gafgyt iot botnet kaitori keksec ecosystem llm-generated code mhddos telnet brute-force tsunami tuxbot v3
Related entities
25 vulnerabilities (cve), 30 indicators, 10 observables, 21 techniques (mitre), 7 malware

Description

A previously undocumented modular framework has been identified with code partially generated using large language models. The framework consists of C-based bot agents compiled for 17 architectures, a Go-based command-and-control server with panel, and custom exploit capabilities. Bot agents brute-force Telnet access using 1,496 credential pairs and target over 30 IoT device families. While core infection mechanisms function properly, several features are broken due to LLM-generated bugs that were shipped without manual review. The framework includes multiple fallback C2 mechanisms including domain generation algorithms, peer-to-peer gossip, IRC, and DNS TXT queries. Infrastructure analysis links this operation to the Keksec ecosystem through shared dropper servers. Development timeline spans from January 2025 to April 2026, with active C2 infrastructure observed since March 2026.

External references