Jailbroken Gemini spun up new C2 server for Russian fraudster in just 6 minutes

speckx1 pts0 comments

'The bots are alive!' Jailbroken Gemini spun up new C2 server for Russian fraudster in just 6 minutes

Jump to main content

Search

REG AD

RESEARCH

'The bots are alive!' Jailbroken Gemini spun up new C2 server for Russian fraudster in just 6 minutes

Human did 10% of the job,<br>AI did 90%

Jessica Lyons

Jessica<br>Lyons

Cybersecurity Editor

Published<br>tue 14 Jul 2026 // 13:15 UTC

EXCLUSIVE A jailbroken Google Gemini did 90 percent of the work in a credential- and cryptocurrency-stealing spree, including spinning up a new command-and-control (C2) server in just six minutes, according to a TrendAI report shared exclusively with The Register.<br>The human behind the heist – a solo Russian-speaking miscreant known as “bandcampro” – acted as the manager of the cyber-fraud operation, which targeted hardcore Trump supporters and conspiracy theorists.<br>Meanwhile, the AI agent did most of the hacking: migrating a botnet from an old architecture to a new one, writing and deploying a new C2 server, and even proactively carrying out 59 unprompted behaviors during the C2 migration.

REG AD

“Persistence is evolving because of AI,” Tom Kellermann, TrendAI’s VP of AI security and threat research, told The Register.

REG AD

“That's what you see in this report, with the capacity to dynamically shift C2 in less than six minutes, and make it portable and disposable, which is crazy-cool and terrifying," he added. "But also, you see the rebirth of steganography through invisible prompt injection.” In other words, it's hiding secret data – in this case, the C2 server malicious payloads – in plain sight.<br>Scanning for known malicious artifacts doesn't provide sufficient protection against AI-enabled C2, according to Kellermann.<br>“If AI does not have multi-layered guardrails, and if you can't detect behavioral anomalies when the guardrails are being tampered with, then you might as well see the AI as a command-and-control in today's world,” he said. “AI has to be viewed from a defensive perspective as a C2 unless you can govern it, actually apply various mechanisms of least privilege, and all the rules that OWASP and NIST espouse for the AI that you've deployed in your environment.”<br>The new report follows up on TrendAI’s earlier research about bandcampro, a “low-skilled” scumbag who partnered with Gemini to impersonate an American veteran, run a Telegram channel, hack admin credentials, and steal cryptocurrency.<br>Since then, the threat hunters obtained and analyzed more than 200 Gemini CLI session logs from said scumbag, and these logs provided additional insights into the daily AI-assisted operations between March 19 and April 21.

Bro, I solved the riddle! I was almost racking my brain, trying to figure out why our local console is empty

Google Gemini

The LLM carried out the bulk of the daily activities, setting up a residential proxy, running multithreaded password scanning, installing software, writing code to call third-party APIs, processing infostealer dumps, and performing website reconnaissance.<br>The logs show that the attacker never typed commands into the C2 console, but instead spoke them to the AI in conversational Russian, which the TrendAI report translates to English.<br>The attacker’s old C2 infrastructure used a Cloudflare tunnel to connect to victims’ computers – until firewalls and anti-virus software started blocking these tunnels. So bandcampro asked Gemini to work on a new C2 architecture and have the scripts prepared and packed in advance on the server.

REG AD

Hey, Gemini: 'study the C2 migration'<br>“It was very creative on his part, not only to allow the manifest that the AI can conduct 59 unprompted behaviors, but they also left scripts prepared and packed in advance on C2 servers, where the victims unknowingly pulled down and ran PowerShell commands because they had AI enabled,” Kellermann said. “It's almost like he poisoned the environment in a delayed fashion.”<br>On March 23, the attacker launched Gemini CLI, and instructed the AI to "study the C2 migration” – a SKILL.md file migration guide inside a pre-written archive that also contained server code and payloads. This, we’re told, was most likely written by AI.<br>The AI read the guide, launched the C2 server on a VPS, and launched the Cloudflare tunnel to route traffic. The payload distribution server returned a “502 Bad Gateway” error, and the AI diagnosed and fixed the issue, ultimately deploying the C2 infrastructure to control eight computers in a dental clinic and access the Open Dental database.<br>The human didn’t debug anything, and the entire C2 migration took just six minutes. The attacker took a break.

MORE CONTEXT

A Russian speaker and jailbroken Gemini went on a hacking spree and emptied at least one MAGA victim's crypto wallets

Bug in top AI coding agents shows that Unix-era security headaches never really die

Smooth AI criminal drives 'first' end-to-end agentic ransomware attack

It's looking like a hot, messy summer for security teams as AI...

gemini server russian minutes jailbroken migration

Related Articles