Inside an IoT Botnet Framework With LLM-Assisted Development
Essential information
- Published
- 15/07/2026 13:58
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- aisuru ddos-for-hire gafgyt iot botnet kaitori keksec ecosystem llm-generated code mhddos telnet brute-force tsunami tuxbot v3
- Related entities
- 25 vulnerabilities (cve), 30 indicators, 10 observables, 21 techniques (mitre), 7 malware
Description
A previously undocumented modular IoT botnet framework has been identified with code partially generated using large language models. The framework consists of C-based bot agents compiled for 17 architectures, a Go-based command-and-control server with DDoS-for-hire panel, and custom exploit capabilities. Bot agents brute-force Telnet access using 1,496 credential pairs and target over 30 IoT device families. While core infection mechanisms function properly, several features are broken due to LLM-generated bugs that were shipped without manual review. The framework includes multiple fallback C2 mechanisms including domain generation algorithms, peer-to-peer gossip, IRC, and DNS TXT queries. Infrastructure analysis links this operation to the Keksec ecosystem through shared dropper servers. Development timeline spans from January 2025 to April 2026, with active C2 infrastructure observed since March 2026.