SOC Prime Bias: High

16 Jul 2026 14:19 UTC

Six Minutes to Compromise: AI-Built C2 Botnet Deployed by Patriot Bait

Author Photo
SOC Prime Team linkedin icon Follow
Six Minutes to Compromise: AI-Built C2 Botnet Deployed by Patriot Bait
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A Russian-speaking threat actor known as bandcampro used Google Gemini CLI to automate the migration and operation of a command-and-control botnet. The actor relied on AI to handle architecture design, code generation, deployment, and debugging, sharply reducing the amount of manual work required. In practice, the AI agent functioned as a primary offensive consultant, managing infrastructure and even proposing improvements without being explicitly asked.

Investigation

TrendAI Research reviewed more than 200 Gemini CLI session logs collected between March 19 and April 21, 2026. The investigation showed how the actor used plain-text “skill files” to train the AI to manage command-and-control infrastructure, including Cloudflare tunnels and VPS deployment. The logs also captured AI-assisted password cracking, credential abuse, and planning related to cryptocurrency fraud.

Mitigation

Defenders should prioritize behavioral detection over static indicators, since AI can quickly change file names, registry keys, and other observable artifacts. Important behaviors to monitor include repeated outbound polling, PowerShell execution from unusual locations, and WMI subscriptions created dynamically at runtime. Organizations should also enforce phishing-resistant multi-factor authentication to reduce the impact of AI-assisted credential attacks.

Response

If this threat is detected, responders should block identified command-and-control traffic at the network level and watch closely for reconnection attempts, as the actor can rebuild infrastructure quickly. Security teams should also hunt for suspicious PowerShell activity in %TEMP% and for svchost.exe running from non-standard paths. Rapid credential rotation and auditing of WMI event subscriptions are also recommended.

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary has gained initial access and aims to establish a persistent foothold. They download a malicious PowerShell script to %TEMP%win_update_svc_abc123.ps1. To blend in with web traffic, the script uses a common browser UserAgent. The script then executes a secondary stage, masquerading as svchost.exe, to perform background tasks. This directly hits the selection2 (PowerShell + specific temp path) and selection3 (UserAgent) logic of the rule.

  • Regression Test Script:

    # Simulation Script for Detection Validation
    $tempPath = "$env:TEMPwin_update_svc_test.ps1"
    $userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
    
    # 1. Create the 'malicious' script in the specific temp location
    "Write-Output 'Simulating Malicious Activity'" | Out-File -FilePath $tempPath -Encoding utf8
    
    # 2. Execute PowerShell with the specific required command line and UserAgent
    # We use Start-Process to simulate the command line arguments required by the rule
    $argList = "-ExecutionPolicy Bypass -File `"$tempPath`""
    
    # Note: Since UserAgent is often a field in web logs or specific EDR telemetry, 
    # we simulate the execution context that would populate the 'UserAgent' field in the detection logic.
    Start-Process powershell.exe -ArgumentList $argList -WindowStyle Hidden
    
    # To simulate the 'selection1' logic (svchost from Runtime), we attempt to launch svchost 
    # via a process that mimics the Windows Runtime environment if possible, 
    # otherwise, we trigger the PowerShell path which is the primary condition.
    Write-Host "Simulation command sent. Check telemetry for: $tempPath"
  • Cleanup Commands:

    # Cleanup Script
    Remove-Item -Path "$env:TEMPwin_update_svc_test.ps1" -Force -ErrorAction SilentlyContinue
    Write-Host "Cleanup complete."