2 min read

Gemini CLI helped run an 8-device botnet

Trend Micro says a Russian hacker used Google’s Gemini CLI to manage an eight-system botnet at a dental clinic between April 21 and May 19, 2026.

Image: TechRadar

A Russian-speaking threat actor known as “bandcampro” used Google’s Gemini CLI to help operate a small eight-device botnet tied to a dental clinic, according to Trend Micro. The researchers reviewed 200 session logs covering April 21 to May 19, 2026 and found the attacker issuing conversational instructions while presenting himself to the tool as an “authorized pen tester.”

Trend Micro said the attacker used Gemini CLI — an open source AI command-line tool for interacting with Google’s Gemini models from a terminal — to support both infrastructure work and day-to-day offensive tasks. The main target appeared to be the clinic’s OpenDental database.

One of the clearest examples was a C2 migration. According to Trend Micro, the hacker supplied a skill file containing the botnet architecture, operating procedures, infection one-liner, persistence commands, and troubleshooting guidance, then told the tool to “study the C2 migration.” The researchers said the system prepared the required code and steps in about six minutes.

“The AI read the migration guide, then prepared a migration bundle, a small archive of server code, payloads, and the skill file. It then unpacked the bundle, launched the C&C server on a VPS, and brought up the Cloudflare tunnel,”

Trend Micro

Trend Micro also found the attacker using the tool to troubleshoot connectivity problems and assist with routine operations, including guessing passwords and generating plausible variations of existing credentials for WordPress portals. The researchers noted that the system did refuse at least one request, but the logs still show how easily a general-purpose terminal assistant can be repurposed when a threat actor frames the work as legitimate security testing.

Via BleepingComputer

Recommended reading

One in six PCs still run Windows 10

Best antivirus software header
Best antivirus software header
Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via TechRadar

// Keep reading