PumaBot: new malware hijacks IoT devices by brute-forcing SSH credentials
A new piece of malware named PumaBot targets IoT devices and spreads by brute-forcing SSH credentials. It uses advanced stealth techniques such as in-memory execution and dynamic C2 server rotation, and establishes persistence mechanisms to keep long-term control of the device. It has already infected tens of thousands of devices, bringing threats such as DDoS attacks and cryptomining. 2025-5-29 14:58:39 Author: cybersecuritynews.com

New PumaBot Hijacks IoT Devices by Brute Forcing SSH Credentials For Persistence

A sophisticated new malware strain dubbed PumaBot has emerged in the cybersecurity landscape, specifically targeting Internet of Things (IoT) devices through aggressive SSH credential brute-forcing campaigns.

This latest threat represents a significant evolution in IoT-focused malware, demonstrating advanced persistence mechanisms and stealth capabilities that allow it to maintain long-term access to compromised devices across diverse network infrastructures.

The malware first appeared in late 2024, initially targeting poorly secured IoT devices including IP cameras, routers, and industrial control systems that maintain default or weak SSH credentials.


[Figure: Jierui functions (Source – DarkTrace)]

PumaBot’s attack methodology begins with systematic network scanning to identify devices with exposed SSH services, followed by dictionary-based brute force attacks using common username and password combinations.

Once successful authentication occurs, the malware establishes persistent backdoors and begins recruiting the compromised device into its expanding botnet infrastructure.

Darktrace analysts recently identified PumaBot during routine threat hunting operations, noting its sophisticated evasion techniques and multi-stage payload delivery system.

The researchers observed that unlike traditional IoT malware families, PumaBot employs advanced anti-analysis measures including process name obfuscation, memory-only execution phases, and dynamic command-and-control server rotation to avoid detection by conventional security monitoring systems.

The impact of PumaBot infections extends beyond typical botnet activities, as the malware establishes comprehensive device control that enables various malicious operations including distributed denial-of-service attacks, cryptocurrency mining, and lateral movement within enterprise networks.

Organizations with large IoT deployments face particular risk, as a single compromised device can serve as an entry point for broader network infiltration and data exfiltration activities.

Current intelligence suggests PumaBot has successfully compromised tens of thousands of devices globally, with infections concentrated in regions with high IoT device density and inadequate cybersecurity practices.

The malware’s ability to persist through device reboots and firmware updates makes remediation particularly challenging, requiring comprehensive device reimaging and credential rotation to ensure complete removal.

Advanced SSH Exploitation and Persistence Mechanisms

PumaBot’s SSH exploitation capabilities represent a significant advancement in automated credential compromise techniques, utilizing sophisticated wordlist generation and adaptive timing mechanisms to evade rate-limiting protections.

The malware employs a multi-threaded approach to credential testing, dynamically adjusting connection attempts based on target device responses and implementing intelligent delays to avoid triggering security monitoring systems.

The initial compromise phase begins with PumaBot’s scanning module identifying potential targets through port enumeration and service fingerprinting.

Upon discovering SSH services on port 22 or alternative configurations, the malware initiates credential testing using an embedded dictionary containing over 50,000 username and password combinations, including device-specific defaults and commonly observed weak credentials.

The following code snippet demonstrates the core authentication logic (credential_pairs and establish_persistence are defined elsewhere in the sample and are not shown here):

import paramiko

def ssh_bruteforce(target_ip, port=22):
    for username, password in credential_pairs:
        try:
            ssh_client = paramiko.SSHClient()
            # Accept any unknown host key so the first connection to a device succeeds
            ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
            ssh_client.connect(target_ip, port, username, password, timeout=10)
            # First pair that authenticates: hand the live session to the persistence stage
            return establish_persistence(ssh_client, target_ip)
        except paramiko.AuthenticationException:
            continue  # wrong credentials, try the next pair
        except Exception:
            break     # connection or host error, give up on this target
    return False
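As an added defender-side example (not code from the article or from Darktrace), the following parses constructed sshd log lines and flags the pattern the credential-testing loop above leaves behind: a burst of failed password logins from one source inside a short window, followed by a successful login from that same source. The log lines, host name and addresses are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (not from the article): one stray failure from
# 10.0.0.5, then a burst of failures from 203.0.113.7 ending in a success.
SAMPLE_LOG = """\
May 29 14:01:02 cam01 sshd[812]: Failed password for root from 10.0.0.5 port 51000 ssh2
May 29 14:01:03 cam01 sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
May 29 14:01:04 cam01 sshd[814]: Failed password for root from 203.0.113.7 port 40002 ssh2
May 29 14:01:05 cam01 sshd[815]: Failed password for invalid user pi from 203.0.113.7 port 40003 ssh2
May 29 14:01:06 cam01 sshd[816]: Failed password for invalid user ubnt from 203.0.113.7 port 40004 ssh2
May 29 14:01:07 cam01 sshd[817]: Failed password for root from 203.0.113.7 port 40005 ssh2
May 29 14:01:09 cam01 sshd[818]: Accepted password for root from 203.0.113.7 port 40006 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_events(log_text, year=2025):
    """Yield (timestamp, result, user, source_ip) for each password event."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog lines carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return {source_ip: verdict}. A source with >= threshold failures inside
    window_s seconds is 'bruteforce'; a later successful login from that
    source becomes 'likely_compromise:<user>' (a guessed credential worked)."""
    failures = defaultdict(list)  # source_ip -> failure timestamps in window
    verdicts = {}
    for ts, result, user, ip in parse_events(log_text):
        if result == "Failed":
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= threshold:
                verdicts.setdefault(ip, "bruteforce")
        elif ip in verdicts:
            verdicts[ip] = f"likely_compromise:{user}"
    return verdicts

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))  # {'203.0.113.7': 'likely_compromise:root'}
```

The success-after-failures verdict is the one worth paging on, since the article notes PumaBot moves straight to persistence once a pair authenticates.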

Once successful authentication occurs, PumaBot immediately deploys its persistence framework through multiple redundant mechanisms designed to survive system maintenance and security updates.

The malware creates hidden system services, modifies startup scripts, and establishes cron job entries that ensure automatic execution following device reboots.

Additionally, PumaBot implements a novel technique involving SSH key injection, where it generates and installs authorized public keys that provide password-free access for future connections.

The persistence architecture includes a sophisticated watchdog system that monitors for removal attempts and automatically reinstalls components if deletion is detected.

This resilience mechanism operates through distributed file placement across multiple system directories and employs file attribute manipulation to hide malicious components from standard administrative tools.

The comprehensive persistence strategy employed by this advanced threat demonstrates the multiple layers of system integration that enable long-term device compromise and control.
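Because the SSH key injection described above leaves a durable artifact in authorized_keys, one practical check is to fingerprint every key in that file and report anything outside a known allowlist. The following is an added example (not from the article or Darktrace); the key blobs and file contents are constructed, and the fingerprint format matches what ssh-keygen -lf prints so findings can be compared against an inventory.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "sk-ssh-ed25519@openssh.com"}

def _fake_ed25519_key(seed):
    """Constructed ssh-ed25519 blob (length-prefixed strings) with a dummy point."""
    blob = b"".join(struct.pack(">I", len(s)) + s for s in (b"ssh-ed25519", bytes([seed]) * 32))
    return base64.b64encode(blob).decode()

KEY_ADMIN = _fake_ed25519_key(1)     # assumed to be the operator's known key
KEY_INJECTED = _fake_ed25519_key(2)  # stands in for a key the malware appended

# Constructed authorized_keys content: the known admin key plus an unknown one.
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample
ssh-ed25519 {KEY_ADMIN} admin@mgmt
ssh-ed25519 {KEY_INJECTED}
"""

def ssh_fingerprint(key_b64):
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (options, key_type, key_b64, comment) per key line; key_type is
    'malformed' when no key-type token is found. The blob never contains
    spaces, so locating the type token works even with quoted options."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            yield "", "malformed", "", line
        else:
            yield " ".join(tokens[:idx]), tokens[idx], tokens[idx + 1], " ".join(tokens[idx + 2:])

def audit_authorized_keys(text, allowed_fingerprints):
    """Return a finding per key not in the allowlist (or unparseable)."""
    findings = []
    for options, key_type, key_b64, comment in parse_authorized_keys(text):
        try:
            fp = ssh_fingerprint(key_b64) if key_type != "malformed" else "n/a"
        except ValueError:  # base64.b64decode raises binascii.Error, a ValueError
            fp, key_type = "n/a", "malformed"
        if fp not in allowed_fingerprints:
            findings.append({"type": key_type, "fingerprint": fp,
                             "comment": comment, "options": options})
    return findings
```

Run it against every account's authorized_keys (root and service accounts included), and treat any finding on a device that also shows unexpected cron entries or startup-script changes as a full reimage case rather than a cleanup.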



Source: https://cybersecuritynews.com/pumabot-hijacks-iot-devices-by-brute-forcing-ssh/