PumaBot: Novel Botnet Targeting IoT Surveillance Devices

Severity: Medium
Published: Wed Jun 04 2025 (06/04/2025, 20:39:09 UTC)
Source: AlienVault OTX General

Description

A new Go-based Linux botnet named PumaBot has been identified targeting IoT devices, particularly surveillance systems. It brute-forces SSH credentials using lists from a C2 server, then deploys itself and establishes persistence. The malware disguises itself as legitimate system files, creates systemd services, and adds SSH keys for backdoor access. It also includes components for credential theft and system monitoring. The botnet demonstrates sophisticated evasion techniques and aims for long-term access to compromised devices.

AI-Powered Analysis

Last updated: 07/07/2025, 03:12:04 UTC

Technical Analysis

PumaBot is a newly identified Linux botnet written in Go that targets Internet of Things (IoT) devices, with a focus on surveillance systems. It does not exploit a software vulnerability: initial access comes from brute-forcing SSH logins with credential lists fetched from its command and control (C2) server. Once a login succeeds, PumaBot copies itself onto the device and establishes persistence by masquerading as legitimate system files and registering systemd services, and it appends its own key to the SSH authorized_keys file so the operator can return even after a reboot or a partial clean-up.

Beyond the core bot, the samples include components for credential theft and system monitoring, which points to an intent to harvest sensitive information and keep compromised devices under long-term surveillance. Evasion consists mainly of disguising its files and processes as ordinary system components, so that a quick look at the process list or the service table does not stand out.

The observed behaviour maps to several MITRE ATT&CK techniques, including T1021.004 (Remote Services: SSH), T1082 (System Information Discovery), T1205 (Traffic Signaling) and T1562.004 (Impair Defenses: Disable or Modify System Firewall), together with the usual persistence, credential access and lateral movement techniques.

Because the campaign relies on password guessing rather than an exploit, exposure is determined by the strength of the credentials on the device. IoT surveillance devices frequently ship with default or shared passwords that are never rotated, so the threat is significant despite the absence of a vulnerability. Writing the bot in Go gives the operators easy cross-compilation for the ARM and MIPS processors common in embedded devices and produces large, statically linked binaries that are slower to reverse engineer than typical C malware. The focus on surveillance equipment is particularly concerning because these devices carry sensitive video feeds and are part of physical security infrastructure.
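The initial-access pattern described above (a run of failed SSH logins from one address, then a successful one) is visible in ordinary sshd logs. The script below is an added example written for this page, not tooling from the Darktrace or AlienVault report. It assumes the standard OpenSSH syslog format (Debian /var/log/auth.log, or journalctl output in the default short format), accepts both the classic sshd process name and the sshd-session name used by OpenSSH 9.8 and later, and uses a default threshold of 5 failures that is an assumption you should tune. The log lines in sample_auth_log are constructed for the demonstration and are not real data.

```shell
#!/bin/sh
# Spot a brute-force that ended in a successful SSH login: many "Failed
# password" lines from one source IP followed by an "Accepted" line from the
# same IP. Added example for this page, not code from the PumaBot report.
# Assumes OpenSSH syslog format; the threshold default (5) is an assumption.

# Print "ALERT <ip>: <n> failed attempts then login as <user>" for each
# source IP that accumulated at least THRESHOLD failures before an Accepted
# line. Usage: ssh_bruteforce_success LOGFILE [THRESHOLD]
ssh_bruteforce_success() {
    awk -v thr="${2:-5}" '
        # The word after "from" is the source IP. Scanning for it tolerates
        # the extra "invalid user" words OpenSSH inserts for unknown accounts.
        function src_ip(    i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1); return "" }
        function user(      i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i - 1); return "" }
        /sshd(-session)?\[[0-9]+\]: Failed password for / { fails[src_ip()]++ }
        /sshd(-session)?\[[0-9]+\]: Accepted (password|publickey) for / {
            ip = src_ip()
            if (fails[ip] >= thr)
                printf "ALERT %s: %d failed attempts then login as %s\n", ip, fails[ip], user()
            fails[ip] = 0   # reset so a later, separate burst is scored on its own
        }
    ' "$1"
}

# Constructed sample lines (not real log data) so the detector runs offline.
# 203.0.113.7 fails four times and then gets in as root; 198.51.100.9 is a
# legitimate admin with one typo before a key-based login.
sample_auth_log() {
    cat <<'EOF'
Jun  4 20:39:01 cam01 sshd[1201]: Failed password for root from 203.0.113.7 port 51201 ssh2
Jun  4 20:39:02 cam01 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51202 ssh2
Jun  4 20:39:03 cam01 sshd[1203]: Failed password for root from 203.0.113.7 port 51203 ssh2
Jun  4 20:39:04 cam01 sshd[1204]: Failed password for root from 203.0.113.7 port 51204 ssh2
Jun  4 20:39:05 cam01 sshd[1205]: Accepted password for root from 203.0.113.7 port 51205 ssh2
Jun  4 20:40:10 cam01 sshd[1210]: Failed password for admin from 198.51.100.9 port 40010 ssh2
Jun  4 20:40:12 cam01 sshd[1211]: Accepted publickey for admin from 198.51.100.9 port 40011 ssh2: ED25519 SHA256:constructed
EOF
}

# sh detect.sh /var/log/auth.log 5
# journalctl -u ssh -o short | sh detect.sh /dev/stdin 5
if [ -n "${1:-}" ]; then
    ssh_bruteforce_success "$1" "${2:-5}"
fi
```

With the sample data and a threshold of 3 the script reports only 203.0.113.7 (four failures, then a password login as root); the admin with a single failed attempt is not flagged. On a real fleet, feed it the logs of every camera and treat any alert as a compromised device until the authorized_keys file and service table have been checked.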

Potential Impact

For European organizations, the emergence of PumaBot presents a substantial risk, especially for entities relying on IoT surveillance devices such as smart cameras, IP-based security systems, and other Linux-based embedded devices. Compromise of these devices can lead to unauthorized access to sensitive video streams, enabling espionage, privacy violations, and potential manipulation of security monitoring. The persistence mechanisms and backdoor access allow attackers to maintain long-term control, facilitating further lateral movement within networks or use of compromised devices as part of larger botnet operations (e.g., DDoS attacks). The theft of credentials and system monitoring capabilities can expose internal network information, increasing the risk of broader compromise. Given the widespread adoption of IoT surveillance in sectors like critical infrastructure, transportation, retail, and public safety across Europe, the botnet could disrupt operational continuity and erode trust in security systems. Additionally, the botnet’s evasion techniques may delay detection and remediation, increasing the window of exposure. The medium severity rating reflects the balance between the complexity of exploitation (requiring brute-force attempts) and the significant impact on confidentiality and availability of surveillance systems.

Mitigation Recommendations

European organizations should go beyond generic advice and apply measures aimed at PumaBot's actual tradecraft:

1. Enforce strong, unique SSH credentials on every IoT surveillance device and remove default accounts. Where the device supports key-based authentication, disable password logins altogether (PasswordAuthentication no in sshd_config), which leaves a credential list nothing to guess.
2. Segment the network so IoT devices are isolated from critical internal systems, and restrict inbound SSH to a management network or jump host rather than exposing it to the internet.
3. Log and monitor SSH login attempts and throttle repeated failures per source address. Prefer source-based throttling or temporary bans (fail2ban is the usual choice) over hard account lockouts, because a lockout policy on a shared admin account lets the attacker lock out the legitimate operator.
4. Use multi-factor authentication for SSH access where the device supports it.
5. Audit devices regularly for unauthorized systemd services, unexpected entries in authorized_keys, and binaries placed in system directories under names that mimic legitimate services; compare the hashes of any suspect binary against the indicators listed below.
6. Deploy endpoint detection that can flag anomalous process behaviour and file modifications on Linux-based IoT devices.
7. Keep firmware and software on surveillance devices current and apply security patches promptly.
8. Consider honeypots or deception technologies to get early warning of scanning and brute-force activity against IoT address space.
9. Maintain an incident response plan that covers IoT device compromise specifically, including rapid isolation, credential rotation (the malware steals credentials, so any password used on a compromised device should be treated as known to the attacker), and forensic capture of the device before reimaging.
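An audit for the persistence artefacts the recommendations above tell you to look for, added here as an example (it is not the Darktrace or AlienVault tooling). It assumes standard Linux paths (/etc/systemd/system, /root/.ssh and /home/*/.ssh/authorized_keys) and sha256sum from coreutils or BusyBox; the list of "suspect" directories is my assumption about where a dropper hides, not an indicator from the report. The root argument lets you run it against a mounted firmware or disk image instead of the live device, which is also the safer choice when the camera's own BusyBox lacks the tools. The files the test exercises it with are constructed.

```shell
#!/bin/sh
# Persistence audit for the tradecraft described above: admin-added systemd
# services, binaries masquerading as system files, planted SSH keys.
# Added example for this page; not tooling from the PumaBot report.
# ROOT is "/" for the live host or the mount point of a firmware/disk image.
# SUSPECT_DIRS is an assumption about where droppers hide, not an IOC.
SUSPECT_DIRS="/lib /usr/lib /tmp /var/tmp /dev/shm /run"

# Print "unit|exec" for each admin-added unit file in ROOT/etc/systemd/system.
list_units() {
    root="${1%/}"
    find "$root/etc/systemd/system" -maxdepth 1 -type f -name '*.service' 2>/dev/null |
    while IFS= read -r unit; do
        # first word after ExecStart=, ignoring the -, @, +, ! prefix characters
        exe=$(sed -n 's/^ExecStart=[-@+!]*\([^ ]*\).*/\1/p' "$unit" | head -n 1)
        printf '%s|%s\n' "$(basename "$unit")" "$exe"
    done
}

# Flag units that execute from SUSPECT_DIRS or whose binary no longer exists.
# Units that run systemd's own helpers under /lib/systemd are skipped.
flag_units() {
    root="${1%/}"
    list_units "$root" | while IFS='|' read -r unit exe; do
        reason=""
        case "$exe" in /lib/systemd/*|/usr/lib/systemd/*) continue ;; esac
        for d in $SUSPECT_DIRS; do
            case "$exe" in "$d"/*) reason="exec in $d" ;; esac
        done
        if [ -n "$exe" ] && [ ! -e "$root$exe" ]; then
            reason="${reason:+$reason, }binary missing"
        fi
        if [ -n "$reason" ]; then
            printf 'SUSPECT unit %s -> %s (%s)\n' "$unit" "$exe" "$reason"
        fi
    done
}

# Print "unit|exec|sha256" for every unit binary that exists, so the values
# can be compared with the SHA-256 indicators in the IOC list.
hash_unit_binaries() {
    root="${1%/}"
    list_units "$root" | while IFS='|' read -r unit exe; do
        [ -n "$exe" ] && [ -f "$root$exe" ] || continue
        printf '%s|%s|%s\n' "$unit" "$exe" "$(sha256sum "$root$exe" | cut -d' ' -f1)"
    done
}

# Print "path|keytype|comment" for every authorized_keys entry under ROOT.
# The bot adds its own key here; every line must map to a known admin.
list_authorized_keys() {
    root="${1%/}"
    for f in "$root/root/.ssh/authorized_keys" "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" | while IFS= read -r line; do
            set -- $line
            # an options field (no-pty, from=...) may precede the key type
            case "$1" in ssh-*|ecdsa-*|sk-*) ;; *) shift ;; esac
            printf '%s|%s|%s\n' "${f#"$root"}" "$1" "${3:-<no comment>}"
        done
    done
}

audit_all() {
    root="${1%/}"
    echo "== admin-added systemd units with suspicious ExecStart under ${root:-/} =="
    flag_units "$root"
    echo "== sha256 of unit binaries (compare with the IOC hashes) =="
    hash_unit_binaries "$root"
    echo "== SSH authorized_keys entries (each must map to a known admin) =="
    list_authorized_keys "$root"
}

# sh audit.sh /            live host
# sh audit.sh /mnt/camera  mounted firmware or disk image
if [ -n "${1:-}" ]; then
    audit_all "$1"
fi
```

The output is a review list, not a verdict: some distributions legitimately start services from /lib, and a device owner may have added keys on purpose. What you are looking for is a service name that looks familiar but runs a binary nobody installed, a binary whose hash matches the indicators below, or a key whose comment nobody recognises.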

Technical Details

Author: AlienVault
TLP: WHITE
References: https://www.darktrace.com/blog/pumabot-novel-botnet-targeting-iot-surveillance-devices
Adversary: not attributed
Pulse ID: 6840aeed45c664821c11fe38
Threat Score: none assigned

Indicators of Compromise

Domains

1.lusyn.xyz
dasfsdfsdfsdfasfgbczxxc.lusyn.xyz
db.17kp.xyz
dow.17kp.xyz
input.17kp.xyz
ssh.ddos-cc.org
pumatronix.com
cadosecurity.com
multi-user.target

Note on the domain list: multi-user.target is a systemd target name (it appears in the unit file the malware installs), not a domain, and should not be blocked. pumatronix.com and cadosecurity.com are vendor sites, a surveillance camera manufacturer and a security company, and most likely appear here as strings pulled from the samples or the report rather than as attacker infrastructure; confirm before adding them to a blocklist. The lusyn.xyz, 17kp.xyz and ddos-cc.org hosts are the ones to alert on.

Hashes

MD5
0e455e06315b9184d2e64dd220491f7e
1bd6bcd480463b6137179bc703f49545
48ee40c40fa320d5d5f8fc0359aa96f3
8b37d3a479d1921580981f325f13780c
a9412371dc9247aa50ab3a9425b3e8ba
be83729e943d8d0a35665f55358bdf88
cab6f908f4dedcdaedcdd07fdc0a8e38
cb4011921894195bcffcdf4edce97135

SHA-1
158f869a1ae3aa2a3586920e788a9110b7495b9d
1d6f623aa4ccb3ba89c19a1479a84067ada38f32
2c54bfe5145be3d28f5899962f5c570a34de15fb
5a1448bb86d5658f396c463f08774fdf171245e6
6710f3847b805a75eab797959094acaeaa29d6aa
a85c6874884f7d6df2587fd51f65ff7593569683
c39c96dc5c1e640d081da30cf8f0638689700483
f540f7af0ba3995c2a35f623b83737456c93e55f

SHA-256
0957884a5864deb4389da3b68d3d2a139b565241da3bb7b9c4a51c9f83b0f838
426276a76f20b823e896e3c08f1c42f3d15a91a55c3613c7b3bdfbef0bbed9a9
6838d819b5588cd4b0a52c21d02cbf305005fc31bc0e6709d24223a0f6dfb249
7c59d3e325ad6c6d85e3b4c457c8f816eb437e5e98a63584f5eb7a39e33a5f40
a5125945d7489d61155723259990c168db01dfedcd76a2e1ba08caa3c4532ca3
ab50b0b9d5c9739383ce6178b258af10b116299ecb3319bbfb94f27d6f7b1b01
f8c75077c3e3c97314c729a7a5fe97b1d2868a94632a351ba3985f0cf66c09d7

Yara

f540f7af0ba3995c2a35f623b83737456c93e55f: Rule to match on PumaBot samples (only this identifier is given; the rule body is not reproduced in the pulse)

Threat ID: 6840eba9182aa0cae2c6e1b8

Added to database: 6/5/2025, 12:58:17 AM

Last enriched: 7/7/2025, 3:12:04 AM

Last updated: 8/13/2025, 1:35:19 AM