Critical

Russian cybercriminal used jailbroken Gemini CLI to rebuild botnet infrastructure in six minutes

Help Net Security
Actively Exploited

Overview

A Russian cybercriminal known as 'bandcampro' has exploited a jailbroken version of Google's Gemini CLI, an open-source AI tool, to quickly set up and manage a botnet. Between March 19 and April 21, 2026, this individual conducted over 200 sessions to control eight computers within a dental clinic, gaining unauthorized access to the clinic's OpenDental database. This incident raises significant concerns for healthcare providers, as it highlights how easily cybercriminals can manipulate advanced tools to target sensitive information. The breach not only compromises patient data but also disrupts the operations of healthcare facilities. The effectiveness of such attacks underscores the need for stronger cybersecurity measures in the healthcare sector.

Key Takeaways

  • Active Exploitation: This vulnerability is being actively exploited by attackers. Immediate action is recommended.
  • Affected Systems: OpenDental database, computers in a dental clinic
  • Action Required: Healthcare facilities should implement stronger access controls, regularly update their software, and monitor network activity for unusual behavior.
  • Timeline: Ongoing since March 19, 2026

Original Article Summary

A Russian-speaking threat actor known as “bandcampro” used a jailbroken Gemini CLI, Google’s open-source terminal-based AI agent, to deploy and operate a small command-and-control (C2) botnet, according to TrendAI. Operational overview (Source: TrendAI) In more than 200 sessions between March 19 and April 21, 2026, the threat actor worked with Gemini to deploy and operate infrastructure that controlled eight computers inside a dental clinic and gain access to the clinic’s OpenDental database. Posing as an … More → The post Russian cybercriminal used jailbroken Gemini CLI to rebuild botnet infrastructure in six minutes appeared first on Help Net Security.

Impact

OpenDental database, computers in a dental clinic

Exploitation Status

This vulnerability is confirmed to be actively exploited by attackers in real-world attacks. Organizations should prioritize patching or implementing workarounds immediately.

Timeline

Ongoing since March 19, 2026

Remediation

Healthcare facilities should implement stronger access controls, regularly update their software, and monitor network activity for unusual behavior.

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.

Related Topics: This incident relates to Google, Data Breach, Botnet.

Related Coverage

Google Brings AirDrop Compatibility to Android’s Quick Share Using Rust-Hardened Security

The Hacker News

Google has updated its Quick Share service to enable compatibility with Apple's AirDrop, facilitating easier file sharing between Android and iPhone devices. This feature is currently available for the Pixel 10 lineup and is expected to expand to other devices in the future.

Nov 21, 2025

CISA Adds One Known Exploited Vulnerability to Catalog

All CISA Advisories

CISA has added CVE-2025-13223, a Google Chromium V8 Type Confusion Vulnerability, to its Known Exploited Vulnerabilities Catalog due to evidence of active exploitation. This vulnerability poses significant risks to federal enterprises, prompting CISA to urge timely remediation by all organizations to mitigate potential cyberattacks.

Nov 19, 2025

⚡ Weekly Recap: Fortinet Exploit, Chrome 0-Day, BadIIS Malware, Record DDoS, SaaS Breach & More

The Hacker News

This week, significant cybersecurity threats emerged as hackers exploited new 0-day vulnerabilities in Fortinet and Chrome, infiltrating supply chains and SaaS tools. The rapid response from major companies like Microsoft, Salesforce, and Google highlights the severity of these attacks and the ongoing challenges in securing trusted applications and software updates.

Nov 24, 2025

​​Spyware Allows Cyber Threat Actors to Target Users of Messaging Applications​

All CISA Advisories

CISA has identified that various cyber threat actors are using commercial spyware to target users of mobile messaging applications, employing tactics such as phishing, zero-click exploits, and impersonation. The focus is primarily on high-value individuals including government and military officials, indicating a serious threat to sensitive communications.

Nov 24, 2025

HashJack Attack Uses URL ‘#’ to Control AI Browser Behavior

Hackread – Cybersecurity News, Data Breaches, Tech, AI, Crypto and More

Cato Networks has identified a new vulnerability known as HashJack, which exploits the '#' symbol in URLs to execute malicious commands in AI browsers. While Microsoft and Perplexity have addressed this flaw, Google's Gemini remains vulnerable, highlighting a significant risk for users of that platform.

Nov 29, 2025

Google fixes Android vulnerabilities “under targeted exploitation” (CVE-2025-48633, CVE-2025-48572)

Help Net Security

Google has addressed 51 vulnerabilities in Android, including two high-severity flaws (CVE-2025-48633 and CVE-2025-48572) that are potentially under targeted exploitation. Both vulnerabilities impact the Android Framework, which is essential for app development, and could allow malicious applications to access sensitive information.

Dec 2, 2025