Summary
- More than 200 session logs reportedly show Gemini CLI deploying a new command server and restoring botnet operations within minutes.
- The operator controlled eight computers at a dental clinic and used AI to inspect files, troubleshoot infrastructure, and reach an OpenDental database.
- Reusable instruction files allowed technical procedures to be stored and replayed during infrastructure changes.
Trend Micro researchers say a Russian-speaking threat actor used Google’s Gemini CLI as the principal interface for migrating, debugging, and operating a live command-and-control system connected to eight compromised computers.
The company analysed more than 200 Gemini CLI session logs associated with an actor it tracks as “bandcampro”. Activity recorded between 19 March and 21 April shows the operator providing instructions in Russian while the AI agent wrote code, deployed infrastructure, configured Cloudflare tunnels, diagnosed faults, and issued commands through the botnet.
The affected computers were located at a dental clinic and included access to an OpenDental database. According to the logs, the operator could ask which machines were online, request file listings from particular systems, and generate an infection link without interacting directly with a command console.
During one sequence, the actor asked the AI to study a migration guide describing the existing command-and-control environment. The agent assembled the required files, launched a new server on a virtual private server, configured a Cloudflare tunnel, and resolved deployment errors.
Trend Micro’s timeline indicates that the replacement server was operating six minutes after the initial instruction. When compromised systems failed to reconnect, the agent later diagnosed a split-routing problem between the old and new infrastructure and instructed the operator to close the former server.
The researchers estimate that the human operator performed 11 per cent of the work documented in the sessions. They also recorded 59 occasions on which the AI proposed operational improvements without a direct request.
Three plain-text files totalling approximately 5KB represented the command environment. They contained configuration instructions, a command-and-control playbook, migration procedures, persistence guidance, and prompts intended to frame the activity as authorised security testing.
Model safeguards operated in some sessions. Gemini reportedly refused a request to create a self-spreading mechanism, and the actor abandoned that particular task. Other activities involved in maintaining the compromised infrastructure were completed.
The Trend Micro investigation also describes use of the agent for password mutation, WordPress reconnaissance, processing credential material, and planning cryptocurrency fraud.
The findings are based on session logs obtained and interpreted by Trend Micro. Google has not publicly confirmed every conclusion, the operator’s identity remains unknown, and the botnet itself comprised eight known devices. The evidence does not establish the prevalence of similar AI-operated infrastructure across the wider threat landscape.
It does document an operating model in which specialist procedures can be stored inside compact instruction files and reused by an agent. Rebuilding a server, changing infrastructure, or diagnosing routine failures no longer requires the operator to retain every technical step or perform each command manually.
That repeatability can reduce the lasting effect of infrastructure disruption. Removing a command server still interrupts an operation and can produce evidence, but a replacement may be restored rapidly from the same deployment material. Filenames, network locations, and other indicators can also change whenever the instructions are rerun.
Detection therefore remains anchored in observable behaviour: repeated outbound polling, unusual PowerShell activity, persistence changes, new tunnels, and unexpected access to clinical databases. Those events remain visible regardless of whether the supporting code was written manually or produced during an AI session.
AI-service providers also need to assess activity across complete sessions. A single prompt may appear ambiguous, while a sequence involving file access, infrastructure deployment, command execution, and target interaction can reveal a coherent operational pattern.
The operator supplied the objectives, existing access, credentials, and configuration context. Gemini CLI performed much of the routine engineering and troubleshooting, allowing one person to maintain an intrusion through a conversational interface rather than a conventional administration console.



