Trend Micro researchers have documented a case in which a threat actor tracked as “bandcampro” repurposed Google’s open-source Gemini CLI tool into a functional hacking agent, using it to build, operate, and migrate command-and-control infrastructure for a small botnet.

Across more than 200 sessions between May 19 and April 21, the attacker used the AI to control eight compromised systems inside a dental clinic and to gain access to the clinic’s OpenDental database. The agent was primed to believe it was an “authorized penetration tester,” a framing that stripped away safety disclaimers and led it to automatically save harvested credentials.

AI-driven infrastructure migration

The operation’s technical footprint was minimal: three plain-text files totaling roughly 5 KB contained a Gemini jailbreak prompt, a C2 playbook covering infection, persistence, and troubleshooting, and a migration guide. From a single instruction to “study the C2 migration,” Gemini CLI independently prepared a migration bundle, deployed a new command server on a VPS, configured a Cloudflare tunnel, and resolved reconnection failures after diagnosing conflicting traffic between old and new servers, completing the entire process in about six minutes.

Day-to-day, the actor managed the botnet purely through natural-language requests, asking which machines were online, listing files on infected hosts, and generating new infection links. The malware itself was described as unsophisticated, an in-memory Python HTTP server paired with PowerShell agents polling every five seconds, with persistence achieved through scheduled tasks, WMI events, or registry changes depending on available privileges. No obfuscation, packing, or evasion techniques were used.

Beyond the botnet

Trend Micro says the actor also leveraged the AI for password guessing against WordPress portals, generating plausible variants of known credentials, and for analyzing 1Password database dumps to identify exploitation paths. That latter effort reportedly failed only because the operation ran long enough that the AI lost track of the broader attack objective. In at least one instance, Gemini refused a request to build a self-propagating “agent-bomb,” though the actor simply moved on to other tasks.

BleepingComputer has contacted Google for comment on the abuse case but had not received a response at publication. The incident, disclosed by Trend Micro, underscores growing concern that agentic AI tools can be socially engineered into acting as capable, low-cost operators for real-world intrusions.