PumaBot Botnet Targets Linux IoT Devices via SSH to Deploy Cryptominers


A newly discovered botnet named PumaBot is actively targeting Linux-based IoT devices, exploiting weak SSH credentials to gain unauthorized access, persist on the system, and potentially deploy cryptominers like XMRig.

Written in Go and SSH-Focused

PumaBot is developed in the Go programming language and deviates from traditional botnet behavior by avoiding internet-wide scans. Instead, it fetches a curated list of vulnerable IP addresses from its command-and-control (C2) server (ssh.ddos-cc[.]org). The malware then performs brute-force attacks on these systems to gain access.

Unlike most botnets that indiscriminately target devices, PumaBot includes checks to avoid honeypots and evaluates the suitability of a host. Interestingly, it searches for the string “Pumatronix,” a known surveillance and traffic camera manufacturer. This suggests it may either specifically target or intentionally avoid these systems.

Infection Chain and Components

Once PumaBot gains SSH access, it performs the following actions:

  • Collects system data and sends it to the C2 server

  • Establishes persistence by mimicking legitimate system services

  • Receives and executes commands remotely

  • Deploys additional malware components

Darktrace uncovered related binaries deployed during infection:

Malware Components

  • ddaemon: A backdoor that downloads and executes a script called installx.sh

  • networkxm: A secondary SSH brute-force tool, similar to the botnet’s initial stage

  • installx.sh: Downloads and executes another script jc.sh while erasing bash history

  • jc.sh: Replaces the system’s pam_unix.so with a malicious version, installs a binary called 1

  • pam_unix.so: Acts as a rootkit, logging credentials of successful logins to /usr/bin/con.txt

  • 1: Monitors and exfiltrates stolen credentials

Disguised as Legitimate Services

To hide its presence, PumaBot copies itself into /lib/redis and sets up a systemd service named redis.service or a look-alike mysqI.service (a capital “I” in place of the lowercase “l” of mysql). This makes the malware appear like a valid system process and ensures it survives reboots.

Final Payload: Cryptocurrency Mining

Two commands found in PumaBot’s operations—xmrig and networkxm—indicate the botnet’s ultimate goal: mining cryptocurrency by hijacking computing power from compromised devices. Although the C2 server was offline during analysis, evidence suggests that cryptominers or other payloads are delivered post-compromise.

What This Means for IoT Security

PumaBot highlights the growing sophistication of Linux-based malware and the increasing use of IoT devices in botnet operations. Its SSH-focused brute-force mechanism, selective targeting, and stealth persistence tactics make it a potent threat.

How to Protect Your Devices:

  • Use strong, unique SSH passwords or deploy key-based authentication

  • Disable SSH if not needed, or restrict it with firewall rules

  • Monitor for unusual systemd services like redis.service or mysqI.service

  • Check for suspicious files in /usr/bin/, /lib/redis/, and logs pointing to con.txt
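The service disguise described under “Disguised as Legitimate Services” and the checks in the list above can be turned into a repeatable host audit. The script below is an added example written for this article, not code from the article or from Darktrace’s analysis. It assumes the usual systemd unit directories and PAM module directories, that `sha256sum` is available, and that the operator recorded a known-good hash of pam_unix.so before deployment; the function and variable names are my own. Only the paths, service names, and the pam_unix.so replacement are taken from the article.

```shell
#!/bin/sh
# Added example, not from the article or Darktrace: an offline host audit for the
# PumaBot indicators named above. ROOT is the filesystem root to inspect; pass a
# mounted image or a test tree instead of "/" to audit without touching the live host.
# Indicator values (paths, unit names) are quoted from the article; helper names are mine.

KNOWN_UNITS="mysql.service redis.service"      # legitimate names the malware imitates
SUSPECT_PATHS="/lib/redis /usr/bin/con.txt"    # drop directory and credential log
UNIT_DIRS="/etc/systemd/system /lib/systemd/system /usr/lib/systemd/system"
PAM_DIRS="/lib/security /lib64/security /usr/lib64/security /lib/x86_64-linux-gnu/security"

# is_homoglyph_name NAME: succeeds when NAME equals a known unit name with lowercase
# "l" swapped for capital "I" (e.g. mysqI.service); fails for genuine or unrelated names.
is_homoglyph_name() {
    norm=$(printf '%s' "$1" | tr 'I' 'l')
    for legit in $KNOWN_UNITS; do
        if [ "$1" = "$legit" ]; then return 1; fi
        if [ "$norm" = "$legit" ]; then return 0; fi
    done
    return 1
}

# find_suspect_units ROOT: prints one line per unit file whose name is a homoglyph of a
# known service, or which is called redis.service but launches a binary from /lib/redis.
find_suspect_units() {
    hit=1
    for dir in $UNIT_DIRS; do
        for unit in "$1$dir"/*.service; do
            [ -f "$unit" ] || continue
            base=$(basename "$unit")
            if is_homoglyph_name "$base"; then
                echo "homoglyph unit name: $unit"; hit=0
            elif [ "$base" = "redis.service" ] && grep -q '^ExecStart=.*/lib/redis' "$unit"; then
                echo "redis.service started from /lib/redis: $unit"; hit=0
            fi
        done
    done
    return $hit
}

# find_suspect_paths ROOT: prints one line per article-listed path that exists under ROOT.
find_suspect_paths() {
    hit=1
    for p in $SUSPECT_PATHS; do
        if [ -e "$1$p" ]; then echo "suspect path present: $1$p"; hit=0; fi
    done
    return $hit
}

# check_sshd_config ROOT: flags the sshd settings that expose the host to the
# brute-force stage. Commented-out defaults ("#PasswordAuthentication yes") are ignored.
check_sshd_config() {
    cfg="$1/etc/ssh/sshd_config"
    [ -f "$cfg" ] || return 2
    hit=1
    for weak in 'PasswordAuthentication yes' 'PermitRootLogin yes'; do
        if grep -qi "^[[:space:]]*$weak" "$cfg"; then echo "weak sshd setting: $weak"; hit=0; fi
    done
    return $hit
}

# check_pam_unix ROOT EXPECTED: compares the SHA-256 of pam_unix.so with EXPECTED, a
# known-good hash the operator recorded earlier (the article describes this module being
# replaced by a credential-logging version). Returns 0 on match, 1 on mismatch, 2 if absent.
check_pam_unix() {
    for dir in $PAM_DIRS; do
        mod="$1$dir/pam_unix.so"
        [ -f "$mod" ] || continue
        actual=$(sha256sum "$mod" 2>/dev/null | cut -d' ' -f1)
        if [ "$actual" = "$2" ]; then return 0; fi
        echo "pam_unix.so hash mismatch: $mod"
        return 1
    done
    return 2
}

# pumabot_audit ROOT: runs every check that needs no baseline and prints each finding.
pumabot_audit() {
    find_suspect_units "$1" || true
    find_suspect_paths "$1" || true
    check_sshd_config "$1" || true
}

# pumabot_finding_count ROOT: prints the number of findings (0 means nothing seen).
pumabot_finding_count() {
    pumabot_audit "$1" | wc -l | tr -d ' '
}

# Usage: sh pumabot_audit.sh --audit /            (live host)
#        sh pumabot_audit.sh --audit /mnt/image   (mounted device image)
case "${1:-}" in --audit) pumabot_audit "${2:-}" ;; esac
```

Two design choices are worth noting. A genuine Redis host legitimately owns redis.service, so that name is only reported when its ExecStart points into /lib/redis, the drop directory the article names; the homoglyph check, by contrast, fires on any unit whose name differs from a known service only by an I-for-l swap. The pam_unix.so check needs a baseline hash because a replaced module looks like any other shared object; take it from the distribution package (or a golden image) before the device goes into service, and run `check_pam_unix / "$baseline"` alongside the audit.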

Stay Ahead of Linux Threats

As Linux continues to power billions of connected devices, botnets like PumaBot are expected to grow. Admins and developers must stay proactive with patching, monitoring, and securing IoT endpoints.
