TuxBot v3 Evolution is a modular Internet-of-Things botnet framework designed to compromise exposed Linux-based devices, particularly embedded systems such as routers, cameras, and similar internet-connected appliances, and conscript them into distributed denial-of-service operations. The framework includes a C-based multi-architecture bot and a Go-based command-and-control backend, with support for a broad range of processor architectures used in IoT environments.
Its infection and propagation logic combines multiple access methods, including Telnet credential brute-forcing, SSH scanning, HTTP probing of administrative interfaces, Android Debug Bridge scanning, and exploitation attempts against vulnerable device families. Core operational functions observed at high confidence include scanning, credential attacks, encrypted command-and-control communications, persistence, process masquerading, and several UDP, TCP, and DNS flooding capabilities. The malware also includes routines to identify and remove competing botnet malware from infected devices.
TuxBot v3 Evolution is built for resilience. In addition to a primary encrypted TCP command channel, it implements fallback command-and-control mechanisms such as domain-generation and peer-to-peer communications, with additional alternate channels present in some builds. Persistence mechanisms include installation as a disguised system service, cron-based relaunch, shell-profile modification, hidden backup copies, watchdog-style keepalive behavior, and repeated binary relocation. Anti-analysis and defense-evasion features include anti-debugging, anti-virtual-machine checks, and process-name spoofing.
The framework shows lineage and infrastructure overlap with activity associated with the Keksec ecosystem and related Kaitori and AISURU operations, although available evidence supports infrastructure reuse and ecosystem association rather than confirmed code identity. TuxBot also reuses elements from established IoT botnet tradecraft and incorporates portions derived from the open-source MHDDoS toolkit. Analysis of recovered builds indicates that some components were partially nonfunctional, but the malware’s core botnet, propagation, persistence, and DDoS features were operational, making it a credible threat to exposed Linux-based IoT environments.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
25 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Completely Broken (exploit VM magic mismatch, never executes): CVE-2007-3010 ... CVE-2025-34117 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
These were written and compiled into a single 10,694-byte exploit package that would add coverage for 13 CVEs (including CVE-2022-1388, CVE-2022-22965, CVE-2020-8515 and CVE-2022-44877) plus two non-CVE targets. The package fails because the Go compiler writes the file magic value as 0x54555845 ("TUXE") while the C VM expects 0x4558504C ("EXPL"). The package is rejected on load, and the exploit worker thread runs but fires nothing. | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Completely Broken (exploit VM magic mismatch, never executes): CVE-2007-3010 ... CVE-2025-34117 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
These were written and compiled into a single 10,694-byte exploit package that would add coverage for 13 CVEs (including CVE-2022-1388, CVE-2022-22965, CVE-2020-8515 and CVE-2022-44877) plus two non-CVE targets. The package fails because the Go compiler writes the file magic value as 0x54555845 ("TUXE") while the C VM expects 0x4558504C ("EXPL"). The package is rejected on load, and the exploit worker thread runs but fires nothing. | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Completely Broken (exploit VM magic mismatch, never executes): CVE-2007-3010 ... CVE-2025-34117 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Completely Broken (exploit VM magic mismatch, never executes): CVE-2007-3010 ... CVE-2025-34117 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
These were written and compiled into a single 10,694-byte exploit package that would add coverage for 13 CVEs (including CVE-2022-1388, CVE-2022-22965, CVE-2020-8515 and CVE-2022-44877) plus two non-CVE targets. The package fails because the Go compiler writes the file magic value as 0x54555845 ("TUXE") while the C VM expects 0x4558504C ("EXPL"). The package is rejected on load, and the exploit worker thread runs but fires nothing. | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
These were written and compiled into a single 10,694-byte exploit package that would add coverage for 13 CVEs (including CVE-2022-1388, CVE-2022-22965, CVE-2020-8515 and CVE-2022-44877) plus two non-CVE targets. The package fails because the Go compiler writes the file magic value as 0x54555845 ("TUXE") while the C VM expects 0x4558504C ("EXPL"). The package is rejected on load, and the exploit worker thread runs but fires nothing. | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Completely Broken (exploit VM magic mismatch, never executes): CVE-2007-3010 ... CVE-2025-34117 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Completely Broken (exploit VM magic mismatch, never executes): CVE-2007-3010 ... CVE-2025-34117 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Completely Broken (exploit VM magic mismatch, never executes): CVE-2007-3010 ... CVE-2025-34117 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Completely Broken (exploit VM magic mismatch, never executes): CVE-2007-3010 ... CVE-2025-34117 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
Exploited CVEs Implemented but never called at runtime: CVE-2013-7471 ... CVE-2026-5815 | We identified a previously undocumented modular internet-of-things (IoT) botnet framework named TuxBot v3 Evolution.
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
A newly identified IoT botnet framework, TuxBot v3 Evolution, is targeting internet-connected devices and turning compromised systems into tools for distributed denial-of-service attacks.
A newly identified IoT botnet framework, TuxBot v3 Evolution, is targeting internet-connected devices and turning compromised systems into tools for distributed denial-of-service attacks.
A newly identified IoT botnet framework, TuxBot v3 Evolution, is targeting internet-connected devices and turning compromised systems into tools for distributed denial-of-service attacks.
31 distinct techniques documented for this family, organized by ATT&CK tactic.
Once installed, the bot attempts to remain on a device through a disguised system service, cron jobs
Persistence, on the other hand, is accomplished by means of a systemd service, cron entries, and a watchdog keepalive process
The bot follows a fixed initialization sequence... Launching a cascade of subsystems consisting of... self-replication servers... scanners... A SOCKS5 proxy...
Once installed, the bot attempts to remain on a device through a disguised system service, cron jobs
Persistence, on the other hand, is accomplished by means of a systemd service, cron entries, and a watchdog keepalive process
Once installed, the bot attempts to remain on a device through a disguised system service
Once installed, the bot attempts to remain on a device through a disguised system service, cron jobs
Persistence, on the other hand, is accomplished by means of a systemd service, cron entries, and a watchdog keepalive process
search for rival malware, removing competing botnet infections from the same device
Setting up anti-debugging and anti-VM protections that check for running analysis tools
TuxBot uses several paths to gain access, including Telnet password guessing... Its Telnet module alone carries 1,496 username and password combinations, many of them default or vendor-specific credentials
The bot ships with 1,496 username/password pairs for Telnet brute-forcing... The HTTP scanner then attempts a non-blocking TCP connection to a random administrative endpoint... using credential combinations (like admin:admin) from hard-coded lists via a Base64-encoded Authorization: Basic header.
TuxBot uses several paths to gain access, including Telnet password guessing, SSH scanning, HTTP-based probing, Android Debug Bridge scanning
A competitor killer feature Scans of /proc for memory signatures of Mirai, QBOT, Vamp, Anime and dvrHelper
while resorting to ... DNS TXT queries, and HTTP polling as a fallback mechanism
while resorting to ... Internet Relay Chat (IRC) ... as a fallback mechanism
can fall back on domain-generation and peer-to-peer mechanisms if the primary server becomes unavailable
Fall-back C2 mechanisms include: A SHA512 domain generation algorithm (DGA)
32 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A modular IoT botnet framework targeting exposed Linux-based devices such as routers and cameras. It spreads via Telnet password guessing, SSH scanning, HTTP probing, ADB scanning, and exploitation attempts; supports many CPU architectures; uses encrypted C2 with fallback mechanisms; establishes persistence; removes rival malware; and conducts UDP, TCP, and DNS flooding for managed DDoS operations.
An IoT botnet framework with a C-based bot agent and Go-based C2 server. It brute-forces Telnet credentials, includes exploit code for more than 30 IoT device families, uses encrypted TCP plus fallback C2 channels including DGA, P2P, IRC, DNS TXT, and HTTP polling, and supports DDoS, scanning, persistence, proxying, and a cryptocurrency mining placeholder.
A modular IoT botnet framework with a C-based bot and Go-based C2 server. It brute-forces Telnet with 1,496 credential pairs, includes SSH/HTTP/ADB scanners, supports encrypted TCP C2 plus DGA/P2P fallback channels, installs persistence, kills competing malware, and executes DDoS attacks across multiple architectures.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.