Six Minutes to Compromise: How 'Patriot Bait' Actor Used AI to Build and Deploy a C&C Botnet
Essential information
- Published
- 15/07/2026 09:23
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- ai-assisted hacking botnet operations cryptocurrency fraud google gemini cli patriot bait wordpress compromise
- Related entities
- 2 indicators, 2 observables, 1 intrusion sets (apt), 20 techniques (mitre)
Description
A Russian-speaking threat actor known as 'bandcampro' leveraged Google Gemini CLI to migrate and operate a command-and-control botnet in six minutes, with the AI handling 89% of all work including architecture, coding, deployment, and debugging. Analysis of 200 Gemini CLI session logs from March-April 2026 revealed the actor controlled eight computers in a dental clinic, accessing OpenDental databases. The actor communicated intentions in plain Russian while AI executed technical operations. The entire C&C infrastructure fits in three plain-text files totaling 5KB, making it highly portable and disposable. Beyond botnet operations, the actor used AI for password cracking, WordPress compromise, and planning cryptocurrency fraud targeting elderly victims in the US and Canada. The AI proactively suggested improvements 59 times unprompted, demonstrating how AI lowers barriers for threat actors by replacing technical skill requirements with simple natural-language instructions.