**New Go-Based Botnet PumaBot Targets IoT Devices for Corporate Infiltration**
Security researchers at Darktrace have uncovered PumaBot, a sophisticated Go-based Linux botnet that brute-forces SSH credentials on embedded IoT devices—particularly surveillance and traffic cameras—to deploy malicious payloads. Unlike traditional botnets that scan the internet broadly, PumaBot operates with precision, targeting specific IP addresses provided by its command-and-control (C2) server (ssh.ddos-cc.org).
The attack begins with the botnet receiving a curated list of target IPs from its C2. It then attempts to gain access via port 22 (SSH), checking for the string "Pumatronix"—a possible indicator of surveillance hardware from a specific vendor. Once inside, PumaBot verifies the device isn’t a honeypot by running uname -a, then establishes persistence by writing its binary (jierui) to /lib/redis and creating a systemd service (redis.service). It also injects its SSH key into authorized_keys to maintain access even if the primary infection is removed.
Active infections enable further compromise, including data exfiltration, payload delivery, and lateral movement. Darktrace observed payloads such as self-updating scripts, a PAM rootkit that replaces pam_unix.so to harvest SSH credentials, and a daemon (binary "1") that monitors and exfiltrates stolen data stored in con.txt before wiping the file to cover its tracks.
While the botnet’s scale remains unclear, its targeted approach suggests a focus on corporate network infiltration rather than low-level cybercrime like DDoS attacks. The discovery highlights the growing threat of IoT-focused malware designed to breach enterprise environments.
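The following Python is an added example, not part of the original write-up or of Darktrace's tooling. It sketches the defender's side of the tradecraft described above: a brute-force detector over sshd log lines (a threshold of failed logins inside a sliding window, plus whether a successful login from the same source followed), and a host audit for the persistence artefacts named in the summary (a drop under /lib/redis, a redis.service unit, authorized_keys entries not on an allowlist, a con.txt staging file, and a pam_unix.so digest that no longer matches a known-good baseline). Every input is constructed; the pam_unix.so baseline digest is a placeholder, and con.txt is matched by filename only because the write-up does not give its directory.

```python
"""Defender-side triage for the PumaBot tradecraft described above (added example).
All inputs are constructed: sshd log lines, a host artifact snapshot, a key allowlist."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators named in the write-up above.
IOC_DIR = "/lib/redis"          # directory the 'jierui' binary is written to
IOC_UNIT = "redis.service"      # systemd persistence unit
IOC_LOOT_BASENAME = "con.txt"   # credential staging file; directory not given, so match by name
# Hypothetical placeholder: a real baseline comes from the vendor package or a golden image.
BASELINE_PAM_UNIX_SHA256 = "PLACEHOLDER-known-good-pam_unix.so-sha256"

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_sshd(lines, year=2025):
    """Turn syslog-style sshd lines into (timestamp, result, user, ip) tuples."""
    events = []
    for line in lines:
        m = SSHD_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed logins inside one sliding window,
    and record whether a successful login from that IP followed the failures."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[3]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [ts for ts, result, _, _ in evs if result == "Failed"]
        burst, start = 0, 0
        for i, ts in enumerate(fails):       # largest number of failures inside any window
            while ts - fails[start] > window:
                start += 1
            burst = max(burst, i - start + 1)
        if burst >= threshold:
            accepted_after = any(r == "Accepted" and ts > fails[0] for ts, r, _, _ in evs)
            findings[ip] = {"failures": len(fails), "burst": burst,
                            "accepted_after_failures": accepted_after}
    return findings

def audit_host(snapshot, key_allowlist):
    """Check a host artifact snapshot for the persistence artefacts the write-up names."""
    findings = []
    for path in snapshot.get("files", []):
        if path == IOC_DIR or path.startswith(IOC_DIR + "/"):
            findings.append(f"ioc_path:{path}")
        if path.rsplit("/", 1)[-1] == IOC_LOOT_BASENAME:
            findings.append(f"loot_file:{path}")
    if IOC_UNIT in snapshot.get("systemd_units", []):
        findings.append(f"ioc_unit:{IOC_UNIT}")
    for user, keys in snapshot.get("authorized_keys", {}).items():
        for key in keys:  # allowlist holds "<type> <base64>"; comments are ignored
            parts = key.split()
            if len(parts) >= 2 and " ".join(parts[:2]) not in key_allowlist:
                findings.append(f"unknown_key:{user}:{parts[1][:16]}")
    if snapshot.get("pam_unix_sha256") != BASELINE_PAM_UNIX_SHA256:
        findings.append("pam_unix_modified")
    return findings

def triage(log_lines, snapshot, key_allowlist):
    return {"bruteforce": detect_bruteforce(parse_sshd(log_lines)),
            "host": audit_host(snapshot, key_allowlist)}

# Constructed sample input (not real captures): five failures in 5 s, then a success,
# then a key-based login, plus one unrelated failure hours later.
SAMPLE_LOG = [
    f"Jun  3 02:14:{s:02d} cam01 sshd[{800 + s}]: Failed password for root from 203.0.113.5 port 4000{s} ssh2"
    for s in range(1, 6)
] + [
    "Jun  3 02:14:40 cam01 sshd[818]: Accepted password for root from 203.0.113.5 port 40009 ssh2",
    "Jun  3 02:15:02 cam01 sshd[820]: Accepted publickey for root from 203.0.113.5 port 40010 ssh2",
    "Jun  3 08:00:00 cam01 sshd[900]: Failed password for admin from 198.51.100.7 port 50000 ssh2",
]
SAMPLE_HOST = {  # constructed snapshot of a suspect camera
    "files": ["/lib/redis/jierui", "/usr/bin/uname", "/tmp/con.txt"],
    "systemd_units": ["sshd.service", "redis.service"],
    "authorized_keys": {"root": [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedOpsKey ops@example",
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedInjectedKey",
    ]},
    "pam_unix_sha256": "constructed-digest-that-does-not-match-baseline",
}
KEY_ALLOWLIST = {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedOpsKey"}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG, SAMPLE_HOST, KEY_ALLOWLIST), indent=2))
```

On the sample data the triage flags 203.0.113.5 (five failures in one window, followed by an accepted login) and every host artefact except the allowlisted key; the single failure from 198.51.100.7 stays below the threshold. The "accepted after failures" flag is the one worth paging on, since a guessed password followed by a new key in authorized_keys is exactly the sequence the write-up describes.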
TPRM report: https://www.rankiteo.com/company/perkons-sa
```json
{
  "id": "per1765238749",
  "linkid": "perkons-sa",
  "type": "Cyber Attack",
  "date": "12/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
```
```json
{
  "affected_entities": [
    {
      "industry": "Surveillance/Traffic Monitoring",
      "name": "Pumatronix (suspected vendor of targeted surveillance/traffic camera systems)",
      "type": "IoT Device Manufacturer"
    }
  ],
  "attack_vector": "SSH Brute-Force",
  "data_breach": {
    "data_exfiltration": "Yes (credentials stored in con.txt and exfiltrated to C2)",
    "file_types_exposed": ["Text files (con.txt)"],
    "personally_identifiable_information": "Possible (if SSH credentials include PII)",
    "sensitivity_of_data": "High (SSH credentials, potential PII)",
    "type_of_data_compromised": ["SSH credentials", "Environment information", "Potentially surveillance data"]
  },
  "description": "A newly discovered Go-based Linux botnet malware named PumaBot is brute-forcing SSH credentials on embedded IoT devices to deploy malicious payloads. The malware targets specific IPs based on lists pulled from a command-and-control (C2) server, focusing on surveillance and traffic camera systems. Once access is gained, it establishes persistence, exfiltrates data, and can introduce additional payloads for lateral movement.",
  "impact": {
    "data_compromised": "SSH login credentials, environment information, potentially sensitive surveillance data",
    "identity_theft_risk": "High (if SSH credentials include PII)",
    "operational_impact": "Potential unauthorized access to corporate networks, data exfiltration, and lateral movement",
    "systems_affected": "Embedded IoT devices, particularly surveillance and traffic camera systems"
  },
  "initial_access_broker": {
    "backdoors_established": "SSH authorized_keys injection, systemd service (redis.service)",
    "entry_point": "SSH brute-forcing",
    "high_value_targets": "Surveillance and traffic camera systems (Pumatronix devices)"
  },
  "investigation_status": "Ongoing (size and success of PumaBot unknown)",
  "lessons_learned": "Targeted IoT botnets like PumaBot can facilitate deeper corporate network infiltration. Default credentials and weak SSH security are critical vulnerabilities. Network segmentation and firmware updates are essential defenses.",
  "motivation": "Data exfiltration, lateral movement, potential corporate network infiltration",
  "post_incident_analysis": {
    "corrective_actions": [
      "Enforce strong SSH credentials",
      "Implement network segmentation",
      "Regularly update IoT device firmware",
      "Monitor for IoCs associated with PumaBot"
    ],
    "root_causes": [
      "Weak or default SSH credentials on IoT devices",
      "Lack of network segmentation",
      "Outdated firmware on IoT devices"
    ]
  },
  "ransomware": {"data_exfiltration": "Yes"},
  "recommendations": [
    "Upgrade IoT devices to the latest firmware",
    "Change default credentials",
    "Place IoT devices behind firewalls",
    "Isolate IoT devices in separate networks from valuable systems",
    "Monitor for unusual SSH login attempts",
    "Implement detection rules for PumaBot IoCs"
  ],
  "references": [{"source": "Darktrace"}],
  "response": {
    "enhanced_monitoring": "Recommended",
    "network_segmentation": "Recommended (isolate IoT devices from valuable systems)",
    "third_party_assistance": "Darktrace (documented the attack flow, IoCs, and detection rules)"
  },
  "title": "PumaBot: Go-Based Linux Botnet Targeting IoT Devices via SSH Brute-Forcing",
  "type": "Botnet",
  "vulnerability_exploited": "Weak or default SSH credentials"
}
```