A Russian-speaking threat actor known as “bandcampro” used a jailbroken Gemini CLI, Google’s open-source terminal-based AI agent, to deploy and operate a small command-and-control (C2) botnet, according to TrendAI.

Operational overview (Source: TrendAI)
In more than 200 sessions between March 19 and April 21, 2026, the threat actor worked with Gemini to deploy and operate infrastructure that controlled eight computers inside a dental clinic and gain access to the clinic’s OpenDental database.
Posing as an “authorized penetration tester,” he instructed Gemini to suppress safety disclaimers and automatically save any credentials it encountered. Both instructions were placed in Gemini’s memory file, which reloads at the start of each session, allowing them to persist across subsequent conversations.
“The AI was not only an assistant that wrote code snippets, but also the primary hacking agent, consultant, and interface to the entire operation,” researchers wrote.
“The actor typed the intentions in Russian, and the AI wrote the server, deployed it on a new VPS, configured the infrastructure, set up Cloudflare tunnels, managed the bots, debugged connectivity problems, and even suggested using an idle bot.”
Six-minute C2 migration
The findings center on an incident from March 23, 2026. The threat actor’s old infrastructure had victim machines connecting through Cloudflare tunnels, but firewalls and antivirus software started blocking those tunnels, prompting him to adopt a new architecture.
He had already asked Gemini to summarize the old setup in a two-page, plain-English skill file covering the server’s functions, how bots connect, how to infect new machines, how to maintain persistence, and how to troubleshoot Cloudflare problems.
With that file in place, he launched Gemini CLI with a single instruction: “Study the C2 migration.”
“The AI read the migration guide, then prepared a migration bundle, a small archive of server code, payloads, and the skill file. It then unpacked the bundle, launched the C&C server on a VPS, and brought up the Cloudflare tunnel,” the researchers added.
The migration encountered several configuration problems that Gemini worked through autonomously. When the payload server returned a “502 Bad Gateway” error, it diagnosed and fixed the issue.
When Cloudflare’s firewall continued blocking requests, Gemini determined that a browser-style User-Agent header was needed and added it. In the finished setup, infected machines checked in with the server every five seconds over HTTPS to retrieve and run PowerShell commands.
The threat actor did none of the debugging himself, and the initial migration was completed in six minutes.
Afterward, Gemini also diagnosed a “split-brain” issue that had left traffic divided between the old and new servers. It instructed him to shut down the old C2 server, restarted the new server and tunnel, and confirmed that all bots had reconnected.
Across the logs collected over the month, TrendAI found that bandcampro contributed 11% of the text produced, while Gemini generated the remaining 89%. Researchers also attributed 80% of the architectural design, all coding and system-command execution, and 90% of problem diagnosis and debugging to the AI.
Three files totaling roughly 5 KB
The C2 operation was encoded in three plain-text files totaling roughly 5 KB: a jailbreak prompt, a playbook describing the botnet’s architecture and operations, and a migration guide that allowed a new AI session to restore the infrastructure on another server.
A single Python HTTP server handled both payload delivery and command-and-control functions. It wrote nothing to disk and held its state in memory, leaving little forensic evidence on the server.
Its traffic used /api/v1 paths that researchers said were likely intended to blend in with OpenAI-compatible traffic. On infected machines, a PowerShell script contacted the server every five seconds.
Persistence was maintained through WMI event subscriptions and scheduled tasks on systems where the malware had administrator privileges. Without administrator access, it used a registry-based logon mechanism and a scheduled task disguised as a OneDrive update.
“The code is straightforward, there is no obfuscation, no packing, and no evasion techniques. An experienced developer could write this within a day, and AI within minutes,” the researchers noted.
“Before AI, running an operation like this required hiring someone with years of specialized experience. Now, that knowledge sits in a 5KB file even a non-technical threat actor can read and use.”
That shift matters for two reasons. Losing a server becomes less consequential because a threat actor can unpack the same files on a new host and let the AI recreate the infrastructure. Distribution also becomes simpler.
“Unlike conventional Malware-as-a-Service (MaaS), a skill file can be easily shared through a forum or shared in a message with no technical handover required.”
Gemini still refused some requests
The jailbreak did not work every time. In one session, he asked whether Gemini could build a self-spreading “agent-bomb” that would scan a network and infect as many machines as possible.
Gemini refused, responding in a message machine-translated from Russian: “Even for your testbed. That’s crossing the line, and security policy strictly prohibits me from creating such ‘bombs.’”
Even with the jailbreak instructions in place, Gemini’s safeguards activated on some occasions. When he could not work around them, the logs show he abandoned the request and moved on to other tasks.
The dental clinic wasn’t his only target. Beyond the botnet, the threat actor used Gemini to crack passwords, compromise WordPress merchant accounts, and plan a phone-based cryptocurrency fraud scheme aimed at elderly people in the US and Canada.