Dateline: July 16, 2026
Fake Argon2id, Dead Exploits, and a Live C2: Unpacking TuxBot v3
Somebody asked a chatbot to help write a botnet. The chatbot said yes. It also stapled a legal disclaimer to the top of every file. The developer never noticed.
What Happened?
The researchers recovered two things from the wild. First, a full source archive: 61 C++ files, 58 headers, a custom compiler, a virtual machine, Docker Compose test setups, and 254 automated DDoS benchmark reports. Second, a compiled bot binary, hidden with a dot prefix inside the QEMU test folder, uploaded to VirusTotal on January 20, 2026.
The framework itself is ambitious. A C bot agent that cross compiles to 17 architectures, everything from ARM and MIPS to RISC-V and IBM S/390. A Go based command and control server running a DDoS for hire panel with user quotas and a MariaDB backend.
Encrypted TCP as the primary channel, plus five fallbacks including a SHA-512 domain generation algorithm producing 20 domains a day and peer to peer gossip signed with Ed25519. Infected machines print “Infected By Akiru” to the console.
And it is about 70% broken.
The developer leaned on an LLM to write C modules, port exploits, and build the C2 server. The LLM’s raw thinking is still sitting in the comments. Lines like “Wait, where is the command?” and “I created them so I should know?” Human developers do not talk to themselves in code comments.
The bugs follow. A single byte typo in an XOR key, 0x4F where the offline encryption tool still used 0xAF, silently corrupts nine string table entries. That kills the IRC fallback, the HTTP fallback, and four exploit payloads. The custom exploit VM expects a file magic value of “EXPL” but the compiler writes “TUXE,” so the whole 27 exploit package never loads.
Sixteen more exploits covering 13 CVEs are compiled in and never called by anything. And the C2 authentication module claims to use Argon2id password hashing, complete with the right output format, while actually running PBKDF2 style loops underneath. The LLM hallucinated the crypto and formatted the lie convincingly.
What’s the Impact?
The operator has the source. Six new production builds turned up in internal telemetry in April 2026, compiled with GCC 14.2.0, none of them on VirusTotal. The live C2 in Singapore presents an SSH banner that does not match the source code, which means the deployed build already differs from what researchers recovered.
What works right now still hurts. Telnet brute forcing with 1,496 credential pairs. SSH, HTTP, and ADB scanners. UDP, TCP, and DNS floods. Seven persistence mechanisms including a fake sd-pam systemd service. Anti-VM scoring that checks for Ghidra, IDA, and Wireshark. A competitor killer that hunts down Mirai and QBOT and takes their ports.
The dropper at 185.10.68[.]127 also serves Kaitori v3.9 binaries and shares a TLS certificate with the C2. That puts TuxBot inside the Keksec and AISURU orbit, which is not a place hobbyists live.
The bigger point: one person with a chatbot produced a multi architecture botnet with encrypted C2, a DGA, P2P resilience, and a rental panel. The barrier used to be skill. Now it is patience.
How to Avoid This
- Change default Telnet and SSH credentials on every device, including the ones nobody owns anymore. That 1,496 pair list works because those pairs still work.
- Close Telnet. Port 23 has no business being open in 2026.
- Put IoT and OT devices on their own network segment. A camera should not be able to reach your file server.
- Watch for outbound traffic to odd ports, 1999, 31337, 13337, and for DNS TXT queries that make no sense.
- Patch the boring old CVEs. The dead exploit code targets flaws from 2013 and 2014 because those devices are still online.