Rise of PumaBot: The Go-Based Botnet Turning Linux IoT Devices Into Crypto-Mining Machines

In the constantly evolving world of cybersecurity threats, a new digital predator is on the loose—and it’s targeting the increasingly ubiquitous Internet of Things (IoT). Dubbed PumaBot, this stealthy and highly persistent botnet is written in Go and is now actively compromising embedded Linux-based IoT devices, using brute-force tactics and advanced camouflage to stay hidden while building an underground network of compromised systems.
Unlike traditional botnets that scan the internet for vulnerable targets, PumaBot follows a more targeted and controlled approach. According to cybersecurity firm Darktrace, which analyzed the malware and shared its findings with The Hacker News, PumaBot doesn't blindly scan IP ranges. Instead, it retrieves a pre-selected list of targets from a command-and-control (C2) server—specifically from ssh.ddos-cc[.]org—and launches brute-force SSH login attacks to gain access.
Once inside a device, PumaBot isn’t just content with initial access. It immediately checks for signs of a honeypot—a cybersecurity trap set to monitor or catch malware. The botnet also scans for the presence of the string "Pumatronix," a company known for manufacturing surveillance and traffic camera systems, hinting at either a specific targeting method or an exclusion mechanism for certain systems.
When the target passes these checks, PumaBot proceeds with its mission:
- Collect basic system data
- Send the data back to the C2 server
- Establish persistence using system service files disguised to appear legitimate
To blend in, the malware writes itself to the path /lib/redis, mimicking a legitimate Redis system file. It also sets up a systemd service named redis.service or a deceptively named mysqI.service (note the capital “I”) to ensure it survives reboots and maintains control over the infected device.
But its goals go beyond just access and persistence. PumaBot is designed for profit—it installs and runs cryptomining operations on the compromised systems. Two key commands, "xmrig" and "networkxm", point to illicit cryptocurrency mining, a method that consumes system resources for the attacker’s financial gain.
Darktrace's analysis uncovered several related components suggesting a wider and more sophisticated operation:
- ddaemon: A Go-based backdoor that downloads and executes “networkxm” and a script called “installx.sh”
- networkxm: Another brute-force tool, used to expand the botnet further
- installx.sh: A script that downloads and runs “jc.sh” while clearing bash history to cover tracks
- jc.sh: Retrieves a malicious pam_unix.so file (used for credential theft) and another binary called “1”
- pam_unix.so: Replaces the legitimate PAM authentication module to capture user login credentials, writing them to /usr/bin/con.txt
- Binary “1”: Monitors for the file “con.txt” and exfiltrates the stolen credentials to the attacker
This modular attack chain highlights how PumaBot is more than just another botnet—it’s a worm-like, multi-stage cyber threat with a clear strategy to evade detection, gain long-term access, and extract both system value and sensitive data.
What You Should Watch Out For
Given its SSH brute-force tactics, PumaBot exhibits worm-like self-spreading behavior. Users and administrators should be vigilant and take the following precautions:
- Monitor failed SSH login attempts for anomalies
- Regularly audit systemd services for unusual entries
- Check for unauthorized entries in authorized_keys files
- Apply strict firewall rules to minimize SSH exposure
- Filter suspicious HTTP requests—especially those with headers like X-API-KEY: jieruidashabi
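As an added example (not code from the article or from Darktrace), the following Python triage script checks a host against the indicators listed above: the /lib/redis drop path and con.txt credential dump, systemd units that either point at /lib/redis or impersonate a common service name with a capital “I” (the mysqI.service trick), repeated failed SSH logins per source address, and HTTP log lines carrying the reported X-API-KEY value. All sample input is constructed; the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges.

```python
import os
import re
from collections import Counter
from typing import Callable, Iterable

# Artifacts named in the write-up: drop path, credential dump, service names.
PUMABOT_PATHS = ("/lib/redis", "/usr/bin/con.txt")
COMMON_UNITS = {"mysql.service", "redis.service", "sshd.service"}
API_KEY_RE = re.compile(r"X-API-KEY:\s*jieruidashabi", re.IGNORECASE)
FAILED_SSH_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")


def suspicious_units(units: dict) -> list:
    """units maps a systemd unit name to its ExecStart path.
    A unit is flagged when its binary is the /lib/redis drop path or when its
    name is a homoglyph of a common service (mysqI.service with a capital I)."""
    hits = []
    for name, exec_path in units.items():
        lookalike = name.replace("I", "l").replace("1", "l")
        homoglyph = name != lookalike and lookalike in COMMON_UNITS
        if os.path.normpath(exec_path) == "/lib/redis" or homoglyph:
            hits.append(name)
    return hits


def brute_force_sources(auth_lines: Iterable[str], threshold: int = 5) -> dict:
    """Count failed SSH logins per source address; return those at or above threshold."""
    counts = Counter()
    for line in auth_lines:
        match = FAILED_SSH_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def c2_header_hits(http_lines: Iterable[str]) -> list:
    """Return request log lines carrying the X-API-KEY value reported for PumaBot."""
    return [line for line in http_lines if API_KEY_RE.search(line)]


def dropped_artifacts(exists: Callable[[str], bool] = os.path.exists) -> list:
    """Return which PumaBot file paths exist on this host (exists is injectable)."""
    return [path for path in PUMABOT_PATHS if exists(path)]


if __name__ == "__main__":
    # Constructed sample input (documentation IP range), not real log data.
    auth = ["sshd[1]: Failed password for invalid user admin from 203.0.113.9 port 4000 ssh2"] * 6
    units = {"mysqI.service": "/lib/redis", "sshd.service": "/usr/sbin/sshd"}
    print(suspicious_units(units), brute_force_sources(auth), dropped_artifacts())
```

Run it from a cron job or a configuration-management check; the injectable `exists` argument lets you point the path check at a mounted image of a suspect device instead of the live root.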
Darktrace warns that PumaBot is “a persistent Go-based SSH threat” that uses automation, Linux-native tools, and legitimate-looking disguises to maintain control while hiding in plain sight. Its tactics of mimicking common binaries like Redis, leveraging systemd for stealthy persistence, and avoiding honeypots reveal a calculated effort to bypass traditional security defenses.
As IoT devices continue to grow in number—and as many remain poorly secured—PumaBot’s emergence is a stark reminder: every connected device can become a gateway for cybercrime if left unprotected.