Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
25 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Completely Broken (exploit VM magic mismatch, never executes): CVE-2007-3010 ... CVE-2025-34117 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
These were written and compiled into a single 10,694-byte exploit package that would add coverage for 13 CVEs (including CVE-2022-1388, CVE-2022-22965, CVE-2020-8515 and CVE-2022-44877) plus two non-CVE targets. The package fails because the Go compiler writes the file magic value as 0x54555845 ("TUXE") while the C VM expects 0x4558504C ("EXPL"). The package is rejected on load, and the exploit worker thread runs but fires nothing. | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Completely Broken (exploit VM magic mismatch, never executes): CVE-2007-3010 ... CVE-2025-34117 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
These were written and compiled into a single 10,694-byte exploit package that would add coverage for 13 CVEs (including CVE-2022-1388, CVE-2022-22965, CVE-2020-8515 and CVE-2022-44877) plus two non-CVE targets. The package fails because the Go compiler writes the file magic value as 0x54555845 ("TUXE") while the C VM expects 0x4558504C ("EXPL"). The package is rejected on load, and the exploit worker thread runs but fires nothing. | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Completely Broken (exploit VM magic mismatch, never executes): CVE-2007-3010 ... CVE-2025-34117 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Completely Broken (exploit VM magic mismatch, never executes): CVE-2007-3010 ... CVE-2025-34117 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
These were written and compiled into a single 10,694-byte exploit package that would add coverage for 13 CVEs (including CVE-2022-1388, CVE-2022-22965, CVE-2020-8515 and CVE-2022-44877) plus two non-CVE targets. The package fails because the Go compiler writes the file magic value as 0x54555845 ("TUXE") while the C VM expects 0x4558504C ("EXPL"). The package is rejected on load, and the exploit worker thread runs but fires nothing. | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
These were written and compiled into a single 10,694-byte exploit package that would add coverage for 13 CVEs (including CVE-2022-1388, CVE-2022-22965, CVE-2020-8515 and CVE-2022-44877) plus two non-CVE targets. The package fails because the Go compiler writes the file magic value as 0x54555845 ("TUXE") while the C VM expects 0x4558504C ("EXPL"). The package is rejected on load, and the exploit worker thread runs but fires nothing. | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Completely Broken (exploit VM magic mismatch, never executes): CVE-2007-3010 ... CVE-2025-34117 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Completely Broken (exploit VM magic mismatch, never executes): CVE-2007-3010 ... CVE-2025-34117 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Completely Broken (exploit VM magic mismatch, never executes): CVE-2007-3010 ... CVE-2025-34117 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Completely Broken (exploit VM magic mismatch, never executes): CVE-2007-3010 ... CVE-2025-34117 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
28 distinct techniques documented for this family, organized by ATT&CK tactic.
TuxBot installs itself through seven persistence mechanisms: A systemd service disguised as sd-pam.service with Restart=always Two cron entries ( @reboot and */5 * * * * )
The bot follows a fixed initialization sequence... Launching a cascade of subsystems consisting of... self-replication servers... scanners... A SOCKS5 proxy...
TuxBot installs itself through seven persistence mechanisms: A systemd service disguised as sd-pam.service with Restart=always Two cron entries ( @reboot and */5 * * * * )
TuxBot installs itself through seven persistence mechanisms: A systemd service disguised as sd-pam.service with Restart=always Two cron entries ( @reboot and */5 * * * * )
This process masquerades under one of 20 system daemon names (such as systemd-udevd, dbus-daemon, cron, sshd) selected at random
The Anti-VM module implements a weighted scoring system with a threshold of 30, combining more than 10 detection methods, including: DMI file checks for VMware/VirtualBox/QEMU MAC address prefix matching... Timing-based detection... Checks for running analysis tools
The bot agent brute-forces Telnet access on targeted devices with 1,496 credential pairs... The Telnet, SSH, HTTP and Android Debug Bridge (ADB) scanners all operate correctly.
The bot ships with 1,496 username/password pairs for Telnet brute-forcing... The HTTP scanner then attempts a non-blocking TCP connection to a random administrative endpoint... using credential combinations (like admin:admin) from hard-coded lists via a Base64-encoded Authorization: Basic header.
The core infection flow (scanning, credential brute-forcing, persistence, primary C2 setup and DDoS execution) works. The Telnet, SSH, HTTP and Android Debug Bridge (ADB) scanners all operate correctly.
A competitor killer feature Scans of /proc for memory signatures of Mirai, QBOT, Vamp, Anime and dvrHelper
The Anti-VM module implements a weighted scoring system with a threshold of 30, combining more than 10 detection methods, including: DMI file checks for VMware/VirtualBox/QEMU MAC address prefix matching... Timing-based detection... Checks for running analysis tools
Fall-back C2 mechanisms include: ... IRC DNS TXT queries HTTP polling
Fall-back C2 mechanisms include... Peer-to-peer (P2P) gossip with Ed25519-signed commands | The bot connects to the C2 server on TCP port 1999 (or 31337, depending on build configuration)... Each encrypted packet has the following format: 4-byte magic (0xDEADBEEF) 12-byte nonce...
The compiled binaries are placed in a directory served over HTTP, so exploited devices can download the appropriate binary for their architecture.
32 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.