TuxBot v3 Evolution (Akiru) Framework Analysis

    Date: 06/01/2026

    Severity: High

    Summary

    TuxBot v3 Evolution, also known as Akiru, is a previously undocumented modular IoT botnet framework designed for large-scale device compromise and DDoS-for-hire operations. The framework targets multiple IoT device families through vulnerability exploitation and extensive Telnet brute-forcing, supports numerous hardware architectures, and uses encrypted C2 communications. Analysis of the recovered source code and infrastructure links the botnet to the broader Keksec/AISURU ecosystem, revealing a mature platform capable of scanning, exploitation, persistence, and DDoS attacks, while also containing unfinished features intended for future expansion.

    Indicators of Compromise (IOC) List

    Domains/URLs

    jetross.com
    digikalas.online

    IP Addresses

    209.182.237.133
    185.10.68.127
    45.145.185.229
    107.174.133.119
    194.46.59.169
    188.166.2.226

    Hash


    CVEs

    CVE-2013-7471
    CVE-2014-8361
    CVE-2014-2321
    CVE-2017-17215
    CVE-2017-18377
    CVE-2018-10561
    CVE-2018-10562
    CVE-2018-20062
    CVE-2020-17456
    CVE-2022-30525
    CVE-2023-39780
    CVE-2025-34037
    CVE-2026-5815
    CVE-2007-3010
    CVE-2007-5693
    CVE-2016-11021
    CVE-2020-5722
    CVE-2020-8515
    CVE-2021-25646
    CVE-2021-4045
    CVE-2022-1388
    CVE-2022-22947
    CVE-2022-22965
    CVE-2022-44877
    CVE-2023-1389

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    sha256hash IN ("71dfbb171eca4ef9d02ff630b56e5283bbef7b375d4dbe9e8c9531bef312fa8d","511d3ffb4091cbcc94571d9fb3102e8cb424c6e187d01d53ff12078d54929bda","6aa4034dc7a2858094ff4dc59af07d6fe31119591e41599bcc0f3d0b516ee734","6b7a8e0c96c2318e747f074f9a99d26738700769ac01bba692d19fc884847737","146f6010f6ee082aab13e0148d39baefa77eaba4ff65817b511b08c2092bdfd2","bd6431fb06e4689142ef597cf00382e38ae20a5393a4d9277e45a3f5b3cbcff9","a03b0d41f5ef03328150331ffa0ed970998883f7e0343d79b2d3b95330d8e7c1","eb2fa179fde2f097c18d5d700ad87d660fc238ee14cbe5477032e60856859621","a8d70d16509e227d8306be361bc37a3dc9fe34bf476f51e361e55e6d293c2b3f","0f8bcca3ed65e980da2a1f90a767b7d543be32eeea3e9338d09d4d635a497988","96b1f96efca3b9df2dea85678d60da27e3265b4a00e39e20e64b27bb985e1561","c7a36d6b8128c41f93a32413675401a10a2b5769b221bbaa8c5c309585b73ceb","246c97957651de568e61eba1abe572f0b0f960456209995d43d53a0d7cc494a1","3ec016d637e4c9cd331edd2580a229621ad638e924a4aa29ac0342e9144ace19","2f2c3551762c03da126e45dca6fc2f997c63f0f1bfc21fd0ceed680ac6f083ce","9cd5e7e3c8bad321ef6c3d47fe25b3b56e9487f703a7eeee52db4067e6bafe61","e3a5296e762e9ee16010399666441d663beeea956382e97cca032a6a5ad06811","f1efb78887bb8783d7781c07cd13b53c9c79ebe5baa81f335838d0a6e73dec7e","f324a45fcd2a9db4e542c09486c21b08bc42d6bf76fbd5f17871090361b10815","15c17dce89deccd5172285b2650de957918aa1157cde8e4633ae15dfe31f2711")

    Detection Query 2:

    dstipaddress IN ("45.145.185.229","107.174.133.119","185.10.68.127","194.46.59.169","209.182.237.133","188.166.2.226") or srcipaddress IN ("45.145.185.229","107.174.133.119","185.10.68.127","194.46.59.169","209.182.237.133","188.166.2.226")

    Detection Query 3:

    domainname like "jetross.com" or siteurl like "jetross.com" or url like "jetross.com" or domainname like "digikalas.online" or siteurl like "digikalas.online" or url like "digikalas.online"
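The three queries above express the same matching logic an analyst would script against exported telemetry. The following is an added example, not code from the advisory or from Gurucul: it applies the hash, IP and domain checks to constructed sample events, validates that every hash IOC is a well-formed SHA-256 digest before it is deployed (a truncated digest inside an IN list silently never matches), and matches domains by exact host or subdomain rather than by a bare LIKE. The event field names are taken from the queries; the hash set is abbreviated to two of the twenty listed on the page.

```python
import re
from urllib.parse import urlsplit

HEX64 = re.compile(r"^[0-9a-f]{64}$")

# Indicators copied from the advisory above; the hash set is abbreviated to
# two of the twenty listed, the IP and domain sets are complete.
IOC_HASHES = {
    "71dfbb171eca4ef9d02ff630b56e5283bbef7b375d4dbe9e8c9531bef312fa8d",
    "146f6010f6ee082aab13e0148d39baefa77eaba4ff65817b511b08c2092bdfd2",
}
IOC_IPS = {"209.182.237.133", "185.10.68.127", "45.145.185.229",
           "107.174.133.119", "194.46.59.169", "188.166.2.226"}
IOC_DOMAINS = {"jetross.com", "digikalas.online"}

def malformed_hashes(hashes):
    """Entries that are not 64 lowercase hex chars. A truncated digest inside
    an IN(...) list never matches anything, so check before deploying a rule."""
    return sorted(h for h in hashes if not HEX64.match(h))

def domain_hit(value, iocs=IOC_DOMAINS):
    """Exact or subdomain match on the hostname of a URL or bare domain field:
    cdn.jetross.com hits jetross.com, notjetross.com does not."""
    host = urlsplit(value).hostname if "://" in value else value.split("/")[0]
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)

def match_event(event):
    """Apply the three detection queries to one event; return the rules that fired."""
    hits = []
    if event.get("sha256hash", "").lower() in IOC_HASHES:
        hits.append("query1_hash")
    if any(event.get(k) in IOC_IPS for k in ("srcipaddress", "dstipaddress")):
        hits.append("query2_ip")
    if any(domain_hit(event.get(k, "")) for k in ("domainname", "siteurl", "url")):
        hits.append("query3_domain")
    return hits

# Constructed sample events, not real telemetry; event 1 carries an upper-case
# digest to show why the hash field must be normalised before comparison.
SAMPLE_EVENTS = [
    {"id": 1, "sha256hash": "71dfbb171eca4ef9d02ff630b56e5283bbef7b375d4dbe9e8c9531bef312fa8d".upper()},
    {"id": 2, "srcipaddress": "10.0.0.5", "dstipaddress": "185.10.68.127"},
    {"id": 3, "url": "http://cdn.jetross.com/bins/arm7"},
    {"id": 4, "domainname": "notjetross.com", "dstipaddress": "10.0.0.9"},
]

def scan(events=SAMPLE_EVENTS):
    """Map event id -> fired rules, for events that matched at least one query."""
    return {e["id"]: hits for e in events if (hits := match_event(e))}
```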

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-05-28-TuxBot-v3-Evolution-Framework-Analysis.txt


    Tags: Malware, Vulnerability, Botnet, DDoS Attacks, Exploitation
