Six Minutes to Compromise: How ‘Patriot Bait’ Actor Used AI to Build and Deploy a C&C Botnet

Even though the actor managed to jailbreak the AI agent and bypass its safety controls for the operations mentioned above, the guardrail was still triggered on some occasions.

Six Minutes to Compromise: How ‘Patriot Bait’ Actor Used AI to Build and Deploy a C&C Botnet

<div>Six Minutes to Compromise: How ‘Patriot Bait’ Actor Used AI to Build and Deploy a C&C Botnet</div>

Even though the actor managed to jailbreak the AI agent and bypass its safety controls for the operations mentioned above, the guardrail was still triggered on some occasions. In the instances where the AI safeguards were triggered and could not be worked around, the logs showed that the threat actor gave up and switched to prompt other tasks. 

Beyond the botnet

The C&C operation was only one part of a broader AI-assisted campaign documented in the session logs. TrendAI™ Research read over one month of Gemini CLI logs, which exposed a much broader set of intentions. 

The actor has effectively “employed” the AI model for daily operations such as the setup residential proxy, running multi-thread password scanning, installing software, writing code to call third party API, processing infostealer dumps, and even doing website reconnaissance. In practice, the AI functioned as a proactive technical collaborator in the actor’s operations. 

The logs also revealed that on multiple other occasions when guardrails were triggered, the AI agent provided friendly and helpful suggestions for the actor to manually work around it, as illustrated in Figure 6.

Password cracking

The actor used AI as a large-scale credential mutation engine. The actor drew on the AntiPublic credential database API, pulling every old and new password tied to a target email, then handing the list of passwords to the model to predict possible variants. 

These AI-generated guesses were more efficient than random guesses. They are fed into a brute-force tool for WordPress admin panels, and the actor actually had a few successes. 

Credential exploitation

In another case, the actor provided a 1Password dump, and the AI found which company the victim has access to,  and found a way to use Duo and the company’s VPN. It even figured out an internal admin panel. 

While the actor wasn’t successful in the end, it was only because the context window went too long, and the model failed to keep track of what they were doing. 

Cryptocurrency fraud planning

The actor also discussed with AI the feasibility of setting up a telephone-based cryptocurrency fraud scheme targeting elderly in the US and Canada. The actor had the AI hack into a big online eCommerce site with stolen cookies and develop a scamming bot based on psychological manipulations that were also recommended by AI. 

Conclusion and security recommendations

The article explained a real-world case where a C&C framework was built, deployed, and operated entirely through a generative AI coding agent. 

Across the full month of logs, the actor contributed 11% of text produced and the AI 89%, twelve times the actor’s word count. The actor provided strategic direction and functioned as a product manager, while the AI was his entire engineering team, handling 80% of architectural design, 100% of coding and system command execution, and 90% of problem diagnosis and debugging. During the C&C migration session alone, the AI made 59 unprompted suggestions or enhancements.

In the AI era, a successful criminal business no longer depends on skill and experience, and instead on the imagination, creativity, and how good a threat actor can work with AI agents. 

The portable skill-file model means this methodology will likely spread. The skill file is plain text, unlikely to be flagged by traditional malware scanners on its own, shareable on forums, and modifiable in seconds. It turns any capable AI coding agent into a C&C operator, if they can successfully persuade the built-in safety mechanisms in AI agents. It is the nature of instruction-following models to be agreeable and are therefore susceptible to human psychology tricks just to fulfill the prompts it is given. Even though Gemini was used in this case, any capable AI model could be fooled by various jailbreaking techniques. 

As AI continues to lower the cost and complexity of operating malicious infrastructure, it’s very likely that more AI-enabled malicious infrastructure will be seen in the future. 

Static defenses built around known indicators will not keep pace with an adversary who can regenerate any artifact on demand. The following defensive strategies address the underlying behaviors instead:

  • Prioritize behavioral detection over static indicators. AI can rotate filenames, registry keys, and API paths on demand. Focus on what stays constant: recurring outbound polling, PowerShell executing from non-standard locations, and WMI subscriptions created at runtime.
  •  
  • Harden credentials against AI-augmented password attacks. Enforce unique passwords, monitor employee credentials against breach databases, and require phishing-resistant multi-factor authentication.
  •  
  • Plan for rapid adversary recovery. A takedown is no longer the end of the operation. Pair any server removal with network-level blocking and ongoing monitoring for reconnection attempts.

The following behavioral indicators come from the source code of this specific botnet. Parameters in bold are easily changed by asking AI for a fresh version, but the underlying behavior pattern persists:

  • Fixed 5-second HTTP GET polling to /api/v1/update
  • Non-standard HTTP header carrying computer name and username
  • Browser-style User-Agent string sent from a PowerShell script
  • Svchost.exe running from a non-standard path (%APPDATA%MicrosoftWindowsRuntime)
  • WMI filter on Win32_PerfFormattedData_PerfOS_System
  • PowerShell downloading .ps1 to %TEMP%win_update_svc_*

TrendAI Vision One™ Threat Intelligence Hub 

TrendAI Vision One™ Threat Intelligence Hub provides the latest insights on emerging threats and threat actors, exclusive strategic reports from TrendAI™ Research, and TrendAI Vision One™ Threat Intelligence Feed in the TrendAI Vision One™ platform. 

Emerging Threats: Patriot Bait: How Solo Operator Automated Influence, Fraud, and Credential Theft with AI

TrendAI Vision One™ Intelligence Reports (IOC Sweeping)

IOC Sweeping link here.

TrendAI Vision One™ XDR Data Explorer App  

TrendAI Vision One™ customers can use the XDR Data Explorer App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.     

More hunting queries are available for TrendAI Vision One™ with Threat Intelligence Hub entitlement enabled.  

Indicators of Compromise 

Indicators of compromise can be found here.

About Author

What do you feel about this?

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.