Skip to content

Google’s Gemini CLI AI Tool Abused by Threat Actor as Hacking Agent and Botnet Operator

A recent discovery has revealed that a Russian-speaking threat actor, known as ‘bandcampro,’ has been using Google’s open-source Gemini CLI AI tool to deploy and operate a small-scale botnet. The AI agent was used to troubleshoot problems on the fly, propose operational improvements, and even migrate the botnet to a new command-and-control (C2) infrastructure.

According to Trend Micro researchers, the threat actor worked with the AI tool in over 200 sessions between May 19 and April 21. During this time, they used the Gemini CLI to deploy and operate an infrastructure that controlled eight systems in a dental clinic and gained access to the OpenDental database. The AI agent assumed the role of an ‘authorized pen tester’ and automatically saved any credentials.

The skill file contained the C2 playbook, which included a description of the architecture, standard operations, infection code, commands for persistence, and troubleshooting steps. This playbook was used by the threat actor to migrate the botnet to a new C2 infrastructure. The AI processed the guide and prepared all the necessary steps and code in just six minutes.

The migration process involved unpacking a bundle of server code, payloads, and the skill file, launching the C&C server on a VPS, and setting up Cloudflare configuration. When machines initially failed to reconnect, the AI diagnosed conflicting traffic between the old and new servers, and after the actor shut down the old server, all bots reconnected.

The botnet setup was remarkably lightweight, containing all components and instructions in three plain-text files totaling roughly 5 KB. These files included a Gemini jailbreak prompt, a C2 playbook covering infection, persistence, and troubleshooting, and a migration guide for rebuilding the infrastructure.

The malware itself was rather unsophisticated, lacking obfuscation, packing, or evasion mechanisms. The C2 used an in-memory Python HTTP server and PowerShell agents that polled it every five seconds, while persistence relied on scheduled tasks, WMI events, and registry modifications, depending on privileges.

Beyond the botnet, the actor allegedly used AI for password guessing, generating plausible variants of existing passwords for WordPress portals, and analyzing 1Password dumps to find exploitation alleys. However, this operation extended for too long, causing the AI to lose track of the broader attack concept.

The retrieved logs show that Gemini refused to comply in at least one case, when it was asked to build a self-spreading ‘agent-bomb,’ but this simply made the threat actor try out other tasks instead.

BleepingComputer has contacted Google for a comment on this example of Gemini CLI abuse, but no response has been received as of publishing. This incident highlights the potential risks and vulnerabilities associated with AI-powered tools and the need for robust security measures to prevent such abuses.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *