
A newly discovered botnet named **PumaBot** is actively targeting Linux-based IoT devices by brute-forcing SSH credentials to deploy malicious payloads. Written in Go, this malware exhibits advanced evasion techniques, including fingerprinting devices to avoid detection and injecting credential-stealing modules. The botnet’s activities align with broader trends in IoT exploitation, where attackers increasingly focus on embedded systems with weak authentication mechanisms.[1]
Key Findings
- **Evasion**: PumaBot excludes devices containing the string “Pumatronix” in their hostnames or configurations, likely to avoid honeypots or research environments.[1]
- **Payload Delivery**: The malware injects a malicious PAM module that logs captured credentials to a file:
```bash
echo "$(date) - $USER:$PASS" >> /usr/bin/con.txt
```
- **Detection**: A YARA rule has been published to identify PumaBot binaries:
```yara
rule Linux_PumaBot {
    strings:
        // hard-coded HTTP header the malware sends to its C2
        $xapikey = "X-API-KEY: jieruidashabi"
    condition:
        // uint32(0) is little-endian, so 0x464c457f is the ELF magic 7f 45 4c 46
        uint32(0) == 0x464c457f and $xapikey
}
```
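As an added example (not code from the original post or from the Darktrace report), the following Python implements the same condition as the published YARA rule without depending on yara-python, so it can run on a host or a mounted image where the YARA engine is not installed. The sample byte strings are constructed stand-ins for test purposes, not real PumaBot binaries; the `scan_tree` helper and its size cap are assumptions of this example.

```python
import os

ELF_MAGIC = b"\x7fELF"                          # uint32(0) == 0x464c457f, read little-endian
PUMABOT_MARKER = b"X-API-KEY: jieruidashabi"    # the $xapikey string from the published rule


def matches_pumabot_rule(data: bytes) -> bool:
    """Same condition as the YARA rule: ELF header AND the hard-coded API-key string present.
    Both halves are required, so a shell script or a log containing the header is not a hit."""
    return data[:4] == ELF_MAGIC and PUMABOT_MARKER in data


def scan_tree(root: str, max_size: int = 64 * 1024 * 1024) -> list:
    """Walk `root` and return paths whose content satisfies the rule.
    Files larger than `max_size` are skipped (assumption: IoT binaries are small)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not os.path.isfile(path) or os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    if matches_pumabot_rule(fh.read()):
                        hits.append(path)
            except OSError:
                continue  # unreadable or vanished file; keep scanning
    return hits


# Constructed samples for testing the rule logic (not real malware):
SAMPLE_MATCH = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 13 + b"padding" + PUMABOT_MARKER + b"\x00"
SAMPLE_ELF_NO_MARKER = ELF_MAGIC + b"\x00" * 60
SAMPLE_TEXT_WITH_MARKER = b"#!/bin/sh\necho '" + PUMABOT_MARKER + b"'\n"

if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/tmp"):
        print("PumaBot rule match:", hit)
```

Run it as `python3 scan.py /path/to/mounted/rootfs`; it reports only files that carry both the ELF magic and the API-key header, mirroring the rule's `and` condition.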
Technical Analysis
PumaBot leverages Go’s cross-platform capabilities to target embedded systems, particularly surveillance devices and network appliances. It deploys two primary components:
1. **`ddaemon`**: A backdoor that establishes persistent C2 connections.
2. **`jc.sh`**: A rootkit installer that modifies system binaries to hide malicious processes.[1]
The botnet’s SSH brute-forcing aligns with tactics observed in other campaigns, such as the **InfectedSlurs** botnet, which exploited QNAP NVR devices via CVE-2023-XXXX (unpatched at the time of attack).[2]
Mitigation and Detection
To defend against PumaBot:
- **Network Controls**: Restrict SSH access to trusted IPs and enforce key-based authentication.
- **Endpoint Monitoring**: Deploy YARA rules or ELK Stack-based traffic analysis to detect anomalous SSH attempts.[3]
- **Patch Management**: Apply updates for IoT devices, especially those listed in CISA’s Known Exploited Vulnerabilities catalog.[4]
Relevance to Security Teams
- **Red Teams**: Can simulate PumaBot’s tactics to test SSH hardening and detection capabilities.
- **Blue Teams**: Should prioritize log analysis for failed SSH attempts and unexpected PAM module modifications.
- **Threat Researchers**: The Go-based infrastructure suggests a shift toward cross-platform malware, warranting closer scrutiny of similar campaigns.
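The two detection points above (anomalous SSH attempts under Endpoint Monitoring, and failed-login log analysis plus the credential-log artifact under Blue Teams) can be checked with a small script. The following Python is an added example, not code from the original post or from Darktrace: it parses standard OpenSSH `Failed password` lines from a syslog-style `auth.log`, flags source addresses that exceed a sliding-window failure threshold, and checks for the `/usr/bin/con.txt` file the page names as the PAM module's credential log. The sample log lines are constructed (RFC 5737 test addresses), and the threshold, window and the `root` parameter are assumptions of this example.

```python
import os
import re
from collections import defaultdict, deque
from datetime import datetime

# Standard OpenSSH failure line in a syslog-style auth.log; the "invalid user"
# variant appears for accounts that do not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_logins(lines, year=2025):
    """Yield (timestamp, user, source_ip) for every 'Failed password' line.
    auth.log carries no year, so one is assumed for datetime parsing."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Sliding-window count of failures per source IP (lines must be in time order).
    Returns {ip: peak failures inside one window} for every IP that reaches the threshold."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, _user, ip in parse_failed_logins(lines):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures older than the window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def credential_log_present(root="/"):
    """True if the file the page names as PumaBot's PAM credential log exists.
    `root` (assumption of this example) lets the check run over a mounted image or test tree."""
    return os.path.isfile(os.path.join(root, "usr", "bin", "con.txt"))


# Constructed sample log, not a capture from a real host.
SAMPLE_AUTH_LOG = [
    "May 27 10:15:01 cam01 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "May 27 10:15:03 cam01 sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "May 27 10:15:04 cam01 sshd[1205]: Failed password for invalid user admin from 203.0.113.5 port 51242 ssh2",
    "May 27 10:15:06 cam01 sshd[1207]: Failed password for invalid user ubnt from 203.0.113.5 port 51250 ssh2",
    "May 27 10:15:07 cam01 sshd[1209]: Accepted publickey for ops from 198.51.100.9 port 40110 ssh2",
    "May 27 10:15:09 cam01 sshd[1211]: Failed password for root from 203.0.113.5 port 51260 ssh2",
    "May 27 10:15:12 cam01 sshd[1213]: Failed password for root from 203.0.113.5 port 51266 ssh2",
    "May 27 10:20:30 cam01 sshd[1300]: Failed password for ops from 198.51.100.9 port 40200 ssh2",
    "May 27 10:22:00 cam01 sshd[1302]: Failed password for ops from 198.51.100.9 port 40210 ssh2",
]

if __name__ == "__main__":
    print("brute-force sources:", detect_bruteforce(SAMPLE_AUTH_LOG))
    print("credential log present:", credential_log_present())
```

On the sample, 203.0.113.5 produces six failures in eleven seconds and is flagged, while the two isolated failures from 198.51.100.9 are ninety seconds apart and fall outside the window. To run the same logic over a live host, feed `open("/var/log/auth.log")` to `detect_bruteforce` and leave `root` at its default.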
Conclusion
PumaBot underscores the persistent threat of credential-based attacks on IoT ecosystems. Its use of Go and evasion techniques highlights the need for layered defenses, including network segmentation and behavioral monitoring. Future variants may incorporate AI-driven attack automation, as seen in recent ransomware campaigns.[5]
References
1. “PumaBot: A Novel Botnet Targeting IoT Surveillance Devices,” Darktrace, 2025.
2. CISA Known Exploited Vulnerabilities Catalog, 2025.
3. Rajesh et al., “ELK for Network Forensics,” ACM, 2021.
4. Rattanalerdnusorn et al., “IoTDePT Framework,” ACM, 2020.
5. Zewdie & Girma, “AI/ML for IoT Security,” IIS, 2020.