PumaBot: Sophisticated Go-Based Malware Emerges as Major Threat to Linux IoT Systems

CyberSecureFox Editorial Team

Darktrace researchers have uncovered PumaBot, a Go-based Linux botnet that uses SSH password-guessing against specific IP targets provided by its C2 server. Unlike typical internet-wide scanners, PumaBot receives curated target lists and focuses on Pumatronix traffic cameras and surveillance equipment, establishing miners, credential stealers, and PAM-based persistence once inside.

Advanced Targeting and Attack Methodology

Unlike conventional botnet malware, PumaBot employs a highly selective approach to target acquisition. The malware receives specific IP address lists from its command and control (C2) server through the domain ssh.ddos-cc[.]org, subsequently launching precise SSH brute-force attacks against port 22 of selected targets. A notable characteristic of the malware is its specific search for “Pumatronix” strings within compromised systems, suggesting a targeted campaign against surveillance equipment and traffic cameras manufactured by this vendor.

Sophisticated System Persistence Techniques

Upon successful infiltration, PumaBot implements a multi-stage persistence strategy that demonstrates considerable technical sophistication. The malware first performs environment validation using uname -a commands to detect potential honeypots. It then establishes persistence by disguising its primary executable as a legitimate Redis component within the /lib/redis directory and creates systemd services masquerading as either redis.service or mysqI.service.

Malicious Component Analysis

Security analysis reveals several malicious components deployed post-compromise:

  • Self-updating scripts that keep the malware current
  • PAM rootkits that replace the system’s pam_unix.so file to capture all authentication credentials
  • Credential-stealing daemons that exfiltrate captured data to the C2
  • Cryptocurrency mining modules including xmrig and networkxm implementations

Credential Theft and Data Exfiltration

The malware’s modified PAM module represents a particularly sophisticated threat, capturing both local and remote SSH credentials and storing them in a con.txt file. This maps directly to modification of Pluggable Authentication Modules, a technique used for credential theft, persistence, and defense evasion. A dedicated daemon then exfiltrates the stolen data to the C2 server and performs cleanup to reduce forensic visibility.

Linux IoT Devices With Default SSH Credentials as Primary Targets

PumaBot specifically seeks systems containing Pumatronix strings — traffic cameras and surveillance equipment used in transportation and smart-city infrastructure. More broadly, any internet-exposed Linux device with weak or default SSH credentials on port 22 is at risk: IP cameras, DVRs, edge nodes, routers, and embedded systems. Pumatronix product documentation itself references SSH-based management features and secure protocols, which helps explain why exposed administrative services are such a valuable target if password hygiene is weak.

Hardening Linux IoT Devices Against PumaBot and SSH Brute-Force

  • Disable password-based SSH authentication — require key-based authentication only
  • Restrict SSH access by source IP using firewall rules or ACLs; block port 22 from the public internet wherever remote access is not needed
  • Monitor /lib/ and systemd unit files for unexpected Redis or MySQL service entries masquerading as legitimate processes
  • Audit PAM configuration — verify the integrity of pam_unix.so and other PAM modules against known-good checksums
  • Place IoT devices on their own network segment so that a compromised camera cannot reach corporate systems or exfiltrate data freely
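The hardening list above, turned into an audit script (added here; not code from Darktrace or from the article). The sshd_config text, the unit list and the PAM module bytes are constructed samples, and in practice the known-good hash would come from the device's vendor image or package manifest.

```python
"""Audit checks for the PumaBot indicators described in the article.
All sample data below is constructed for illustration."""
import hashlib
import re

# Service names the malware is reported to masquerade as. "mysqI.service" swaps a
# capital I for the lowercase l, so confusable letters are normalised before comparing.
LEGIT_NAMES = {"redis", "mysql"}
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o"})
MALWARE_DIR = "/lib/redis/"  # directory the article says the executable hides in


def sshd_password_auth_enabled(sshd_config: str) -> bool:
    """True if password SSH logins are still possible. sshd honours the first
    matching directive and defaults to 'yes' when none is present; Match blocks
    are not evaluated here, so treat a False result as necessary, not sufficient."""
    for line in sshd_config.splitlines():
        m = re.match(r"^\s*PasswordAuthentication\s+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1).lower() != "no"
    return True


def suspicious_units(units: dict) -> list:
    """units maps a systemd unit name to its ExecStart binary path. Returns
    (unit, reason) pairs for homoglyph service names and for binaries under /lib/redis."""
    findings = []
    for name, exec_start in units.items():
        stem = name.removesuffix(".service")
        if stem not in LEGIT_NAMES and stem.translate(CONFUSABLES) in LEGIT_NAMES:
            findings.append((name, "homoglyph of a legitimate service name"))
        if exec_start.startswith(MALWARE_DIR):
            findings.append((name, "ExecStart under /lib/redis"))
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pam_module_tampered(module_bytes: bytes, known_good_sha256: str) -> bool:
    """Compare the on-disk pam_unix.so against a known-good checksum."""
    return sha256_hex(module_bytes) != known_good_sha256


# Constructed sample inputs mirroring the indicators in the article.
SAMPLE_SSHD_CONFIG = "# constructed sample\nPort 22\nPasswordAuthentication yes\n"
SAMPLE_UNITS = {
    "mysqI.service": "/lib/redis/mysqI",
    "redis.service": "/lib/redis/redis-server",
    "ssh.service": "/usr/sbin/sshd",
}
SAMPLE_PAM_GOOD = b"constructed pam_unix.so contents"
```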
