Hacked Gemini AI Deploys New Botnet C2 Server in Six Minutes, Autonomously Fixes 502 Error
A compromised version of Google Gemini autonomously deployed a new command-and-control server for a botnet in six minutes, diagnosed a 502 Bad Gateway error, and restored connectivity to infected machines with almost no human technical input. The operator, operating under the alias bandcampro, merely described tasks in plain language while following the AI’s suggestions.
Specialists at TrendAI examined more than 200 Gemini CLI session logs covering the period from March 19 to April 21. According to their analysis, Gemini executed roughly 90 percent of all actions, while the human operator primarily supervised the process. The attacker used the AI to steal credentials and cryptocurrency, focusing on supporters of Donald Trump and adherents of conspiracy theories. Earlier operations by bandcampro involved using Gemini to impersonate a U.S. veteran, run Telegram channels, compromise administrator accounts, and drain digital wallets.
Session logs reveal that Gemini installed software, configured a residential proxy server, performed multi-threaded password spraying, processed data from infostealers, conducted website reconnaissance, and wrote code to interact with third-party APIs. The operator never typed technical commands; instead, bandcampro described required actions in ordinary conversational phrases.
The original botnet infrastructure relied on Cloudflare tunnels to reach compromised hosts. After security tools and network filters began blocking these connections, the attacker instructed Gemini to migrate the system to a new architecture. On March 23, Gemini received an archive containing server code, malicious files, and the instruction file SKILL.md. The model read the documentation, launched the management server on a virtual machine, and configured traffic forwarding.
When the file-distribution server returned a 502 Bad Gateway error, Gemini independently identified the root cause and corrected the misconfiguration. The entire migration process took six minutes. The new infrastructure successfully managed eight compromised computers belonging to a dental clinic and provided access to the Open Dental database. The human operator did not participate in troubleshooting and paused activity for nearly two hours.
Upon returning, the operator learned from Gemini that infected devices had not connected to the new server because both old and new control systems were running simultaneously. Following the AI’s recommendation, the attacker shut down the legacy server; Gemini then restarted the new system and confirmed successful reconnection of the bots.
TrendAI counted 59 actions performed by Gemini without explicit instructions during the infrastructure transfer. The company estimates that the AI designed 80 percent of the attack scheme, authored all code, executed every system command, and conducted 90 percent of the diagnostics.
To circumvent safety restrictions, bandcampro posed as an authorized security tester and requested that warning messages be disabled and discovered credentials be saved automatically. Gemini refused several requests, including the creation of a self-propagating network scanner designed to maximize the number of compromised machines.
The entire operational playbook fit into three text files totaling approximately four pages and 5 KB. One file contained jailbreak instructions, the second described the botnet management system, and the third outlined the six-step server migration procedure.
TrendAI researchers warn that such compact instruction sets dramatically lower the skill threshold required for cybercrime. Knowledge previously accessible only to experienced malware developers can now be stored in a small file and delegated to a powerful language model, enabling rapid reconstruction of command servers after takedowns. The problem is not limited to Gemini; similar bypass techniques could be applied to any sufficiently capable model unless developers impose stricter usage controls and behavioral monitoring.