Advanced Linux Rootkit Puma Emerges as Sophisticated Cyber Threat

CyberSecureFox 🦊

Cybersecurity researchers at Solar 4RAYS have uncovered a sophisticated Linux rootkit named Puma, developed and deployed by the pro-Ukrainian threat actor Shedding Zmiy. This discovery represents a significant evolution in malware capabilities, particularly in its advanced stealth mechanisms and persistent threat characteristics.

Anatomy of the Advanced Persistent Threat

The malware was identified during an incident investigation at a Russian IT company, where the threat actors maintained unauthorized access for approximately 18 months. Initial compromise occurred through a Bitrix software vulnerability in August 2023, followed by widespread infection of the company's systems in November 2023. Investigators traced the attackers' lateral movement to suspicious SSH connections made with privileged credentials.

Technical Analysis of the Puma Rootkit

The Puma rootkit, engineered as a Linux kernel module in C, operates in conjunction with its command-and-control component, Pumatsune. The malware’s sophisticated capabilities include process hiding, system call interception, and data exfiltration mechanisms. This combination of features makes Puma particularly challenging to detect using conventional security tools.

Advanced Malware Arsenal

Beyond the Puma rootkit, the threat actors deployed multiple malicious tools, including the Megatsune rootkit and various versions of the Bulldog Backdoor. The attackers demonstrated advanced tradecraft by implementing modified system utilities and sophisticated process masquerading techniques to evade detection and maintain persistence.

Strategic Threat Assessment

Shedding Zmiy has emerged as a significant threat actor, demonstrating remarkable adaptability in their attack methodologies. According to Solar 4RAYS analysis, the group was responsible for 34% of investigated security incidents in 2024. Their tactics range from long-term cyber espionage to destructive attacks, including infrastructure encryption and destruction, depending on target profiling.

The discovery of the Puma rootkit marks a significant milestone in the evolution of threats targeting Linux systems. Because the rootkit lives in the kernel and hides its own processes, conventional host tools cannot be trusted to report it, so security teams need enhanced system monitoring, timely security updates, and proactive threat hunting that cross-checks what the compromised host reports against independent sources. Organizations are advised to conduct regular security assessments and maintain up-to-date incident response plans to address this class of advanced persistent threat.
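As an added illustration of the hunting approach the article recommends against the process hiding described in the technical analysis (constructed example code, not from Solar 4RAYS or the Puma analysis): a kernel module that hooks the directory-listing syscalls can drop a PID from `ls /proc` while `/proc/<pid>` remains reachable by direct path, so comparing the two views exposes the gap. The script assumes that hiding mechanism; thread IDs (never listed by design) and processes that exit between the two scans are filtered out.

```python
# Hunt check for the process hiding described above. Added illustration, not
# code from Solar 4RAYS or the Puma analysis. Assumption: the rootkit filters a
# PID out of the /proc directory listing (getdents) while /proc/<pid> stays
# reachable by path. Thread IDs (never listed, by design) and processes that
# exit between the two scans are filtered out so they are not reported.
import os

def parse_pid_listing(names):
    """PIDs as a (possibly hooked) directory listing of /proc reports them."""
    return {int(n) for n in names if n.isdigit()}

def parse_tgid(status_text):
    """Tgid from a /proc/<pid>/status body; equals the PID only for the
    thread-group leader, which is the entry readdir is expected to show."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None

def listed_pids(proc="/proc"):
    try:
        return parse_pid_listing(os.listdir(proc))
    except FileNotFoundError:  # not a Linux host
        return set()

def probed_pids(pid_max, proc="/proc"):
    """Thread-group leaders found by opening /proc/<pid>/status directly."""
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            with open(f"{proc}/{pid}/status") as f:
                if parse_tgid(f.read()) == pid:
                    found.add(pid)
        except OSError:  # no such PID, or not a Linux host
            pass
    return found

def hidden_pids(listed, probed, recheck=lambda pid: True):
    """PIDs reachable by path but absent from the listing; recheck() drops
    processes that simply exited between the two scans."""
    return {pid for pid in probed - listed if recheck(pid)}

def hunt(proc="/proc", pid_max=32768):
    """Live scan; pass the host's /proc/sys/kernel/pid_max for full coverage."""
    probed, listed = probed_pids(pid_max, proc), listed_pids(proc)
    still_hidden = lambda pid: (os.path.exists(f"{proc}/{pid}")
                                and pid not in listed_pids(proc))
    return hidden_pids(listed, probed, still_hidden)

if __name__ == "__main__":
    print("hidden PIDs:", sorted(hunt()) or "none")
```

A rootkit that also hooks the path-based lookup will defeat this check, which is why the result should be corroborated from outside the host (network telemetry, or an offline image of the system).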
