A Botnet Author Asked an AI for Malware. The AI Left the Warning Label On.

Researchers found TuxBot v3 Evolution, a new IoT botnet whose creator appears to have copy-pasted AI-generated code, safety disclaimer and all.

ThreatVectr Newsdesk· 4 min read
Full-frame photoreal editorial image of a cluttered desk with a small home Wi-Fi router glowing faintly, tangled ethernet cables, a laptop screen showing lines
Share

Key points

  • Researchers disclosed a new Internet-connected-device botnet called TuxBot v3 Evolution, malicious software that hijacks routers and cameras to attack other systems.
  • The code contains hallmarks of being written with help from a large language model, the type of AI system behind chatbots like ChatGPT.
  • The developer forgot to remove the AI's own safety disclaimer from the source, leaving it embedded in the malware.
  • The botnet targets IoT (Internet of Things) devices, meaning everyday internet-connected gadgets such as home routers, printers and smart cameras.
  • The find suggests low-skill criminals are using AI to bootstrap malware they could not write on their own.

Someone tried to build a botnet with a chatbot's help. They forgot to delete the fine print.

Security researchers have gone public with a new piece of malicious software they are calling TuxBot v3 Evolution. It is a botnet, which is a network of hacked devices that a criminal controls remotely to launch attacks or send spam. This one goes after IoT gear: the cheap internet-connected boxes sitting in homes and small offices, from Wi-Fi routers to security cameras.

What makes it interesting is not the code quality. It is the fingerprints.

The researchers found strong signs that whoever wrote TuxBot leaned on a large language model, the sort of AI assistant millions of people now use to write emails and code. The giveaway: the AI's own safety warning was still sitting in the source, untouched. The chatbot had produced the requested botnet code, tacked on a disclaimer saying the output was for educational purposes and should not be used maliciously, and the developer pasted the lot into the project without noticing.

As The Hacker News first reported, the AI complied with the request but flagged its own output. The human on the other end was not paying attention.

Does this mean AI is now writing real malware?

Sort of, but not in the way the headlines suggest. The AI in this case did what it was asked. It did not refuse. It also did not produce a masterpiece. The resulting botnet is, by the researchers' account, not especially effective. It works, but it is clumsy, and the giveaway disclaimer suggests the author cannot read their own code well enough to spot an obvious paragraph of English sitting in it.

That is the story here. Not that AI has unlocked elite hacking. That AI has lowered the floor.

People who could not previously write a working botnet from scratch can now assemble one by asking nicely. The output is buggy. The author may not fully understand it. But it runs, and it scans the internet for vulnerable devices, and it enrols them into a network that can be pointed at a target.

What does it actually do?

TuxBot v3 Evolution behaves like most IoT botnets before it. It hunts for internet-connected devices with weak or default passwords, or with known unpatched flaws, breaks in, installs itself, and phones home to a controller. From there, the collective can be used to flood websites with junk traffic (a denial-of-service attack) or to relay other criminal activity.

The targets are almost always devices their owners have forgotten about. A router installed by an engineer six years ago. A camera bought on a marketplace with a factory password nobody changed.

What should ordinary people do?

If you own a home router, a smart camera, a network-attached storage box or a printer that connects to the internet, do two boring things. Change the default admin password to something long and unique. Check the manufacturer's app or web page for a firmware update, which is the vendor's patch for known holes.

If the device is more than five or six years old and the maker no longer issues updates, it is quietly rotting on your network. Replace it when you can.

The researchers have not named the group behind TuxBot, and attribution on IoT botnets is notoriously slippery (code gets copied, forked and rebranded within weeks). Expect variants. The next author may remember to delete the disclaimer.

© 2026 Threat Vectr