PumaBot: New Go-Based Botnet Targets Embedded Linux IoT Devices via SSH Brute-Force

Security researchers have identified a new malware campaign targeting Linux-based embedded Internet of Things (IoT) devices, using a botnet dubbed PumaBot. Written in the Go programming language, PumaBot is engineered to brute-force SSH credentials, gain persistence, and deliver additional malicious payloads, including cryptocurrency miners and backdoors.

According to a recent analysis by Darktrace, the botnet avoids internet-wide scanning. Instead, it obtains a curated list of target IPs from a command-and-control (C2) server and selectively initiates attacks, making it more stealthy and deliberate than traditional botnets.

How PumaBot Gains Access

PumaBot begins by retrieving a list of potential SSH targets from ssh.ddos-cc[.]org. It attempts to brute-force login credentials for each IP address, specifically targeting systems with open SSH ports.

Before executing brute-force attempts, PumaBot performs environmental checks to determine whether the system is:

  • A honeypot (used by researchers to detect malware behavior)

  • Running software or containing identifiers related to Pumatronix, a manufacturer of surveillance and traffic camera systems

This fingerprinting process helps the malware select appropriate targets and avoid detection environments.

Establishing Persistence and Disguise

Once PumaBot gains access to a system, it performs the following actions:

  1. System Reconnaissance
    It collects and exfiltrates basic host data to its C2 server.

  2. Persistence Setup
    It copies itself to /lib/redis, masquerading as a legitimate Redis library.

  3. Service Creation
    PumaBot sets up a systemd service at /etc/systemd/system, disguising itself as:

    • redis.service or

    • mysqI.service (with a capital “I” to imitate mysql)

This ensures that the malware survives reboots and appears benign at a glance.

Malicious Commands and Payloads

PumaBot executes commands such as xmrig and networkxm, indicating that it is used to mine cryptocurrency, likely Monero, given the use of XMRig. These binaries are not embedded in the initial payload, suggesting they are downloaded or unpacked elsewhere on the host system.

Darktrace’s analysis revealed additional payloads and shell scripts involved in PumaBot’s extended capabilities:

1. ddaemon

A Go-based backdoor that:

  • Retrieves networkxm binary

  • Executes the installx.sh script

2. networkxm

An SSH brute-force utility that:

  • Fetches a password list from a C2 server

  • Attempts logins across the listed IPs

3. installx.sh

A shell script that:

  • Downloads jc.sh from 1.lusyn[.]xyz

  • Grants it execution permissions

  • Clears bash history after execution

4. jc.sh

Performs:

  • Replacement of the legitimate pam_unix.so file with a malicious variant

  • Execution of another binary named 1

5. pam_unix.so

A credential-stealing rootkit:

  • Intercepts successful logins

  • Logs credentials to /usr/bin/con.txt

6. 1

A monitoring tool that:

  • Watches for the creation of con.txt

  • Exfiltrates its contents to the same C2 server

Detection and Mitigation Guidance

PumaBot’s use of automation, native Linux tools, and stealth techniques makes it particularly dangerous for unmanaged or insecure IoT devices. Given its worm-like spreading method, administrators are urged to adopt the following measures:

  • Monitor SSH logs for repeated failed login attempts

  • Audit systemd services for suspicious entries like redis.service or mysqI.service

  • Review SSH authorized_keys for unfamiliar public keys

  • Apply strict firewall rules to restrict SSH exposure

  • Block outbound requests to suspicious domains and monitor for headers like X-API-KEY: jieruidashabi
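An added defender-side example, not part of the original article or the Darktrace report: it counts failed SSH logins per source IP from sample sshd log lines and audits a systemd unit for the disguises described in the persistence section above (the mysqI lookalike name and an executable placed directly in /lib). The log lines, IP addresses and unit file contents are constructed for the example.

```python
import os
import re
from collections import Counter

# Constructed sample sshd log lines (not from the report); IPs are documentation placeholders.
SAMPLE_AUTH_LOG = """\
May 20 10:01:02 cam01 sshd[812]: Failed password for root from 203.0.113.5 port 51234 ssh2
May 20 10:01:03 cam01 sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
May 20 10:01:05 cam01 sshd[812]: Failed password for root from 203.0.113.5 port 51240 ssh2
May 20 10:01:09 cam01 sshd[813]: Accepted password for root from 203.0.113.5 port 51244 ssh2
May 20 10:02:00 cam01 sshd[820]: Failed password for pi from 198.51.100.9 port 40001 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")


def brute_force_sources(log_text: str, threshold: int = 3) -> dict:
    """Count failed SSH logins per source IP and keep sources at or above the threshold."""
    counts = Counter(m.group(1) for m in FAILED_RE.finditer(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Characters swapped in to imitate a legitimate name (capital I for l, as in mysqI.service).
LOOKALIKES = str.maketrans({"I": "l", "1": "l", "0": "o"})
KNOWN_SERVICES = {"redis", "mysql"}


def audit_unit(unit_name: str, unit_text: str) -> list:
    """Flag a unit whose name imitates a known service or whose ExecStart binary sits directly in /lib."""
    findings = []
    stem = unit_name[: -len(".service")] if unit_name.endswith(".service") else unit_name
    imitated = stem.translate(LOOKALIKES).lower()
    if stem not in KNOWN_SERVICES and imitated in KNOWN_SERVICES:
        findings.append(f"lookalike-name:{imitated}")
    for line in unit_text.splitlines():
        if line.startswith("ExecStart="):
            # Strip systemd's optional executable prefixes (-, @, :, +, !) before looking at the path.
            exe = line.split("=", 1)[1].strip().lstrip("-@:+!").split()[0]
            if os.path.dirname(exe) in ("/lib", "/lib64"):
                findings.append(f"exec-in-lib:{exe}")
    return findings


# Constructed unit files: the first mimics the /lib/redis disguise, the second is a normal redis unit.
FAKE_UNIT = "[Service]\nExecStart=/lib/redis\nRestart=always\n"
REAL_UNIT = "[Service]\nExecStart=/usr/bin/redis-server /etc/redis/redis.conf\n"

if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_AUTH_LOG))
    for name, text in (("mysqI.service", FAKE_UNIT), ("redis.service", FAKE_UNIT), ("redis.service", REAL_UNIT)):
        print(name, audit_unit(name, text))
```

On a real host, feed the functions the contents of /var/log/auth.log (or journalctl -u ssh output) and each file under /etc/systemd/system.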

“The botnet represents a persistent Go-based SSH threat that leverages automation, credential brute-forcing, and native Linux tools to gain and maintain control over compromised systems,” Darktrace noted.

Conclusion

PumaBot is a sophisticated malware strain that blends stealth, adaptability, and monetization. By targeting exposed SSH services on embedded Linux devices, disguising itself as legitimate system components, and using modular payloads for credential theft and mining, PumaBot underscores the importance of basic security hygiene, regular patching, and proactive system monitoring in today’s threat landscape.