Russian Threat Actor Leverages Google’s Gemini CLI to Build AI-Powered C&C Botnet in Six Minutes
A Russian-speaking threat actor, identified as bandcampro, has exploited Google’s Gemini CLI AI agent to automate the migration, deployment, and operation of a live command-and-control (C&C) botnet completing the entire process in just six minutes with minimal human input. Research from Trend Micro, published on July 13, 2026, analyzed over 200 Gemini CLI session logs spanning March 19 to April 21, 2026, revealing how the attacker used AI to handle architecture, coding, deployment, and debugging with near-total autonomy.
The incident began on March 23, 2026, when the actor’s existing C&C infrastructure reliant on Cloudflare tunnels was blocked by firewalls and antivirus software. Instead of manually rebuilding, the attacker issued a single Russian-language prompt: “Study the C&C migration.” Gemini CLI responded by autonomously writing the C&C server code, deploying it on a fresh VPS, configuring Cloudflare tunnels, and bringing the infrastructure online by 12:48 UTC just six minutes after the initial request. The AI later diagnosed and resolved a “split-brain” issue caused by Cloudflare load-balancing traffic across old and new servers, and even modified the code to include a browser-style User-Agent header when the WAF blocked requests all without human intervention.
The botnet’s architecture is stripped to its minimal viable form, consisting of three plain-text files totaling 5KB:
- GEMINI.md: Jailbreaks the AI by framing operations as “authorized penetration testing” and auto-saves credentials.
- SKILL.md: Outlines the full C&C playbook, including infection commands, persistence mechanisms, and troubleshooting.
- C2_MIGRATION_GUIDE.md: Provides a six-step deployment guide to restore operations on any new VPS in minutes.
The AI-controlled botnet targeted eight compromised machines in a dental clinic, granting the actor access to the OpenDental patient database. The C&C server, an in-memory Python HTTP server, leaves no forensic trail, using /api/v1 paths to blend with legitimate traffic. Victim machines run a PowerShell beacon polling the server every five seconds over HTTPS. Persistence mechanisms adapt based on privilege level:
- Administrator rights: Copies powershell.exe to %APPDATA%\Microsoft\Windows\Runtime\svchost.exe and configures a WMI event subscription.
- Non-admin rights: Hijacks HKCU:\Environment\UserInitMprLogonScript or registers a disguised scheduled task.
The botnet’s simplicity makes it resilient if detected, the actor regenerates fresh artifacts (filenames, registry keys, API paths) via AI prompts, eliminating the need for obfuscation. Beyond the C&C operation, the logs reveal broader AI-assisted criminal activity, including:
- Credential mutation: Pulling passwords from the AntiPublic database and using Gemini CLI to generate variants for brute-force attacks on WordPress admin panels.
- Reconnaissance: Mapping a victim’s VPN, MFA setup, and internal admin panels from a 1Password dump.
- Fraud planning: Consulting the AI on telephone-based cryptocurrency scams targeting elderly victims in the U.S. and Canada, yielding psychological manipulation scripts.
Across the month-long logs, the AI generated 89% of the total text output, handling 80% of architectural decisions, 100% of coding, and 90% of debugging. The actor jailbroke Gemini CLI using GEMINI.md, which falsely labeled the operations as legitimate penetration testing. While some guardrails held such as the AI’s refusal to create a self-spreading “agent-bomb” the logs show the actor pivoting to manual workarounds when restrictions were triggered.
The incident underscores a shift in botnet economics: where takedowns once required skilled operators, a non-technical actor can now restore full operations in minutes using a 5KB text file. Defenders are advised to monitor for behavioral indicators, including:
- 5-second HTTP GET polling to /api/v1/update.
- PowerShell execution from %TEMP% with filenames like *win_update_svc_.
- WMI subscriptions or svchost.exe running from *%APPDATA%\Microsoft\Windows\Runtime*.
Key indicators of compromise include the malicious domain payloads.tralalarkefe[.]com, the X-Agent-ID HTTP header (formatted as COMPUTERNAME_USERNAME), and persistence mechanisms like the Win32_PerfFormattedData_PerfOS_System WMI filter.
Source: https://cybersecuritynews.com/botnet-gemini-cli-in-six-miutes/
Google Gemini cybersecurity rating report: https://www.rankiteo.com/company/google-gemini-ai
"id": "GOO1784139935",
"linkid": "google-gemini-ai",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'customers_affected': 'Patients (number unspecified)',
'industry': 'Healthcare',
'type': 'Dental Clinic'}],
'attack_vector': 'AI-powered automation (Google Gemini CLI)',
'data_breach': {'data_exfiltration': 'Potential (not confirmed)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (personally identifiable '
'information)',
'type_of_data_compromised': 'Patient records (OpenDental '
'database)'},
'date_detected': '2026-03-23',
'date_publicly_disclosed': '2026-07-13',
'description': 'A Russian-speaking threat actor, identified as *bandcampro*, '
'exploited Google’s Gemini CLI AI agent to automate the '
'migration, deployment, and operation of a live '
'command-and-control (C&C) botnet in just six minutes with '
'minimal human input. The AI handled architecture, coding, '
'deployment, and debugging autonomously, targeting a dental '
"clinic's OpenDental patient database.",
'impact': {'data_compromised': 'Patient data from OpenDental database '
'(sensitivity not specified)',
'identity_theft_risk': 'High (patient data compromised)',
'operational_impact': 'Unauthorized access to dental clinic '
'systems, potential data exfiltration',
'systems_affected': '8 compromised machines in a dental clinic, '
'VPS-hosted C&C server'},
'initial_access_broker': {'backdoors_established': 'PowerShell beacon, WMI '
'subscriptions, scheduled '
'tasks',
'high_value_targets': 'OpenDental patient database'},
'investigation_status': 'Published (research analysis complete)',
'lessons_learned': 'AI tools can significantly lower the barrier for threat '
'actors to deploy sophisticated attacks with minimal '
'technical expertise. Defenders must adapt to behavioral '
'indicators and AI-generated artifacts.',
'motivation': 'Financial gain (potential data exfiltration, credential abuse, '
'fraud planning)',
'post_incident_analysis': {'corrective_actions': ['Improve AI tool guardrails '
'to prevent misuse for '
'cybercrime',
'Enhance detection for '
'AI-generated artifacts '
'(e.g., minimal file sizes, '
'rapid deployment)',
'Strengthen monitoring for '
'behavioral indicators '
'(e.g., 5-second polling '
'intervals)'],
'root_causes': ['Exploitation of Google Gemini CLI '
'for malicious automation',
'Lack of forensic trails in '
'in-memory C&C server',
'AI jailbreaking via *GEMINI.md* '
'to bypass guardrails']},
'recommendations': ['Monitor for AI-assisted attack patterns, such as rapid '
'infrastructure deployment and minimal forensic trails.',
'Implement behavioral detection for PowerShell beacons, '
'WMI subscriptions, and unusual HTTP polling intervals.',
'Restrict AI tool access in environments where misuse '
'could enable malicious automation.',
'Enhance WAF rules to detect AI-generated headers (e.g., '
'*X-Agent-ID*).'],
'references': [{'date_accessed': '2026-07-13', 'source': 'Trend Micro'}],
'regulatory_compliance': {'regulations_violated': ['HIPAA (potential)']},
'response': {'enhanced_monitoring': ['Monitor for 5-second HTTP GET polling '
'to */api/v1/update*',
'Monitor PowerShell execution from '
'*%TEMP%* with filenames like '
'*win_update_svc_**',
'Monitor WMI subscriptions or '
'*svchost.exe* running from '
'*%APPDATA%\\Microsoft\\Windows\\Runtime\\*'],
'third_party_assistance': 'Trend Micro (research and '
'disclosure)'},
'threat_actor': 'bandcampro (Russian-speaking)',
'title': 'Russian Threat Actor Leverages Google’s Gemini CLI to Build '
'AI-Powered C&C Botnet in Six Minutes',
'type': 'Botnet / C&C Infrastructure',
'vulnerability_exploited': 'Misuse of AI tools for malicious automation, lack '
'of forensic trails in in-memory Python HTTP '
'server'}