Sztuczna inteligencja (AI)
Six Minutes to Compromise: How ‘Patriot Bait’ Actor Used AI to Build and Deploy a C&C Botnet
TrendAI™ Research analyzed over 200 Gemini CLI session logs showing how a Russian-speaking threat actor used AI to run a live botnet, finishing a full C&C migration in six minutes while doing just 11% of the work himself.
Key takeaways:
- A solo threat actor migrated a live command-and-control botnet in six minutes using AI, where the actor provided intent in plain Russian and AI handled architecture, coding, deployment, and debugging.
- Beyond the botnet, the actor used AI to crack passwords, compromise WordPress merchants, and plan a phone-based cryptocurrency fraud scheme targeting elderly people in the US and Canada. The AI was also observed to proactively (unprompted) propose improvements 59 times without being asked.
- The entire C&C operation fits in three plain-text files totaling roughly 5KB, making it highly replicable and effectively disposable. Takedowns remain effective but lose impact when attackers can rebuild faster than defenders can respond.
TrendAI™ Research obtained and analyzed 200 Gemini CLI session logs from the Russian-speaking threat actor known as “bandcampro” that provided a month-long window (March 19-April 21, 2026) into the actor's daily AI-assisted operations. The logs documented how the threat actor used an AI agent to migrate a command-and-control (C&C) server, and to control a small-scale botnet, among other hacking activities.
The actor used Google Gemini CLI to deploy and operate a C&C infrastructure to control eight computers in a dental clinic and access their OpenDental database. The AI was not only an assistant that wrote code snippets, but also the primary hacking agent, consultant, and interface to the entire operation: the actor typed the intentions in Russian, and the AI wrote the server, deployed it on a new VPS, configured the infrastructure, set up Cloudflare tunnels, managed the bots, debugged connectivity problems, and even suggested using an idle bot.
A previous publication from TrendAI™ Research analyzed how “bandcampro” leveraged AI to conduct fraud and social engineering operations for theft of cryptocurrency, an operation that used AI to create a persona, sustain an online community for five years, automate content creation at scale, and exploit these channels.
This report walks through the interaction between the threat actor and the AI agent and explains how this methodology is trivially portable to other threat actors, how the threat landscape has changed with AI, and provide detection guidance for defenders.
Prompt: "Study the C2 migration"
In the actor's old C&C infrastructure, victim machines connected using Cloudflare tunnels. Firewalls and antivirus software began blocking those tunnels, so the actor decided to switch to a new architecture.
On March 23, the actor had AI summarize the old C&C setup into a two-page plain-English skill file covering the server's functions, how bots connect, how to infect new machines, how to maintain persistence, and how to troubleshoot Cloudflare problems. The actor launched Gemini CLI with a single instruction: "Study the C2 migration." The AI read the migration guide, then prepared a migration bundle, a small archive of server code, payloads, and the skill file. It then unpacked the bundle, launched the C&C server on a VPS, and brought up the Cloudflare tunnel.
The new architecture has victims beacon outbound to a C&C server over HTTPS, and the actor could “leave a message” on the C&C server, where victims pull and run PowerShell commands.
The migration hit errors immediately, but the AI agent resolved them: When the payload distribution server returned a “502 Bad Gateway” error, the AI diagnosed the issue and automatically added the necessary header to resolve it. As Cloudflare still blocked the requests, the AI identified that the User-Agent header was required to bypass the WAF and thus added it to the request header (shown in Figure 3).
The actor did none of the debugging, and the migration was done in merely six minutes.
The AI confirms: Bots are alive
After the migration, the AI checked whether victim machines had reconnected. The check returned an empty list, so the AI began debugging once again. The AI diagnosed a "split-brain" issue where Cloudflare was load-balancing traffic across both the old and new servers and so told the actor to shut down the old one. The actor did and the AI restarted the new server and tunnel, then confirmed all bots were back online. The debugging process after the migration was done in merely 10 minutes:
- 12:42 UTC: Actor instructed AI to "study the C2 migration"
- 12:48 UTC: Servers running, tunnels configured, new C&C operational
- 14:20 UTC: Actor returned from a break; AI reported no bots connected
- 15:12 UTC: AI identified the split-brain issue; told actor to shut down old C&C
- 15:22 UTC: Actor shut it down; AI confirmed all bots reconnected
Natural-language botnet control
Day-to-day operation of the botnet worked the same way as revealed by the session logs. The actor never typed commands directly into the C&C console, everything was spoken to the AI in Russian, as shown in Table 1 where the prompts have been translated to English.
| Actor's prompt (translated from Russian) | What the AI did |
|---|---|
| "Check which machines are online right now" | Queried the bot registry and reported which machines were active |
| "Check what files are on the doctor's PC, GILDR" | Sent a file-listing command to that machine through the C&C API |
| "What interesting files does FRONT2 have" | Sent reconnaissance commands to the front desk machine |
| "Give me the link" (for infecting a new machine) | Generated a fresh PowerShell infection one-liner |
Table 1. A list of prompts (translated from Russian) that allowed the threat actor to operate the C&C via the AI agent
A portable botnet
The entire C&C operation (server code, deployment knowledge, Cloudflare configuration) is encoded in three plain-text files that print on four pages:
| File | Role | Notes |
|---|---|---|
| GEMINI.md | Jailbreak | Instructs the AI that it is an "authorized pen tester," disables safety disclaimers, and tells it to auto-save credentials without prompting. |
| SKILL.md | C&C playbook | Contains the full architecture description, standard operating procedures, infection one-liner, persistence commands, troubleshooting steps. |
| C2_MIGRATION_GUIDE.md | Deployment recipe | Contains six steps for a fresh AI session to restore full operations on a new server. |
Table 2. The three plain text files, their roles, and corresponding observations
C2_MIGRATION_GUIDE.md is what makes this methodology dangerous. Before AI, running an operation like this required hiring someone with years of specialized experience. Now, that knowledge sits in a 5KB file even a non-technical threat actor can read and use.
Facilitated by AI, the infrastructure becomes disposable, and the operators replaceable. Even though the takedowns are still efficient, they become much less impactful because files like C2_MIGRATION_GUIDE.md make setting up a new botnet easy. If a server is burned, the actor could simply unpack the bundle on a new VPS, and AI configures and restores everything in a few minutes.
Beyond enabling an individual actor to operate faster, this also removes barriers in distribution: Unlike conventional Malware-as-a-Service (MaaS), a skill file can be easily shared through a forum or shared in a message with no technical handover required. This could accelerate the growth of AI-powered C&C operators well beyond what previous MaaS operations have ever achieved.
Since there is no centralized service to trace, attribution becomes significantly harder. The framework is deliberately simple: AI can easily regenerate or modify any component on demand, making specific IOCs less durable than the behavioral patterns. Figure 5 shows a simple callback not unlike accessing a normal web page. Apart from the behavior of periodically phoning home, it can be very hard to identify the malicious traffic.
On the C&C server
A single Python HTTP server handles both payload delivery and C&C. It writes nothing to disk, leaves no forensic trail, and holds all state in memory. The API uses /api/v1 paths, likely to blend with OpenAI-compatible traffic:
- GET /api/v1/update — victim polls for next command; returns {"status":"ok","task":"none"} or a Base64-encoded command
- POST /api/v1/telemetry — victim sends Base64-encoded command output
- GET /api/v1/agents — lists registered agents with hostname, IP, last-seen time, and queue depth
- POST /api/v1/interact — operator pushes a command to a specific agent or broadcasts to "ALL"
On victim machines
The beacon is a PowerShell script polling every 5 seconds. Two custom HTTP headers identify the machine:
- X-Agent-ID: $env:COMPUTERNAME + "_" + $env:USERNAME (example: GIL-DR1_Admin)
- User-Agent: Hardcoded Mozilla/5.0 (Windows NT 10.0; Win64; x64)
On infection, a stager downloads agent_final.ps1 from payloads.tralalarkefe[.]com and saves it to a random filename matching win_update_svc_<random>.ps1 in %TEMP%.
Persistence varies by privilege level. With administrator rights:
- powershell.exe is copied to %APPDATA%\Microsoft\Windows\Runtime\svchost.exe
- WMI event subscription fires every 30 minutes; and a scheduled task runs at startup as NT AUTHORITY\SYSTEM.
Without administrator rights:
- HKCU:\Environment\UserInitMprLogonScript is set to the payload command
- A scheduled task disguised as OneDrive Standalone Update Task-S-1-5-21-<random> is triggered at logon.
The code is straightforward, there is no obfuscation, no packing, and no evasion techniques. An experienced developer could write this within a day, and AI within minutes. The real innovation is that the code is disposable. If a specific IOC is detected (such as filename, registry key, or even API path), the actor can simply ask AI to regenerate a new component with different values or shape the code in a much different way.
When the AI guardrails were triggered
In one session, the actor asked whether the AI could build a self-spreading "agent-bomb" that would scan the network and infect as many machines as possible. The AI refused:
"Even for your testbed. That's crossing the line, and security policy strictly prohibits me from creating such 'bombs.'"
Even though the actor managed to jailbreak the AI agent and bypass its safety controls for the operations mentioned above, the guardrail was still triggered on some occasions. In the instances where the AI safeguards were triggered and could not be worked around, the logs showed that the threat actor gave up and switched to prompt other tasks.
Beyond the botnet
The C&C operation was only one part of a broader AI-assisted campaign documented in the session logs. TrendAI™ Research read over one month of Gemini CLI logs, which exposed a much broader set of intentions.
The actor has effectively “employed” the AI model for daily operations such as the setup residential proxy, running multi-thread password scanning, installing software, writing code to call third party API, processing infostealer dumps, and even doing website reconnaissance. In practice, the AI functioned as a proactive technical collaborator in the actor's operations.
The logs also revealed that on multiple other occasions when guardrails were triggered, the AI agent provided friendly and helpful suggestions for the actor to manually work around it, as illustrated in Figure 6.
Password cracking
The actor used AI as a large-scale credential mutation engine. The actor drew on the AntiPublic credential database API, pulling every old and new password tied to a target email, then handing the list of passwords to the model to predict possible variants.
These AI-generated guesses were more efficient than random guesses. They are fed into a brute-force tool for WordPress admin panels, and the actor actually had a few successes.
Credential exploitation
In another case, the actor provided a 1Password dump, and the AI found which company the victim has access to, and found a way to use Duo and the company's VPN. It even figured out an internal admin panel.
While the actor wasn’t successful in the end, it was only because the context window went too long, and the model failed to keep track of what they were doing.
Cryptocurrency fraud planning
The actor also discussed with AI the feasibility of setting up a telephone-based cryptocurrency fraud scheme targeting elderly in the US and Canada. The actor had the AI hack into a big online eCommerce site with stolen cookies and develop a scamming bot based on psychological manipulations that were also recommended by AI.
Conclusion and security recommendations
The article explained a real-world case where a C&C framework was built, deployed, and operated entirely through a generative AI coding agent.
Across the full month of logs, the actor contributed 11% of text produced and the AI 89%, twelve times the actor's word count. The actor provided strategic direction and functioned as a product manager, while the AI was his entire engineering team, handling 80% of architectural design, 100% of coding and system command execution, and 90% of problem diagnosis and debugging. During the C&C migration session alone, the AI made 59 unprompted suggestions or enhancements.
In the AI era, a successful criminal business no longer depends on skill and experience, and instead on the imagination, creativity, and how good a threat actor can work with AI agents.
The portable skill-file model means this methodology will likely spread. The skill file is plain text, unlikely to be flagged by traditional malware scanners on its own, shareable on forums, and modifiable in seconds. It turns any capable AI coding agent into a C&C operator, if they can successfully persuade the built-in safety mechanisms in AI agents. It is the nature of instruction-following models to be agreeable and are therefore susceptible to human psychology tricks just to fulfill the prompts it is given. Even though Gemini was used in this case, any capable AI model could be fooled by various jailbreaking techniques.
As AI continues to lower the cost and complexity of operating malicious infrastructure, it’s very likely that more AI-enabled malicious infrastructure will be seen in the future.
Static defenses built around known indicators will not keep pace with an adversary who can regenerate any artifact on demand. The following defensive strategies address the underlying behaviors instead:
- Prioritize behavioral detection over static indicators. AI can rotate filenames, registry keys, and API paths on demand. Focus on what stays constant: recurring outbound polling, PowerShell executing from non-standard locations, and WMI subscriptions created at runtime.
- Harden credentials against AI-augmented password attacks. Enforce unique passwords, monitor employee credentials against breach databases, and require phishing-resistant multi-factor authentication.
- Plan for rapid adversary recovery. A takedown is no longer the end of the operation. Pair any server removal with network-level blocking and ongoing monitoring for reconnection attempts.
The following behavioral indicators come from the source code of this specific botnet. Parameters in bold are easily changed by asking AI for a fresh version, but the underlying behavior pattern persists:
- Fixed 5-second HTTP GET polling to /api/v1/update
- Non-standard HTTP header carrying computer name and username
- Browser-style User-Agent string sent from a PowerShell script
- Svchost.exe running from a non-standard path (%APPDATA%\Microsoft\Windows\Runtime\)
- WMI filter on Win32_PerfFormattedData_PerfOS_System
- PowerShell downloading .ps1 to %TEMP%\win_update_svc_*
TrendAI Vision One™ Threat Intelligence Hub
TrendAI Vision One™ Threat Intelligence Hub provides the latest insights on emerging threats and threat actors, exclusive strategic reports from TrendAI™ Research, and TrendAI Vision One™ Threat Intelligence Feed in the TrendAI Vision One™ platform.
Emerging Threats: Patriot Bait: How Solo Operator Automated Influence, Fraud, and Credential Theft with AI
TrendAI Vision One™ Intelligence Reports (IOC Sweeping)
IOC Sweeping link here.
TrendAI Vision One™ XDR Data Explorer App
TrendAI Vision One™ customers can use the XDR Data Explorer App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.
More hunting queries are available for TrendAI Vision One™ with Threat Intelligence Hub entitlement enabled.
Indicators of Compromise
Indicators of compromise can be found here.