PumaBot Presents A New Threat To IoT Surveillance Devices
In May 2025, cybersecurity firm Darktrace identified a novel botnet named "PumaBot" targeting Internet of Things (IoT) surveillance devices. Unlike traditional botnets that scan the internet indiscriminately, PumaBot employs a more focused approach, retrieving specific targets from a command-and-control (C2) server and attempting to gain access through brute-force attacks on SSH credentials.
Traditionally, a botnet is defined as a network of devices infected with malicious software and controlled as a group without the owners' knowledge. Cybercriminals use botnets to perform various malicious activities, such as launching distributed denial-of-service (DDoS) attacks, sending spam, or stealing data.
IoT devices, including surveillance cameras and network video recorders, are particularly vulnerable to botnet infections because of poor security practices by both manufacturers and end users. Many IoT devices ship with default usernames and passwords, which users often fail to change.
Manufacturers usually do not provide regular security updates, exposing devices to known vulnerabilities for years. To further exacerbate the problem, IoT devices often have minimal security features, making them easy targets for threat actors to exploit.
PumaBot bucks traditional botnet trends in several essential ways, but primarily, the malware distinguishes itself through its targeted approach. Instead of scanning the entire internet, PumaBot contacts its C2 server to receive a list of specific IP addresses to target. It attempts to gain access to these devices by systematically trying various username and password combinations over SSH (Secure Shell), a protocol used for secure remote login.
This brute-force attack method highlights the importance of using strong username and password combinations. Relying on the default passwords supplied by the manufacturer is simply not good enough to prevent device compromise.
Upon successful login, PumaBot installs itself on the device and modifies system files so that it remains active even after reboots, giving the malware persistence. The now-infected device then communicates with the C2 server to receive further instructions, such as launching attacks or spreading the malware to other devices.
The infection of IoT surveillance devices by PumaBot poses several risks to the enterprises whose devices are compromised. Infected devices can be used in DDoS attacks that flood targeted systems with traffic and cause service disruptions.
Once threat actors have compromised an IoT security device, they could access sensitive video footage or other data stored on the devices, posing significant security problems. Further, once inside a network, PumaBot could move laterally to infect other devices or systems.
Darktrace researchers concluded:
The botnet represents a persistent Go-based SSH threat that leverages automation, credential brute-forcing, and native Linux tools to gain and maintain control over compromised systems. By mimicking legitimate binaries (e.g., Redis), abusing systemd for persistence, and embedding fingerprinting logic to avoid detection in honeypots or restricted environments, it demonstrates an intent to evade defenses...While it does not appear to propagate automatically like a traditional worm, it does maintain worm-like behavior by brute-forcing targets, suggesting a semi-automated botnet campaign focused on device compromise and long-term access.
To protect IoT devices from threats like PumaBot, the following mitigation steps are strongly advised:
Change Default Credentials: Immediately update default usernames and passwords to strong, unique combinations.
Regular Updates: Ensure devices run the latest firmware and security patches manufacturers provide.
Disable Unused Services: Turn off unnecessary features or services attackers could exploit.
Network Segmentation: Isolate IoT devices on separate networks to prevent the potential spread of infections.
Monitor Network Traffic: Use intrusion detection systems to identify unusual activities that may indicate a compromise.
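One way to act on the "Monitor Network Traffic" step above: an added example (not code from the article or from Darktrace) that flags SSH credential brute-forcing, the behaviour attributed to PumaBot, in sshd authentication logs, and escalates when a password login succeeds right after a burst of failures from the same source. The log lines, hostname, IP addresses, usernames and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines (syslog format); hostname, IPs and users are made up.
SAMPLE_LOG = """\
May 20 10:01:02 cam01 sshd[311]: Failed password for root from 203.0.113.7 port 51000 ssh2
May 20 10:01:04 cam01 sshd[312]: Failed password for admin from 203.0.113.7 port 51001 ssh2
May 20 10:01:05 cam01 sshd[313]: Failed password for invalid user user from 203.0.113.7 port 51002 ssh2
May 20 10:01:07 cam01 sshd[314]: Failed password for admin from 203.0.113.7 port 51003 ssh2
May 20 10:01:09 cam01 sshd[315]: Failed password for root from 203.0.113.7 port 51004 ssh2
May 20 10:01:11 cam01 sshd[316]: Accepted password for admin from 203.0.113.7 port 51005 ssh2
May 20 10:15:30 cam01 sshd[420]: Accepted publickey for ops from 192.0.2.10 port 40022 ssh2
May 20 10:20:00 cam01 sshd[501]: Failed password for root from 198.51.100.9 port 33000 ssh2
"""

# Matches both "Failed password for ..." and "Accepted publickey for ..." sshd auth lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(lines, year=2025):
    """Yield (timestamp, result, user, source_ip) for each line that matches."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return {source_ip: verdict}: 'bruteforce' once a source reaches `threshold`
    failures within `window_s` seconds, escalated to 'compromise:<user>' if a login
    from that source then succeeds within the window (the guess likely worked)."""
    fails = defaultdict(list)
    alerts = {}
    for ts, result, user, ip in parse(lines):
        if result == "Failed":
            fails[ip].append(ts)
            recent = [t for t in fails[ip] if (ts - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                alerts.setdefault(ip, "bruteforce")
        elif fails[ip] and (ts - fails[ip][-1]).total_seconds() <= window_s:
            alerts[ip] = f"compromise:{user}"
    return alerts

if __name__ == "__main__":
    for ip, verdict in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {verdict}")
```

On a real device, feed it the sshd journal or auth log and tune `threshold` and `window_s` to the site's normal failure rate.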
GoLang's Increasing Use as a Malware Development Tool
GoLang, often simply referred to as Go, is a statically typed, compiled programming language developed by Google and first released in 2009. It is known for its efficiency, concurrency features, and ease of use. Go is widely used for building backend applications, cloud infrastructure, and command-line interfaces.
Go offers several features that make it appealing to malware developers. One of its most attractive aspects is the ability to compile a single codebase for multiple major operating systems, including Windows, macOS, and Linux.
This cross-platform capability allows attackers to develop and maintain just one codebase to target a wide range of systems, rather than managing separate code repositories for each platform, as is often required with other programming languages.
While some attackers have used universal scripting languages like Python, these approaches have drawbacks. As Windows does not natively support Python, attackers must use tools like PyInstaller to package their payloads for execution. These tools tend to leave artifacts on the system, potentially aiding detection. In contrast, Go does not leave such artifacts, which can make attacks more stealthy.
Another characteristic of Go that can benefit attackers is its use of static linking, which includes all necessary libraries within the compiled binary. This results in significantly larger file sizes, with the average size of Go-based malware samples being around 4.65MB, much larger than typical malware.
While this size can be a disadvantage for delivery methods such as phishing emails or embedding in trojans, it can also serve as a benefit: some antivirus products may overlook or fail to scan overly large files.
Golang's versatility has made it a preferred tool for financially motivated cybercriminal developers. Rather than rewriting malware separately for Windows, macOS, and Linux, these actors can use Golang to cross-compile a single codebase, enabling them to target multiple platforms with minimal effort. Additionally, Golang is often used as a wrapper for various types of cybercrime malware, including ransomware.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.