Discovered by Darktrace’s Threat Research team, PumaBot demonstrates an evolution in IoT malware, focusing on stealth, persistence, and high-value targets, particularly surveillance equipment and other sensitive devices running Linux.
Unlike typical botnets that indiscriminately scan the internet for victims, PumaBot leverages a more surgical approach by retrieving IP-target lists from its command-and-control (C2) server.
This targeted methodology reduces the chances of early detection and demonstrates a strategic move away from noisy network behaviors that commonly trigger security alerts.
Once a potential victim is identified, PumaBot cycles through SSH brute-force attempts, seeking weak and default credentials.
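As an added example (not code from the report or from Darktrace), the brute-force phase described above leaves a characteristic trail in sshd logs: bursts of "Failed password" lines from one source, often against several usernames, sometimes followed by an "Accepted password" line from the same source. The short Python detector below parses auth.log-style lines, flags sources that exceed a failure threshold inside a sliding time window, and records whether a successful login followed. The log lines, hostnames, IP addresses, threshold and window are constructed for illustration and are not indicators from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log.
# The addresses are documentation ranges (RFC 5737), not real indicators.
SAMPLE_AUTH_LOG = """\
May 20 10:00:01 cam01 sshd[1201]: Failed password for root from 203.0.113.7 port 51012 ssh2
May 20 10:00:03 cam01 sshd[1202]: Failed password for admin from 203.0.113.7 port 51014 ssh2
May 20 10:00:04 cam01 sshd[1203]: Failed password for invalid user pi from 203.0.113.7 port 51016 ssh2
May 20 10:00:06 cam01 sshd[1204]: Failed password for root from 203.0.113.7 port 51018 ssh2
May 20 10:00:08 cam01 sshd[1205]: Failed password for admin from 203.0.113.7 port 51020 ssh2
May 20 10:00:09 cam01 sshd[1206]: Accepted password for admin from 203.0.113.7 port 51022 ssh2
May 20 10:15:00 cam01 sshd[1300]: Failed password for ops from 198.51.100.9 port 40000 ssh2
May 20 11:30:00 cam01 sshd[1301]: Failed password for ops from 198.51.100.9 port 40001 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_events(text):
    """Return a list of (timestamp, result, user, ip) tuples for password auth events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; the default year is fine for relative windows
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Map source IP -> alert details for every source with at least `threshold`
    failed password attempts inside any `window`-long span. The alert records the
    usernames tried and the first user whose login succeeded afterwards, if any."""
    by_ip = defaultdict(list)
    for ev in parse_events(text):
        by_ip[ev[3]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological; tuples compare on timestamp first
        failures = [e for e in evs if e[1] == "Failed"]
        for i in range(len(failures)):
            # extend the window forward from failure i
            j = i
            while j < len(failures) and failures[j][0] - failures[i][0] <= window:
                j += 1
            if j - i >= threshold:
                usernames = sorted({e[2] for e in failures[i:j]})
                success = [e for e in evs if e[1] == "Accepted" and e[0] >= failures[i][0]]
                alerts[ip] = {
                    "failures": j - i,
                    "usernames": usernames,
                    "compromised_user": success[0][2] if success else None,
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

Feed it `open("/var/log/auth.log").read()` on a host to run it for real; a source that trips the threshold and then appears in an "Accepted" line is the case worth paging on, because it means a weak or default credential was guessed.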
Upon successful compromise, it establishes persistence by disguising its binary as a legitimate system service, most notably by writing itself to /lib/redis and creating deceptive systemd service files such as redis.service or a cleverly misnamed mysqI.service (with a capital ‘I’ in place of the lowercase ‘l’ to imitate MySQL).
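As an added example (not code from Darktrace or the report), the two persistence artifacts just described, a lookalike unit name and a binary dropped at /lib/redis, can be hunted with a short audit of systemd unit files. The Python below normalizes characters that are commonly swapped for lookalikes (capital I, digit 1 and pipe for lowercase l; zero and capital O for lowercase o) and flags a unit whose name matches a well-known service only after that normalization, and it flags any ExecStart that launches a file placed directly under /lib rather than in a bin or sbin directory. The sample unit file contents, the list of well-known service names and the confusable-character map are assumptions made for this example.

```python
import os
import re

# Service names an attacker might imitate; an assumption for the example, extend as needed.
KNOWN_SERVICES = {"mysql", "mysqld", "mariadb", "redis", "redis-server", "nginx", "sshd", "cron"}

# Latin lookalike characters folded to the letter they imitate (assumed mapping).
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"})

# ExecStart accepts optional "-" and "@" prefixes before the executable path.
EXEC_RE = re.compile(r"^ExecStart=\s*-?@?(?P<path>\S+)", re.M)

# Constructed unit files: one lookalike name, one legitimate name with a bad path, one benign.
SAMPLE_UNITS = {
    "mysqI.service": "[Unit]\nDescription=MySQL Server\n\n[Service]\nExecStart=/lib/redis\nRestart=always\n\n[Install]\nWantedBy=multi-user.target\n",
    "redis.service": "[Unit]\nDescription=redis\n\n[Service]\nExecStart=/lib/redis\n\n[Install]\nWantedBy=multi-user.target\n",
    "nginx.service": "[Unit]\nDescription=nginx\n\n[Service]\nExecStart=/usr/sbin/nginx -g 'daemon on;'\n",
}


def normalize(stem):
    """Fold lookalike characters and case so 'mysqI' and 'mysql' compare equal."""
    return stem.translate(CONFUSABLES).lower()


def lookalike_of(stem):
    """Return the legitimate service name a unit stem imitates, or None if it is
    either genuine (exact match) or unrelated to any known service."""
    if stem.lower() in KNOWN_SERVICES:
        return None
    norm = normalize(stem)
    for known in KNOWN_SERVICES:
        if norm == normalize(known):
            return known
    return None


def suspicious_exec_path(path):
    """True when the executable sits directly in a library directory (e.g. /lib/redis).
    Heuristic assumed for this example: daemons live in bin/sbin or a package subdirectory."""
    return os.path.dirname(path) in ("/lib", "/lib64", "/usr/lib")


def audit_units(units):
    """units: {filename: file content}. Returns a list of (filename, reason) findings."""
    findings = []
    for name, content in units.items():
        stem, ext = os.path.splitext(name)
        if ext != ".service":
            continue
        imitated = lookalike_of(stem)
        if imitated:
            findings.append((name, f"unit name imitates '{imitated}.service' with lookalike characters"))
        for m in EXEC_RE.finditer(content):
            if suspicious_exec_path(m["path"]):
                findings.append((name, f"ExecStart runs {m['path']}, a binary placed directly under a library directory"))
    return findings


def scan_system_units(dirs=("/etc/systemd/system", "/lib/systemd/system")):
    """Read every unit file from the given directories and audit them."""
    units = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for fn in os.listdir(d):
            full = os.path.join(d, fn)
            if os.path.isfile(full):
                with open(full, errors="replace") as fh:
                    units[fn] = fh.read()
    return audit_units(units)


if __name__ == "__main__":
    for name, reason in audit_units(SAMPLE_UNITS):
        print(f"{name}: {reason}")
```

Run `scan_system_units()` on a device to check the live unit directories; a hit on either rule is a reason to compare the unit's ExecStart target against the package manager's file list before trusting it.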
The botnet’s operations are multifaceted. PumaBot collects extensive system information, including OS details, kernel versions, and hardware architecture, using commands like uname -a.
This data, along with the compromised device’s access credentials, is sent back to the C2 through custom HTTP headers in a JSON payload.
With this information, attackers can not only maintain a foothold but also target devices for specialized operations based on their profile.
One of PumaBot’s primary malicious payloads is cryptocurrency mining. Commands such as xmrig and networkxm are issued to co-opt the processing power of infected hosts for mining operations.
Interestingly, these are invoked without full path details, suggesting that supplementary payloads are either downloaded or unpacked post-infection, potentially broadening the scope and impact of the compromise.
The botnet also includes fingerprinting mechanisms to avoid detection by honeypots and research environments, specifically checking for strings like “Pumatronix” (a known manufacturer of surveillance and traffic equipment). This check may indicate a preference for, or an aversion to, certain device types, further refining its targeting strategy.
PumaBot does not propagate in a fully automated worm-like manner, but rather expands its footprint semi-automatically, driven by C2-controlled target selection and brute-force attacks.
This operational model, coupled with its advanced evasion techniques, makes PumaBot a particularly challenging adversary for traditional IoT security solutions.
According to the report, Darktrace’s investigation also uncovered related components supporting PumaBot’s campaign, such as the ddaemon backdoor, which fetches and executes mining binaries, and the installx.sh shell script, which fetches further payloads and eliminates forensic traces by clearing command histories.
These additional elements point to a coordinated and persistent attack infrastructure intent on maintaining long-term control over compromised devices.
As IoT ecosystems continue to expand, malware like PumaBot highlights the urgent need for robust credential management, routine firmware updates, and vigilant network monitoring to protect against increasingly adaptive and sophisticated threats.
| SHA256 hash (indicator of compromise) |
|---|
| a5125945d7489d61155723259990c168db01dfedcd76a2e1ba08caa3c4532ca3 |
| 426276a76f20b823e896e3c08f1c42f3d15a91a55c3613c7b3bdfbef0bbed9a9 |
| 0957884a5864deb4389da3b68d3d2a139b565241da3bb7b9c4a51c9f83b0f838 |
The post New Linux PumaBot Emerges Brute-Forcing SSH Credentials on IoT Devices appeared first on Cyber Security News.