Palo Alto Networks Unit 42 reported on TuxBot v3 Evolution, a previously undocumented modular IoT botnet framework that can infect devices, maintain persistence, communicate over encrypted command-and-control channels, and launch distributed denial-of-service attacks across 17 CPU architectures. Researchers recovered the botnet’s source code, compiled binaries, Docker-based test infrastructure, and 254 DDoS benchmark reports, showing active development and testing into early 2026. The malware’s working capabilities include Telnet brute-forcing with 1,496 credentials, SSH, HTTP, and ADB scanning, plus fallback mechanisms such as a domain generation algorithm and peer-to-peer gossiping.
The report said the framework appears to have been developed with heavy LLM assistance, which introduced several implementation flaws, including a broken XOR string table, a nonfunctional exploit virtual machine, and a fake Argon2id routine that actually behaves like repeated SHA-256 hashing similar to PBKDF2. Despite those defects, Unit 42 assessed the botnet as operationally dangerous because its core infection and DDoS functions work, and the bugs are relatively easy to correct. Telemetry linked the malware to active infrastructure including a command-and-control server at 209.182.237[.]133 and a dropper at 185.10.68[.]127, with reported ties to the Keksec/Kaitori and AISURU ecosystems.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Public and internal telemetry tied TuxBot v3 malware to active infrastructure, including a command-and-control server at 209.182.237[.]133 and a dropper at 185.10.68[.]127. The report also noted links between the framework and the Keksec/Kaitori and AISURU ecosystems.
Unit 42 reported recovering the full TuxBot v3 source code, compiled binaries, Docker-based test infrastructure, and 254 DDoS benchmark reports. The recovered materials indicate the botnet framework was under active development and testing through early 2026.
On its publication date, Unit 42 published an analysis of TuxBot v3 Evolution, describing it as a previously undocumented modular IoT botnet framework with working infection, persistence, encrypted C2, and DDoS capabilities across 17 CPU architectures. The report also highlighted multiple implementation flaws consistent with heavy LLM-assisted development.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.