Trend Micro security researchers published the first documented case of a threat actor using Google’s open-source Gemini CLI — a command-line interface to Google’s Gemini AI model — as an interactive hacking assistant throughout a real-world attack campaign. The actor, a Russian-speaking individual operating under the alias “bandcampro,” conducted attack operations across more than 200 sessions using the tool to deploy a botnet, gain access to a dental practice patient database, and troubleshoot attack operations in real time as problems arose.
Gemini CLI as a Real-Time Attack Advisor Across 200-Plus Sessions
Trend Micro observed “bandcampro” conducting attack operations with Gemini CLI across more than 200 sessions between April 21 and May 19, 2026. In at least 59 documented exchanges, Gemini CLI responded to the attacker’s prompts, troubleshot problems on the fly, and proposed operational improvements — functioning throughout as a real-time technical advisor rather than a passive information source. The model’s responses guided decisions about command execution, infrastructure changes, and attack sequencing across multiple distinct operations within the campaign.
Eight-System Dental Clinic Botnet: C2 Migration Completed in Six Minutes
The most operationally significant demonstration of AI-assisted efficiency within the campaign occurred during a botnet infrastructure migration. “Bandcampro” controlled a botnet of eight compromised systems located at a dental clinic and used Gemini CLI to issue commands to the infected endpoints, manage the compromised machines, and migrate the botnet’s command-and-control servers to new infrastructure. With Gemini CLI handling command planning and troubleshooting errors as they appeared, the attacker completed the full infrastructure migration in approximately six minutes. The full operation ran from a configuration footprint of approximately 5 KB of plain-text configuration files — a small footprint that Trend Micro characterized as an early-stage demonstration of the technique rather than the maximum achievable operational scale.
OpenDental Database Breach and WordPress Credential Attacks
Beyond managing the botnet, “bandcampro” used Gemini CLI to gain unauthorized access to an OpenDental database — dental practice management software that stores patient health records and billing information. The AI tool assisted with planning the database access attempt and adapting to the specific configuration the attacker encountered. Separately, the attacker conducted password guessing campaigns against WordPress portals, with Gemini CLI assisting by analyzing password dumps, identifying exploitation opportunities in credential data from compromised systems, and planning attack adjustments based on results returned from each guessing attempt.
Gemini CLI’s Accessibility and the Healthcare Data Dimension
Gemini CLI provides AI access through a command-line interface without the content filtering built into consumer-facing AI products. For threat actors who may not have access to jailbroken models or other alternatives, this accessibility makes Gemini CLI a ready-made AI hacking assistant available at no cost. The tool’s conversational interface allows an attacker to describe a specific problem — a C2 connectivity failure, an unexpected configuration state, an authentication error — and receive detailed, context-specific troubleshooting guidance without needing the technical expertise to diagnose the issue independently. That reduction in the expertise required to execute and sustain complex attack operations is the operational change the campaign illustrates.
What the bandcampro Campaign Reveals About AI-Assisted Attack Efficiency
The campaign Trend Micro documented remained relatively limited in scale: a botnet of eight systems and access to one dental practice’s patient database. Trend Micro’s characterization of the operation as an early-stage demonstration reflects the modest victim count and configuration footprint involved. The significance lies in the method rather than the scale: attack operations that previously required specific technical expertise to troubleshoot — diagnosing why a C2 connection failed, adapting commands to work around an unexpected configuration, planning credential exploitation across multiple compromised systems — were carried out with AI-assisted guidance throughout. The attacker was able to complete a botnet infrastructure migration in six minutes through a conversational exchange with a language model rather than through manual diagnosis and command construction. The inclusion of patient health data — an OpenDental database containing health records and billing information — in the campaign’s impact profile adds healthcare privacy consequences to what would otherwise be characterized as a financially motivated botnet operation.