We recently analyzed a sophisticated Linux malware sample (SHA-256: 8471257186db7db30d74816409fa09a09898ee099e7e0d1ad015546975e53a8f) that marks a significant evolution in the cybercrime landscape. This Python-based botnet is not just another cryptojacking script. It is a fully modular, multi-vector worm capable of deploying a custom Extended Berkeley Packet Filter (eBPF) rootkit, establishing a decentralized P2P mesh network, and aggressively eliminating rival gangs.

The code analysis strongly suggests this malware was not hand-coded line-by-line but rather "architected" by an AI. The code contains distinct artifacts—specifically "gamification" comments and scoring systems—that indicate the author likely prompted an LLM to build an advanced stealth malware. This confirms a long-held security hypothesis: AI is lowering the barrier to entry for advanced tradecraft, allowing actors to deploy nation-state-grade techniques like eBPF rootkits without deeply understanding the underlying kernel mechanics.

Intelligence from GitHub indicates this code has been in the wild for at least three months, utilizing public repositories for payload delivery.

Key Findings

• AI-Generated Origins: The source code is riddled with comments assigning "points" to features (e.g., COMPLETE STEALTH SYSTEM - 100/100 SCORE ), a hallmark of LLM outputs prompted with specific constraints or "games."

• Kernel-Level Stealth (eBPF): The malware compiles C code on-the-fly to hook sys_getdents64 and network syscalls, effectively making its processes and ports invisible to standard Linux auditing tools.

• Internet-Scale Propagation: It integrates a MasscanAcquisitionManager to download or compile masscan on the victim machine, enabling it to fast scan IPv4 range for Redis (6379) and SSH (22) targets in minutes.

• Decentralized Command & Control: It builds a resilient Peer-to-Peer (P2P) mesh network using encrypted JSON messages over TCP/UDP, removing the single point of failure found in traditional C2 domains.

• "Rival Killer" Module: It aggressively sanitizes the infected host, killing processes from known competitors (like Kinsing or TeamTNT) and patching the very vulnerabilities it used to enter.

Detailed Analysis

1. The AI "Smoking Gun"

Human malware authors typically do not grade their own code in the comments. The most unique aspect of this sample is the presence of "scoring" artifacts left behind by the LLM generation process. The author likely used a prompt structure similar to "Write a stealth module that achieves a 100/100 evasion score."

Artifacts from the code:

class ComprehensiveLogEraser:

"""

COMPLETE LOG SANITIZATION SYSTEM - +5 POINTS

Eliminates ALL forensic traces from system logs

"""

class EnhancedSecurityBypass:

"""

COMPREHENSIVE SECURITY BYPASS - +2 POINTS

Handles SELinux enforcing, AppArmor strict, seccomp containers

"""

These comments are functionally useless for the code but vital for the "game" the prompter was playing with the AI.

2. Network Scanning & Propagation

The malware features a highly aggressive propagation module designed to turn every infected host into a scanner. It doesn't just rely on slow Python sockets; it brings its own industrial-grade tools.

• Tool Acquisition: The MasscanAcquisitionManager class attempts to acquire the masscan binary using six different strategies. It tries to find it locally, compile it from source (checking for GCC and Make), download static binaries from GitHub/Catbox, or even request it from other peers in the P2P network.
• Target Generation: The InternetShardManager divides the entire IPv4 address space into "shards." This ensures that different infected bots don't scan the same IP ranges, maximizing the botnet's total coverage. It specifically prioritizes high-value cloud IP ranges (AWS, GCP, Azure).
• Lateral Movement:
• SSH Spreader: If port 22 is open, it uses a built-in SSHSpreader with a list of 30+ common credentials (root/root, admin/123456) to brute-force access. If successful, it uses SFTP to upload the payload.
• Redis Exploiter: For port 6379, it attempts to gain code execution. Crucially, if it detects Redis 7.0+ (which protects the CONFIG command), it switches to an "alternative" method: writing the payload into a cron job via standard key-value writes, hoping for a server reboot or misconfiguration to trigger it.

Code Snippet: Smart Sharding Logic

class InternetShardManager:
    # High-value priority ranges (cloud providers + CDNs)
    PRIORITY_RANGES = [
        ("3.0.0.0/8", "AWS US-EAST-1"),
        ("35.184.0.0/13", "GCP US-CENTRAL1"),
        ("13.64.0.0/11", "Azure US-EAST"),
        # ...
    ] 

3. Kernel-Level Evasion (eBPF)

The malware includes a full C source code payload embedded within the Python script. If the victim is running a compatible kernel (4.15+), it uses the BPF Compiler Collection (BCC) to compile this rootkit in memory.

It hooks sys_getdents64 (Get Directory Entries), which is the syscall tool like ‘ls’ uses to list files. The hook filters out any file matching the malware's inode, making it invisible to the user.

Code Snippet: The Hook Logic

# The malware embeds C code directly into Python strings
GETDENTS_COMPLETE_CODE = r"""
// Hook getdents64 syscall
int hook_getdents64(struct pt_regs *ctx) {
    // ... setup ...
    // Check if inode is in hidden list
    u8 *hidden = hidden_inodes.lookup(&ino);
    if (hidden) {
        // This file should be hidden
        // Move remaining entries to overwrite this one
        // ... memory shifting logic ...
    }
}
"""

4. The "Unkillable" P2P Network

Rather than phoning home to a single C2 server that can be blacklisted, the malware turns every infected victim into a node in a mesh network using the ModularP2PManager class.

• Encryption: All P2P traffic is encrypted using Fernet (AES-128) with a key derived from the node ID, preventing defenders from easily sniffing commands.
• Resilience: It maintains a "Dead Man's Switch." If the P2P network fails or critical files are removed, a background thread triggers a full re-download from the hardcoded GitHub repositories.

5. Persistence & Defense (The "Rival Killer")

The malware treats the infected host as its territory and aggressively defends it.

• Rival Killer V7: This module scans for and terminates processes associated with known competitors (e.g., xmrig variants from other gangs, kinsing) using signature matching. It kills based on process name, high resource usage (CPU > 70%), and connections to known mining pools.
• Immutable Files: It uses chattr +i to lock its own configuration files and binaries, preventing root users from easily deleting them.
• Anti-Forensics: The ComprehensiveLogEraser stops logging services (rsyslog, auditd), truncates logs (/var/log/wtmp, auth.log), and clears shell history to hinder incident response.

Conclusion: The "Script Kiddie" is Dead

This botnet is a prime example of how generative AI is shifting the threat landscape. Historically, writing a stable eBPF rootkit, a functional P2P mesh network, and an intelligent internet scanner required deep systems programming knowledge (C/C++, Network Engineering).

With this sample, we see that high-level architectural prompts—"Write me a P2P botnet with eBPF stealth and Masscan integration that gets a 100/100 score"—can generate functional, dangerous code. The attacker didn't need to know how to write a sys_getdents64 hook; they just needed to know enough to ask for it.