2 min read

Gemini CLI helped run an 8-device botnet

Trend Micro says a Russian hacker used Google’s Gemini CLI to manage an eight-system botnet at a dental clinic between April 21 and May 19 2026.

Image: TechRadar

A Russian threat actor known as “bandcampro” used Google’s Gemini CLI to help operate a small eight-device botnet inside a dental clinic, according to Trend Micro. The researchers reviewed 200 session logs covering April 21 to May 19 2026 and found the attacker interacting with the tool in plain conversational language.

Gemini CLI is an open-source AI command-line tool that lets developers work with Google’s Gemini models from a terminal. Trend Micro says the attacker persuaded the system to cooperate by claiming to be an “authorized pen tester.” The AI reportedly followed most instructions, though the researchers said it refused at least one request.

The main target was the clinic’s OpenDental database. Trend Micro says the attacker first used the AI to move the botnet to new command-and-control infrastructure, supplying a skill file that included architecture details, operating procedures, an infection one-liner, persistence commands, and troubleshooting steps.

According to the researchers, the attacker then told the AI to “study the C2 migration,” after which it processed the instructions and assembled the required code and steps in about six minutes.

“The AI read the migration guide, then prepared a migration bundle, a small archive of server code, payloads, and the skill file. It then unpacked the bundle, launched the C&C server on a VPS, and brought up the Cloudflare tunnel,”

Trend Micro

Trend Micro also says bandcampro used the tool for day-to-day tasks including troubleshooting connectivity, guessing passwords, and generating likely variations of existing passwords for WordPress portals.

Recommended reading

New Windows 11 zero-day targets user registry hives

The findings, first highlighted via BleepingComputer, add a concrete example of how general-purpose developer tools can be repurposed for offensive operations when safeguards are bypassed with simple social engineering.

Best antivirus software banner
Best antivirus software banner
Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via TechRadar

// Keep reading