Severity
High
Analysis Summary
PumaBot is a Go-based Linux botnet first reported by security researchers in May 2025. It targets Internet of Things (IoT) devices and Linux servers whose SSH service accepts weak or reused passwords. Rather than scanning the internet itself, which is noisy and easy to spot, it retrieves a list of target IP addresses from its command-and-control (C2) server and attempts to log in with a supplied list of stolen credentials.
Once it has a foothold, PumaBot masquerades as legitimate software (posing as Redis, for example) and installs fake system services so that it is restarted after a reboot. It also appends its own public key to the compromised account's SSH authorized_keys file, giving the operators a way back in even after the password is changed. Its most damaging capability is replacing the PAM authentication module: the trojanised module captures every username and password presented at login and forwards them to the C2 servers.
The malware is built for stealth and long-term persistence rather than loud disruption. It disables SELinux and modifies SSH settings to avoid detection and removal. PumaBot is therefore a serious threat: it steals credentials silently, hides in plain sight, and keeps durable control of every system it infects.
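Two of the persistence techniques described above, the attacker-added SSH key and the lookalike service, leave artefacts that can be hunted for on a host. The following is an added example, not code from the advisory or from the PumaBot samples: every input is constructed test data, the key blobs are synthetic, and the unit names, file paths and trusted directory list are assumptions to adapt to your own estate.

```python
"""Hunting checks for an attacker-added SSH key in authorized_keys and for a
lookalike service whose binary lives outside the normal install directories.

Added example, not code from the advisory. Inputs are constructed test data;
paths, unit names and TRUSTED_EXEC_DIRS are assumptions."""
import base64
import hashlib
import re

# Assumption: directories from which a legitimate unit's ExecStart binary is
# expected to run. Extend for /opt/<vendor> style installs.
TRUSTED_EXEC_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                     "/usr/lib/", "/usr/libexec/")


def ssh_fingerprint(line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of one authorized_keys line (base64 of
    the blob's SHA-256 with padding stripped, as ssh-keygen -lf prints it)."""
    fields = line.split()
    # A line may start with options such as "from=...,no-pty"; the key type is
    # the first field that looks like one, followed by the base64 blob.
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-", "sk-")):
            blob = base64.b64decode(fields[i + 1], validate=True)
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError(f"not an authorized_keys entry: {line!r}")


def unapproved_keys(authorized_keys: str, approved: set[str]) -> list[str]:
    """Return the trailing comment of every key whose fingerprint is not in
    the approved baseline; these are the entries to investigate."""
    rogue = []
    for line in authorized_keys.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if ssh_fingerprint(line) not in approved:
            rogue.append(line.split()[-1])
    return rogue


def suspicious_units(units: dict[str, str]) -> list[tuple[str, str]]:
    """Flag (unit, executable) pairs whose ExecStart binary is outside
    TRUSTED_EXEC_DIRS, e.g. a "redis" lookalike started from /var/tmp."""
    findings = []
    for name, text in units.items():
        for m in re.finditer(r"^ExecStart=(\S+)", text, re.MULTILINE):
            exe = m.group(1).lstrip("-@:+!")  # strip systemd prefix characters
            if not exe.startswith(TRUSTED_EXEC_DIRS):
                findings.append((name, exe))
    return findings


def _fake_ed25519_blob(seed: int) -> str:
    """CONSTRUCTED test data: a syntactically valid ssh-ed25519 wire blob whose
    32 key bytes are just a hash of the seed, not a real key."""
    key = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    wire = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + key
    return base64.b64encode(wire).decode()


ADMIN_KEY = f"ssh-ed25519 {_fake_ed25519_blob(1)} admin@bastion"
ROGUE_KEY = f"ssh-ed25519 {_fake_ed25519_blob(2)} user@unknown"
AUTHORIZED_KEYS = "\n".join(["# managed by configuration management",
                             ADMIN_KEY, ROGUE_KEY])
APPROVED_FINGERPRINTS = {ssh_fingerprint(ADMIN_KEY)}

# Constructed unit files: a genuine redis unit and a lookalike that runs a
# binary from a world-writable directory.
UNITS = {
    "redis.service": "[Service]\nExecStart=/usr/bin/redis-server /etc/redis/redis.conf\n",
    "redis-daemon.service": "[Service]\nExecStart=/var/tmp/redis\nRestart=always\n",
}

if __name__ == "__main__":
    print("unapproved keys:", unapproved_keys(AUTHORIZED_KEYS, APPROVED_FINGERPRINTS))
    print("suspicious units:", suspicious_units(UNITS))
```

On a real host, feed `unapproved_keys` the authorized_keys file of every account, root included, with a baseline of fingerprints from your provisioning system, and feed `suspicious_units` the unit files under /etc/systemd/system. The PAM module replacement is best checked with the package manager rather than by hand: `dpkg --verify libpam-modules` on Debian/Ubuntu or `rpm -V pam` on RHEL-family systems reports any installed file whose checksum no longer matches the package.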
Impact
- Data Exfiltration
- Unauthorized Access
- Credential Theft
Indicators of Compromise
Domain Name
- ssh.ddos-cc.org
MD5
- cab6f908f4dedcdaedcdd07fdc0a8e38
- a9412371dc9247aa50ab3a9425b3e8ba
- 0e455e06315b9184d2e64dd220491f7e
- cb4011921894195bcffcdf4edce97135
- 48ee40c40fa320d5d5f8fc0359aa96f3
- 1bd6bcd480463b6137179bc703f49545
SHA-256
- a5125945d7489d61155723259990c168db01dfedcd76a2e1ba08caa3c4532ca3
- ab50b0b9d5c9739383ce6178b258af10b116299ecb3319bbfb94f27d6f7b1b01
- 426276a76f20b823e896e3c08f1c42f3d15a91a55c3613c7b3bdfbef0bbed9a9
- 7c59d3e325ad6c6d85e3b4c457c8f816eb437e5e98a63584f5eb7a39e33a5f40
- f8c75077c3e3c97314c729a7a5fe97b1d2868a94632a351ba3985f0cf66c09d7
- 0957884a5864deb4389da3b68d3d2a139b565241da3bb7b9c4a51c9f83b0f838
SHA-1
- c39c96dc5c1e640d081da30cf8f0638689700483
- 2c54bfe5145be3d28f5899962f5c570a34de15fb
- 5a1448bb86d5658f396c463f08774fdf171245e6
- 6710f3847b805a75eab797959094acaeaa29d6aa
- a85c6874884f7d6df2587fd51f65ff7593569683
- 158f869a1ae3aa2a3586920e788a9110b7495b9d
URL
- http://ssh.ddos-cc.org:55554/
- http://ssh.ddos-cc.org:55554/log_success
- http://ssh.ddos-cc.org:55554/get_cmd
- http://ssh.ddos-cc.org:55554/pwd.txt
- https://dow.17kp.xyz/
- https://input.17kp.xyz/
- https://db.17kp.xyz/
- http://1.lusyn.xyz/
- http://1.lusyn.xyz/jc/1
- http://1.lusyn.xyz/jc/jc.sh
Remediation
- Block the indicators listed above at your perimeter, DNS and endpoint controls.
- Search for these indicators of compromise (IOCs) in your telemetry (DNS, proxy and file-hash inventories) using your respective security controls.
- Prefer SSH key-based authentication and disable password authentication where possible; where passwords must remain, enforce strong, unique ones.
- Restrict SSH access to known source IP ranges rather than exposing it to the whole internet.
- Regularly monitor and audit running services, background processes and systemd unit files, and treat a service whose binary runs from an unexpected location with suspicion.
- Check for unauthorized modifications to system files and authentication modules, in particular the PAM modules, by verifying them against package-manager checksums, and review every account's authorized_keys file for keys you did not provision.
- Block known malicious command-and-control (C2) domains and IPs through firewalls or DNS filtering.
- Enable SELinux or AppArmor in enforcing mode and alert when either is disabled, since the malware switches SELinux off.
- Deploy antivirus or endpoint detection tools capable of spotting rootkits and stealthy malware.
- Keep all systems, software and dependencies updated with the latest security patches.
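The first two remediation steps, blocking and hunting for the indicators, are easier to get right when the IOC list is loaded once and matched against several telemetry sources. The script below is an added example, not code from the advisory: the indicator values are copied from the IOC section above, while the DNS, proxy and file-hash lines are constructed test data whose IP addresses, file paths and timestamps are assumptions. It also matches on any IOC host on its own, not only on the exact URLs, because a new path on a known C2 host is still a hit.

```python
"""Match the PumaBot indicators listed above against sample telemetry.

Added example, not code from the advisory. IOC values are copied from the
IOC section; the DNS, proxy and file-hash lines are constructed test data."""
import re
from urllib.parse import urlsplit

IOC_DOMAINS = {"ssh.ddos-cc.org"}
IOC_URLS = {
    "http://ssh.ddos-cc.org:55554/",
    "http://ssh.ddos-cc.org:55554/log_success",
    "http://ssh.ddos-cc.org:55554/get_cmd",
    "http://ssh.ddos-cc.org:55554/pwd.txt",
    "https://dow.17kp.xyz/",
    "https://input.17kp.xyz/",
    "https://db.17kp.xyz/",
    "http://1.lusyn.xyz/",
    "http://1.lusyn.xyz/jc/1",
    "http://1.lusyn.xyz/jc/jc.sh",
}
IOC_HASHES = {h.lower() for h in (
    # MD5
    "cab6f908f4dedcdaedcdd07fdc0a8e38", "a9412371dc9247aa50ab3a9425b3e8ba",
    "0e455e06315b9184d2e64dd220491f7e", "cb4011921894195bcffcdf4edce97135",
    "48ee40c40fa320d5d5f8fc0359aa96f3", "1bd6bcd480463b6137179bc703f49545",
    # SHA-1
    "c39c96dc5c1e640d081da30cf8f0638689700483", "2c54bfe5145be3d28f5899962f5c570a34de15fb",
    "5a1448bb86d5658f396c463f08774fdf171245e6", "6710f3847b805a75eab797959094acaeaa29d6aa",
    "a85c6874884f7d6df2587fd51f65ff7593569683", "158f869a1ae3aa2a3586920e788a9110b7495b9d",
    # SHA-256
    "a5125945d7489d61155723259990c168db01dfedcd76a2e1ba08caa3c4532ca3",
    "ab50b0b9d5c9739383ce6178b258af10b116299ecb3319bbfb94f27d6f7b1b01",
    "426276a76f20b823e896e3c08f1c42f3d15a91a55c3613c7b3bdfbef0bbed9a9",
    "7c59d3e325ad6c6d85e3b4c457c8f816eb437e5e98a63584f5eb7a39e33a5f40",
    "f8c75077c3e3c97314c729a7a5fe97b1d2868a94632a351ba3985f0cf66c09d7",
    "0957884a5864deb4389da3b68d3d2a139b565241da3bb7b9c4a51c9f83b0f838",
)}
# Every host named in an IOC URL is hunted on its own: a new path on a known
# C2 host is still a hit.
IOC_HOSTS = IOC_DOMAINS | {urlsplit(u).hostname for u in IOC_URLS}

URL_RE = re.compile(r"https?://[^\s\"']+")
# Exact-length hex runs only: SHA-256 (64), SHA-1 (40), MD5 (32).
HEX_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")


def match_hosts(lines: list[str]) -> list[tuple[int, str]]:
    """(line number, host) for each line whose DNS query or URL names an IOC host."""
    hits = []
    for n, line in enumerate(lines, 1):
        hosts = set()
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname
            if host:
                hosts.add(host.lower())
        m = re.search(r"\bquery=(\S+)", line)          # constructed DNS log format
        if m:
            hosts.add(m.group(1).lower().rstrip("."))  # drop trailing root dot
        hits.extend((n, h) for h in sorted(hosts & IOC_HOSTS))
    return hits


def match_urls(lines: list[str]) -> list[tuple[int, str]]:
    """Exact IOC URL matches (scheme, host, port, path), ignoring a trailing slash."""
    normalised = {u.rstrip("/") for u in IOC_URLS}
    return [(n, url) for n, line in enumerate(lines, 1)
            for url in URL_RE.findall(line) if url.rstrip("/") in normalised]


def match_hashes(lines: list[str]) -> list[tuple[int, str]]:
    """(line number, digest) for every MD5/SHA-1/SHA-256 value in the IOC set."""
    return [(n, h.lower()) for n, line in enumerate(lines, 1)
            for h in HEX_RE.findall(line) if h.lower() in IOC_HASHES]


# Constructed sample telemetry (not real captures); addresses and paths are made up.
DNS_LOG = [
    "2025-06-03T10:12:01Z 10.0.0.5 query=ssh.ddos-cc.org. type=A",
    "2025-06-03T10:12:02Z 10.0.0.5 query=mirrors.example.org. type=A",
    "2025-06-03T10:12:09Z 10.0.0.7 query=dow.17kp.xyz. type=A",
]
PROXY_LOG = [
    '10.0.0.5 "GET http://ssh.ddos-cc.org:55554/get_cmd HTTP/1.1" 200',
    '10.0.0.5 "GET http://ssh.ddos-cc.org:55554/status HTTP/1.1" 404',  # known host, unlisted path
    '10.0.0.6 "GET https://updates.example.com/ HTTP/1.1" 200',
]
HASH_INVENTORY = [  # sha256sum-style output from a file sweep
    "a5125945d7489d61155723259990c168db01dfedcd76a2e1ba08caa3c4532ca3  /var/tmp/redis",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  /usr/bin/true",
]

if __name__ == "__main__":
    print("hosts:", match_hosts(DNS_LOG + PROXY_LOG))
    print("urls:", match_urls(PROXY_LOG))
    print("hashes:", match_hashes(HASH_INVENTORY))
```

The second proxy line shows why host matching is kept separate from URL matching: the path is not on the IOC list, so `match_urls` stays silent, but `match_hosts` still flags the connection to the known C2 host. Replace the sample lists with your own DNS resolver, proxy and file-hash exports, keeping the `query=` extraction in step with your DNS log format.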