A new botnet named PumaBot is quietly taking over Linux-based IoT devices worldwide. Unlike other botnets, it doesn’t randomly attack the internet. Instead, it uses precise tactics to breach security cameras, routers, and smart gadgets. Here’s what you need to know.
What makes PumaBot different?
Most botnets spray login attempts at random IP addresses. PumaBot is more deliberate: it fetches target lists from its command-and-control server (ssh.ddos-cc[.]org), then brute-forces SSH passwords on exactly those devices. It's like a burglar targeting houses with known weak locks.
“This isn’t some kid in a basement randomly attacking devices,” says a cybersecurity analyst. “PumaBot operators are professionals using military-style reconnaissance.”
How PumaBot sneaks into devices
The attack unfolds in three steps:
Step 1: The fake ID check
Before attacking, PumaBot checks if a device is real. It looks for the string “Pumatronix” – a known maker of traffic cameras. This suggests attackers target specific gear or avoid decoy systems.
Step 2: The camouflage
Once inside, PumaBot disguises itself as Redis database software. It hides in /lib/redis and creates fake system services named redis.service or mysqI.service (with a capital I to trick admins).
Step 3: The backdoor
The botnet plants its own SSH key in the authorized_keys file. Even if you delete the malware, this secret key lets attackers waltz back in anytime.
What happens after infection?
Compromised devices are turned into cryptocurrency miners and credential harvesters. Darktrace researchers found that PumaBot:
• Runs the XMRig software to mine Monero cryptocurrency
• Installs rootkits that steal login credentials
• Uses a tool called networkxm to launch further SSH brute-force attacks
• Exfiltrates stolen data through Chinese domains such as lusyn[.]xyz
The most disturbing component? A malicious pam_unix.so file that intercepts every successful login. Captured passwords are written to /usr/bin/con.txt before being sent to the attackers.
Why your old security camera is at risk
PumaBot targets two common IoT weaknesses:
1. Default passwords: Many devices never change factory-set logins like admin/admin
2. Outdated software: Manufacturers often stop updating devices after 2-3 years
“Your grandma’s internet-connected thermostat could be mining crypto right now,” jokes a Reddit user discussing the botnet. The scary truth? They’re not entirely wrong.
How to protect your devices
Cybersecurity experts recommend four key steps:
1. Change default passwords: use new credentials of at least 12 characters that mix letters, numbers and symbols
2. Block SSH from the internet: use a VPN for remote access instead of exposing the port
3. Hunt for fake services: check /etc/systemd/system for suspicious entries, including unit names that look almost right (such as mysqI.service with a capital I)
4. Monitor SSH logs: look for repeated failed login attempts from unfamiliar locations
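Steps 3 and 4 above, together with the authorized_keys backdoor from step 3 of the infection chain, can be turned into a quick host check. The script below is an added example, not code from the article or from Darktrace; the HOMOGLYPHS table and the sample unit files and key lines are assumptions constructed for the demo, and the lookalike/ExecStart checks are applied to whichever unit directory you pass in.

```python
import os
import re
import tempfile

# Indicators quoted in the write-up: PumaBot's install directory and the unit names it mimics.
# HOMOGLYPHS is an assumption: it folds characters that look like the letter they replace.
SUSPECT_DIR = "/lib/redis"
LEGIT_UNITS = {"redis.service", "mysql.service"}
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "0": "o"})
EXEC_RE = re.compile(r"^\s*ExecStart\s*=\s*(\S+)", re.MULTILINE)

def suspicious_units(unit_dir):
    """Flag *.service files that are a lookalike of a real unit or whose ExecStart runs from /lib/redis."""
    findings = []
    for name in sorted(os.listdir(unit_dir)):
        if not name.endswith(".service"):
            continue
        folded = name.translate(HOMOGLYPHS)
        if folded in LEGIT_UNITS and folded != name:  # e.g. mysqI.service -> mysql.service
            findings.append((name, "lookalike of " + folded))
        with open(os.path.join(unit_dir, name), errors="replace") as fh:
            match = EXEC_RE.search(fh.read())
        if match and match.group(1).startswith(SUSPECT_DIR + "/"):
            findings.append((name, "ExecStart under " + SUSPECT_DIR))
    return findings

def unknown_authorized_keys(path, allowed):
    """Return key lines whose 'type base64' pair is not in `allowed` (the step-3 backdoor)."""
    unknown = []
    with open(path) as fh:
        for line in fh:
            parts = line.split() if not line.startswith("#") else []
            for i, tok in enumerate(parts[:-1]):  # skip any leading key options
                if tok.startswith(("ssh-", "ecdsa-", "sk-")):
                    if tok + " " + parts[i + 1] not in allowed:
                        unknown.append(line.strip())
                    break
    return unknown

def demo():
    """Run both checks on a constructed sample tree (not files taken from a real device)."""
    root = tempfile.mkdtemp()
    sample = {"redis.service": "[Service]\nExecStart=/usr/bin/redis-server\n",
              "mysqI.service": "[Service]\nExecStart=/lib/redis/mysqI --daemon\n",
              "sshd.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
              "authorized_keys": "ssh-ed25519 AAAAC3KNOWNKEY admin@laptop\n"
                                 'command="/bin/true" ssh-rsa AAAAB3UNKNOWNKEY x\n'}
    for name, body in sample.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    keys = os.path.join(root, "authorized_keys")
    return suspicious_units(root), unknown_authorized_keys(keys, {"ssh-ed25519 AAAAC3KNOWNKEY"})
```

On a real host, point suspicious_units at /etc/systemd/system and unknown_authorized_keys at each user's ~/.ssh/authorized_keys with the keys you actually issued as the allowlist.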
As PumaBot continues evolving, one thing’s clear: IoT security can’t be an afterthought anymore. Your smart fridge might just be the weakest link in your digital life.