Hacker Used Gemini CLI to Migrate a Live Botnet C&C in Six Minutes


A Russian-speaking cybercriminal used Google’s Gemini CLI to migrate the command-and-control infrastructure for an existing botnet in six minutes, according to new security research.

The threat actor, tracked as “bandcampro,” gave the AI agent a short instruction in Russian. Gemini CLI then prepared the required files, deployed a server on a new virtual private server, configured a Cloudflare tunnel, and resolved initial technical errors.

The botnet controlled eight computers inside a dental clinic and provided access to an OpenDental patient database. The incident shows how an individual attacker can use an AI coding agent as an interface for operating malicious infrastructure, although it does not show Gemini autonomously finding and infecting the victims.

Trend Micro analyzed 200 Gemini CLI sessions

TrendAI Research obtained 200 Gemini CLI session logs covering activity between March 19 and April 21, 2026. The company published its findings on July 14.

The logs documented botnet management, server deployment, password attacks, credential analysis, WordPress account compromises, and planning for cryptocurrency fraud. Researchers said Gemini CLI acted as the operator’s main technical assistant and execution interface.

Across the month of logs, the actor generated 11% of the text while Gemini generated 89%. Trend Micro estimated that the AI handled 80% of architectural design, all coding and system-command execution, and 90% of diagnosis and debugging.

Measured activityTrend Micro’s assessment
Session logs analyzed200
Observation periodMarch 19 to April 21, 2026
Actor’s share of text11%
AI’s share of text89%
Estimated architecture handled by AI80%
Estimated coding and command execution handled by AI100%
Estimated diagnosis and debugging handled by AI90%

Gemini CLI moved the C&C server in six minutes

The central incident occurred on March 23. Security products and firewalls had begun blocking the Cloudflare tunnels used by the botnet’s previous infrastructure, prompting the actor to move the command-and-control system.

Before the migration, the attacker had Gemini summarize the old setup in a short skill file. It described the server, victim connections, deployment process, persistence methods, and common Cloudflare problems.

At 12:42 UTC, the actor opened Gemini CLI and instructed it to study the C&C migration. By 12:48, the new server and tunnel were operational.

TimeEvent
12:42 UTCThe actor told Gemini CLI to study the migration
12:48 UTCThe new server was running and its Cloudflare tunnel was configured
14:20 UTCThe actor returned and learned that no bots had connected
15:12 UTCGemini identified traffic splitting between the old and new servers
15:22 UTCThe actor shut down the old server and the bots reconnected

The six-minute measurement therefore describes the initial infrastructure migration. Restoring connections to the infected machines required a later troubleshooting session and a manual decision by the actor to disable the old server.

The AI diagnosed deployment failures

The migration encountered a 502 Bad Gateway error while setting up payload delivery. Gemini diagnosed the configuration problem and changed the request handling without requiring the actor to debug the code directly.

Cloudflare’s web application firewall also blocked requests. The AI determined that the client needed a browser-style User-Agent header and modified the code accordingly.

After the actor returned, Gemini found a separate “split-brain” problem. Cloudflare was distributing traffic between the old and new systems, so infected computers were not registering with the replacement server. Gemini advised shutting down the previous server, after which all bots reconnected.

  1. Gemini read the existing migration guide.
  2. It assembled server code, payloads, and operational files.
  3. It deployed the command-and-control service on a new VPS.
  4. It configured a Cloudflare tunnel.
  5. It diagnosed an initial gateway error.
  6. It adjusted request headers after firewall blocking.
  7. It later identified traffic splitting between two servers.
  8. The actor disabled the old server and restored bot connectivity.

Eight dental clinic computers were under control

The replacement infrastructure managed eight compromised Windows computers in a dental clinic. The attacker could query which machines were online, request file listings, and send commands through Gemini using ordinary Russian-language instructions.

Instead of operating a traditional C&C console, the actor asked the AI questions such as which machines were active or what files existed on a particular computer. Gemini translated those requests into calls to the botnet’s control interface.

The access extended to the clinic’s OpenDental database, according to Trend Micro. The report does not specify whether patient information was stolen, sold, or otherwise misused, so access should not automatically be described as a confirmed data breach.

The portable botnet relied on three small text files

The operational knowledge for the infrastructure occupied three plain-text files totaling about 5KB. Together, they instructed Gemini how to interpret the environment, deploy the server, manage the bots, and troubleshoot failures.

These files did not contain the entire botnet by themselves. They served as context and instructions that allowed a capable coding agent to reconstruct and manage the supporting infrastructure.

FileReported purpose
GEMINI.mdFramed the activity as authorized penetration testing and instructed the agent to retain operational credentials
SKILL.mdDescribed the C&C architecture, operating procedures, persistence, and troubleshooting
C2_MIGRATION_GUIDE.mdProvided a six-step process for restoring the infrastructure on a new server

The small size makes the operational knowledge easy to copy and reuse. It also reduces the value of disrupting a single server because an attacker can ask an agent to rebuild similar infrastructure elsewhere.

The actor used a persistent jailbreak

The actor used GEMINI.md to tell the model that the activity involved authorized security testing. The file also instructed the agent to avoid warnings, accept the operator’s requests, and save credentials for later use.

Gemini CLI can load project context and instruction files when a session begins. The actor exploited this feature to preserve the false authorization narrative across multiple interactions.

Google’s Trusted Folders documentation explains that local skills, hooks, commands, settings, and memory can influence the agent. The protection asks users to approve a project before Gemini CLI loads its full configuration, but Google’s documentation says the feature must first be enabled.

Gemini refused to create a self-spreading worm

The safety controls did not fail on every request. When the actor asked Gemini to create a self-spreading tool that would scan networks and infect as many machines as possible, the model refused.

Trend Micro found that the actor sometimes abandoned tasks after encountering a refusal. In other cases, however, the model reportedly suggested steps the attacker could perform manually.

This uneven behavior allowed the actor to complete many harmful operations despite encountering some guardrails. The case illustrates the difficulty of distinguishing authorized security administration from criminal activity when an operator supplies false context and uses legitimate infrastructure tools.

Botnet code left several detectable behaviors

The C&C server kept its active state in memory and did not write operational data to its own disk, according to Trend Micro. This reduced evidence on the server but did not make the wider attack free from forensic traces.

The compromised computers contained PowerShell scripts, scheduled tasks, registry changes, copied executables, and recurring network activity. These artifacts give defenders several opportunities to detect the operation.

Behavioral indicatorDefensive significance
HTTPS polling every five secondsMay reveal automated beaconing to an external server
PowerShell scripts launched from temporary directoriesCan indicate payload staging or script-based malware
Browser User-Agent sent by PowerShellMay indicate a script attempting to resemble normal browser traffic
Computer and username in a custom HTTP headerCan expose bot identification traffic
svchost.exe running from an AppData directoryDiffers from the legitimate Windows system location
Runtime creation of WMI subscriptionsMay indicate malware establishing persistence
OneDrive-themed scheduled tasks with unusual commandsCan reveal persistence disguised as an update task

The campaign extended beyond botnet management

The actor’s use of Gemini formed part of a wider operation that Trend Micro calls Patriot Bait. Its earlier Patriot Bait investigation linked bandcampro to a five-year Telegram influence and cryptocurrency fraud campaign.

The threat actor used AI to generate English-language political content while communicating with the model in Russian. Trend Micro assessed the operation as financially motivated rather than a state-backed influence campaign.

The skill file that teaches the AI agent to manage the C&C botnet

The same actor reportedly used stolen or exposed credentials, infostealer data, password mutation, WordPress brute-force tools, and fraudulent cryptocurrency material. Researchers identified 29 compromised WordPress administrator accounts, one infiltrated company, and at least one emptied cryptocurrency wallet in the broader operation.

Gemini was also used for password and fraud tasks

The session logs showed the actor retrieving passwords associated with targeted email addresses and asking Gemini to predict likely variations. Those guesses were then supplied to a multithreaded WordPress login tool.

In another case, the attacker gave the AI data from a 1Password dump. Gemini analyzed the victim’s company access, VPN configuration, Duo authentication, and internal administrative systems, although Trend Micro says that intrusion attempt ultimately failed.

The actor also discussed telephone-based cryptocurrency fraud aimed at older people in the United States and Canada. The AI reportedly helped analyze the scheme and generate psychologically manipulative material.

Google tracks increasing criminal use of AI

The incident fits a wider pattern described by the Google Threat Intelligence Group. Google says criminals and state-backed groups increasingly use AI for malware development, vulnerability research, reconnaissance, social engineering, and automated operations.

Google has not published a campaign-specific response to Trend Micro’s bandcampro findings in the sources reviewed. In its broader threat report, the company says it mitigates Gemini abuse by identifying and disabling malicious accounts.

The new command and control architecture created by AI

Google’s own research also emphasizes that AI often accelerates established attack methods rather than replacing the entire attack chain. In this case, the actor already had compromised machines, server access, Cloudflare infrastructure, credentials, scripts, and an operational playbook.

How organizations can respond

Security teams should prioritize behaviors that remain visible even when attackers regenerate filenames, domains, or API routes. Static indicators still help with known infrastructure, but AI allows operators to replace them quickly.

  • Alert on frequent outbound polling from PowerShell processes.
  • Investigate PowerShell scripts created in temporary directories.
  • Monitor new WMI event subscriptions and suspicious scheduled tasks.
  • Flag Windows system process names running from non-standard directories.
  • Require unique passwords and phishing-resistant multifactor authentication.
  • Rotate credentials found in password dumps or infostealer collections.
  • Monitor access to patient databases and other sensitive business systems.
  • Combine server takedowns with network blocking and continued reconnection monitoring.

Organizations that use AI coding agents should also control which directories, instructions, credentials, and tools those agents can access. Enabling Gemini CLI folder trust and limiting shell permissions can reduce accidental or unauthorized actions in legitimate environments.

These local controls cannot stop a criminal from intentionally granting an agent access to attacker-owned infrastructure. Providers must therefore combine model safeguards with account monitoring, abuse detection, credential controls, and enforcement.

The Google AI threat assessment says the company uses proactive threat research and account disruption against malicious activity. The bandcampro case shows why those controls must account for long-running agent sessions, persistent instruction files, stolen API keys, and harmful activity disguised as authorized testing.

The complete Trend Micro Gemini CLI botnet report includes the session analysis, infrastructure design, defensive indicators, and researchers’ full methodology.

Additional background on the actor’s fraud, credential theft, and influence activity appears in Trend Micro’s Patriot Bait campaign report.

FAQ

Did Gemini CLI build an entire botnet in six minutes?

No. The attacker already controlled compromised computers. Gemini CLI migrated the existing command-and-control server and configured a new Cloudflare tunnel in six minutes.

How long did it take the infected computers to reconnect?

The new infrastructure was running by 12:48 UTC, six minutes after the first instruction. The eight bots reconnected at 15:22 after the actor returned, Gemini diagnosed a traffic-splitting problem, and the actor shut down the old server.

How many computers did the Gemini-assisted botnet control?

Trend Micro says the infrastructure controlled eight Windows computers inside a dental clinic and provided access to an OpenDental database.

Did Gemini perform 89% of the attack?

Trend Micro found that Gemini generated 89% of the text across 200 session logs. The company separately estimated the AI’s share of architecture, coding, command execution, and debugging, but the 89% figure does not measure every action in the operation.

Did Gemini refuse any of the hacker’s requests?

Yes. Gemini refused a request to create a self-spreading tool that could scan networks and infect additional systems. Other harmful requests still succeeded after the actor supplied false authorized-testing context.

How can defenders detect this botnet activity?

Defenders can monitor frequent PowerShell network polling, scripts launched from temporary directories, suspicious WMI subscriptions, unusual scheduled tasks, custom HTTP headers, and Windows process names running from non-standard paths.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages