New IoT Botnet Reveals How LLMs Are Changing Malware Development

FastNetMon

July 16, 2026

Hero banner for TUXBOT V3 Evolution showing a dual-panel CNC installer UI with setup steps on the left and configuration text on the right, plus a blue FASTNETMON corner.
Home FastNetMon Blog New IoT Botnet Reveals How LLMs Are Changing Malware Development

Remember Script Kiddies? Well, it seems like we need to start talking about "Prompt Kiddies." Evidence that large language models are making their way into malware development has emerged from the analysis of TuxBot v3 Evolution, a newly discovered IoT botnet investigated by Palo Alto Networks Unit 42.

According to the researchers, the botnet's developers appear to have relied on an LLM to build substantial parts of the framework. The recovered source code still contained AI safety comments and internal reasoning traces that had never been removed, providing a rare glimpse into how AI-generated code is finding its way into real-world malware.

The discovery is noteworthy not only because AI appears to have accelerated development, but also because it left behind telltale mistakes. Unit 42 found several implementation flaws that suggest generated code was incorporated with limited manual review. Yet despite these defects, the botnet's core DDoS capabilities remained fully functional.

A New Multi-Architecture IoT Threat

Behind the AI story is a functional IoT botnet built to compromise internet-connected Linux devices.

TuxBot combines a C-based bot with a Go-based command-and-control (C2) server capable of generating payloads for 17 processor architectures, including ARM, MIPS, PowerPC, RISC-V, SPARC and x86-64. That broad architecture support allows attackers to target everything from home routers and IP cameras to DVRs and other embedded systems using a single framework.

To infect internet-exposed devices, TuxBot relies on a familiar combination of techniques. It performs Telnet brute-force attacks using 1,496 default and vendor-specific username and password combinations, while also scanning for exposed SSH services, HTTP interfaces, Android Debug Bridge (ADB) instances and known vulnerabilities.

How TuxBot Stays on Compromised Devices

Once a device is compromised, TuxBot focuses on remaining there.

According to Unit 42, the malware establishes persistence through multiple mechanisms, including disguised system services, cron jobs, shell profile modifications, hidden backup copies and watchdog processes. It can also rename itself to resemble legitimate Linux daemons and actively remove competing botnets from infected devices.

Built for DDoS operations

Although the analysed build contained several unfinished or broken components, its primary mission was never in doubt.

The malware supports UDP, TCP and DNS flooding, while communicating with its operators over encrypted TCP connections. To improve resilience, it can also fall back to domain generation algorithms (DGA), DNS and peer-to-peer communication if its primary command-and-control infrastructure becomes unavailable.

Researchers also uncovered an SSH-accessible management panel that allowed operators to monitor infected devices and launch attacks. The accompanying development environment contained hundreds of automated benchmark reports, suggesting the framework underwent extensive testing before appearing in the wild.

AI Makes Malware Development Faster

Perhaps the most interesting lesson from TuxBot is that AI-assisted malware development is already producing real operational tools.

The same generated code that appears to have accelerated development also introduced broken communication channels, incomplete attack modules and even an authentication component that claimed to implement Argon2id without actually doing so. Those mistakes did not stop the malware from operating, however, and obviously, they could be corrected quickly in future versions.

For operators, TuxBot offers an early look at what is likely to become a broader trend: malware authors using LLMs to develop all kinds of tools faster than before.