Mycelium Framework: First Ever Witnessed AI-as-a-Service Botnet

July 07, 2026

By Assaf Morag, Cybersecurity Researcher 

At first glance, the single underground advertisement looks like another over-engineered botnet sales post: cross-platform execution, encrypted command-and-control, persistence, defense evasion, exploit modules, credential theft, and lateral movement. 

None of these capabilities are particularly new, and most have been observed in botnet campaigns over the past decade. The novelty is not how the framework compromises systems, but rather what it claims to do with them after compromise.

Rather than treating infected machines as disposable bots, the framework describes a capability-aware platform that classifies compromised systems according to their available resources (including CPU, GPU, local AI models, stolen AI API keys, browser sessions, and enterprise credentials) and dynamically assigns workloads such as AI inference, password cracking, reconnaissance, exploit development, and automated social engineering. 

If implemented as described, this Mycelium Framework represents a shift from traditional botnet monetization toward AI-as-a-Service, namely a malicious AI compute platform built entirely on compromised infrastructure.

Threat Intelligence

Track Emerging Malware Frameworks Before They Target Your Infrastructure

Flare monitors underground forums and dark web markets where frameworks like Mycelium are advertised and sold: surfacing new exploit tooling, stolen API keys, and credential theft operations so your team can detect and respond before compromised infrastructure becomes someone else’s compute cluster.

Underground advertisement and exploit marketplace monitoring
Stolen credential and API key detection across stealer logs

Key Findings About the AI-as-a-Service Botnet

  • Mycelium framework is the first underground offering we have observed that explicitly positions a botnet as an AI-as-a-Service platform rather than simply a tool for DDoS, spam, ransomware deployment, or credential theft.
  • Rather than describing a simple malware implant, the framework advertises a modular enterprise-grade architecture: production-grade C++ platform built around modular plugins supporting exploitation, persistence, browser forensics, distributed computing, reconnaissance, AI services, and autonomous operations.
  • Although the threat actor provides no source code or proof-of-execution, nearly every individual capability (including enterprise exploitation, persistence, browser credential theft, defense evasion, lateral movement, IRC-based command-and-control, and distributed task scheduling) has been documented previously in malware campaigns and most capabilities are technically credible. The novelty lies in their integration rather than their individual implementation.
  • Compromised systems become computational assets. Instead of treating infected hosts as disposable bots, the framework classifies systems according to available CPU, GPU, browser sessions, AI API access, local language models, and enterprise credentials, allowing workloads to be dynamically assigned based on each node’s capabilities.
  • AI is only one workload. While the advertisement emphasizes distributed AI inference, the same architecture also supports password cracking, Internet-scale reconnaissance, exploit validation, automated social engineering, vulnerability research, and distributed task execution, effectively transforming the botnet into a malicious compute cluster.
  • The framework mirrors legitimate distributed computing platforms. Features such as capability-aware scheduling, workload prioritization, resource management, failover, retries, and dynamic module loading closely resemble concepts found in enterprise cloud orchestration and high-performance computing systems, but repurposed for malicious operations.

What is a Malicious Botnet?

Botnets for malicious purposes are popular and widely offered in the underground. Some had leaked and can be found on GitHub (like Mirai) and some were specifically developed for a specific usage. 

The anatomy of a traditional botnet is relatively straightforward. Threat actors first obtain initial access by exploiting vulnerabilities, abusing exposed services, or leveraging misconfigurations to deploy a malicious client on the victim’s system. Once installed, the client establishes communication with a centralized command-and-control (C2) server while implementing persistence and defense evasion mechanisms to maintain long-term access and avoid detection. After a stable foothold has been established, the compromised infrastructure enters the monetization phase.

Historically botnets were monetized through sending spam, launching DDoS attacks, stealing credentials, deploying ransomware, proxying malicious traffic, or mining cryptocurrency.  Newer services offer computational  power and password cracking. 

This is the first time, however, we have seen a recorded offer to provide distributed AI computation via botnet. As AI increases demand for compute, API access, automation, and scalable inference, compromised machines can become more valuable as a distributed resource pool than as one-time access points.

The analyzed advertisement captures that shift as it describes a framework that combines traditional botnet functionality with a distributed computing layer and an AI task-routing system. In practical terms, the operator is not merely selling a malware implant. They are describing a platform that can exploit systems, persist on them, evaluate their capabilities, and then assign them work based on what they can provide: CPU, RAM, GPU access, local language models, browser sessions, stolen API keys, messaging tokens, or enterprise credentials.

Technical Architecture: A Modular Botnet Built Like a Platform

The framework is described as a cross-platform C++ system with native execution paths for Windows and Linux. The Windows side references WinAPI and COM interfaces, while the Linux side references POSIX and syscall-oriented design. 

Mycelium advertisement in a forum (Flare link to post, sign up for the free trial to access if you aren’t already a customer)

The architecture is plugin-based, with a core loader that initializes the environment and dynamically loads modules such as AI, browser extraction, exploits, grid computing, networking, rootkit behavior, scanning, and kernel-oriented Linux components. This separation is important operationally. It means a compromised host can be configured for different roles. 

Below is a list of core features and capabilities:

Encrypted Command-and-Control as an Operator Interface

The framework utilizes an IRC-based command-and-control (C2) infrastructure with AES-256 encrypted configuration files and communications. Centralized tasking enables operators to coordinate large numbers of compromised systems while protecting operational communications from interception and analysis.

The advertisement includes an operator-facing command interface organized by functional area: 

  • System control
  • Module loading
  • Shell execution
  • AI operations
  • AI social-engineering tasks
  • AI exploit execution
  • Worm control
  • Flooding
  • Scanning
  • Cracking
  • Browser scraping
  • Loot collection

The C2 interface gives the operator access to the same layers described above: node management, module orchestration, AI tasking, grid computation, exploitation, propagation, and data extraction.

IRC-based C2 is well documented among actors targeting organizational applications such as TeamTNT. Zscaler even wrote a blog about the usage of IRC by botnets, “IRC-based C2 is technically credible”, including: IRC botnets, including DorkBot, RageBot, Phorpiex, and IRCBot.HI. Thus this functionality seems reasonable.

Core Loader and Modular Architecture

At the heart of the framework is a modular core loader capable of dynamically loading specialized plugins for AI, browser forensics, exploitation, distributed computing, networking, reconnaissance, and rootkit functionality. This plugin-based architecture allows operators to continuously expand or replace functionality without redeploying the malware, making the framework significantly easier to maintain and evolve over time.

Production-Grade Engineering Features

The advertisement offers mature software engineering features such as error handling, thread safety, rollback behavior, idempotent persistence operations, dynamic module loading, signature verification, and RAII resource management. This doesn’t necessarily look like marketing-oriented language but rather a testimonial to the product’s features.

Resource Acquisition Is Initialization, or RAII, is a C++ programming pattern that binds the lifecycle of a resource to the lifecycle of an object. Memory, handles, sockets, files, locks, and cryptographic objects are acquired when the object is created and released when it goes out of scope. In legitimate software, RAII reduces memory leaks and improves exception safety, while in malware it may increase a much-needed operational reliability. 

Target Acquisition and Exploit Arsenal

The exploit layer is advertised as a library of more than 20 implemented remote code execution modules targeting enterprise infrastructure. 

The list includes: 

  • GitLab CVE-2021-22205
  • Microsoft Exchange ProxyShell
  • Spring4Shell
  • Log4Shell through JNDI/HTTP paths
  • F5 BIG-IP
  • Citrix NetScaler
  • Atlassian Confluence OGNL
  • VMware vCenter
  • Fortinet
  • Apache Struts
  • ActiveMQ
  • Solr
  • Jenkins
  • Tomcat Manager
  • Webmin
  • JBoss

Based on our experience building, deploying and analyzing attacks against enterprise honeypots, this exploit arsenal provides strong coverage of Internet-facing enterprise applications, administrative consoles, application servers, and critical infrastructure products commonly exposed in corporate environments. The diversity of targeted technologies also suggests that the framework is designed not only to compromise externally accessible systems, but also to facilitate lateral movement across internal enterprise networks after an initial foothold has been established. Collectively, these capabilities support the author’s claim that the botnet is intended to continuously acquire and retain a large pool of compromised systems capable of delivering distributed AI inference and computational services.

Persistence and Long-Term Node Retention

To maximize the lifetime of compromised infrastructure, the malware establishes persistence across both Windows and Linux systems. Windows mechanisms include Registry Run keys, Services, Scheduled Tasks, WMI Event Consumers, and COM hijacking, while Linux persistence relies on systemd services, cron jobs, XDG autostart entries, rc.local, and shell initialization files. Maintaining long-term access is particularly important because the framework treats compromised systems as reusable worker nodes that continuously generate value.

Although the threat actor did not provide source code or other proof to substantiate the advertised functionality, nearly all of the underlying techniques have been observed in previous malware campaigns and botnet frameworks. Their combination into a single platform is ambitious, but well within the capabilities of modern malware development, making the claims technically credible.

Stealth and Defense Evasion

The framework incorporates multiple techniques designed to minimize detection, including runtime patching of AMSI and ETW telemetry, sandbox detection through environmental scoring, API hashing, encrypted strings, polymorphic loading, TLS masquerading, protocol confusion, and randomized communication intervals. Together, these mechanisms help preserve the operational availability of compromised systems, ensuring that computational resources remain accessible for extended periods.

Browser Forensics and Credential Harvesting

A dedicated browser module is described in the post as extracting passwords, cookies, browsing history, and application-bound encrypted browser secrets from Chrome, Edge, and Firefox. Beyond traditional credential theft, these artifacts may provide authenticated access to cloud platforms, SaaS applications, messaging services, developer environments, and active AI sessions, significantly increasing the value of each compromised endpoint.

Lateral Movement and Propagation

Mycelium framework describes SSH and SMB propagation paths. On Linux and Unix-like systems, SSH keys, shell history, and configuration files can reveal lateral movement opportunities. On Windows networks, administrative shares, harvested credentials, and pass-the-hash techniques can expand access. It includes a context-aware brute-force engine that uses local hostname, domain, and username patterns to generate likely password candidates for SSH, WinRM, VNC, and RDP.

Our Main Finding: AI-as-a-Service Offerings

The most distinctive part of the framework is the Distributed AI Grid, referred to in the advertisement as the “Mind Collective.” This subsystem is presented as a way to transform infected machines into a distributed AI inference network. Bots with local models, stolen API keys, or hijacked AI sessions become service nodes. The controller routes tasks to those nodes based on priority, cost, and capability.

Tier-Based AI Model Usage

A tiered AI service model built on compromised infrastructure can include different tiers:

  1. Premium tier: A machine with stolen GPT-4 or Claude API access may be reserved for high-value executive targeting or high-quality content generation. 
  2. Local model tier: A machine running Ollama or a local Llama model may be used for bulk spam, low-cost phishing drafts, classification, summarization, or automated conversation generation. 
  3. Lower tier: A host with only CPU capacity may support preprocessing, reconnaissance, or routing tasks.

Mycelium Framework is described as a context-aware AI routing, meaning the C2 sends tasks based on what’s running on the node. It routes expensive or sensitive operations to higher-quality resources and routes bulk operations to cheaper resources. 

What is the AI Used For?

  1. Social-Engineering Engine: Mycelium framework can analyze victim email or chat history to mimic writing style and context. It also claims messaging propagation through Discord, Slack, and Telegram sessions, allowing AI-generated messages to be sent through trusted accounts. This creates a powerful combination: stolen identity, local context, and AI-generated personalization. Even if the final payload is added after generation, the persuasion layer becomes more scalable and more convincing.
  2. Content poisoning for LLM compromise: In the post this capability is referred to as a “Neural Propagation”. But the follow-up explanation describes a prompt that is hidden inside code or documentation and if processed by an AI assistant it may lead to indirect prompt injection. 
  3. Autonomous Exploit Engine: Mycelium Framework is also advertised as an autonomous exploit pipeline. It claims to monitor vulnerability sources such as Exploit-DB, GitHub, and CVE/NVD feeds, analyze patches, generate exploit code through multiple AI models, recover from model refusals by changing strategy, validate outputs through review and testing, and dynamically distribute compiled modules through NetGrid. Some of this may be marketing, but the workflow is notable because it describes the full lifecycle attackers want to automate (discovery, prioritization, development, validation, distribution, and execution) and it is reminiscent of  open-source pentesting AI-powered engineering.
  4. NetGrid – A Compute Cluster: The advertisement describes NetGrid as a distributed task management system supporting AI inference, password cracking, reconnaissance, job control, prioritization, retries, result aggregation, resource governance, failover, and redundancy. This mirrors the design of legitimate compute clusters, only applied to malicious capabilities. HashGrid distributes password cracking workloads across nodes, ReconGrid distributes scanning, banner grabbing, and service fingerprinting, and AiGrid integrates with the AI manager to offload inference tasks.

Additional Threat Intelligence

Additional Flare searches and other underground data sources revealed nothing else about a Mycelium Framework. Further search engine research revealed that the name Mycelium Framework is already associated with several legitimate projects unrelated to cybercrime. These include a Clojure-based web application framework that uses composable workflow “cells” with built-in support for large language models (LLMs), as well as a recently introduced organizational model that applies biological mycelium concepts to AI-enabled enterprise governance. Both projects emphasize decentralized, capability-aware architectures in which independent components collaborate to perform complex tasks. 

While there is no evidence that the underground framework is directly related to these legitimate initiatives, the threat actor’s choice of name, and its use of concepts such as distributed AI, autonomous “cells,” capability-aware task routing, and collective intelligence, closely mirrors terminology that has become increasingly popular within the AI engineering community. This suggests the naming was likely intentional, borrowing concepts and branding from legitimate AI ecosystems to market the framework as a sophisticated distributed computing platform rather than a conventional botnet.

Why This Matters for Threat Intelligence

Many parts of these 1,700-word posts in the underground look like a wild exaggeration by the post author, including beautifying  his C++ tool with marketing fluff, and adding unreasonable false capabilities. But a closer look into the botnet reveals that major parts of its architecture, while neatly drafted, probably with highly boosted AI text writer, are in fact true and widely used in the wild for the past 5-10 years.

It looks like the core capabilities of the botnet are already widely used by many previously documented tools. Vulnerability and misconfiguration scanning have always been at the core of botnet operations. In the same manner persistence, stealth, and defense evasion are essential botnet capabilities. Cross-platform support for both Windows and Linux is less common, though not unprecedented, and lateral movement via SSH and SMB has long been standard. Even the code quality itself is relatively basic by modern standards.

So what is actually new? The AI capabilities, but more importantly, their integration.

Poisoning AI documentation and source code has been observed before. Stealing AI compute resources and deploying local language models are also becoming increasingly common. Individually, none of these techniques are particularly novel. What is new is combining them into a single, cohesive offensive framework inspired by the architecture of legitimate AI systems.

That convergence is what makes this development noteworthy. Even if this is nothing more than a fake underground advertisement, every capability it describes is technically feasible today. If it does not reflect the current threat landscape yet, it likely will in the near future. 

Defender Implications and Hunting Opportunities

Beyond the well-established security practices of timely vulnerability patching, continuous misconfiguration monitoring, and behavioral detection across development and production environments, this framework highlights several additional lessons that defenders should consider. These observations extend beyond traditional malware defense and reflect the growing trend of threat actors treating compromised infrastructure as long-term computational assets rather than short-lived intrusion points.

  • Trace model API keys usage and installation of local models on servers, if not part of your pipeline blocks such technology from running on production servers.
  • Monitor for sustained or periodic encrypted outbound communications from servers and developer workstations that do not normally maintain external sessions.
  • Baseline CPU, memory, and GPU usage on systems that should not perform inference, cracking, or heavy background computation.
  • Correlate browser credential theft indicators with access to AI, developer, messaging, and SaaS platforms.
  • Investigate endpoints that access Slack, Discord, Telegram, GitHub, cloud consoles, or AI services in unusual sequences after suspicious process activity.
  • Treat dynamic module loading, unusual DLL or shared-object behavior, and plugin-like malware structures as higher-risk even if only one module is observed.
  • Use threat intelligence collection to identify underground advertisements that reframe botnets as AI, grid, inference, worker-node, or compute services.

The detection challenge is that many individual behaviors may appear legitimate in isolation. Developers use AI tools. Servers consume CPU/GPU. Administrators run remote management utilities. Browsers maintain sessions. The risk emerges from the combination: suspicious persistence, encrypted tasking, resource usage, browser/session theft, AI-service access, and workload-like execution patterns.

How Security Teams Should View Mycelium Framework

The significance of this underground advertisement is not that it introduces entirely new malware techniques. Nearly every component described has appeared in previous malware operations. 

What makes this framework noteworthy is its architectural vision: integrating these mature capabilities into a single platform that treats compromised infrastructure as a distributed computational resource.

Rather than simply compromising machines and waiting for opportunities to monetize access, the framework proposes continuously evaluating, scheduling, and utilizing compromised systems according to their available resources. CPU cycles, GPU acceleration, local language models, stolen AI API keys, browser sessions, enterprise credentials, and messaging accounts all become resources that can be dynamically allocated to AI inference, password cracking, reconnaissance, exploit development, and large-scale social engineering.

Whether the implementation fully matches the advertisement remains unknown. However, the underlying architecture is technically achievable and largely built upon techniques that have already been demonstrated in the wild. As AI adoption accelerates and computational resources become increasingly valuable, it is reasonable to expect threat actors to explore similar models that monetize compromised infrastructure as distributed compute platforms rather than simply as botnets.

Threat Intelligence

Track Emerging Malware Frameworks Before They Target Your Infrastructure

Flare monitors underground forums and dark web markets where frameworks like Mycelium are advertised and sold: surfacing new exploit tooling, stolen API keys, and credential theft operations so your team can detect and respond before compromised infrastructure becomes someone else’s compute cluster.

Underground advertisement and exploit marketplace monitoring
Stolen credential and API key detection across stealer logs
Share article

Related Content

View All
07.06.2026

15,000+ Leaked Healthcare Secrets Found: Code Blue in the Server Room

07.02.2026

$4 Social Security Numbers on the Dark Web Carry 30 Year Sentences: The Stolen Data Courts Punish the Most Severely

06.24.2026

The ABCs of CTI TCO