PumaBot Linux Botnet Targets IoT Surveillance Devices

Written by The Hivemind | Jun 2, 2025 5:05:28 PM

Verticals Targeted: Not specified
Regions Targeted: Not specified
Related Families: ddaemon

Executive Summary

PumaBot, a Go-based Linux botnet, targets embedded IoT devices by brute-forcing SSH credentials, establishing persistence, and executing cryptocurrency mining. Its sophisticated evasion tactics and focus on surveillance devices highlight the growing threat to IoT ecosystems.

Key Takeaways

  • Written in Go, PumaBot targets Linux-based IoT devices, retrieving target lists from a C2 server to brute-force SSH credentials.  
  • Establishes persistence by mimicking legitimate binaries like Redis and abusing systemd services.  
  • Executes cryptocurrency mining via commands like “xmrig” and “networkxm,” leveraging compromised devices for illicit profit.  
  • Incorporates fingerprinting to evade honeypots, checking for specific strings like “Pumatronix” to target or exclude surveillance systems.  

What is PumaBot?

Darktrace’s Threat Research team recently uncovered PumaBot, a sophisticated Go-based botnet designed to compromise Linux-based embedded Internet of Things (IoT) devices. Unlike traditional botnets that rely on broad internet scans, PumaBot takes a targeted approach, retrieving a list of IP addresses from a command-and-control (C2) server and running SSH brute-force attacks against them. This method improves its stealth by reducing exposure to detection mechanisms that watch for indiscriminate scanning. Once access is gained, the botnet deploys itself, establishes persistence, and executes remote commands, primarily for cryptocurrency mining, posing a significant threat to unsecured IoT ecosystems.

PumaBot’s infection chain begins with retrieving a target list from an external C2 server. The malware then attempts to brute-force SSH credentials across these IPs, focusing on devices with open SSH ports. Upon successful login, it deploys its binary to the compromised system, often writing itself to /lib/redis to masquerade as a legitimate Redis service. This deception is furthered by creating systemd service files, such as redis.service or mysqI.service (notably with a capitalized ‘I’ to mimic MySQL), ensuring persistence across system reboots. The use of native Linux tools and system locations demonstrates an intent to blend into legitimate processes, complicating detection by traditional security solutions.  
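As an added defensive illustration (not code from the Darktrace or PolySwarm analysis), the following Python hunts for the two persistence traits described above: a systemd unit whose name mimics a real service through a lookalike character (mysqI.service) and an ExecStart that launches a daemon from an unexpected path such as /lib/redis. The unit file contents are constructed samples, and the list of expected binary directories is an assumption.

```python
"""Hunt for PumaBot-style systemd persistence (constructed example)."""
import re

# Services the report says PumaBot imitates (redis.service, mysqI.service).
LEGIT_NAMES = {"redis", "mysql"}
# Characters an attacker can swap for a lowercase 'l' in a unit name.
CONFUSABLE = {"I": "l", "1": "l", "|": "l"}
# Assumption: a genuine redis-server / mysqld binary lives under one of these.
EXPECTED_BIN_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/local/bin/", "/bin/", "/sbin/")

def normalize(stem):
    """Map confusable characters back to 'l' so mysqI -> mysql, mysq1 -> mysql."""
    return "".join(CONFUSABLE.get(c, c) for c in stem)

def inspect_unit(filename, content):
    """Return findings for one unit file: lookalike name, odd ExecStart path."""
    findings = []
    stem = filename[:-len(".service")] if filename.endswith(".service") else filename
    norm = normalize(stem)
    if stem != norm and norm in LEGIT_NAMES:
        findings.append(f"{filename}: lookalike unit name (mimics {norm}.service)")
    m = re.search(r"^ExecStart=\s*(\S+)", content, re.MULTILINE)
    if m:
        path = m.group(1)
        # PumaBot writes itself to /lib/redis; a daemon launched from /lib/ is suspect.
        if path.startswith("/lib/") or not path.startswith(EXPECTED_BIN_DIRS):
            findings.append(f"{filename}: ExecStart binary in unexpected location {path}")
    return findings

def scan(units):
    """units: {filename: content}. Returns only the files with findings."""
    report = {}
    for name, content in units.items():
        found = inspect_unit(name, content)
        if found:
            report[name] = found
    return report

# Constructed sample unit files (not real captures): two following PumaBot's
# pattern and one legitimate redis-server unit that should pass clean.
SAMPLE_UNITS = {
    "mysqI.service": "[Unit]\nDescription=MySQL\n[Service]\nExecStart=/lib/redis\n"
                     "Restart=always\n[Install]\nWantedBy=multi-user.target\n",
    "redis.service": "[Unit]\nDescription=Redis\n[Service]\nExecStart=/lib/redis\n",
    "redis-server.service": "[Service]\nExecStart=/usr/bin/redis-server /etc/redis/redis.conf\n",
}

if __name__ == "__main__":
    for name, found in scan(SAMPLE_UNITS).items():
        print(name, found)
```

On a live host the same functions can be fed the contents of /etc/systemd/system/*.service and /lib/systemd/system/*.service.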

The botnet’s functionality extends beyond initial compromise. PumaBot collects system information, including OS name, kernel version, and architecture, via commands like `uname -a`. This data, along with the victim’s IP, port, username, and password, is exfiltrated to the C2 server in a JSON payload, using a custom HTTP header. The malware then awaits commands, with observed instructions including “xmrig” and “networkxm,” indicating cryptocurrency mining as a primary objective. These commands lack full path specifications, suggesting additional payloads are downloaded or unpacked on the infected host, further expanding the attack’s scope.  

PumaBot employs advanced evasion tactics to avoid detection. It includes fingerprinting logic to bypass honeypots and restricted environments, notably checking for the string “Pumatronix,” a manufacturer of surveillance and traffic camera systems. This suggests either a deliberate focus on or exclusion of specific IoT devices, potentially tailoring its campaign to surveillance systems. By avoiding automatic propagation like a worm, PumaBot operates as a semi-automated botnet, relying on C2-driven target selection and brute-forcing to expand its reach.  

Related binaries uncovered during Darktrace’s analysis include *ddaemon*, a Go-based backdoor that retrieves and executes *networkxm*, and *installx.sh*, a shell script that downloads additional payloads from domains like “1.lusyn[.]xyz” and clears bash history to cover its tracks. These components indicate a broader campaign leveraging multiple tools to maximize compromise and persistence. PolySwarm analysts consider PumaBot to be an emerging threat.

IOCs

PolySwarm has multiple samples associated with this activity.

a5125945d7489d61155723259990c168db01dfedcd76a2e1ba08caa3c4532ca3

426276a76f20b823e896e3c08f1c42f3d15a91a55c3613c7b3bdfbef0bbed9a9

0957884a5864deb4389da3b68d3d2a139b565241da3bb7b9c4a51c9f83b0f838

You can use the following CLI command to search for all PumaBot samples in our portal:

$ polyswarm link list -f PumaBot
