
Cybersecurity researchers at Darktrace have exposed a stealthy and persistent Linux-based botnet dubbed PumaBot, which leverages Go binaries, SSH brute-force attacks, and custom backdoors to target Internet of Things (IoT) devices. Unlike traditional botnets that rely on noisy internet-wide scanning, PumaBot adopts a more targeted and evasive strategy, making it harder to detect and more resilient against takedowns.
“Rather than scanning the Internet, the malware retrieves a list of targets from a command-and-control (C2) server and attempts to brute-force SSH credentials,” Darktrace explained in its technical breakdown.
The initial infection begins when PumaBot pulls a list of IP addresses with open SSH ports from a C2 domain (ssh.ddos-cc[.]org). It then attempts brute-force logins using credentials also provided by the C2, aided by environment fingerprinting to evade detection.
Notably, the malware:
- Executes uname -a to gather system information.
- Uses a custom HTTP header X-API-KEY: jieruidashabi.
- Writes itself to /lib/redis disguised as a Redis file.
- Persists via systemd services (redis.service, or mysqI.service, misspelled with a capital I in place of the l so it resembles a MySQL unit).
“The malware also adds its own SSH keys into the users’ authorized_keys file,” ensuring persistent access even if its service is removed.
Darktrace found multiple binaries associated with the PumaBot campaign:
- ddaemon: A Go-based backdoor that self-updates from db.17kp[.]xyz and installs the SSH brute-forcing tool networkxm. It persists via a dedicated systemd service.
- networkxm: A standalone brute-force tool that fetches credentials and target IPs from the same C2 infrastructure. It operates in an infinite loop and establishes persistence with networkxm.service.
- jc.sh and PAM rootkit: The malware executes a bash script (jc.sh) which:
  - Downloads and replaces the system’s PAM authentication module (pam_unix.so) with a malicious version.
  - Steals SSH credentials by logging them to /usr/bin/con.txt.
  - Uses a daemonized binary (1) to monitor and exfiltrate stolen data to lusyn[.]xyz.
“The purpose of this binary is to act as a rootkit that steals credentials by intercepting successful logins… The details are stored in a file ‘con.txt’ in /usr/bin/,” the report reveals.
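A host-side hunt for the file, unit and credential-log artefacts listed above, written here as an added example and not taken from Darktrace's report or tooling. It assumes the persistence units sit in the standard systemd unit directories, that the disguised redis.service launches the dropped /lib/redis binary via ExecStart, and uses a hypothetical ROOT prefix so the same checks can run over a mounted disk image instead of the live host.

```shell
# Hunt for PumaBot host artefacts (added example, not Darktrace tooling).
# ROOT prefixes every path, so the checks can run over a mounted image or a
# constructed test tree; an empty ROOT means the live host.
# Assumptions: units live in the usual systemd directories, and the fake
# redis.service points ExecStart at the dropped /lib/redis binary.

pumabot_scan() {
    root="${1:-}"
    # Dropped binary masquerading as Redis
    [ -e "$root/lib/redis" ] && echo "FINDING: $root/lib/redis present (disguised PumaBot binary)"
    # Credential log written by the trojanised pam_unix.so
    [ -e "$root/usr/bin/con.txt" ] && echo "FINDING: $root/usr/bin/con.txt present (PAM rootkit credential log)"
    for d in "$root/etc/systemd/system" "$root/lib/systemd/system" "$root/usr/lib/systemd/system"; do
        # Unit names with no legitimate use: mysqI (capital I) and networkxm
        for u in mysqI.service networkxm.service; do
            [ -f "$d/$u" ] && echo "FINDING: $d/$u present (PumaBot persistence unit)"
        done
        # redis.service is normal on Redis hosts; flag it only if it launches /lib/redis
        if [ -f "$d/redis.service" ] && grep -Eq '^ExecStart=/lib/redis( |$)' "$d/redis.service"; then
            echo "FINDING: $d/redis.service launches /lib/redis"
        fi
    done
    # The malware adds its own key, so list authorized_keys files for manual review
    for k in "$root/root/.ssh/authorized_keys" "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$k" ] && echo "REVIEW: $k has $(grep -Ec '^(ssh-|ecdsa-)' "$k" || true) key(s)"
    done
    # Live host only: package verification catches a replaced pam_unix.so
    if [ -z "$root" ]; then
        if command -v dpkg >/dev/null 2>&1; then
            dpkg -V libpam-modules 2>/dev/null | grep -q pam_unix.so && echo "FINDING: pam_unix.so fails dpkg verification"
        elif command -v rpm >/dev/null 2>&1; then
            rpm -V pam 2>/dev/null | grep -q pam_unix.so && echo "FINDING: pam_unix.so fails rpm verification"
        fi
    fi
    return 0
}

# Number of FINDING lines for ROOT; a non-zero value is the alert signal for a scan job
pumabot_finding_count() {
    pumabot_scan "$1" | grep -c '^FINDING:' || true
}

# Run as: sh pumabot_scan.sh --scan            (live host)
#         sh pumabot_scan.sh --scan /mnt/image (mounted image)
case "${1:-}" in
    --scan) pumabot_scan "${2:-}" ;;
esac
```

Package verification only runs against the live host, because dpkg and rpm consult the host's own package database rather than the prefixed tree.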
PumaBot and its associated payloads show a high degree of stealth:
- Masquerading as system binaries (e.g., Redis)
- Utilizing systemd for persistence
- Bypassing basic detection via environmental checks
- Disabling SELinux and modifying SSH configuration
“The botnet represents a persistent Go-based SSH threat… It demonstrates an intent to evade defenses,” concludes Darktrace.