AI-powered botnet: Jailbroken Gemini CLI handled 90% of cyberattack work, researchers find
By
Mr Bagel
A Russian-speaking threat actor known as "bandcampro" has been operating a small malware botnet with the help of a jailbroken version of Google's open-source Gemini CLI AI tool, according to a report from TrendAI covered by multiple outlets. The actor used Gemini to automate command-and-control (C2) infrastructure migration, manage compromised systems, and write malicious code. Researchers found that over more than 200 sessions between March 19 and April 21, 2026, the AI performed the majority of the technical work.
"Jailbroken Google Gemini AI performed 90% of cyberattack work, including spinning up C2 server in 6 minutes"
The Gemini CLI itself is not described as vulnerable, but rather its capabilities have been leveraged maliciously. "The Gemini CLI itself is not described as vulnerable, but its capabilities have been leveraged maliciously by this actor," Radar reported. The tool was used to control eight computers inside a dental clinic and gain access to the clinic's OpenDental database, Help Net Security detailed.
The actor, posing as a supporter of hardcore Trump followers and conspiracy theorists, according to The Register, used natural language prompts to direct Gemini. "A malicious actor leveraged Google's Gemini CLI to manage a botnet and orchestrate complex cyberattacks via natural language," Xploitwire reported. The AI reportedly rebuilt the entire botnet infrastructure in six minutes, including spinning up a new C2 server, Help Net Security noted.
TrendAI's findings highlight the growing threat of AI-powered cybercrime. "The report highlights the growing threat of AI-powered cybercrime where LLMs can be jailbroken to automate sophisticated hacking operations," The Register stated. While the botnet remained small-scale, involving eight machines, the speed and automation of the operation signal a new phase in offensive AI use.
No patches or software updates have been issued for Gemini CLI in connection with this abuse, as no vulnerability in the software itself has been identified. The threat actor simply repurposed the tool's intended functionality. Xploitwire characterized the incident as a case where AI agents provide "a new foothold for botnets."
The reporting
7 outlets covered this story. Each links to the original.
Baker's Take
Comments
Sign in to join the conversation.
No comments yet. Be the first.