A new threat against Internet of Things (IoT) devices has surfaced: PumaBot, a Go-based Linux botnet, is actively targeting embedded systems by brute-forcing SSH credentials.
Discovered by Darktrace’s Threat Research team, PumaBot demonstrates an evolution in IoT malware, focusing on stealth, persistence, and high-value targets, particularly surveillance equipment and other sensitive devices running Linux.
Persistence Tactics Complicate Detection
Unlike typical botnets that indiscriminately scan the internet for victims, PumaBot leverages a more surgical approach by retrieving IP-target lists from its command-and-control (C2) server.
This targeted methodology reduces the chances of early detection and demonstrates a strategic move away from noisy network behaviors that commonly trigger security alerts.
Once a potential victim is identified, PumaBot cycles through SSH brute-force attempts, seeking weak and default credentials.
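The brute-force stage described above leaves a recognisable trace in sshd's authentication log: a burst of "Failed password" lines from one source, followed by an "Accepted password" line from the same source. The following is an added detection example, not code from the article or from the Darktrace report. It runs over constructed sample log lines (the addresses are from documentation ranges) and flags a source that exceeded a failure threshold and then logged in with a password; the threshold of five failures is an assumption to tune per environment.

```python
import re
from collections import Counter

# Constructed sshd log excerpt for a small IoT host (not from the report).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_AUTH_LOG = """\
May 28 10:01:02 cam01 sshd[1201]: Failed password for root from 203.0.113.5 port 40122 ssh2
May 28 10:01:03 cam01 sshd[1201]: Failed password for admin from 203.0.113.5 port 40123 ssh2
May 28 10:01:04 cam01 sshd[1203]: Failed password for invalid user pi from 203.0.113.5 port 40124 ssh2
May 28 10:01:05 cam01 sshd[1205]: Failed password for root from 203.0.113.5 port 40125 ssh2
May 28 10:01:06 cam01 sshd[1207]: Failed password for root from 203.0.113.5 port 40126 ssh2
May 28 10:01:08 cam01 sshd[1209]: Accepted password for admin from 203.0.113.5 port 40127 ssh2
May 28 10:05:00 cam01 sshd[1300]: Failed password for operator from 198.51.100.7 port 51000 ssh2
May 28 10:09:00 cam01 sshd[1320]: Accepted publickey for operator from 198.51.100.7 port 51001 ssh2
"""

# "invalid user" appears when the account does not exist; the username still follows it.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (password|publickey) for (\S+) from (\S+) port \d+")


def summarize_ssh_auth(lines):
    """Return per-source failure counts, usernames tried per source, and successful logins."""
    failures = Counter()
    users_tried = {}
    successes = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users_tried.setdefault(ip, set()).add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            successes.append((ip, user, method))
    return failures, users_tried, successes


def find_bruteforce_successes(lines, threshold=5):
    """Flag sources with at least `threshold` failures that then authenticated with a password.

    Public-key logins are ignored: a password-guessing campaign cannot produce them.
    The threshold is an assumed starting point, not a value from the report.
    """
    failures, users_tried, successes = summarize_ssh_auth(lines)
    hits = []
    for ip, user, method in successes:
        if method == "password" and failures[ip] >= threshold:
            hits.append({
                "ip": ip,
                "user": user,
                "failures": failures[ip],
                "usernames_tried": sorted(users_tried[ip]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_bruteforce_successes(SAMPLE_AUTH_LOG.splitlines()):
        print(f"{hit['ip']} guessed {hit['failures']} times "
              f"({', '.join(hit['usernames_tried'])}) then logged in as {hit['user']}")
```

On a real device, feed it the output of `journalctl -u ssh` or `/var/log/auth.log`; the point of keying on the accepted password login rather than on failures alone is that a successful guess is what turns noise into an incident, and it is exactly the event PumaBot needs before it can write its binary and service files.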
Upon successful compromise, it establishes persistence by disguising its binary as a legitimate system service, most notably by writing itself to /lib/redis and creating deceptive systemd service files such as redis.service or a misnamed mysqI.service (with a capital 'I' in place of the lowercase 'l' to imitate MySQL).
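Both persistence tricks above are auditable from the unit files themselves: a unit name that only looks like a known service once a homoglyph is swapped back, and an ExecStart pointing at an executable dropped directly into a library directory such as /lib. The following is an added example, not the article's or Darktrace's code. The known-service list, the confusable-character map and the list of directories treated as suspicious are assumptions for illustration; the unit file contents are constructed in the shape the article describes, not recovered samples.

```python
import difflib
import os
import re
import unicodedata

# Assumed: services a device of this kind would legitimately run. Spoofed names target this list.
KNOWN_UNITS = {"redis", "mysql", "mariadb", "nginx", "sshd", "cron", "rsyslog", "dbus"}

# Assumed look-alike substitutions: capital I for l (the mysqI case), digit 0 for o, digit 1 for l.
CONFUSABLES = str.maketrans({"I": "l", "0": "o", "1": "l"})

# Assumed: executables are not normally placed directly in these directories
# (shared libraries, temporary storage, runtime state). /lib/redis matches this heuristic.
SUSPICIOUS_EXEC_DIRS = {"/lib", "/lib64", "/usr/lib", "/tmp", "/var/tmp", "/dev/shm", "/run"}

# ExecStart may carry systemd prefixes such as "-" or "@" before the path; strip them.
EXEC_START_RE = re.compile(r"^\s*ExecStart\s*=\s*[-@:+!]*(\S+)", re.MULTILINE)


def unit_base_name(unit_file_name):
    """'mysqI.service' -> 'mysqI'."""
    if unit_file_name.endswith(".service"):
        return unit_file_name[:-len(".service")]
    return unit_file_name


def classify_unit_name(unit_file_name):
    """Return ('expected'|'homoglyph'|'lookalike'|'unknown', resembled known unit or None)."""
    base = unit_base_name(unit_file_name)
    if base.lower() in KNOWN_UNITS:
        return "expected", base.lower()
    # NFKC folds full-width and other compatibility forms; the translate step folds ASCII confusables.
    folded = unicodedata.normalize("NFKC", base).translate(CONFUSABLES).lower()
    if folded in KNOWN_UNITS:
        return "homoglyph", folded
    close = difflib.get_close_matches(folded, sorted(KNOWN_UNITS), n=1, cutoff=0.8)
    if close:
        return "lookalike", close[0]
    return "unknown", None


def audit_unit(unit_file_name, unit_text):
    """Return a list of human-readable findings for one unit file (name and ExecStart checks)."""
    findings = []
    verdict, resembles = classify_unit_name(unit_file_name)
    if verdict in ("homoglyph", "lookalike"):
        findings.append(f"{unit_file_name}: name imitates '{resembles}.service' ({verdict})")
    for exe in EXEC_START_RE.findall(unit_text):
        parent = os.path.dirname(exe)
        if parent in SUSPICIOUS_EXEC_DIRS:
            findings.append(f"{unit_file_name}: ExecStart binary {exe} sits directly in {parent}")
    return findings


# Constructed unit files (not recovered samples) in the shape the article describes.
SAMPLE_UNITS = {
    "mysqI.service": "[Unit]\nDescription=mysql\n\n[Service]\nExecStart=/lib/redis\nRestart=always\n\n"
                     "[Install]\nWantedBy=multi-user.target\n",
    "redis.service": "[Unit]\nDescription=redis\n\n[Service]\nExecStart=/lib/redis\nRestart=always\n\n"
                     "[Install]\nWantedBy=multi-user.target\n",
    "sshd.service": "[Unit]\nDescription=OpenSSH server\n\n[Service]\nExecStart=/usr/sbin/sshd -D\n\n"
                    "[Install]\nWantedBy=multi-user.target\n",
}


def audit_all(units=SAMPLE_UNITS):
    """Audit every unit in `units` ({file name: file text}) and return all findings."""
    findings = []
    for name, text in units.items():
        findings.extend(audit_unit(name, text))
    return findings


if __name__ == "__main__":
    for finding in audit_all():
        print(finding)
```

To run it against a live host, build the `units` dictionary from the files in /etc/systemd/system and /usr/lib/systemd/system. The name check alone would pass redis.service, which is why the ExecStart check matters: a unit named after a real service is only as trustworthy as the binary it launches, and on a camera or traffic sensor that never shipped with Redis, any redis.service at all deserves a look.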
The botnet’s operations are multifaceted. PumaBot collects extensive system information, including OS details, kernel versions, and hardware architecture, using commands like uname -a.
This data, along with the compromised device’s access credentials, is sent back to the C2 through custom HTTP headers in a JSON payload.
With this information, attackers can not only maintain a foothold but also target devices for specialized operations based on their profile.
One of PumaBot’s primary malicious payloads is cryptocurrency mining. Commands such as xmrig and networkxm are issued to co-opt the processing power of infected hosts for mining operations.
Interestingly, these are invoked without full path details, suggesting that supplementary payloads are either downloaded or unpacked post-infection, potentially broadening the scope and impact of the compromise.
The botnet also includes fingerprinting mechanisms to avoid honeypots and research environments, specifically checking for strings like “Pumatronix” (a manufacturer of surveillance and traffic equipment). This check may indicate a preference for, or an aversion to, certain device types, further refining its targeting strategy.
A Growing Threat to IoT Ecosystem Security
PumaBot does not propagate in a fully automated worm-like manner, but rather expands its footprint semi-automatically, driven by C2-controlled target selection and brute-force attacks.
This operational model, coupled with its advanced evasion techniques, makes PumaBot a particularly challenging adversary for traditional IoT security solutions.
According to the report, Darktrace’s investigation also uncovered related components supporting PumaBot’s campaign, such as the ddaemon backdoor, which fetches and executes mining binaries, and the installx.sh shell script, which fetches further payloads and eliminates forensic traces by clearing command histories.
These additional elements point to a coordinated and persistent attack infrastructure intent on maintaining long-term control over compromised devices.
As IoT ecosystems continue to expand, malware like PumaBot highlights the urgent need for robust credential management, routine firmware updates, and vigilant network monitoring to protect against increasingly adaptive and sophisticated threats.
Indicators of Compromise (IOCs)
| SHA256 Hash |
|---|
| a5125945d7489d61155723259990c168db01dfedcd76a2e1ba08caa3c4532ca3 |
| 426276a76f20b823e896e3c08f1c42f3d15a91a55c3613c7b3bdfbef0bbed9a9 |
| 0957884a5864deb4389da3b68d3d2a139b565241da3bb7b9c4a51c9f83b0f838 |